Build or upgrade your ISMS on our platform

What is the ISO 27001 audit process?

What us involved in an ISO 27001 audit?

Audits are commonly used to ensure that an activity meets a set of defined criteria. For all ISO management system standards, audits are used to ensure that the management system meets the requirements of the relevant standard, the organisation’s own requirements and objectives, and remains efficient and effective. It will be necessary to conduct a programme of audits to confirm this.

What is an ISO 27001 audit?

An ISO 27001 audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that it meets the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS and that the policies, processes, and other controls are effective and efficient.

In addition to the overall compliance and effectiveness of the ISMS, an ISO 27001 audit is designed to enable an organisation to manage its information security risks to a tolerable level, it will be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

What are the types of audits?

The standard requires that an organisation is required to plan and conduct a schedule of “internal audits” in order to be able to claim compliance to the standard. Furthermore, if an organisation desires to achieve certification, then it will require “external audits” to be carried out by a “Certification Body” – an accredited organisation with the competent resources for auditing against ISO 27001.

To ensure maximum benefit from the ISMS, it is strongly recommended to ensure that the certification body selected is accredited by a recognised supervising authority. Within the UK, certification bodies are accredited by UKAS – the United Kingdom Accreditation Service. This is the only government mandated accreditation body in the UK.

Internal audit

Internal audits, as the name would suggest, are those audits carried out by the organisation on the organisational ISMS. If the organisation does not have competent and objective auditors within its own staff, these audits can be carried out by a contractor.

External audit

The term “external audits” most commonly applies to those audits carried out by a certification body for the purpose of gaining or maintaining certification, however, it may also be used to refer to those audits carried out by other interested parties (e.g. partners or customers) wishing to gain their own assurance of the organisation’s ISMS. This is especially true when such a party has requirements that go beyond those of the standard.

Why are ISO 27001 audits important?

Without verifying how your ISMS is managed and performs, there is no real guarantee of assurance that it is delivering against the objectives it is set to fulfil. Audits go some way to providing this assurance.

Why do I need to audit my ISMS?

There are a number of reasons for auditing your ISMS:

  • The standard requires it – clause 9.2, Internal audit mandates a programme of internal audits.
  • To ensure that your ISMS is adequately implemented and operated.
  • To ensure the ISMS meets the requirements of the standard.
  • To ensure the ISMS meets the organisation’s own requirements.
  • To ensure the ISMS meets the objectives set by the organisation for information security against clause 6.2 Information security objectives and planning to achieve them.
  • To ensure the ISMS is effective in reducing information security risks to a tolerable level.
  • To ensure that any nonconformities and corrective actions are addressed in a timely manner.
  • To ensure that information security weaknesses, events, and incidents are reported, managed, and resolved effectively and efficiently.

What’s involved with ISO 27001 internal audits?

Documentation review – This is a review of the organisation’s policies, procedures, standards, and guidance documentation to ensure that it is fit for purpose and is reviewed and maintained.

Evidential audit (or field review) – This is an audit activity that actively samples evidence to show that policies are being complied with, that procedures and standards are being followed, and that guidance is being considered.

Analysis – Following on from documentation review and/or evidential sampling, the auditor will assess and analyse the findings in order to confirm if the requirements of the standard are being met.

Audit report – An audit report will need to be prepared as required by the standard in Clause 9.2 f) and provided to management to ensure visibility.

Management review – This is a required activity under Clause 9.3 Management review which must consider the findings of the audits carried out to ensure that corrective actions and improvements are implemented as necessary.

What’s involved in an external ISO 27001 audit?

The processes for external audit are essentially the same as for the internal audit programme but usually carried out for the purpose of achieving and maintaining certification. The programme of external [certification] audits will be determined by the external auditors [certification body] but will follow a systematic requirement.

The relevant auditor will provide a plan of the audit and once this is confirmed by the organisation, resources will be allocated and dates, times and locations agreed. The audit will then be conducted following the audit plan.

How often are external audits carried out?

Different accreditation bodies around the world set out different requirements for the programme of certification audits, however, in the case of UKAS accredited certificates, this will include:

  • Initial certification audit – conducted in 2 stages.
  • Periodic surveillance audits – typically at 6 monthly or, at a minimum, annual intervals.
  • Re-certification audits conducted every 3 years.

What are the types and stages of external audits?

  • Stage 1 audit – “Documentation Review” to establish that the organisation has the required documentation for an operational ISMS.
  • Stage 2 audit – “Certification Audit” – an evidential audit to confirm that the organisation is operating the ISMS in accordance with the standard – i.e. that the documented policies, procedures, and standards are implemented, operational, and effective. This evidential audit is conducted on a sampling basis.
  • Surveillance audit – Also known as “Periodic Audits”, these are carried out on a scheduled basis in between certification and recertification audits and will focus on one or more areas of the ISMS.
  • Recertification audit – Carried out before the certification period expires (3 years for UKAS accredited certificates) and is a more thorough review than those carried out during a surveillance audit. It covers all areas of the standard.

In addition to the programme of formal certification external audits above, you may be required to undergo an external audit by an interested third party such as a customer, partner, or regulator. The relevant party will normally provide you with an audit plan and follow up with an audit report that should be fed into your ISMS Management Review.

The value of an ISO 27001 audit with/without certification

The organisation’s decision to achieve compliance and possibly certification to ISO 27001 will depend on the reasons for implementing and operating a formal, documented ISMS and this will often be documented within a business case that will identify the expected objectives and return on investment.

Without certification, the organisation can only claim “compliance” to the standard, and this compliance is not assured by any accredited third party. If the reason for implementing the ISMS is only for improved security management and internal assurance, then this may be sufficient.

For maximum benefit and return on investment to be gained from the ISMS in terms of providing assurance to the organisation’s external interested parties and stakeholders, an independent, external, accredited certification audit programme will be required.

Remember that the only difference in terms of effort between “compliance” and “certification” is the programme of external certification audits. This is because to truly claim “compliance” to the standard the organisation will still have to do everything required by the standard – self-tested “compliance” does not reduce the resources required and the effort involved in implementing and operating an ISMS.

Preparing for an ISO 27001 certification audit

When preparing for a certification audit the following key points should be considered:

Are the key processes of the ISMS implemented and operational?

  • Organisational context – Understanding and documenting the organisational context and requirements for information security including those of interested parties. This will also include documenting the scope of the ISMS
  • Risk & opportunity management – Has the organisation identified and assessed information security risks and opportunities and documented a treatment plan?
  • Leadership – Can strong top-level leadership be demonstrated – e.g. through the provision of resources and a documented commitment statement within the organisational security policy.
  • Internal audit – Has a programme of internal audits been documented, agreed and commenced in accordance with Clause 9.2?
  • Management review – Has the ISMS undergone a formal management review in accordance with Clause 9.3
  • Corrective action – Can the organisation demonstrate that corrective actions and improvements are being managed and implemented in an effective and efficient manner?

Are the required documents in place and approved?

  • ISMS scope statement (Clause 4.3)
  • Organisational information security policy (Clause 5.2)
  • Risk management method (Clause 6.1.2 & 6.1.3)
  • Risk register & treatment plan (6.1.3 e)
  • Statement of applicability (Clause 6.1.3 d)
  • Policies & processes required under Annex A where controls are applicable

Are evidential records easy to locate and access?

Have all staff and relevant contractors received information security education, training and awareness?

It is also good practice to ensure that those who will be interviewed have been briefed about what to expect during the audit and how to respond. Also, ensure that they are able to easily access documents and evidence that may be requested by the auditor.

Who conducts an ISO 27001 audit?

All audits against ISO 27001 must be carried out by competent and objective auditors.

To demonstrate competence for ISO 27001 audit, it is usually required that the auditor has demonstrable knowledge of the standard and how to conduct an audit. This may be through attending an ISO 27001 Lead Auditor course or through having another recognised auditing qualification and then provable knowledge of the standard. It can be possible to show that an auditor is competent without formal training, however, this is likely to be a more difficult conversation with your certification body.

To demonstrate objectivity, it must be shown that the auditor is not auditing their own work and that they are not unduly influenced via their reporting lines. For smaller organisations or those wanting clearer objectivity, it may be more practical to bring in a contracted auditor.

Certification bodies will have checked their auditors for competence and should be prepared to demonstrate that to you on request.

How does
ISMS.online make the audit process more efficient?

ISMS.online includes a pre-built audit programme project that covers both internal and external audits and may also include audits against GDPR if you have taken this option.

The pre-built audit programme includes:

  • Activities for 2 recommended audits prior to certification
  • A plan for internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

As well as providing the audit programme project, the ability to quickly link to other work areas within the all-in-one-place ISMS.online platform means that linking audit findings to controls, to corrective actions and improvements and even to risks is made easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.

Need more information? Please get in touch to speak to one of our experts today.

How often do I need to conduct an internal audit?

You need to conduct internal audits that cover the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit but it is more commonly broken down into smaller audits over the 3-year period.

It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It is recommended that you audit the management system requirements (Clauses 4-10) on an annual basis and this can be tied into your ISMS management review which also has to be conducted annually.

How much detail should you include in an ISO 27001 internal audit exercise?

The minimum required is that you document the areas audited, any evidence sampled, and any nonconformities and opportunities for improvement identified, however, it is good practice and provides significantly more benefit if you document all findings, including where something is working correctly – and it will provide a more positive feeling to the audit report.

What does an ISO 27001 certification audit involve?

An initial ISO 27001 certification audit involves:

Stage 1 audit - “Documentation Review” to establish that the organisation has the required documentation for an operational ISMS.

Stage 2 audit - “Certification Audit” – an evidential audit to confirm that the organisation is operating the ISMS in accordance with the standard – i.e. that the documented policies, procedures, and standards are implemented, operational, and effective. This evidential audit is conducted on a sampling basis.

To maintain your certification moving forwards, this involves:

Surveillance audits - Also known as “Periodic Audits” these are carried out on a scheduled basis in between certification and recertification audits and will focus on one or more areas of the ISMS.

Re-certification audit - Carried out before the certification period expires (3 years for UKAS accredited certificates) and is a more thorough review than those carried out during a surveillance audit. It covers all areas of the standard.