ISO 27001 audit: How to run a successful audit

In this article:

• What is an ISO 27001 audit and why is it needed?
• What are the types of audits?
• How to conduct internal and external ISO 27001 audits?
• How to prepare for an ISO 27001 audit?
• How often should ISO 27001 audits be carried out?
• Who conducts an ISO 27001 audit?
• FAQ

What is an ISO 27001 audit and why is it needed?

An ISO 27001 audit is the process of evaluating an organisation's ISMS to determine if it aligns with the most recent information security practices set out by the ISO 27001 guidelines. The audit typically involves a review of the organisation's policies, procedures, and controls related to information security.

It is a mandatory step in the ISO 27001 certification process, which is an independent evaluation of how effective an organisation's information security practices are. ISO 27001 certification is not mandatory, but it can help to build trust and confidence with customers, partners, and other stakeholders.

The key objectives of an ISO 27001 audit are:

• Ensuring that your ISMS is adequately implemented, operated, and is successful in decreasing information security risks to a level that is manageable.
• Making certain that flaws and remedial measures are dealt with as soon as possible.
• Ensuring that information security flaws and events/incidents are properly reported, controlled and fixed.

ISO 27001 is intended to help an organisation keep its information security risks at a tolerable level; therefore, in addition to ensuring overall compliance and effectiveness of the ISMS, it will be necessary to make sure that the implemented measures reduce risk to the point where stakeholders are willing to tolerate the residual risk.

What are the types of audits?

Audits are essential to ensure your company’s operations are running smoothly. There are many types of audits and different ways to categorise them, but here, we focus on internal and external audits.

What is an internal audit?

An internal audit is an assessment done by a company's team or assigned auditors (for example, a partner). The primary focus is to review and evaluate internal controls, risk management procedures, and overall governance processes.

Internal audits help spot areas needing improvement, strengthen internal processes, and ensure compliance with organisational policies. Such audits are a way to keep things running as intended and make the company's systems work better over time.

What is an external audit?

An external audit is done by an independent external auditor or audit firm. The main goal is to provide an unbiased and independent assessment of an organisation's financial statements, compliance with regulations, or other specific areas.

External audits are often required for regulatory compliance or financial transparency to assure external stakeholders, such as investors, regulators, or the general public. Such audits are essential to instil confidence in a company's financial and operational information.

How to conduct internal and external ISO 27001 audits?

The ISO 27001 certification process is a rigorous and lengthy one that involves continuous audits and evaluations. There are two main types of ISO 27001 audits that an organisation can undertake: internal audits and external audits.

An internal audit is necessary for compliance regardless of whether or not an organisation is looking to be certified. However, an external audit is required for certification. Organisations must hire third-party Certification Bodies (CB) with competent auditing resources to perform external audits in accordance with ISO 27001 standards.

Let’s take a look at how both internal and external audits are conducted:

1. ISO 27001 internal audit

An ISO 27001 internal audit is a detailed review of your organization's ISMS to ensure that it fulfils the certification criteria. In contrast to a certification review, this audit is carried out by your own employees, and the results will be used to steer the development of your ISMS.

It is important to note that audits can be performed by a hired provider if the organisation lacks in-house auditors who are both skilled and objective. "2nd party audits" are commonly used since the supplier functions as an "inside resource" for the customer.

What are the steps in an internal ISO 27001 audit?

When getting certified, especially for the first time, the internal audit ensures everything is set up correctly for you to pass on your first attempt. Use an internal audit checklist to keep track of the necessary steps in the process. Here's a rundown of the steps in an internal audit:

1) Plan the internal audit

Careful planning is critical for a fool-proof process. It will serve as your roadmap and help you prepare for unforeseen obstacles.

• Create your audit plan: Initiate the internal audit process by developing a comprehensive audit plan. This document outlines the scope, objectives, and methodologies for the audit. It serves as a blueprint for the entire audit, ensuring a systematic and thorough examination of ISMS.
• Update the audit plan if needed: Flexibility is key in the audit planning phase. Regularly review and update the audit plan to accommodate organisational processes, risks, or regulatory requirement changes. This ensures that the audit remains relevant and effective in addressing current information security concerns.

