An ISO 27001 audit is the process of evaluating an organisation's ISMS to determine if it aligns with the most recent information security practices set out by the ISO 27001 guidelines. The audit typically involves a review of the organisation's policies, procedures, and controls related to information security.
It is a mandatory step in the ISO 27001 certification process, which is an independent evaluation of how effective an organisation's information security practices are. ISO 27001 certification is not mandatory, but it can help to build trust and confidence with customers, partners, and other stakeholders.
The key objectives of an ISO 27001 audit are:
ISO 27001 is intended to help an organisation keep its information security risks at a tolerable level; therefore, in addition to ensuring overall compliance and effectiveness of the ISMS, it will be necessary to make sure that the implemented measures reduce risk to the point where stakeholders are willing to tolerate the residual risk.
Audits are essential to ensure your company’s operations are running smoothly. There are many types of audits and different ways to categorise them, but here, we focus on internal and external audits.
An internal audit is an assessment done by a company's team or assigned auditors (for example, a partner). The primary focus is to review and evaluate internal controls, risk management procedures, and overall governance processes.
Internal audits help spot areas needing improvement, strengthen internal processes, and ensure compliance with organisational policies. Such audits are a way to keep things running as intended and make the company's systems work better over time.
An external audit is done by an independent external auditor or audit firm. The main goal is to provide an unbiased and independent assessment of an organisation's financial statements, compliance with regulations, or other specific areas.
External audits are often required for regulatory compliance or financial transparency to assure external stakeholders, such as investors, regulators, or the general public. Such audits are essential to instil confidence in a company's financial and operational information.
The ISO 27001 certification process is a rigorous and lengthy one that involves continuous audits and evaluations. There are two main types of ISO 27001 audits that an organisation can undertake: internal audits and external audits.
An internal audit is necessary for compliance regardless of whether or not an organisation is looking to be certified. However, an external audit is required for certification. Organisations must hire third-party Certification Bodies (CB) with competent auditing resources to perform external audits in accordance with ISO 27001 standards.
Let’s take a look at how both internal and external audits are conducted:
An ISO 27001 internal audit is a detailed review of your organisation's ISMS to ensure that it fulfils the certification criteria. In contrast to a certification audit, this audit is carried out by your own employees, and the results are used to steer the development of your ISMS.
It is important to note that audits can be performed by a hired provider if the organisation lacks in-house auditors who are both skilled and objective. Such "second-party audits" are commonly used, since the supplier functions as an "inside resource" for the customer.
When getting certified, especially for the first time, the internal audit ensures everything is set up correctly for you to pass on your first attempt. Use an internal audit checklist to keep track of the necessary steps in the process. Here's a rundown of the steps in an internal audit:
Careful planning is critical for a foolproof process. The plan will serve as your roadmap and help you prepare for unforeseen obstacles.
It's time for action. Once the audit planning is in place, the next crucial phase in the ISO 27001 internal audit process is the actual execution of the audit. Conduct your internal audit by following these steps:
After the internal audit is completed, the next critical phase is to communicate the findings to key stakeholders, such as the auditee and management review team.
Regularly add new incidents and actions to a log and keep it current. The log serves as a central hub for tracking issues identified during the audit and supports a proactive approach to resolving them and preventing similar problems.
Continuously refine the audit schedule based on the outcomes of the internal audit, adjusting it to reflect changes in priorities, risks, or organisational processes. This will ensure that future audits remain pertinent and effective in addressing emerging information security challenges.
Doing an internal ISO 27001 audit is like giving your organisation a health check for information security. It helps spot where you're doing well and where there might be weak points so you can strengthen them before real issues pop up.
Beyond meeting information security standards, internal ISO 27001 audits encourage a mindset of always getting better at keeping data safe. It's not just paperwork – it's a practical way to ensure your information security is top-notch and everyone on the team is on the same page.
So, even if you are not aiming for ISO 27001 certification, an internal audit can provide insights on protecting your organisation from cybersecurity threats.
External audits refer to audits conducted by certification bodies or by interested parties seeking assurance of an organisation's ISMS. These audits follow methodical criteria and are used to gain and maintain certification. External audits can be done by interested parties, but only a certification body can get an organisation certified.
