Audits are essential in helping organisations attain ISO 27001 certification. An auditor must perform both internal and external audits during this certification process to assess whether your ISMS complies with its standard.
The Stage 1 audit involves reviewing documentation that covers your policies and procedures, interviewing staff members, observing operational processes, and collecting evidence against employees who violate them.
Stage 1
Once your organisation has successfully completed the audit preparation phase, addressed any risks identified in its initial ISO 27001 audit, implemented controls to address them, and conducted an internal ISO 27001 audit, it’s time for certification. To be awarded certification status, both Stage 1 and Stage 2 audits must be successfully completed in order to gain compliance certification.
At Stage 1 audits, an external auditor will carefully review your ISMS documentation against ISO standards to confirm you have all the required documents in place. This may take two to six months, during which the audit team may conduct interviews with staff members and observe operational procedures and business processes first-hand before compiling a report detailing areas that require improvement (known as nonconformities), which must be addressed prior to commencing Stage 2 audits.
Stage 1 audit is a thorough assessment of your ISMS that looks at policies in action, compliance evidence against ISO clauses and controls, and ultimately makes a conformance determination. While more in-depth than full auditing procedures, Stage 1 auditing can still be completed remotely or on site.
Your internal auditor will then review the findings from the Stage 1 audit and produce a report outlining any identified issues and an action plan with timelines to address them. They may also identify areas for improving ISMS and any expected benefits as outlined by an accredited certification body; once complete, this report will be sent off for certification, resulting in your ISO 27001 certificate being delivered directly.
Your ISO 27001 certificate is valid for three years, during which period it’s important that you conduct surveillance audits to make sure your ISMS is still operating as intended and continue reducing information security risks to an acceptable level while safeguarding consumer and investor data. Audits are an integral component of maintaining ISO 27001 certification while showing your commitment to information security best practices. Your external auditor will inspect your ISMS during these audits to make sure you’re continually improving and adhering to information security protocols.
Stage 2
After successfully passing your Stage 1 audit, it’s time to prepare for your Stage 2 certification audit. Your auditor should send you a formal information request list so you have an idea of what they’ll be looking for during this second stage. Typically, this involves an on-site visit by an ISO 27001 audit team that wants to see how your ISMS is operating, speak with staff members, and gauge internal audits and management reviews to make sure they address risks effectively.
At this stage, the ISO 27001 auditor is likely to identify some observations or opportunities for improvement (OFIs). These should not be treated as nonconformances but should instead be seen as areas for your ISMS to improve on; as best practices dictate, OFIs should be resolved prior to your next audit. Once this process is completed and OFIs have been addressed, it’s time to start planning for the on-site Stage 2 audit.
Before your auditor arrives, it is a good idea to convene a kickoff meeting between your ISMS leadership team and any stakeholders who will be involved. This meeting should set the stage for the audit by creating an environment in which everyone understands what to expect during and after the audit and also giving leadership an opportunity to voice any issues or concerns with regards to the auditing process.
At an on-site Stage 2 audit, an auditor will scrutinise your ISMS documentation, its Statement of Applicability, internal audits and management reviews conducted, as well as any evidence in support of it. Essentially, this ISO 27001 audit seeks to ascertain whether your ISMS fulfils all requirements listed in Annex A.
Once you’ve successfully passed the Stage 2 audit, your ISO 27001 certificate will be awarded. Your organisation must then ensure compliance with this standard through surveillance audits and full reassessment every four years. Clients or partners may require certification before doing business with you, so it is vitally important that these regular audits occur.
Stage 3
ISO 27001 certification can be daunting, yet understanding its components can ease some anxiety. In this episode of our podcast, Ryan Mackie shares his experiences navigating both audit processes as we go over every part of his process.
Stage 1 of an audit, known as an initial review, provides a less intensive examination of your ISMS. Here, an auditor will look for key documents like information security policies and a Statement of Applicability, as well as potential nonconformities or opportunities for improvement; any such issues must be rectified with acceptable corrective action plans and evidence before moving onto Stage 2.
Stage 2 will involve your auditor visiting your organisation and interviewing managers and employees in order to assess if your business processes and Annex A controls match what’s written in the documentation. They will examine a sample of information assets, such as logs proving daily system backups, as well as reviewing documentation pertaining to your ISMS, audit reports, personal observations, interviews with employees or consultants, and personal observations from personal observation trips or interviews—collecting evidence that they then review before conducting tests to validate it all.
Once all evidence has been organised and reviewed, an auditor will compile a report for management that includes a summary of findings and audit tests performed, listing major and minor nonconformities along with opportunities for improvement. This report should then be presented to senior management as well as relevant individuals responsible for overseeing any necessary corrective action taken against it.
Once your ISMS is compliant, an auditor will issue a certificate valid for three years. After three years have passed, you must undergo a surveillance audit and submit evidence showing your ISMS meets its requirements as per standard. A successful surveillance audit will allow you to apply for another certificate.
Stage 4
ISO 27001 certification can be a time-consuming, effort-intensive endeavour that demands collaboration across your rganization. Furthermore, certification requires proof that effective policies and controls have been put in place that comply with standards, as well as an audit to prove this fact. Unfortunately, an audit can be an intimidating experience without adequate preparation.
To assist in the audit process, we will discuss what an ISO 27001 audit entails as well as what to expect during each stage. Furthermore, we’ll go over the costs involved with ISO 27001 certification as well as provide some tips to reduce these expenses.
At Stage 1, an auditor will review your ISMS on-site, performing an initial review to quickly check for key documentation like your Information Security Policy and Statement of Applicability, as well as meet mandatory requirements and ensure your ISMS is ready for Stage 2.
At this initial review stage, your auditor may uncover nonconformities to the ISO 27001 standard that need to be corrected before moving onto Stage 2. They could also identify opportunities for enhancement in your ISMS that should be taken advantage of to optimise it further.
Once your major and minor nonconformities have been corrected, the auditor will provide a report outlining his recommendations for certification. This document includes observations such as any major and minor nonconformities and OFIs discovered during the audit, providing you with an excellent opportunity to get any questions about audit findings answered while also preparing for an external ISO 27001 certification audit.
Your ISO 27001 certificate will remain valid for three years before it’s time for recertification auditing. During this process, an auditor will evaluate your entire ISMS, from Framework Clauses 4–10 and Annex A controls to looking at how its evolution over the past three years has reduced any new risks that have surfaced.