Question: Are external certifications and surveillance audits (e.g., ISO 27001, SOC 2) tracked and renewed on time?
Why This Matters
External certification provides assurance to customers and regulators. Timely renewals avoid loss of credibility and contractual risk.
Maturity
0 — Unaware
No record of certifications or expiry dates.
1 — Ad Hoc
Dates tracked by individual departments.
2 — Defined
Central register of certifications and surveillance audits.
3 — Managed
Renewal calendar and responsibility matrix in place.
4 — Integrated
Certification status linked to client assurance and the risk register.
5 — Optimized
Automated reminders and evidence dashboards for auditors and clients.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Collect a list of certifications and their issuers. |
| 1 → 2 | Create a central register with expiry dates. |
| 2 → 3 | Define owners and a renewal process. |
| 3 → 4 | Link certification status to risk and sales requirements. |
| 4 → 5 | Automate notifications and dashboards. |
Enablers
- People: Compliance Officer, Quality Manager, CISO
- Process: Track → Renew → Report
- Technology: GRC register / calendar system
Evidence
- Certification register
- Renewal reminders and records
- Audit reports and certificates
KPIs
- Number of active certifications
- Percentage renewed on time
- Average lead time for renewal preparation
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Register | Airtable / Odoo | Track certifications |
| Calendar | Google Calendar | Renewal alerts |
| Dashboard | Metabase | Visual status |
Common Pitfalls
- Expiry dates missed due to staff turnover
- Certificates not linked to scope statement
- No evidence of renewal follow-up
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 9.2 (Audit) / 10.1 (Improvement) |
| NIST CSF 2.0 | GV.MA / GV.OV |
| NIRMATA Mapping | CA-Q07 maintains external assurance continuity. |