Before the audit is conducted, an audit plan is agreed upon, resources are assigned, and dates, hours and places are set by the external auditors or certification authorities.
The following are the types of external audits and the stages of conducting them:
At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.
Preparing for an ISO 27001 audit involves having the right documents, preparing for interviews, assessing your management and much more. Consider the following key factors when preparing for an ISO 27001 audit:
To demonstrate your compliance with ISO 27001, your organisation must produce the following documents:
You must make sure that employees and subcontractors have easy access to these documents; evidence of how information security issues are handled is a vital part of the audit.
It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance. Here are 6 steps to do so:
Like many standards, ISO 27001 does not specify how often an organisation needs to carry out an internal audit. That is because every organisation’s ISMS is different.
Industry experts recommend internal ISO 27001 audits at least once a year. This won't always be practical, so at a minimum you need to undertake an audit at least once every three years, because that is the period for which most ISO 27001 certification bodies validate an organisation's ISMS. Beyond that point, there is a significant likelihood that the organisation will have ceased to comply with the requirements altogether.
For external audits, different accreditation bodies around the world set out different requirements for the programme of certification audits; however, in the case of the United Kingdom Accreditation Service (UKAS) accredited certificates, this will include:
Internal and external ISO 27001 audits are conducted by separate parties. The internal audit can be conducted by a team within the organisation or a qualified external party, while the external audit is conducted by an accredited certifying body.
Internal ISO 27001 audits must be performed by auditors who are both competent and objective. To exhibit competence, an auditor must possess certain skills and present the following:
An auditor's competence can be demonstrated even without formal training. However, this may lead to some difficulties with your certifying body. There must also be a clear separation between the auditor's job and their reporting lines in order to prove objectivity.
For organisations looking for clearer objectivity, it may be more practical to bring in a certified auditor like DataGuard. This is because certifying bodies will have tested their auditors for competency and should be able to verify it to you on request.
Running an ISO 27001 audit is vital for protecting your organisation's information. It pinpoints and mitigates risks while encouraging a culture of continuous improvement.
Getting ISO 27001 certified shows that your company is serious about security and follows the highest standards. This positions you as a transparent, trusted company and may even bring new customers and partners.
At the same time, ISO 27001 audits can be a complex journey, and certified auditors can help you navigate it. At DataGuard, we have a team of certified auditors who understand the ins and outs of information security. We offer practical consultancy services to support your organisation, providing insights in a simple, jargon-free manner.
Whether you're eyeing ISO 27001 certification or want to tighten up your security game, reach out to hear more and strengthen your organisation’s defences.
As a rough estimate, a comprehensive ISO 27001 certification audit for a medium-sized organisation could take anywhere from a few weeks to a few months. The duration of an ISO 27001 audit can vary widely depending on several factors, including the size and complexity of the organisation, the scope of the ISMS, and the level of preparedness for the audit. Consult with the chosen certification body or auditors for a more accurate estimate.
Though not a must, ISO 27001 certification is relevant to any organisation managing information and data. The certification is widely embraced and often demanded by stakeholders, because a lack of proper policies and procedures poses risks to their information. ISO 27001 is now the norm in industries hit harder by cyber threats, for example education, government, healthcare or communications. But with the rise in cybercrime, all businesses, big or small, should consider information security, and getting ISO 27001 certified is a good way to prioritise it.
If an organisation fails an ISO 27001 audit, it typically faces corrective actions to address the identified non-compliance, followed by a re-audit. Severe or persistent non-compliance may lead to the suspension or withdrawal of the ISO 27001 certification, impacting your organisation's reputation and trust. After a failed audit, you will receive a report that will be your guide to identifying what you need to change to pass the next audit. It is also recommended to speak with the auditors for further clarification on what needs improvement.
ISO auditors look for evidence of an organisation's compliance with specific ISO standards by assessing documentation, management system effectiveness, risk management, continuous improvement processes, personnel training, internal audits, monitoring and measurement practices, customer satisfaction monitoring, legal compliance, supplier management, and emergency preparedness. The focus is on ensuring that the organisation meets the requirements outlined in the applicable ISO standard and is committed to continual improvement.