2) Conduct the internal audit

It's time for action. Once the audit planning is in place, the next crucial phase in the ISO 27001 internal audit process is the actual execution of the audit. Conduct your internal audit by following these steps:

• Identify the control owners: Identify and engage with control owners who are responsible for specific aspects of the ISMS. Establish clear communication channels to streamline the audit process.
• Decide on your audit approach: Choose a suitable audit approach aligned with the audit objectives. Whether through interviews, document reviews, or observations, tailor the approach to the unique characteristics of the ISMS and organisational operations.
• Contact the control owners: Initiate communication with control owners to inform them about the impending audit. Discuss the audit scope, objectives, and the specific controls to be assessed.
• Arrange the audit meeting: Coordinate with control owners to schedule the audit meeting. This serves as a platform to set expectations, discuss the audit plan, and address initial queries or concerns.
• Conduct your first meeting: Reiterate audit objectives and scope during the initial meeting. Outline the audit process timeline and clarify roles and responsibilities.
• Perform the audit: Execute the audit according to the established plan and approach. Utilise selected methods to assess controls, ensuring a thorough examination of processes, documentation, and evidence.
• Perform documentation review and collect evidence: Examine relevant documents to assess compliance with ISO 27001 requirements. Systematically collect evidence to substantiate findings, providing a basis for audit results.
• Perform process review and collect evidence: Evaluate the effectiveness of processes related to information security. Identify gaps or areas for improvement and gather evidence to support observations.
• Discuss steps after the audit meeting: Engage in a post-audit discussion with control owners to review findings and gather insights.

3) Report your audit findings

After the internal audit is completed, the next critical phase is to communicate the findings to key stakeholders, such as the auditee and management review team.

• Report to the auditee: Communicate the audit findings transparently, highlighting strengths and areas for improvement within the ISMS while showing a proactive approach to address vulnerabilities.
• Report to the management review team: Submit a concise report outlining key audit observations and recommendations, enabling informed decision-making and resource allocation to enhance the organisation's overall information security posture.

4) Update the incident and corrective action log

Regularly add new incidents and actions to a log, keeping it current and serving as a central hub for tracking issues identified during the audit, ensuring a proactive approach to resolving and preventing similar problems.

5) Update the audit schedule

Continuously refine the audit schedule based on the outcomes of the internal audit, adjusting it to reflect changes in priorities, risks, or organisational processes. This will ensure that future audits remain pertinent and effective in addressing emerging information security challenges.

What are the benefits of doing an internal ISO 27001 audit?

Doing an internal ISO 27001 audit is like giving your organisation a health check for information security. It helps spot where you're doing well and where there might be weak points so you can strengthen them before real issues pop up.

Beyond meeting information security standards, internal ISO 27001 audits encourage a mindset of always getting better at keeping data safe. It's not just paperwork – it's a practical way to ensure your information security is top-notch and everyone on the team is on the same page.

So, even if you may not be aiming to get the ISO 27001 certification, an internal audit can provide insights on protecting your organisation from cybersecurity threats.

External Content: YouTube Video 

In order to be able to play the desired video, you agree that a connection to the servers of YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA is established. This transmits personal data (device and browser information (in particular the IP address and operating system) to the operator of the portal for usage analysis. 

You can find more information about the handling of your personal data in our privacy policy.

Watch Video 

Always unlock YouTube

2. ISO 27001 External Audit

External audits refer to audits conducted by certification bodies or by interested parties seeking assurance of an organisation's ISMS. These audits follow methodical criteria and are used to gain and maintain certification. External audits can be done by interested parties, but only a certification body can get an organisation certified.  

Before the audit is conducted, an audit plan is agreed upon, resources are assigned, and dates, hours and places are set by the external auditors or certification authorities. 

