ISO 27001 audit

Data collection is essential for marketing and sales but comes with risks like hacking, system failures, and accidental loss. Conducting an ISO 27001 audit is a crucial first step to mitigating these risks.

This audit ensures that an organization's systems meet security standards, enhancing credibility. This article explains the importance of the ISO 27001 audit and provides guidance on conducting both internal and external audits, as well as preparation tips.


What is an ISO 27001 audit and why is it needed?

An ISO 27001 audit is the process of evaluating an organization's ISMS to determine if it aligns with the most recent information security practices set out by the ISO 27001 guidelines. The audit typically involves a review of the organization's policies, procedures, and controls related to information security.

The audit is a mandatory step in the ISO 27001 certification process, which is an independent evaluation of how effective an organization's information security practices are. Certification itself is voluntary, but it helps build trust and confidence with customers, partners, and other stakeholders.

The key objectives of an ISO 27001 audit are:

  • Ensuring that your ISMS is adequately implemented and operated, and that it reduces information security risks to a manageable level
  • Making certain that flaws and remedial measures are dealt with as soon as possible
  • Ensuring that information security flaws and events/incidents are properly reported, controlled, and fixed

ISO 27001 is intended to help an organization keep its information security risks at a tolerable level. Therefore, in addition to ensuring overall compliance and effectiveness of the ISMS, it will be necessary to make sure that the implemented measures reduce risk to the point where stakeholders are willing to tolerate the residual risk.


What are the different types of audits?

Audits are essential to ensure your company's operations are running smoothly. There are many types of audits and different ways to categorize them, but here, we focus on internal and external audits.

What is an internal audit?

An internal audit is an assessment done by a company's team or assigned auditors (for example, a partner). The primary focus is to review and evaluate internal controls, risk management procedures, and overall governance processes.

Internal audits help spot areas needing improvement, strengthen internal processes, and ensure compliance with organizational policies. Such audits are a way to keep things running as intended and make the company's systems work better over time.

What is an external audit?

An external audit is done by an independent external auditor or audit firm. The main goal is to provide an unbiased and independent assessment of an organization's financial statements, compliance with regulations, or other specific areas.

External audits are often required for regulatory compliance or financial transparency to assure external stakeholders, such as investors, regulators, or the general public. Such audits are essential to instill confidence in a company's financial and operational information.

How do companies conduct internal and external ISO 27001 audits?

The ISO 27001 certification process is a rigorous and lengthy one that involves continuous audits and evaluations. There are two main types of ISO 27001 audits that an organization can undertake: internal audits and external audits.

An internal audit is necessary for compliance regardless of whether or not an organization is looking to be certified. However, an external audit is required for certification. Organizations must hire third-party Certification Bodies (CB) with competent auditing resources to perform external audits in accordance with ISO 27001 standards.

Let's take a look at how both internal and external audits are conducted.


ISO 27001 internal audit

An ISO 27001 internal audit is a detailed review of your organization's ISMS to ensure that it fulfills the certification criteria. In contrast to a certification review, this audit is carried out by your own employees, and the results will be used to steer the development of your ISMS.

It is important to note that the audit can be performed by a hired provider if the organization lacks in-house auditors who are both skilled and objective. Such engagements are commonly called "second-party audits", since the supplier functions as an "inside resource" for the customer.

What are the steps in an internal ISO 27001 audit?

When getting certified, especially for the first time, the internal audit ensures everything is set up correctly for you to pass on your first attempt. Use an internal audit checklist to keep track of the necessary steps in the process. Here's a rundown of the steps in an internal audit:

1) Plan the internal audit

Careful planning is critical for a fool-proof process. It will serve as your roadmap and help you prepare for unforeseen obstacles.

  • Create your audit plan: Initiate the internal audit process by developing a comprehensive audit plan. This document outlines the scope, objectives, and methodologies for the audit. It serves as a blueprint for the entire audit, ensuring a systematic and thorough examination of ISMS.
  • Update the audit plan if needed: Flexibility is key in the audit planning phase. Regularly review and update the audit plan to accommodate organizational processes, risks, or regulatory requirement changes. This ensures that the audit remains relevant and effective in addressing current information security concerns.

