The Route to Certification

2007-11-07


The following provides general information on the route to ISMS/ITSMS/BCMS certification.
For further information, please contact the ISMS/ITSMS/BCMS certification bodies, which certify and register organizations' ISMS/ITSMS/BCMS.

1. Where to submit application

Applications for ISMS/ITSMS/BCMS certification are submitted to accredited ISMS/ITSMS/BCMS certification bodies.

Accreditation of the ISMS/ITSMS/BCMS certification bodies is conducted by JIPDEC.
Please note that JIPDEC is an accreditation body that accredits certification bodies; it does not certify or register organizations' ISMS/ITSMS/BCMS.

2. Selection of certification bodies

An organization seeking ISMS/ITSMS/BCMS certification selects a certification body from among the accredited certification bodies.
Please see the following URLs for information on the accredited ISMS/ITSMS/BCMS certification bodies:
ISMS URL: http://www.isms.jipdec.or.jp/en/lst/isr/index.html
ITSMS URL: http://www.isms.jipdec.or.jp/en/itsms/lst/isr/index.html
BCMS URL: http://www.isms.jipdec.or.jp/bcms/lst/isr/index.html

  • Applicant organizations can apply to any accredited ISMS/ITSMS/BCMS certification body regardless of industry sector, since the accreditation is not limited by industry sector.
    However, some certification bodies may not accept an application if the audit of the organization's ISMS/ITSMS/BCMS needs particular sector-specific expertise, so it is recommended that an applicant organization contact the certification body to confirm this before submitting an application. Note also that a certification body may be unable to accept an application when there is a conflict of interest between the applicant organization and the certification body it has selected.
  • After selecting a certification body, the organization contacts the body to confirm the conditions of its certification audit and registration before applying. The application is submitted once these conditions are agreed with the certification body.
  • Certification/registration fees vary depending on, e.g., the ISMS/ITSMS/BCMS scope and the size of the applicant organization, as well as by certification body.

3. Audit and registration

  • The audit of the organization's ISMS/ITSMS/BCMS is initiated when the application is accepted and the certification body is ready for the audit.

  • The ISMS/ITSMS/BCMS audit is generally conducted in two stages: Stage 1 and Stage 2. The purposes of the two audits are explained below.

    The purpose of the stage 1 audit is to determine the focus for planning the stage 2 audit by gaining an understanding of the ISMS/ITSMS/BCMS in the light of the applicant organization's ISMS/ITSMS/BCMS policy and objectives as well as the organization's readiness for the audit.
    The purpose of the stage 2 audit is to confirm that the organization complies with its own policy, objectives and procedures, and that its ISMS/ITSMS/BCMS conforms to all requirements in the standards, ISO/IEC 27001 (JIS Q 27001), ISO/IEC 20000-1 (JIS Q 20000-1) or BS 25999-2, and is achieving the organization's policy and objectives.

  • The number of audit days depends on, e.g., the ISMS/ITSMS/BCMS scope and the size of the organization.
  • The period from application to registration depends on, e.g., the ISMS/ITSMS/BCMS scope and the size of the applicant organization, as well as the status of non-conformities found at the audits.
  • The certification bodies report the organization's registered information to JIPDEC. The information is posted on the JIPDEC website according to this report, but please note that it may take about a month, depending on when the report is submitted.

4. Certification maintenance

  • Once an organization is certified, surveillance audits are normally conducted once a year. The surveillance audits may sometimes be conducted at shorter intervals.
  • Recertification audits are carried out once every three years.