Preparing for an ISO 27701 audit
If you’ve been through an ISO 27701 audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. If you haven’t, we want you to close your eyes, go to your happy place… and then imagine it being slowly filled with spreadsheets from floor to ceiling.
Typically, ISO 27701 is done in conjunction with ISO 27001. After you’ve made the decision to pursue an ISO 27701 & ISO 27001 attestation, here’s something to keep in mind when drafting your audit preparation strategy. You may want to create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team will also be hugely beneficial.
The ISO 27001 & ISO 27701 process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity, and ensure you are staffed accordingly.
The first thing you may want to do is examine the clauses and Annexes of ISO 27001 & ISO 27701. ISO 27701 is an extension of ISO 27001, so all 10 clauses and Annex A must be implemented first before you can implement the requirements from ISO 27701. The following five steps will guide you in this process, but it can feel like an overwhelming undertaking, and while you can certainly do it by yourself, give us a call if you’d like some help — it’s what we do day in, day out.
Step 1: Understanding the Audit Process
Before we dive into the details around preparing for an ISO 27701 audit, let’s take a step back and start by outlining the three stages that make up the ISO 27701 certification process itself. Keeping this broader view in mind will save you time and help you better structure your preparation.
In stage 1, the auditor you selected will review your ISMS-PIMS, typically on-site, to determine if mandatory requirements are being met, and whether the management system is good enough to proceed to stage 2.
This initial review is primarily focused on validating whether your ISMS-PIMS is appropriately designed — whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard, and discuss planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
In stage 2, the auditor will conduct a more thorough assessment of your ISMS-PIMS, and evaluate whether it is implemented effectively and meets ISO 27001 & ISO 27701 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of any documented information must be identified and verified, documents must be written with integrity, and documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
Once the first two stages are completed, you can now apply for certification. This process can be facilitated by your auditor, who will assist in submitting your ISMS-PIMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.
However, the ISO 27001-ISO 27701 process doesn’t end when you obtain your certification. To maintain your certification, you must go through surveillance audits every year, in order to ensure that you’re continually improving and adhering to your information security protocols, rather than letting them stagnate. Additionally, the certification itself is only valid for three years!
Understanding the certification process is important as it helps you gauge the continual effort you need to put into maintaining compliance.
You now understand the level of commitment, time and dedication required to implement and manage an effective ISMS-PIMS program. Now that you know what you are in for, you can start to gauge your level of readiness.
Step 2: Take an Inventory
A good starting point is to take stock of your resources and team. Given the level of effort required to become ISO 27001-ISO 27701 compliant, it is important that knowledgeable team members lead the effort. If your team doesn’t have the right skill set, you may want to consider hiring people with the appropriate expertise. In fact, having the right people in place is a key requirement to demonstrate compliance with clause 7.2, which dictates that your ISMS-PIMS must be managed by competent, properly trained employees.
Once an experienced team is in place, you’ll need to create an inventory of your business, systems, and assets, and map those to the control requirements outlined in ISO 27001-ISO 27701’s ten clauses and Annexes. You can generally do this in one of two ways:
Doing It Yourself
You can open up Excel, and start manually mapping each of the clauses and subsequent requirements to your existing controls, policies, and procedures. This requires you to have (or, most likely, obtain) a deep understanding of the standard’s often complex requirements.
Using A Compliance Automation Tool
With a compliance automation tool such as TrustOps, you simply upload your business stack, sit back, and watch as the tool auto-generates controls, tests, and policies, each mapped to the appropriate ISO 27001-ISO 27701 clause or control.
We’ve experienced the DIY route first-hand, and decided to build a tool to save you from having to spend countless months buried in spreadsheets. We sincerely hope that you learn from us and don’t pick the DIY option.
Once your mapping is complete, you’ll need to compare what you have with what the standard requires, and find where your gaps are. You’ll then use this gap analysis to help add and implement specific processes, documentation, and controls. Your gaps are now your to-do list.
Step 3: Implementing a Management Review Program
When it comes to ISO 27001-ISO 27701, senior management has a tremendous amount of responsibility. If you thought you could simply hire a dedicated team and take a step back, you will be disappointed. In fact, clause 9.3 explicitly states: senior management shall review the organization’s Information Security Management System at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
ISO 27001-ISO 27701 also requires the implementation of a management review team. This team should be composed of senior management, and reviews should take place often enough to ensure that the ISMS-PIMS continues to be effective. Additionally, these meetings must conform to specific guidelines: they must occur on a predefined, periodic basis; meeting notes and action items must be recorded; specific agenda items must be discussed.
Step 4: Adopt Controls
Your to-do list will quickly fill up with documents and controls that you need to have in place.
If you’re using a compliance automation tool such as TrustOps, you should be covered! At TrustCloud, we’re always working to save you from wasting your time and energy on spreadsheets and menial tasks, so we’ve analyzed the ISO 27001 – ISO 27701 requirements and designed a comprehensive set of controls and policies for you to adopt. We’ve also mapped out the evidence requirement for each control in plain English, translated from the original legalese. We’ll automatically learn where you are, and help you understand what you need to do to get where you want to go.
Some ISO 27001 – ISO 27701 controls require you to implement security tools and services to improve your security and business processes, and you will need to research, purchase, and configure these appropriately. Examples include performing pen testing, enrolling in asset management, and conducting background checks. This is another area where it pays to do your homework, or have some guidance — depending on your organization’s processes, as well as the workload of your employees, the procurement process can stretch on and become a significant risk factor in your adoption of the standard.
Throughout this process, you should be gathering evidence to show that you are fully compliant with all relevant controls, writing or amending policies, and documenting procedures that explain how specific controls are satisfied.
Step 5: Conducting an Internal Audit
One of the biggest pain points for companies preparing for an ISO 27001 - ISO 27701 audit is meeting the requirement of clause 9.2. This clause requires that the organization conduct internal audits, to provide information on whether the ISMS-PIMS both conforms to the organization’s own requirements for its ISMS-PIMS (9.2a) and conforms to the requirements of the standard (9.2b).
In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.
Some companies choose to instead hire an external consultant. This can be a good option, as long as the consultant is competent and has unrestricted access to records and personnel to perform their review without issues.
The ISO certification obtained after stage 3 (read the process section above for further details) is valid for three years. However, it is a requirement that annually, an ISO ‘surveillance’ audit is performed to continually reassess conformance of your ISMS.