In today's world, data collection is an important part of marketing and sales in every organisation. It is critical for understanding customers and market potential. However, the risks of data collection take many forms, ranging from hackers to system failures to inadvertent data loss. Because of these concerns, an Information Security Management System (ISMS) is critical, and ensuring that your systems are certified and up to date will increase your credibility in the eyes of your customers. An ISO 27001 audit is the first step on your path to a secure and clear legal environment.
This article outlines the ISO 27001 regulations, how to conduct an internal and external audit, and the benefits to your organisation.
In this article:
- What is an ISO 27001 audit and why is it needed?
- How to conduct internal and external ISO 27001 audits?
- How to prepare for an ISO 27001 audit?
- How often should ISO 27001 audits be carried out?
- Who conducts an ISO 27001 audit?
What is an ISO 27001 audit and why is it needed?
As part of the ISO 27001 certification process, a number of audits must be carried out to help you identify areas for development, ensure that you have best-practice processes in place, and verify that your organisation's information and data are secure.
The key objectives of an ISO 27001 audit are:
- Ensuring that your ISMS is adequately implemented, operated, and is successful in decreasing information security risks to a level that is manageable.
- Making certain that flaws and remedial measures are dealt with as soon as possible.
- Ensuring that information security flaws and events/incidents are properly reported, controlled and fixed.
ISO 27001 is intended to help an organisation keep its information security risks at a tolerable level; therefore, in addition to ensuring overall compliance and effectiveness of the ISMS, it will be necessary to make sure that the implemented measures reduce risk to the point where stakeholders are willing to tolerate the residual risk.
How to conduct internal and external ISO 27001 audits?
The ISO 27001 certification process is not a short one. Your organisation's compliance with the applicable ISO standard is verified through a series of interconnected, continuous audits and evaluations.
Certification requires an organisation to prepare and carry out a series of internal audits, as well as external audits performed by a third-party organisation with competent auditing resources, in accordance with ISO 27001.
There are two main types of ISO 27001 audits: internal audits and external audits.
1. ISO 27001 internal audit
An ISO 27001 internal audit is a detailed review of your organisation's ISMS to ensure that it fulfils the certification criteria. In contrast to a certification review, this audit is carried out by your own employees, and the results are used to steer the development of your ISMS.
It is important to note that internal audits can be performed by a hired provider if the organisation lacks in-house auditors who are both skilled and objective. Such audits are commonly called "second-party audits", since the supplier functions as an "inside resource" for the customer.
Here are the main steps in conducting an internal audit:
- Step 1 — Documentation Review — Start by reviewing the documentation developed during the implementation of your ISMS. This clearly defines the scope of your audit and makes sure that it matches the extent of your organisation. It is also important to identify the primary stakeholders of the ISMS so that, if any documentation is needed during the audit, you know whom to request it from.
- Step 2 — Management Review — During this phase, the audit activity begins to take place. Before implementing an audit plan, speak with management to determine the best time and resources for conducting the audit. Often this requires setting up regular checkpoints at which you give management interim updates. This early meeting with management gives both sides a chance to voice any concerns they may have.
- Step 3 — Field Review — This is the part of the audit that actively samples evidence to show that regulations are being complied with, that procedures and standards are being followed, and that guidance is being considered.
You will need to:
- Observe how the ISMS works in practice by speaking with front-line staff members.
- Perform audit tests to validate evidence as it is gathered.
- Complete audit reports to document the results of each test.
- Review ISMS documents, printouts and any other relevant data.
- Step 4 — Analysis — Analysing the audit data in light of your organisation's overall risk management strategy and control goals is a must. Occasionally, this examination uncovers inconsistencies in the evidence or highlights the need for further audits.
- Step 5 — Report — Afterwards, you will have to deliver the audit findings to your management. An ISO 27001 internal audit report should contain the following:
- Details of the scope, objectives, time frame and amount of work done.
- An executive summary of the most important findings that provides a high-level analysis and draws conclusions.
- The target audience for the report and, if necessary, rules for its classification and distribution.
- An in-depth analysis of the findings. Conclusions and recommended corrective actions.
- Documentation outlining specific suggestions or restrictions.
Further review and revision may be required because the final report involves management committing to an action plan.
2. ISO 27001 External Audit
As with the internal audit process, external audits are commonly used to obtain and maintain certification.
External audits are set by the external auditors or certification bodies, who follow methodical criteria. Once an audit plan is agreed upon, resources are assigned and dates, hours and places are set, and the audit is then carried out in accordance with the audit strategy.
