ISO Certification

In today’s complex and ever-changing environment, organizations face increased oversight pressures and mounting challenges to satisfy a variety of compliance requirements. Balancing between managing new and persistent risks and fulfilling business priorities of revenue growth and cost savings can strain your organization’s resources.


We Understand Risk

Frank, Rimerman’s professionals not only help you to manage your IT risks but partner with your organization to turn risks into opportunities to drive business value. Through continuous learning about technology and compliance requirements that we employ for the benefit of our clients and our commitment to five-star service, Frank, Rimerman Information Security, LLC is well-positioned to help you reach your organization’s security, risk mitigation and compliance goals.

ISO 27001

ISO 27001 is a globally recognized standard that specifies the requirements for an information security management system (ISMS). An ISMS is a framework of policies and procedures to systematically manage information security risks within an organization.

ISO 27001 certification shows prospective and current customers, business partners, and the board, that your organization takes information security seriously. The certification improves your business reputation in the marketplace and can give you a competitive advantage helping to win new business.

ISO 27701

ISO 27701 provides a standard that provides guidance for organizations to establish, implement and maintain a privacy information management system (PIMS) as an extension to ISO/IEC 27001. PIMS is a framework for managing privacy risks associated with the collecting and processing of personally identifiable information (PII). It is designed to help organizations comply with privacy regulations, such as the General Data Protection Regulation (GDPR).

Ready to get your certification process started?

ISO Certification Process

The following certification activities are performed as part of the ISO 27001 Information Security Management System (ISMS) certification.

  • Readiness Assessment

    Frank, Rimerman Information Security can perform an optional ISO Readiness Assessment of the ISMS that includes reviewing the policies and procedures, including information system processes, to identify potential gaps in the client’s ISMS. The assessment informs an organization of necessary remediation to be better prepared for the initial ISO 27001 certification audit.

  • Certification Audit

    The initial certification is conducted to evaluate the organization’s ISMS documentation, implementation and monitoring. The initial audit is conducted in two stages, as follows:

    • Stage 1 Audit
      The first stage is composed of several components. First, it includes an audit of ISMS documentation that is the foundational information referenced during the Stage 2 audit. Second, it confirms the ISMS scope including the personnel, services, products, processes and sites. Third, the auditor verifies the organization has completed an internal audit including management’s review of the findings. Finally, the organization’s understanding of the standard is also evaluated during this stage.
    • Stage 2 Audit
      The second stage of the initial certification involves a detailed examination of the ISMS controls as noted in Annex A of the standards to determine if the organization has effectively implemented and is consistently monitoring its ISMS in accordance with ISO 27001. This stage is performed onsite with the organization’s process owners at its various locations as detailed in the agreed-upon audit plan.
  • Certification Decision Process

    The Frank, Rimerman Certification Body management team reviews the results of Stage 1 and Stage 2 assessments, the evidence provided, the corrections and corrective actions of any identified nonconformities and make the certification decision.  If the organization’s ISMS is approved for certification, Frank, Rimerman Information Security will issue an ISO 27001 certificate, which is valid for three years from the issuance date subject to the successful annual surveillance audits.


  • Surveillance Audit

    Surveillance audits are performed onsite at the organization’s sites as detailed in the audit program. These audits are required to verify that the organization continues to conform to the requirements of the standards and to confirm the initial scope remains valid. Surveillance audits are completed annually before the certification anniversary.

  • ISO/IEC 27701 Extension

    ISO 27701 is the data privacy extension to ISO 27001. Implementation of this standard can enhance privacy compliance and reduce the risk of privacy regulation infractions.  Organizations looking to get certified to ISO 27701 must either have an existing ISO 27001 certification or can implement ISO 27001 and ISO 27701 together simultaneously. 

  • Certificate Register

    Frank, Rimerman Information Security maintains a directory of valid certifications containing the certification number, company name, ISMS name, ISMS scope, the products and services covered, and the site(s).

    If you would like to verify the ISO certification of a specific client, please click here to fill out the form and we will contact you directly.

  • Independence and Impartiality

    Frank, Rimerman Information Security fully understands the importance of independence and impartiality. The firm is impartial, intellectually honest, and free of conflicts of interest. To ensure commitments to independence, impartiality and objectivity of its management systems certification activities.

    Our stated impartiality policy clearly identifies and assesses all relationships that may result in a conflict of interest or pose a threat to impartiality.  The policy helps ensure that our personnel are, and will remain, impartial in our certification activities.

    Frank, Rimerman will not provide any sort of advisory, management systems consulting services to assist in the design, selection, implementation of controls or internal audit services to meet the ISO requirements. This requirement does not prevent Frank, Rimerman from performing ISO pre-audit readiness assessment services.



    Frank, Rimerman Information Security clients may contest an application, certification, or other decision taken by the Firm. The appeal must be submitted by requesting and completing an Appeals document which will be provided by Frank, Rimerman via email. The Firm will acknowledge receipt of the appeal and notify the client of the status of the appeal. Firm personnel involved in the certification activity will not be involved in the matter of the appeal. Frank, Rimerman Information Security will ensure the investigation, and decision on an appeal submitted does not result in any discriminatory action taken against the client.

    Frank, Rimerman Information Security will give formal notice to the appellant at the end of the process.

    To file a confidential appeal, please send an email to [email protected] with “ISO Appeal”  in the subject line. 

  • Complaints

    Frank, Rimerman Information Security shall acknowledge the receipt of a complaint and will provide the client with progress on its resolution. The decision, formally communicated at the end of the complaint-handling process, will be communicated by individuals not previously involved in the subject of the complaint. Prior to disclosing any complaints against Frank, Rimerman Information Security or its clients, both parties will collectively discuss such matters unless disclosure is required by law.

    To file a confidential complaint, please email [email protected] with “ISO Complaint” in the subject line. 

  • Maintaining Certification

    Frank, Rimerman Information Security clients are responsible for maintaining the certified ISMS. If the client fails to complete the surveillance audits or recertification activities or fails to remediate major conformities within the specified time frame, the Firm will initiate certification suspension procedures. Suspension status will be communicated to the client, and the client has six months from the audit to remediate the issues, after which certification may be restored. If remediation is not completed, Frank, Rimerman Certification Body Management will determine if certification should be withdrawn, or the scope of certification reduced. The client should contact the Firm upon reduction or expansion of the ISMS scope to initiate the scope review process.

  • Use of Frank, Rimerman Information Security Certification Mark

    Use of Frank, Rimerman Information Security Certification Mark is restricted, and may not be used in a misleading manner, such as by implying that Frank, Rimerman certifies a product or that the Certification applies to activities outside the scope of the certification. Clients are required to discontinue the use of advertising matter that contains a reference to the certification upon suspension or withdrawal of the certification.


  • ISO/IEC 27001 and ISO/IEC 27701 services are provided by Frank, Rimerman Information Security, LLC which is accredited by the ANSI-ASQ National Accreditation Board (ANAB). As a certification body accredited by ANAB, Frank, Rimerman Information Security, LLC can certify our client’s ISMS conforms to the ISO/IEC 27001 and ISO/IEC 27701 standards.

    Frank, Rimerman Information Security LLC is an affiliate of Frank, Rimerman + Co. Although separate legal entities, Frank, Rimerman Information Services maintains a services agreement with Frank, Rimerman + Co, which provides access to the technical expertise, staffing capabilities and technologies of a larger, more diversified professional services firm.  

Contact Us

Our offices are located throughout the greater San Francisco Bay Area. If you would like to contact us, please call one of our office locations or send us a message.