The following are the types of external audits and the stages of conducting them:

• Stage 1 Audit — Documentation Review — This determines if a functioning ISMS is in place and that all relevant paperwork is in place.
  (Conducted by: An external auditor) 
• Stage 2 Audit — Certification Audit — A fact-based audit to ensure that the ISMS is running in line with the standard and that the written policies and procedures are implemented. This audit is undertaken on a sample basis, and the results are analyzed.
  (Conducted by: Your certification body)
• Surveillance Audit - There are scheduled assessments conducted in between certification and recertification audits, which are called Periodic Audits. These assessments will focus on one or more aspects of an ISMS.
  (Conducted by: The ISO Registrar) 
• Recertification Audit — A recertification audit is a more extensive evaluation than a surveillance audit, and is conducted before the certification period ends (3 years for the United Kingdom Accreditation Service approved certifications). The standard is fully covered.
  (Conducted by: Your certification body) 
  
  

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.

How to prepare for an ISO 27001 Audit?

Preparing for an ISO 27001 audit involves having the right documents, preparing for interviews, assessing your management and much more. Consider the following key factors when preparing for an ISO 27001 audit:

1. Check if the key processes of the ISMS are implemented and operational

• Organisational context — This includes understanding and documenting the organisational environment and needs for information security, including interested stakeholders. The scope of the ISMS is documented in this manner.
• Risk and opportunity management — Identify and analyse your organisation’s information security threats and opportunities and document a treatment plan.
• Leadership — Your organisation’s security policy should have a written declaration and proof of resources that establish a strong, top-level leadership.
• Management review — Your organisation’s ISMS has to undergo a formal management review in accordance with (Clause 9.3)¹
• Corrective action and continuous improvement — Your organisation must manage and implement continuous corrective and improvement actions in an efficient and effective manner.
  Here are different types of corrective actions:
  
  • Minor non-conformities: These are issues that do not have a significant impact on the effectiveness of the information security management system (ISMS), but need to be corrected in order to maintain compliance.
  • Major non-conformities: These are issues that have a significant impact on the effectiveness of the ISMS and require immediate corrective action.
  • Observations: These are areas where the ISMS could be improved but are not considered non-conformities. These are often used as opportunities for improvement.
  • Preventive actions: These are actions taken to prevent non-conformities from occurring in the future.
  • Corrective actions: These are actions taken to correct non-conformities that have already occurred. 

2. Prepare all the documentation for the audit beforehand

To demonstrate your compliance with ISO 27001, your organisation must produce the following documents:

• ISMS Scope statement (Clause 4.3)¹
• Organisational information security policy (Clause 5.2)¹
• Risk management method (Clause 6.1.2 & 6.1.3)¹
• Risk register & treatment plan (Clause 6.1.3 e)¹
• Statement of applicability (Clause 6.1.3 d)¹
• Policies & processes required under Annex A where controls are applicable.

3. Make sure that evidential records are accessible and easy to locate

You must make sure that employees and subcontractors have easy access to papers, and evidence of information security issues is a vital part of the audit.

4. Prepare all employees for audit interviews

It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance.

It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance. Here are 6 steps to do so:  

1. Explain the purpose of the audit: Start by explaining to the individual why the audit is taking place, what the objectives are, and what the benefits of compliance are. This will help them understand the importance of the audit and its impact on the organization.
2. Provide an overview of the audit process: Provide the individual with a detailed overview of the audit process, including the scope, the timeline, the areas that will be audited, and the expected outcomes. This will help them understand what to expect and how to prepare.
3. Review the ISMS documentation: Review the organization's ISMS documentation with the individual to ensure they are familiar with the policies, procedures, and controls that are in place. This will help them understand how the organization manages information security and what their role is in this process.
4. Conduct a mock audit: Conduct a mock audit with the individual to help them understand what the actual audit process will be like. This will give them a chance to practice responding to questions and providing evidence of compliance.
5. Provide training on information security: Provide training on information security to the individual to ensure they have a good understanding of information security principles and best practices. This will help them answer questions and provide evidence of compliance during the audit.
6. Address any areas of concern: Address any areas of concern with the individual to ensure they are prepared to respond to questions related to those areas during the audit.

How often should ISO 27001 audits be carried out?

Like many standards, ISO 27001 does not specify how often an organisation needs to carry out an internal audit. That is because every organisation’s ISMS is different.