2) Conduct the internal audit

It's time for action. Once the audit planning is in place, the next crucial phase in the ISO 27001 internal audit process is the actual execution of the audit. Conduct your internal audit by following these steps:

  • Identify the control owners: Identify and engage with control owners who are responsible for specific aspects of the ISMS. Establish clear communication channels to streamline the audit process.
  • Decide on your audit approach: Choose a suitable audit approach aligned with the audit objectives. Whether through interviews, document reviews, or observations, tailor the approach to the unique characteristics of the ISMS and organizational operations.
  • Contact the control owners: Initiate communication with control owners to inform them about the impending audit. Discuss the audit scope, objectives, and the specific controls to be assessed.
  • Arrange the audit meeting: Coordinate with control owners to schedule the audit meeting. This serves as a platform to set expectations, discuss the audit plan, and address initial queries or concerns.
  • Conduct your first meeting: Reiterate audit objectives and scope during the initial meeting. Outline the audit process timeline and clarify roles and responsibilities.
  • Perform the audit: Execute the audit according to the established plan and approach. Utilize selected methods to assess controls, ensuring a thorough examination of processes, documentation, and evidence.
  • Perform documentation review and collect evidence: Examine relevant documents to assess compliance with ISO 27001 requirements. Systematically collect evidence to substantiate findings, providing a basis for audit results.
  • Perform process review and collect evidence: Evaluate the effectiveness of processes related to information security. Identify gaps or areas for improvement and gather evidence to support observations.
  • Discuss steps after the audit meeting: Engage in a post-audit discussion with control owners to review findings and gather insights.

3) Report your audit findings

After the internal audit is completed, the next critical phase is to communicate the findings to key stakeholders, such as the auditee and management review team.

  • Report to the auditee: Communicate the audit findings transparently, highlighting strengths and areas for improvement within the ISMS while showing a proactive approach to address vulnerabilities.
  • Report to the management review team: Submit a concise report outlining key audit observations and recommendations, enabling informed decision-making and resource allocation to enhance the organization's overall information security posture.

4) Update the incident and corrective action log

Regularly add new incidents and actions to the log and keep it current. It serves as the central record for tracking issues identified during the audit and supports a proactive approach to resolving them and preventing similar problems.

5) Update the audit schedule

Continuously refine the audit schedule based on the outcomes of the internal audit, adjusting it to reflect changes in priorities, risks, or organizational processes. This will ensure that future audits remain pertinent and effective in addressing emerging information security challenges.


ISO 27001 external audit

External audits refer to audits conducted by certification bodies or by interested parties seeking assurance of an organization's ISMS. These audits follow methodical criteria and are used to gain and maintain certification. External audits can be done by interested parties, but only a certification body can get an organization certified.

Before the audit is conducted, an audit plan is agreed upon, resources are assigned, and dates, hours, and places are set by the external auditors or certification authorities.

The following are the types of external audits and the stages of conducting them:

  • Stage 1 Audit — Documentation Review — Determines whether a functioning ISMS is in place and whether all required documentation exists. (Conducted by: An external auditor)
  • Stage 2 Audit — Certification Audit — A fact-based audit to confirm that the ISMS is operating in line with the standard and that the written policies and procedures are actually implemented. This audit is undertaken on a sample basis, and the results are analyzed. (Conducted by: Your certification body)
  • Surveillance Audit — Scheduled assessments conducted between the certification and recertification audits, also called periodic audits. Each assessment focuses on one or more aspects of the ISMS. (Conducted by: The ISO Registrar)
  • Recertification Audit — A more extensive evaluation than a surveillance audit, conducted before the certification period ends (3 years for United Kingdom Accreditation Service approved certifications). The standard is covered in full. (Conducted by: Your certification body)

At DataGuard, we provide a range of services around information security, including consultation for ISO 27001. Learn more about our ISO 27001 consultancy services here.


How should companies prepare for an ISO 27001 audit?

Preparing for an ISO 27001 audit involves having the right documents, preparing for interviews, assessing your management, and much more. Consider the following key factors when preparing for an ISO 27001 audit:

1. Check if the key processes of the ISMS are implemented and operational

  • Organizational context — This includes understanding and documenting the organizational environment and needs for information security, including interested stakeholders. The scope of the ISMS is documented in this manner.
  • Risk and opportunity management — Identify and analyze your organization's information security threats and opportunities and document a treatment plan.
  • Leadership — Your organization's information security policy should be a written declaration, backed by evidence of committed resources, that demonstrates strong top-level leadership.
  • Management review — Your organization's ISMS has to undergo a formal management review in accordance with Clause 9.3.
  • Corrective action and continuous improvement — Your organization must manage and implement continuous corrective and improvement actions in an efficient and effective manner.

