Find an auditor
Going through an audit can be a nerve-racking process. When it comes to ISO 27001, the one thing you have to remember is that at its core, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant clauses. There are a few things you should consider when selecting an auditor:
- Accreditation: Ensure that your auditor is a member of ANSI National Accreditation Board (ANAB). ANAB assesses and accredits certification bodies. Only certified bodies can issue an ISO 27001 certification.
- Find a reputable firm. It doesn’t have to be a brand-name firm like KPMG; one with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of ISO 27001, how to evaluate controls against your organization, and the best practices that apply.
- Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies
Auditors are guided by the IIA standard Code of Ethics, which tasks auditors with being independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists, and helps them evaluate operational effectiveness (whether or not the control is performing as it should).
Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the ISO 27001 framework. These techniques may include:
- Observation: Observing you perform a task relevant to specific control.
- Inquiry: Interviewing you or your team to learn about a specific process.
- Inspection: Requesting evidence of compliance with a control.
Stage 1 vs. Stage 2 Audit
The audit process for ISO 27001 is broken down into two distinct stages.
In stage 1, an auditor reviews the ISMS, typically on-site, to determine if mandatory requirements are being met, and whether the management system is good enough to proceed to stage 2. This initial review is primarily focused on validating whether your ISMS is appropriately designed — whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard, and discuss planning for stage 2. Ideally, stage 1 should take place at most two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
In stage 2, the auditor will more thoroughly assess your ISMS, and evaluate whether its implemented effectively meets ISO 27001 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of the information in the document has to be identified and verified, the content of the document must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
At the end of this long journey, once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, and after you have implemented the corrective actions to address the auditor’s findings raised during stage 1 and 2, your auditor will give you their stamp of approval. and can now recommend you for certification.
Your ISMS files will then be reviewed by an independent and certified body, which will (with any luck) decide in your favor and grant you a certification. You can now shout from the rooftops (or post on your website) that you are ISO 27001 compliant…for now.
An ISO 27001 certificate is valid for three years, which in the world of compliance is relatively long. However, ISO 27001 imposes an additional “continual improvement” requirement. To maintain your certification, you must go through surveillance audits every year, in order to ensure that you’re continually improving and adhering to your information security protocols, rather than letting them stagnate.
Join the conversation