ISO 27001 audit: How to conduct a successful audit

In this article:

• What is an ISO 27001 audit and why is it needed? 
• How to conduct internal and external ISO 27001 audits? 
• How to prepare for an ISO 27001 audit?
• How often should ISO 27001 audits be carried out?
• Who conducts an ISO 27001 audit?
• Conclusion

What is an ISO 27001 audit and why is it needed?

An ISO 27001 audit is the process of evaluating an organisation's ISMS to determine if it aligns with the most recent information security practices set out by the ISO 27001 guidelines. The audit typically involves a review of the organisation's policies, procedures, and controls related to information security.

It is a mandatory step in the ISO 27001 certification process, which is an independent evaluation of how effective an organisation's information security practices are. ISO 27001 certification is not mandatory, but it can help to build trust and confidence with customers, partners, and other stakeholders.

The key objectives of an ISO 27001 audit are:

• Ensuring that your ISMS is adequately implemented, operated, and is successful in decreasing information security risks to a level that is manageable.
• Making certain that flaws and remedial measures are dealt with as soon as possible.
• Ensuring that information security flaws and events/incidents are properly reported, controlled and fixed.

ISO 27001 is intended to help an organisation keep its information security risks at a tolerable level; therefore, in addition to ensuring overall compliance and effectiveness of the ISMS, it will be necessary to make sure that the implemented measures reduce risk to the point where stakeholders are willing to tolerate the residual risk.

How to conduct internal and external ISO 27001 audits?

The ISO 27001 certification process is a rigorous and lengthy one that involves continuous audits and evaluations. There are two main types of ISO 27001 audits that an organisation can undertake: internal audits and external audits.

An internal audit is necessary for compliance regardless of whether or not an organisation is looking to be certified. However, an external audit is required for certification. Organisations must hire third-party (Certification Bodies (CB) with competent auditing resources to perform external audits in accordance with ISO 27001 standards.

Let’s take a look at how both internal and external audits are conducted:

1. ISO 27001 internal audit

An ISO 27001 internal audit is a detailed review of your organization's ISMS to ensure that it fulfils the certification criteria. In contrast to a certification review, this audit is carried out by your own employees, and the results will be used to steer the development of your ISMS.

It is important to note that audits can be performed by a hired provider if the organisation lacks in-house auditors who are both skilled and objective. "2nd party audits" are commonly used since the supplier functions as an "inside resource" for the customer.

What are the steps in an ISO 27001 internal audit?

1. Audit planning:

• Create your audit plan
• Update the audit plan if required

2. Conducting the internal audits:

• Identify the control owners
• Decide on your audit approach
• Contact the control owners
• Arrange the audit meeting
• Conduct your first meeting
• Perform the audit
• Perform documentation review and collect evidence
• Perform process review and collect evidence
• Discuss steps after the audit meeting

3. Reporting your audit findings to:

• To auditee
• To management review team

4. Updating the incident and corrective action log

5. Updating the audit schedule 

2. ISO 27001 External Audit

External audits refer to audits conducted by certification bodies or by interested parties seeking assurance of an organisation's ISMS. These audits follow methodical criteria and are used to gain and maintain certification. External audits can be done by interested parties but only a certification body can get an organisation certified.  

Before the audit is conducted, an audit plan is agreed upon, resources are assigned, and dates, hours and places are set by the external auditors or certification authorities. 

The following are the types of external audits and the stages of conducting them:

• Stage 1 Audit — Documentation Review — This determines if a functioning ISMS is in place and that all relevant paperwork is in place.
  (Conducted by: An external auditor) 
• Stage 2 Audit — Certification Audit — A fact-based audit to ensure that the ISMS is running in line with the standard and that the written policies and procedures are implemented. This audit is undertaken on a sample basis, and the results are analyzed.
  (Conducted by: Your certification body)
• Surveillance Audit - There are scheduled assessments conducted in between certification and recertification audits, which are called Periodic Audits. These assessments will focus on one or more aspects of an ISMS.
  (Conducted by: The ISO Registrar) 
• Recertification Audit — A recertification audit is a more extensive evaluation than a surveillance audit, and is conducted before the certification period ends (3 years for the United Kingdom Accreditation Service approved certifications). The standard is fully covered.
  (Conducted by: Your certification body) 
  
  

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.

How to prepare for an ISO 27001 Audit?

Preparing for an ISO 27001 audit involves having the right documents, preparing for interviews, assessing your management and much more. Consider the following key factors when preparing for an ISO 27001 audit:

1. Check if the key processes of the ISMS are implemented and operational

• Organisational context — This includes understanding and documenting the organisational environment and needs for information security, including interested stakeholders. The scope of the ISMS is documented in this manner.
• Risk and opportunity management — Identify and analyse your organisation’s information security threats and opportunities and document a treatment plan.
• Leadership — Your organisation’s security policy should have a written declaration and proof of resources that establish a strong, top level leadership.
• Management review — Your organisation’ ISMS has to undergo a formal management review in accordance with (Clause 9.3)¹
• Corrective action and continuous improvement — Your organisation must manage and implement continuous corrective and improvement actions in an efficient and effective manner.
  Here are different types of corrective actions:
  
  • Minor non-conformities: These are issues that do not have a significant impact on the effectiveness of the information security management system (ISMS), but need to be corrected in order to maintain compliance.
  • Major non-conformities: These are issues that have a significant impact on the effectiveness of the ISMS and require immediate corrective action.
  • Observations: These are areas where the ISMS could be improved but are not considered non-conformities. These are often used as opportunities for improvement.
  • Preventive actions: These are actions taken to prevent non-conformities from occurring in the future.
  • Corrective actions: These are actions taken to correct non-conformities that have already occurred. 