Internal ISO 27001 audits are recommended at least once a year by industry experts. This won’t always be practical. Therefore, you need to undertake an audit at least once every three years because it is the length that most ISO 27001 certification authorities validate an organisation’s ISMS for. After this, there is a significant likelihood the organisation will have ceased to comply with regulations altogether.

For external audits, different accreditation bodies around the world set out different requirements for the programme of certification audits; however, in the case of the United Kingdom Accreditation Service (UKAS) accredited certificates, this will include:

• Initial certification audit – conducted in 2 stages.
• Periodic surveillance audits – typically at 6 monthly or, at a minimum, annual intervals.
• Recertification audits are conducted every 3 years.

Who conducts an ISO 27001 audit?

Internal and external ISO 27001 audits are conducted by separate parties. The internal audit can be conducted by a team within the organisation or a qualified external party, while the external audit is conducted by an accredited certifying body. 

An internal ISO 27001 audit audits must be performed by auditors who are both competent and objective. To exhibit competence, an auditor must possess certain skills and present the following:

• Expertise in physical security, cyber security, computer security or other forms of information security
• A comprehensive knowledge of the standard and the auditing procedure.
• An ISO 27001 Lead Auditor training or a recognized auditing qualification and proof of understanding of the standard
• An awareness of the organisation's mission and goals, as well as its culture and willingness to take risks.

An auditor's competence can be demonstrated even without formal training. However, this may lead to some difficulties with your certifying body. There must also be a clear separation between the auditor's job and their reporting lines in order to prove objectivity.

For organisations looking for clearer objectivity, it may be more practical to bring in a certified auditor like DataGuard. This is because certifying bodies will have tested their auditors for competency and should be able to verify it to you on request.

Get help to run your ISO 27001 audit 

Running an ISO 27001 audit is vital for protecting your organisation's information. It pinpoints and mitigates risks while encouraging a culture of continuous improvement.

Getting ISO 27001 certified shows that your company is serious about security and follows the highest standards. This positions you as a transparent, trusted company and may even bring new customers and partners.

At the same time, ISO 27001 audits can be a complex journey, and certified auditors can help you navigate it. At DataGuard, we have a team of certified auditors who understand the ins and outs of information security. We offer practical consultancy services to support your organisation, providing insights in a simple, jargon-free manner.

Whether you're eyeing ISO 27001 certification or want to tighten up your security game, reach out to hear more and strengthen your organisation’s defences.

FAQs

How long does an ISO 27001 audit take?

As a rough estimate, a comprehensive ISO 27001 certification audit for a medium-sized organisation could take anywhere from a few weeks to a few months. The duration of an ISO 27001 audit can vary widely depending on several factors, including the size and complexity of the organisation, the scope of the ISMS, and the level of preparedness for the audit. Consult with the chosen certification body or auditors for a more accurate estimate.

Who needs to be ISO 27001 certified?

Though not a must, the ISO 27001 certification is relevant to any organisation managing information and data. The certification is widely embraced and often demanded by stakeholders because lacking proper policies and procedures poses risks to their information. ISO 27001 is now the norm in industries hit by cyber threats more heavily, for example, education, government, healthcare or communications. But with the rise in cybercrime, all businesses, big or small, should consider information security, and getting ISO 27001 certified is a good way to prioritise it.

What happens if you fail an ISO 27001 audit?

If an organisation fails an ISO 27001 audit, it typically faces corrective actions to address identified non-compliance, followed by a re-audit. Severe or persistent non-compliance may lead to the suspension or withdrawal of the ISO 27001 certification, impacting your organisation's reputation and trust. After a failed audit, you will receive a report that will be your go-to to identify what you need to change to pass the next audit. It is also recommended to speak with the auditors for further clarification on what needs improvement.

What do ISO auditors look for?

ISO auditors look for evidence of an organisation's compliance with specific ISO standards by assessing documentation, management system effectiveness, risk management, continuous improvement processes, personnel training, internal audits, monitoring and measurement practices, customer satisfaction monitoring, legal compliance, supplier management, and emergency preparedness. The focus is on ensuring that the organisation meets the requirements outlined in the applicable ISO standard and is committed to continual improvement.