Step 1: Proposal for Certification

- Contact AVRV and exchange of preliminary information. AVRV provides you a proposal based on the size and nature of your organization, detailing the cost and time involved.

Step 2: Pre-audit (Optional)

- You may decide to perform a pre-audit to assess the readiness of your organization for the audit. This stage is optional.

Step 3: Stage 1 Audit

- The AVRV auditors team during stage 1 shall obtain a sufficient understanding of the design of the ISMS in the context of the client's organization, risk assessment and treatment (including the controls determined - Statement of Applicability), information security policy and objectives and, in particular, of the client's preparedness for the audit.
- The results of stage 1 are documented in a written report by the Lead Auditor. The stage 1 report includes the further types of information and records that may be required for detailed examination during stage 2.
- A positive result following an independent review and evaluation of the above shall

- Evaluation of the implementation and systems effectiveness through observation of working practices, infrastructure utilized, IT systems, personnel interviews and examination of records including, for example:
  - information security performance and the effectiveness of the ISMS, evaluating against the information security objectives;
  - correspondence between the determined controls, the Statement of Applicability and the results of the information security risk assessment and risk treatment process and the information security policy and objectives;
  - implementation of controls (see Annex D), taking into account the external and internal context and related risks, the organization's monitoring, measurement and analysis of information security processes and controls, to determine whether controls are implemented and effective and meet their stated information security objectives;
  - determination of control objectives and controls based on the information security risk assessment and risk treatment processes;
- At the end of this stage all audit findings will be presented to you by the lead auditor.
- The assigned Lead Auditor shall propose the recommendation based on the evaluation and review of the effective implementation of corrections and corrective actions on findings raised during the audit. The final audit report is forwarded for the review and decision.

- An appointed independent and impartial team of AVRV reviews the audit report and the recommendation of the audit team and decides further on granting or not granting certification.

Step 7: Awarding Certification

- The client is informed of the results of the certification decision and, following successful certification, a three-year certification cycle is initiated and a certificate is issued.

Step 8: Surveillance audit

- Each year the validity of the certification remains subject to successful surveillance audits. Every twelve months we will verify that the management system conforms to the requirements of the standard.

Step 9: Recertification

- After 3 years and before the expiry of your certification our routine visit will be extended to enable a re-certification audit.
