
An insider’s guide to the ISO27001 audit process

Following our recent blog that answered the most common ISO27001 questions, it’s worth exploring the audit process so that businesses know what to expect.

ISO27001 certification is performed against the ISO27001:2013 standard and it is important to differentiate it from ISO27002, which is the guidance that supports the implementation of the 114 controls from within Annex A of ISO27001. Organisations do not get certified against ISO27002.

ISO27001 certifications are valid for three years, and the certification process consists of three audit stages. Two of those stages are concerned with obtaining certification and the third is about ensuring the ongoing effectiveness of the ISMS:

Stage 1 Audit

This audit is a confirmation that the required documented information within the ISO27001 standard exists. This involves auditors speaking to key stakeholders and reviewing all documented information within the ISMS. Should stage 1 be successful, you will be recommended for Stage 2.

Stage 2 Audit

The Stage 2 audit is focused on the operational effectiveness of the ISMS and the supporting policies, procedures and processes that make it up. It covers all of the clauses within the standard and the Annex A controls. Depending on your maturity and the outcome of the Stage 1 audit, the Stage 2 audit can take place weeks or months after Stage 1. If all goes well, after this audit you will be recommended for ISO27001 certification.

Surveillance Audits

Surveillance audits are an additional set of audits spread over the certification cycle. They cover the ISMS implementation across the three-year cycle and are used to assure its ongoing effectiveness.

What are the biggest issues after passing ISO27001 certification?

The biggest issue after passing ISO27001 certification is the anti-climax and the ongoing management of the ISMS. Many organisations make a big effort to improve their security posture and embed the ISMS to achieve certification, only to have resources moved away or to discontinue the work with their onboarded consultancy. ISO27001 is a continual process that should work for the business, but these things can often get dropped after a certification audit. Don’t waste all that good work – ensure the ISMS is resourced effectively with people that have the expertise to effectively manage the ISMS moving forward.

What happens if we do not pass the ISO27001 certification?

Audits can make people feel apprehensive about the entire certification process, and the fear of failure is natural. Should the worst happen and you fail or receive multiple findings, it is important to understand the root causes of the failure. A certification audit can be failed if you are unable to demonstrate that you have designed an effective ISMS which meets the requirements of the standard, as well as through a complete breakdown of a control or a selection of controls. A common problem is misunderstanding the requirements of the standard and not having the competence to design and implement the information security management processes effectively.

And finally

ISO27001 certification is a daunting task that involves information security expertise and the ability to implement change effectively. While some organisations try to implement the standard internally, we would recommend seeking some expert support. This is worth the investment because it can provide you with confidence, help to improve your own knowledge of ISO27001 and provide a higher chance of success. A good cyber security consultancy will be able to deliver an ISMS tailored to your organisation’s needs and provide tangible risk mitigation.


If you have any further questions around ISO 27001 or want to discuss the process please just give us a call. At Bridewell Consulting we are in it for the long term. As a trusted partner, our team of experts can assist you on your cyber security journey and beyond. For further information or a no commitment chat, on any of the above, please get in touch here or give us a call on +44 (0) 3303 110 940
