Audits are commonly used to ensure that an activity meets a set of defined criteria. For all ISO management system standards, audits are used to ensure that the management system meets the relevant standard’s requirements, the organisation’s own requirements and objectives, and remains efficient and effective. It will be necessary to conduct a programme of audits to confirm this.
What is an ISO 27001 audit?
An ISO 27001 audit involves a competent and objective auditor reviewing:
- The ISMS or elements of it and testing that it meets the standard’s requirements,
- The organisation’s own information requirements, objectives for the ISMS,
- That the policies, processes, and other controls are practical and efficient.
In addition to the overall compliance and effectiveness of the ISMS, the audit must check that risk is actually being managed. ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level, so it will be necessary to verify that the implemented controls do indeed reduce risk to a point where the risk owner(s) are prepared to tolerate the residual risk.
What are the types of audits?
The standard requires an organisation to plan and conduct a schedule of “internal audits” in order to claim compliance with the standard. Furthermore, if an organisation wishes to achieve certification, it will require “external audits” to be carried out by a “Certification Body” – an organisation with competent auditing resources for ISO 27001.
To ensure maximum benefit from the ISMS, it is strongly recommended to ensure that the certification body selected is accredited by a recognised supervising authority. Within the UK, certification bodies are accredited by UKAS – the United Kingdom Accreditation Service.
Internal audits, as the name would suggest, are those audits carried out by the organisation’s own resources. If the organisation does not have competent and objective auditors within its own staff, these audits can be carried out by a contracted supplier. These are often referred to as “2nd party audits” since the supplier acts as an “internal resource”.
The term “external audits” most commonly applies to those audits carried out by a certification body to gain or maintain certification. However, the term may also be used to refer to those audits carried out by other interested parties (e.g. partners or customers) wishing to gain their own assurance of the organisation’s ISMS. This is especially true when such a party has requirements that go beyond those of the standard.
Why are ISO 27001 audits important?
Without verifying how your ISMS is managed and how it performs, there is no real assurance that it is delivering against the objectives it was set up to fulfil.
Audits go some way to providing this assurance.
Why do I need to audit my ISMS?
There are many reasons for auditing your ISMS:
- The standard requires it – Clause 9.2 Internal audit mandates a programme of internal audits.
- To ensure that your ISMS is adequately implemented and operated.
- To ensure the ISMS meets the requirements of the standard.
- To ensure the ISMS meets the organisation’s own requirements.
- To ensure the ISMS meets the objectives set by the organisation for information security against Clause 6.2 Information security objectives and planning to achieve them.
- To ensure the ISMS is effective in reducing information security risks to a tolerable level.
- To ensure that any nonconformities and corrective actions are addressed in a timely manner.
- To ensure that information security weaknesses, events, and incidents are reported, managed, and resolved effectively and efficiently.
What’s involved with ISO 27001 internal audits?
- Documentation review – This is a review of the organisation’s policies, procedures, standards, and guidance documentation to ensure that it is fit for purpose and is reviewed and maintained.
- Evidential audit (or field review) – This is an audit activity that actively samples evidence to show that policies are being complied with, that procedures and standards are being followed, and that guidance is being considered.
- Analysis – Following on from documentation review and/or evidential sampling, the auditor will assess and analyse the findings to confirm if the standard requirements are being met.
- Audit report – An audit report will need to be prepared as required by the standard in Clause 9.2 f) and provided to management to ensure visibility.
- Management review – is a required activity under Clause 9.3 Management review, which must consider the findings of the audits carried out to ensure that corrective actions and improvements are implemented as necessary.
What’s involved in an external ISO 27001 audit?
The processes for external audit are essentially the same as for the internal audit programme but usually carried out to achieve and maintain certification.
The programme of external [certification] audits will be determined by the external auditors [certification body] but will follow a systematic requirement (see below).
The relevant auditor will provide a plan of the audit, and once the organisation confirms this, resources will be allocated and dates, times and locations agreed.
The audit will then be conducted following the audit plan.
How often are external audits carried out?
Different accreditation bodies around the world set out different requirements for the programme of certification audits; however, in the case of UKAS accredited certificates, this will include:
- Initial certification audit – conducted in 2 stages.
- Periodic surveillance audits – typically at 6 monthly or, at a minimum, annual intervals.
- Recertification audits conducted every 3 years.
What are the types and stages of external audits?
- Stage 1 Audit – “Documentation Review” establishes that the organisation has the required documentation for an operational ISMS.
- Stage 2 Audit – “Certification Audit” – an evidential audit to confirm that the organisation is operating the ISMS in accordance with the standard – i.e. that the documented policies, procedures, and standards are implemented, operational, and effective. This evidential audit is conducted on a sampling basis.
- Surveillance Audit – also known as a “Periodic Audit”, carried out on a scheduled basis between certification and recertification audits, focusing on one or more ISMS areas.
- Recertification Audit – Carried out before the certification period expires (3 years for UKAS accredited certificates) and is a more thorough review than those carried out during a surveillance audit. It covers all areas of the standard.
In addition to the formal certification external audits programme above, you may be required to undergo an external audit by an interested third party such as a customer, partner, or regulator. The relevant party will normally provide you with an audit plan and follow up with an audit report that should be fed into your ISMS Management Review.
Value of an ISO 27001 Audit with/without Certification
The organisation’s decision to achieve compliance and possibly certification to ISO 27001 will depend on implementing and operating a formal, documented ISMS. This will often be documented within a business case that will identify the expected objectives and return on investment.
Without certification, the organisation can only claim “compliance” to the standard, and this compliance is not assured by any accredited third party. If the reason for implementing the ISMS is only for improved security management and internal assurance, then this may be sufficient.
For maximum benefit and return on investment to be gained from the ISMS in terms of providing assurance to the organisation’s external interested parties and stakeholders, an independent, external, accredited certification audit programme will be required.
Remember that the only difference in effort between “compliance” and “certification” is the programme of external certification audits. To truly claim “compliance” with the standard, the organisation will still have to do everything the standard requires – self-tested “compliance” does not reduce the resources required or the effort involved in implementing and operating an ISMS.
Preparing for an ISO 27001 certification audit
When preparing for a certification audit, the following key points should be considered:
- Are the key processes of the ISMS implemented and operational?
  - Organisational context – Understanding and documenting the organisational context and requirements for information security, including interested parties. This will also include documenting the scope of the ISMS.
  - Risk & opportunity management – Has the organisation identified and assessed information security risks and opportunities and documented a treatment plan?
  - Leadership – Can strong top-level leadership be demonstrated, e.g. through the provision of resources and a documented commitment statement within the organisational security policy?
  - Internal audit – Has a programme of internal audits been documented, agreed and commenced in accordance with Clause 9.2?
  - Management review – Has the ISMS undergone a formal management review in accordance with Clause 9.3?
  - Corrective action and continual improvement – Can the organisation demonstrate that corrective actions and improvements are being managed and implemented in an effective and efficient manner?
- Are the required documents in place and approved?
  - ISMS scope statement (Clause 4.3)
  - Organisational information security policy (Clause 5.2)
  - Risk management method (Clause 6.1.2 & 6.1.3)
  - Risk register & treatment plan (Clause 6.1.3 e)
  - Statement of applicability (Clause 6.1.3 d)
  - Policies & processes required under Annex A where controls are applicable
- Are evidential records easy to locate and access?
- Have all staff and relevant contractors received information security education, training, and awareness?
It is also good practice to ensure that those who will be interviewed have been briefed about what to expect during the audit and how to respond. Also, ensure that they are able to easily access documents and evidence that may be requested by the auditor.
Who conducts ISO 27001 audits?
All audits against ISO 27001 must be carried out by competent and objective auditors.
To demonstrate competence for ISO 27001 audit, it is usually required that the auditor has demonstrable knowledge of the standard and of how to conduct an audit. This may be through attending an ISO 27001 Lead Auditor course, or through holding another recognised auditing qualification together with provable knowledge of the standard. It may be possible to show that an auditor is competent without formal training; however, this is likely to be a more difficult conversation with your certification body.
To demonstrate objectivity, it must be shown that the auditor is not auditing their own work and that they are not unduly influenced via their reporting lines.
It may be more practical for smaller organisations or those wanting clearer objectivity to bring in a contracted auditor.
Certification bodies will have checked their auditors for competence and should be prepared to demonstrate that to you on request.
How does ISMS.online make the audit process more efficient?
ISMS.online includes a pre-built audit programme project covering both internal and external audits and may also include audits against GDPR if you have taken this option.
The pre-built audit programme includes:
- Activities for 2 recommended audits before certification
- A plan of internal audits for the first 3-year certification period
- Placeholders for your external certification and periodic audits
As well as providing the audit programme project, the ability to quickly link to other work areas within the all-in-one-place ISMS.online platform means that linking audit findings to controls, corrective actions and improvements, and even risks is easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.