Here are the different types of audit findings and the actions that follow from them:

  • Minor non-conformities: These are issues that do not have a significant impact on the effectiveness of the information security management system (ISMS), but need to be corrected in order to maintain compliance.
  • Major non-conformities: These are issues that have a significant impact on the effectiveness of the ISMS and require immediate corrective action.
  • Observations: These are areas where the ISMS could be improved, but are not considered non-conformities. These are often used as opportunities for improvement.
  • Preventive actions: These are actions taken to prevent non-conformities from occurring in the future.
  • Corrective actions: These are actions taken to correct non-conformities that have already occurred.

2. Prepare all the documentation for the audit beforehand

To demonstrate your compliance with ISO 27001, your organization must produce the following documents for the audit:

3. Make sure that evidence is accessible and easy to locate

You must make sure that employees and subcontractors have easy access to documentation, because evidence of information security is a vital part of the audit.

4. Prepare all employees for audit interviews

It is a good strategy to make sure that the people being audited are aware of what to anticipate and how to respond in advance. Here are 6 steps to do so:

  1. Explain the purpose of the audit: Start by explaining to the individual why the audit is taking place, what the objectives are, and what the benefits of compliance are. This will help them understand the importance of the audit and its impact on the organization.
  2. Provide an overview of the audit process: Provide the individual with a detailed overview of the audit process, including the scope, the timeline, the areas that will be audited, and the expected outcomes. This will help them understand what to expect and how to prepare.
  3. Review the ISMS documentation: Review the organization's ISMS documentation with the individual to ensure they are familiar with the policies, procedures, and controls that are in place. This will help them understand how the organization manages information security and what their role is in this process.
  4. Conduct a mock audit: Conduct a mock audit with the individual to help them understand what the actual audit process will be like. This will give them a chance to practice responding to questions and providing evidence of compliance.
  5. Provide training on information security: Provide training on information security to the individual to ensure they have a good understanding of information security principles and best practices. This will help them answer questions and provide evidence of compliance during the audit.
  6. Address any areas of concern: Address any areas of concern with the individual to ensure they are prepared to respond to questions related to those areas during the audit.

How often should ISO 27001 audits be carried out?

Like many standards, ISO 27001 does not specify how often an organization needs to carry out an internal audit. That is because every organization's ISMS is different.

Industry experts recommend internal ISO 27001 audits at least once a year. Where that is not practical, an internal audit must be undertaken at least once every three years, because three years is the period for which most ISO 27001 certification authorities validate an organization's ISMS.

For external audits, different accreditation bodies around the world set out different requirements for certification audits; however, in the case of the United Kingdom Accreditation Service (UKAS) accredited certificates, this will include:

  • Initial certification audit — conducted in 2 stages.
  • Periodic surveillance audits — typically at 6-monthly or, at a minimum, annual intervals.
  • Recertification audits — conducted every 3 years.

Who conducts an ISO 27001 audit?

Internal and external ISO 27001 audits are conducted by separate parties. The internal audit can be done by a team within the organization or a qualified external party, while the external audit is handled by an accredited certifying body.

An internal ISO 27001 audit must be performed by auditors who are both competent and objective. To exhibit competence, an auditor must possess certain skills and present the following:

  • Expertise in physical security, cyber security, computer security, or other forms of information security
  • A comprehensive knowledge of the standard and the auditing procedure
  • An ISO 27001 Lead Auditor training or a recognized auditing qualification and proof of understanding of the standard
  • An awareness of the organization's mission and goals, as well as its culture and willingness to take risks

An auditor's competence can be demonstrated even without formal training. However, this may lead to some difficulties with your certifying body. There must also be a clear separation between the auditor's job and their reporting lines in order to prove objectivity.

For organizations looking for clearer objectivity, it may be more practical to bring in a certified auditor like DataGuard. 


Get help to run your ISO 27001 audit

Running an ISO 27001 audit is vital for protecting your organization's information. It pinpoints and mitigates risks while encouraging a culture of continuous improvement.

Getting ISO 27001 certified shows that your company is serious about security and follows the highest standards. This positions you as a transparent, trusted company and may even bring new customers and partners.

At the same time, ISO 27001 audits can be a complex journey. Certified auditors can help you navigate it. At DataGuard, we have a team of certified auditors who understand the ins and outs of information security. We offer practical consultancy services to support your organization, providing insights in a simple, jargon-free manner.

Whether you're eyeing an ISO 27001 certification or want to tighten up your security game, reach out to hear more and strengthen your defences.