The following are the types of external audits and the stages of conducting them:
- Surveillance Audit - Scheduled assessments conducted between the certification and recertification audits, also called periodic audits. Each assessment focuses on one or more aspects of the ISMS.
- Recertification Audit — A recertification audit is a more extensive evaluation than a surveillance audit, and is conducted before the certification period ends (3 years for certifications accredited by the United Kingdom Accreditation Service). It covers the full standard.
- Stage 1 Audit — Documentation Review — This determines whether a functioning ISMS exists and whether all relevant documentation is in place.
- Stage 2 Audit — Certification Audit — A fact-based audit to ensure that the ISMS is running in line with the standard and that the written policies and procedures are actually implemented. This audit is undertaken on a sample basis, and the results are analysed.
At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.
How to prepare for an ISO 27001 Audit?
Preparing for an ISO 27001 audit involves having the right documents, preparing for interviews, assessing your management and much more. Consider the following key factors when preparing for an ISO 27001 audit:
1. Are the key processes of the ISMS implemented and operational?
- Organisational context — This includes understanding and documenting the organisational environment and its information security needs, including interested stakeholders. The scope of the ISMS is documented as part of this.
- Risk and opportunity management — Identify and analyse your organisation's information security risks and opportunities and document a treatment plan.
- Leadership — Your organisation's security policy should be a written declaration, backed by evidence of allocated resources, that demonstrates strong top-level leadership commitment.
- Management review — Your organisation's ISMS has to undergo a formal management review in accordance with Clause 9.3.
- Corrective action and continuous improvement — Your organisation must manage and implement corrective and improvement actions continuously, in an efficient and effective manner.
2. Do you have the documents required for the audit?
To demonstrate your compliance with ISO 27001, your organisation must produce the following documents:
- ISMS scope statement (Clause 4.3)
- Organisational information security policy (Clause 5.2)
- Risk management method (Clauses 6.1.2 & 6.1.3)
- Risk register & treatment plan (Clause 6.1.3 e)
- Statement of applicability (Clause 6.1.3 d)
- Policies & processes required under Annex A where controls are applicable.
3. Are evidential records easy to locate and access?
Making sure that employees and subcontractors can easily access documents and evidence relating to information security issues is a vital part of the audit.
4. Are your employees prepared for audit interviews?
It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance.
Do you need help with preparation for the audit? Find out how our information security consultants can help you.
How often should ISO 27001 audits be carried out?
Like many standards, ISO 27001 does not specify how often an organisation needs to carry out an internal audit. That is because every organisation’s ISMS is different.
Industry experts recommend internal ISO 27001 audits at least once a year. This won't always be practical, but you need to undertake an audit at least once every three years, because that is the period for which most ISO 27001 certification bodies validate an organisation's ISMS. Beyond this, there is a significant likelihood that the organisation will have ceased to comply altogether.
For external audits, different accreditation bodies around the world set out different requirements for the programme of certification audits; however, in the case of the United Kingdom Accreditation Service (UKAS) accredited certificates, this will include:
- Initial certification audit – conducted in two stages.
- Periodic surveillance audits – typically at six-monthly or, at a minimum, annual intervals.
- Recertification audits – conducted every three years.
Who conducts an ISO 27001 audit?
All ISO 27001 audits must be performed by auditors who are both competent and objective. To exhibit competence, an auditor must possess certain skills and present the following:
- Expertise in physical security, cyber security, computer security or other forms of information security.
- A comprehensive knowledge of the standard and the auditing procedure.
- ISO 27001 Lead Auditor training or a recognised auditing qualification, together with proof of understanding of the standard.
- An awareness of the organisation's mission and goals, as well as its culture and risk appetite.
An auditor's competence can be demonstrated even without formal training; however, this may lead to some difficulties with your certifying body. To demonstrate objectivity, there must also be a clear separation between the auditor's role and their reporting lines.
For organisations looking for clearer objectivity, it may be more practical to bring in a certified auditor like DataGuard. This is because certifying bodies will have tested their auditors for competency and should be able to verify it to you on request.
The ISO 27001 audit is a vital part of maintaining compliance with your organisation's ISMS. With its main objective being to ensure that an organisation's ISMS is adequately implemented and operated, an accreditation in ISO 27001 will allow your organisation to retain confident customers and stakeholders.
Likewise, it is fundamental for organisations to understand when ISO 27001 audits are required and gauge the importance of having certified auditors to carry out the job.
DataGuard advises organisations from different backgrounds on topics including Privacy by Design and Default, data exchanges with third party service providers and product erasure principles.
Need help navigating the world of information security, or in preparing for a certification audit? We are happy to help — Get in touch with one of our experts today.