2. Prepare all the documentation for the audit beforehand

To demonstrate your compliance with ISO 27001, your organisation must produce the following documents:

• ISMS Scope statement (Clause 4.3)¹
• Organisational information security policy (Clause 5.2)¹
• Risk management method Clause (6.1.2 & 6.1.3)¹
• Risk register & treatment plan Clause (6.1.3 e)¹
• Statement of applicability Clause (6.1.3 d)¹
• Policies & processes required under Annex A where controls are applicable.

3. Make sure that evidential records are accessible and easy to locate

You must make sure that employees and subcontractors have easy access to papers, and evidence of information security issues is a vital part of the audit.

4. Prepare all employees for audit interviews

It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance.

It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance. Here are 6 steps to do so:  

1. Explain the purpose of the audit: Start by explaining to the individual why the audit is taking place, what the objectives are, and what the benefits of compliance are. This will help them understand the importance of the audit and its impact on the organization.
2. Provide an overview of the audit process: Provide the individual with a detailed overview of the audit process, including the scope, the timeline, the areas that will be audited, and the expected outcomes. This will help them understand what to expect and how to prepare.
3. Review the ISMS documentation: Review the organization's ISMS documentation with the individual to ensure they are familiar with the policies, procedures, and controls that are in place. This will help them understand how the organization manages information security and what their role is in this process.
4. Conduct a mock audit: Conduct a mock audit with the individual to help them understand what the actual audit process will be like. This will give them a chance to practice responding to questions and providing evidence of compliance.
5. Provide training on information security: Provide training on information security to the individual to ensure they have a good understanding of information security principles and best practices. This will help them answer questions and provide evidence of compliance during the audit.
6. Address any areas of concern: Address any areas of concern with the individual to ensure they are prepared to respond to questions related to those areas during the audit.

How often should ISO 27001 audits be carried out?

Like many standards, ISO 27001 does not specify how often an organisation needs to carry out an internal audit. That is because every organisation’s ISMS is different.

Internal ISO 27001 audits are recommended at least once a year by industry experts. This won’t always be practical, therefore you need to undertake an audit at least once every three years because it is the length that most ISO 27001 certification authorities validate an organisation’s ISMS for. After this, there is a significant likelihood the organisation will have ceased to comply with regulations altogether.

For external audits, different accreditation bodies around the world set out different requirements for the programme of certification audits; however, in the case of the United Kingdom Accreditation Service (UKAS) accredited certificates, this will include:

• Initial certification audit – conducted in 2 stages.
• Periodic surveillance audits – typically at 6 monthly or, at a minimum, annual intervals.
• Recertification audits are conducted every 3 years.

Who conducts an ISO 27001 audit?

Internal and external ISO 27001 audits are conducted by separate parties. The internal audit can be conducted by a team within the organisation or a qualified external party, while the external audit is conducted by an accredited certifying body. 

An internal ISO 27001 audit audits must be performed by auditors who are both competent and objective. To exhibit competence, an auditor must possess certain skills and present the following:

• Expertise in physical security, cyber security, computer security or other forms of information security
• A comprehensive knowledge of the standard and the auditing procedure.
• An ISO 27001 Lead Auditor training or a recognized auditing qualification and proof of understanding of the standard
• An awareness of the organisation's mission and goals, as well as its culture and willingness to take risks.

An auditor's competence can be demonstrated even without formal training. However, this may lead to some difficulties with your certifying body. There must also be a clear separation between the auditor's job and their reporting lines in order to prove objectivity.

For organisations looking for clearer objectivity, it may be more practical to bring in a certified auditor like DataGuard. This is because certifying bodies will have tested their auditors for competency and should be able to verify it to you on request.

Conclusion

The ISO 27001 audit is a vital part of maintaining compliance with your organisation's ISMS. With its main objective being to ensure that an organisation's ISMS is adequately implemented and operated, an accreditation in ISO 27001 will allow your organisation to retain confident customers and stakeholders.

Likewise, it is fundamental for organisations to understand when ISO 27001 audits are required and gauge the importance of having certified auditors to carry out the job.

DataGuard advises organisations from different backgrounds on topics including Privacy by Design and Default, data exchanges with third-party service providers and product erasure principles.

Need help navigating the world of information security, or in preparing for a certification audit? We are happy to help — Get in touch with one of our experts today.

FAQs

How long does an ISO 27001 audit take?

An ISO 27001 audit can take anywhere from a few days to several weeks, depending on factors like the size and complexity of the organisation, the scope of the audit, the number of auditors involved, and the readiness of the organisation. For a smaller organisation, the audit may take only a few days, while for larger and more complex organisations, the audit can take up to several weeks or even months.

Who needs to be ISO 27001 certified?

It isn’t mandatory for organisations to get ISO 27001 certification. But it is recommended for any organisation that deals with sensitive or private information and wants to show its stakeholders that it has good information security management practices in place. Organisations that may want ISO 27001 certification include, but are not limited to, businesses, government agencies, healthcare providers, and financial institutions.

What happens if you fail an ISO 27001 audit?

Failure to comply with ISO 27001 standards during an audit can result in your organisation's certification being withdrawn until the issues identified are adequately addressed. Audits often reveal areas where you can improve your security posture and refine your ISMS (Information Security Management System), the framework you use to manage and protect your information assets.

To regain compliance after a failed ISO audit, a thorough review of your security posture and ISMS is essential. This includes identifying and correcting any discrepancies or deficiencies identified during the audit process. The certification body will provide a reasonable timeframe for implementing corrective actions and demonstrating compliance with the ISO 27001 standards.