Information is critical to the operation and perhaps even the survival of your organization. Being certified to ISO/IEC 27001 will help you to manage and protect your valuable information assets.

ISO/IEC 27001 is the only auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.

This helps you to protect your information assets and give confidence to any interested parties, especially your customers. The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving your ISMS.

Who is it relevant to?

ISO/IEC 27001 is suitable for any organization, large or small, in any sector or part of the world. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.

ISO/IEC 27001 is also highly effective for organizations that manage information on behalf of others, such as IT outsourcing companies: certification can be used to assure customers that their information is being protected.


Certifying your ISMS against ISO/IEC 27001 can bring the following benefits to your organization:

  • Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements.
  • Independently demonstrates that applicable laws and regulations are observed.
  • Provides a competitive edge by meeting contractual requirements and demonstrating to your customers that the security of their information is paramount.
  • Independently verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation.
  • Proves your senior management's commitment to the security of the organization's information. The regular assessment process helps you to continually monitor your performance and improve.

Note: these benefits are not realized by organizations that merely claim compliance with ISO/IEC 27001, or with the recommendations in the Code of Practice standard, ISO/IEC 27002, without independent certification.

1. Initial Meeting
QUACERT provides the organization with the necessary information, including the Certification Principles and Conditions, the certification process and procedure, and other relevant information.

2. Certificate Registration
After reviewing and understanding the Certification Principles and Conditions and the certification process and procedures, the organization must send a "Certification Registration" signed by its authorized representative to QUACERT.

3. Review of the Certification Registration and setup of the audit programme
Before conducting the assessment, QUACERT reviews the "Certification Registration" and its supporting information. QUACERT then establishes an audit programme for the applying organization based on the results of that review.

4. Assessment preparation
Based on the results of the Certification Registration review, QUACERT determines the competence requirements for the members of the audit team and for the staff who make certification decisions. QUACERT must ensure that all tasks assigned to the audit team are clearly defined and communicated to the applying organization.

5. Assessment
QUACERT carries out the assessment in two phases. The first phase (commonly called the stage 1 audit) reviews the conditions and collects the necessary information about the organization, including its ISMS documentation and readiness for the on-site audit. The second phase (the stage 2 audit) is conducted at the organization's site and examines whether the ISMS is implemented and operating effectively.

6. Assessment Conclusion & Report
The QUACERT audit team must analyze all relevant information and evidence collected during the first and second assessment phases, review the findings, and state its assessment conclusions.

7. Certification
Before a certification decision is made, the audit team must provide the QUACERT technical board with all the information it needs for verification: the assessment report, the team's review of the findings, verification of the information the organization supplied to QUACERT, and a recommendation to grant or refuse a certificate, together with any conditions or observations.

The certificate is valid for three years from the signing date, on condition that the organization continues to comply fully with the requirements of the Certification Principles and Conditions.

8. Surveillance activities & certification maintenance
Surveillance activities are performed at least once a year at the organization's site. The first surveillance audit is normally held no later than 12 months after the end of the second assessment phase.

9. Re-assessment
Re-assessment activities are conducted before the certificate expires in order to evaluate the organization's continued compliance with the requirements of the relevant management system standards.

10. Extending assessment
If a certified organization wishes to expand the scope of its certification, it must submit a registration to QUACERT. On receipt of the registration, QUACERT will review it and determine the assessment activities needed to decide whether the certified scope can be extended.

11. Extraordinary assessment
QUACERT's procedures must allow for extraordinary (short-notice) assessments of certified organizations in order to investigate complaints, respond to changes affecting the certified ISMS, or follow up on organizations whose certification has been suspended.