As ISO 27001 is the only standard that lays out specifications for an information security management system (ISMS), the certificate is highly regarded and internationally recognized. The certification deals primarily with customers’ data privacy and an organization’s perspective on the priority of protecting this information. So, if you have this certification in your toolbox, it inspires a tremendous amount of confidence in customers and shareholders alike. For this reason, it is quite an achievement to earn this certification because the process is no small feat. One of the most significant steps of the certification process involves an external security audit, which your organization must pass. While the audit during the certification process is the most thorough, you will also need to obtain yearly audit reports to verify that you continue to demonstrate ISO compliance. To ensure that you pass your audit with flying colors, we will walk you through the audit process, discussing the three stages of the audit in addition to the documents you will need to organize in preparation.
Three Stages of an External Audit
First and foremost, you should understand the purpose of the external audit. The ISO audit aims to confirm that your organization has implemented all ISO 27001 requirements as needed. The auditor will confirm that your ISMS is compliant and identify any potential issues with your ISMS that need improvement. The audit is divided into three stages. In stage one, the certification body reviews the documents and methodologies your organization adopted when implementing the ISO 27001 requirements. As this is the first stage, it is where the auditor will familiarize themselves with your company. They will review documents such as the Statement of Applicability, access control policy, inventory of assets, the scope of the ISMS, risk assessment, and risk treatment methodology. These documents will reveal the state of security in your organization in addition to your risk mitigation plans and controls.
As stage one auditors focus primarily on documentation, you will need to provide all required documents to pass. Before doing this, you need to understand the ISO 27001 standard. It's also essential to create a checklist of the mandatory documents and records that the auditors need, which we provide later in this blog. It's best practice to formulate a plan to pass the stage one audit rather than waiting until a few days before the audit to prepare; this ensures that you have all required documents and gives you time to gather any that are missing. It is typical to create this plan around six months before the audit. The audit is typically held onsite, and if you have multiple locations, it will likely be held at your headquarters. The stage one audit will be completed in one to two days, after which you can begin preparing for stage two. Auditors will provide you with feedback prior to stage two so that you can make any necessary changes.
The stage two audit will be conducted about a month or two after stage one. The certification body will return to your location to evaluate the implementation of the management system and determine your degree of compliance with ISO requirements. The second audit follows this process: audit plan, opening meeting, conduct audit, closing meeting, and audit report. Essentially, the certification body will send an audit plan to your organization in advance and follow it upon arrival. On the first day, they will hold a meeting to explain their rules and objectives for the audit. Following this, they will begin the audit, in which they review how your ISMS holds up in practice. You can expect them to interview team members and managers during this process. Once this is complete, they will hold a closing meeting to discuss any non-conformances or opportunities for improvement. This audit typically takes a few days, after which the auditor will summarize their findings in the audit report.
To prepare for stage two, you should establish a rapport with your auditors and thoroughly review their audit plan. You should also compile the documents provided in stage one, as the auditors will use them to reference your compliance. Next, you should prepare for interviews. This will be your chance to clarify any confusion and make sure team members are aware and ready. Preparation is critical for stage two, and once it is complete, you will move onto stage three.
The third stage of the external audit consists of the follow-up audits that confirm your organization remains compliant. To avoid surprises, organizations are advised to conduct internal audits regularly to ensure compliance before external audits. However, internal audits are typically checklist-oriented, so be aware that an internal auditor may overlook some inconsistencies and flaws. For this reason, we recommend you conduct these audits with an external auditor familiar with ISO 27001. Once you receive your certification, you should expect these audits to be conducted annually; they typically start one to two years following your certification. A recertification audit is held every three years to verify the strength of your organization's commitment to maintaining an effective ISMS.
Documents to Organize
Now that you understand the external audit process of ISO 27001, we will provide you with a list of mandatory documents and records. Use this as a checklist to ensure that you are fully prepared to pass your audit with every necessary document ready.
- Scope of the ISMS
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk treatment plan
- Risk assessment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Statutory, regulatory, and contractual requirements
- Records of training, skills, experience, and qualifications
- Monitoring and measurement results
- Internal audit program
- Results of internal audits
- Results of the management review
- Results of corrective actions
- Logs of user activities, exceptions, and security events
Once you have ensured that you have all mandatory documents and records, you can continue to prepare for your external audit. This process is vital to earning your ISO 27001 certification, so you should begin to prepare well in advance for your audit. While a time-consuming and in-depth process, the audit is the most significant step to verifying your compliance and dedication to information security. Once you have earned your certification, your organization will be recognized by all as fulfilling the highest standard of information security. This will demonstrate to customers, stakeholders, and team members that information security is a significant priority in your organization and you have taken the measures to achieve and maintain it.