What to Expect From Stage 1 and Stage 2 ISO 27001 Certification Audits

Those who are just getting to know ISO 27001 will no doubt find the audit a daunting process. It is a large, complicated task that can be difficult for even seasoned professionals. 

Those who are just getting to know ISO 27001 will no doubt find the audit a daunting process. It is a large, complicated task that can be difficult for even seasoned professionals. But, as with numerous challenges, it is possible to overcome any concerns through adequate preparation. Once you realise how the process works, it will not seem as daunting.

If your organisation is attempting certification with the assistance of a consultancy firm like Bridewell, an experienced consultant will arrange a pre-certification audit and assurance exercise closer to your scheduled certification audit. This helps to determine if your ISMS (information security management system) will meet all the criteria required.

You can see this as a pre-certification ‘dry run’ or ‘rehearsal’ audit. It allows your organisation to identify potential issues that can be addressed before the actual certification audit, and it gives member of your organisation the chance to see how the big day will play out.

The certification audit is performed by an independent third party certification body (CB) that is selected by your organisation, and the process consists of two stages – ‘Stage 1’ and ‘Stage 2’ audits.

Stage 1 Audit

The Stage 1 audit is the first assessment of the ISMS and is often referred to as a ‘documentation review’ audit, because the assigned auditor will examine your documentation process to check that the ISMS has been developed in accordance with what is required by the standard and what is determined by the organization as being necessary for the effectiveness of the information security management system. Your organisation will be required to produce evidence of all crucial aspects of the ISMS, such as policies, procedures and processes to determine if they comply with requirements of ISO 27001, but how much information needs to be supplied depends on the certification body requirements.

This stage is more of an ‘investigation ‘or ‘exploration’ audit, where the auditor does a high-level review of your ISMS and gain an understanding of management’s description of the organisation’s system and the suitability of the design of security controls.

Stage 1 audits can be completed on-site, remotely or a hybrid approach to determine whether your ISMS has fulfilled the minimum requirements of the standard and the length of the assessment depends on the size of your organisation and the industry you are in. Once the Stage 1 audit is complete, the auditor will point out any areas of nonconformity and potential improvements of the ISMS. Just like a driving test, nonconformities are divided by minor and major variations. Bearing in mind that major nonconformities should be addressed immediately, minor nonconformities can be re-evaluated at the next assessment.

Stage 2 Audit

If your organisation is successful with the first stage, the auditor will conduct a more comprehensive assessment. This is the Stage 2 audit and is often referred to as the ‘certification audit’. During a stage 2 audit, the auditor will conduct an on-site assessment to determine if your organisation’s ISMS complies with ISO 27001. This assessment will involve reviewing the activities and procedures in greater depth that support the development of the ISMS.

The auditor will also have meetings and interviews with managers and key members of staff to validate that all activities are performed following the specifications of ISO 27001. The auditor will also be seeking evidence that your organisation is following the documentation that was previously reviewed in stage 1. The auditor will also request to see evidence of your internal audits and management reviews. This allows the auditor to determine if your processes and procedures are in place and well understood, to ensure that you have suitable checks and mechanisms to reduce the risks of a data security breach, which are required by ISO 27001.

If everything is in order, the auditor will recommend your organisation for certification (pending an internal review by the certification body) as required by the United Kingdom Accreditation Service (UKAS). Once the review process is complete, a certificate will be issued stating that your organisation’s ISMS complies with ISO 27001 standard. Your ISO 27001 certification will remain valid for three years.

Maintaining your certification will require some addition activities.

How to Maintain Your Certification

Your certification will be confirmed on an annual basis through surveillance activities, with a full re-assessment every fourth year.

The first surveillance visit takes place 6 – 12 months after the grant of certification.

At the initial assessment stage, you will be provided with an estimate of the work involved for the four-year cycle.

At any time during the life of your certification, if the estimated effort changes (for example, if you have an extension to scope granted which affects the effort required in subsequent assessments), then you will be provided with an amended estimate. A quotation for each year’s assessment will be provided.

Measures to Maintain Your Certification

• Inform your certification body of any changes that may affect the scope of your certification as early as possible. Your certification body can be contacted at any point in the cycle.
• Ensure that your key technical staff maintain their technical competence by attending recognised training courses and relevant sector events.
• Ensure that you keep up to date with regulatory changes in your sector.
• Ensure that you are subscribed to regular updates from UKAS/ ISMS publications and technical bulletins to ensure that you receive the latest certification requirements.
• Inform UKAS or your certification body in advance of any relocation of premises from which accredited work is performed.
• Implement an appropriate internal audit regime. Bridewell have qualified internal auditors who can help support your organisation.
• Ensure on-going effective document control.
• Retain all quality records and technical records throughout the period between assessments.
• You can use the PDCA (plan–do–check–act) model for the control and continuous improvement of cyber security processes and activities.
• Organisations that have achieved certification to ISO27001 standard are advised to adopt the following measures to maintain their certification: