ISO 27001 audits are not just a bureaucratic procedure that you want to quickly get over with and forget. On the contrary, they can be a very important tool to make sure your organization is protected.
They objectively evaluate the Information Security Management System (ISMS), help identify potential vulnerabilities, improve security measures, and ensure and showcase compliance with international standards.
The goal of this article is to provide you with the information you need to perform the whole cycle of ISO 27001 audits, both internal and external, and to reduce the inconsistencies or errors that can arise during the process. We will also look into the main benefits and the best practices to follow when taking on this challenge.
Ready to learn all about ISO 27001 audits? Let's get started.
What is an ISO 27001 audit?
Let's start with the basics. An audit serves as a measure to guarantee that a function is fulfilling a predetermined set of quality standards. In the case of ISO 27001, audits are used to verify that the management of the practice adheres to its specified requirements. They are carried out to confirm that the organizational needs are met and that the process operates safely and effectively.
A great way to make sure that you are successfully implementing the standard is to create and follow an ISO 27001 checklist, in order to break down the process and make sure you are not missing anything important.
An ISO 27001 audit is carried out by an accredited auditor who will review the following:
- The ISMS or elements of it, verifying that it meets the standard's requirements.
- The company's requirements and objectives for the ISMS.
- The policies, processes, work instructions, and other controls to see if they're effective and efficient.
In addition to checking the compliance and effectiveness of the ISMS, the audit verifies that the organization is managing its information security risks to an acceptable level, which is what ISO 27001 is designed to enable. You need to check that the implemented controls reduce risk to a point where the risk owner(s) are comfortable tolerating the residual risk.
Types of ISO 27001 audits
There are two types of ISO 27001 audits:
- ISO 27001 internal audits are the first step in a company's ISO 27001 accreditation journey. An internal audit is an evaluation of an organization's ISMS conducted by an internal team of auditors. It tests the effectiveness of the ISMS, identifies any non-conformities or areas for improvement, and ensures that the organization complies with the standard's requirements.
- ISO 27001 external audits are the final stage and are carried out by an impartial third-party auditor. Once the audit is complete, the certification body will issue a certificate of compliance if the ISMS meets the standard's requirements, assuring customers, stakeholders, and the management team that the organization's information security practices have been independently checked and verified against the ISO 27001 standard.
5 benefits of auditing against the ISO 27001 standard
Audits are essential not only because they make sure that your controls are working as they should be, but they also showcase this compliance and build trust. Trust with your colleagues that you are working hard to meet the criteria, trust with the rest of your business that everything is performing as it should be, and trust with customers and stakeholders that their data is safe.
All too often, audits are thought of as a box-ticking exercise, but it's important to note that they are not just a burden or a packet of extra work that's landed on your desk and you want to get rid of as soon as possible.
Here are five reasons why audits are essential and can indeed help your organization:
- More effective Risk Management - An ISO 27001 audit can help organizations identify, manage, and control information security risks, reducing the probability and impact of security incidents.
- Regulatory compliance - Depending on the industry, some organizations must meet specific standards and controls for their governance and regulatory compliance obligations. A successful ISO 27001 audit can help ensure compliance with those regulations.
- Competitive advantage and increased customer confidence - Being an accredited organization can be an important differentiator in a crowded marketplace and set you apart from the competition. Passing the detailed and intensive audit process means you have solid controls in place to protect your information and that of your customers, increasing their confidence in your organization.
- Continual improvement - Part of the audit process is to identify areas for improvement, so your internal processes, procedures, and working practices get better with every audit. The standard (and the audit cycle) encourages a culture of continuous improvement in information security practices, leading to ongoing enhancements and refinements.
- Third-party verification - The external audit stage of the ISO 27001 accreditation process is a verification of your information security practices carried out by an accredited third-party supplier. So it's not just your organization saying that you take information security seriously, but a qualified and trusted third party.
How to perform an ISO 27001 internal audit?
Carrying out an internal audit can be a daunting and overwhelming process, but luckily the ISO 27001 standard has some clauses to help:
- Clause 9.2 C - Audit Program - This clause instructs organizations to plan, implement, and maintain an audit program. This includes documenting the frequency, methods, responsibilities, and reporting requirements for your program.
- Clause 9.2 D - Audit Criteria and Scope - This clause sets out how to define each audit's criteria and scope to ensure the objectives are met.
- Clause 9.2 E - Audit Selection & Independence - This section covers selecting competent auditors in a way that ensures the impartiality of the process, so that the audit is transparent and has the appropriate controls in place.
- Clause 9.2 F - Reporting On Audit Results - This part of the clause covers reporting the audit results to management and ensuring that any exceptions have the appropriate level of visibility.
- Clause 9.2 G - Audit Program & Record Retention - This set of activities is related to capturing evidence and ensuring that it is stored in line with the retention policies documented in the ISMS.
Another important item in your toolkit is your IT Asset Management solution, which can help you check your compliance levels and make sure everything is running smoothly and nothing has gone unnoticed.
InvGate Insight, for instance, can help you build a centralized asset inventory in line with the ISO 27001 standard, so you can keep track of your assets and the information they support. This way, you can monitor your assets’ lifecycle, generate periodic reports to assess their performance, and conduct internal audits to evaluate your organization’s compliance.
In particular, Insight will provide you with information on things like:
- Your IT assets' security compliance.
- Unauthorized devices or outdated software on your network.
- Warranty, licenses, and contract expirations.
ISO 27001 internal audit checklist
When carrying out an internal audit, here are the key steps that you need to follow:
- Documentation review - This stage involves reviewing the documentation you created when implementing your ISMS and ensuring that it is still accurate and up to date.
- Management review - Liaise with management to plan the rest of the audit activities and agree on timelines and resources.
- Field review - This is the stage where most of the actual auditing activities take place. You will need to assess how the ISMS works by interviewing front-line colleagues, performing audit checks to validate the evidence as it is gathered, completing audit reports to document the results of each test, and reviewing all documentation relevant to the ISMS.
- Analysis - This stage will review the evidence created during the audit and ensure all requirements are met.
- Management report and assessment - This stage involves reporting the audit results to the management team. Your report will need to include the following:
  - An introduction that defines the scope, objectives, timing, and extent of the audit
  - An executive summary that provides a high-level overview of the findings, analysis, and conclusion
  - Information about the intended audience of the report and guidelines for its distribution and classification
  - A detailed analysis of the findings, conclusions, and recommended corrective actions. The analysis should cover any gaps in the documentation; whether all colleagues have had the appropriate training in information security management; whether colleagues know how to respond appropriately in an audit situation; and whether the relevant documentation is easy to find
  - A statement outlining the recommended actions, opportunities for improvement, or any limitations in scope.
How to prepare for an ISO 27001 external audit?
External audits are the final stage in your ISO 27001 accreditation. They are carried out by a qualified external party to ensure the standard's requirements are being met, and they build on the work done in the internal audit stage in a comprehensive and transparent way.
ISO 27001 external audit stages
Here are the stages for an external audit:
- Documentation review - The external auditor will review all documentation pertaining to your ISMS.
- Field audit - The auditor will collect evidence and audit the ISMS by reviewing working practices and interviewing colleagues.
- Analysis - The auditor will review and check the evidence against the audit scope and findings.
- Report - The auditor will report the audit findings to the client organization, including any non-conformities, failures, and improvement opportunities.
The ISO 27001 audit cycle
The ISO 27001 audit cycle includes both types of audits detailed above. Each of them has different players involved, as well as a different scope and goal. Let’s take a closer look at them:
- Internal audit - This audit is carried out by colleagues within the organization, either by a dedicated compliance and audit team or by a team separate from the one running the ISMS, to avoid any potential conflict of interest.
- External audit
  - ISMS design review - This stage ensures that the organization has the required documentation to form an operational ISMS.
  - Certification audit - This is the evidence-based audit that verifies the organization is running the ISMS in line with the standard.
  - Surveillance audits - Also known as interim or mini audits, these are carried out on a scheduled basis between certification and recertification audits to ensure that performance remains on track. They are smaller audits and focus on one or more ISMS areas.
  - Recertification audits - These are carried out before the certification expires and are more involved than an interim audit. A recertification audit covers all areas of the standard.
In essence, ISO 27001 audits demonstrate an organization's compliance with the standard. They are a mandatory part of the certification process, and submitting to them demonstrates a commitment to good information security practices. It's important to understand that committing to periodic audits isn't just an administrative load: the whole process effectively ensures that your organization's information is thoroughly protected.
Luckily, the whole procedure can be divided into practical tasks that help you address all the requirements specified by the standard. Internal audits act as a precursor to external audits, get colleagues used to the process, and make sure everything and everyone is on the right track. External audits are carried out by a third-party entity, and they seal the whole certification process with an official external approval.
Apart from setting aside an appropriate amount of time to prepare for the audits, and making sure you have organized the tasks and aren't missing any step, it's important to have the support of an ITAM tool to make sure all your data on information assets is accurate and up to date, and to get notified of any potential threats.
Frequently Asked Questions
How often are external audits carried out?
After the initial external audit, maintenance audits are carried out every six months to one year, and then there is a recertification audit every three years.
Who conducts an ISO 27001 audit?
It depends. In the case of internal audits, the auditors belong to a team independent of the stakeholders responsible for maintaining the ISMS. This separation ensures that the auditors do not evaluate their own work and that appropriate segregation of duties is in place. If it's an external audit, a third-party auditor or team of auditors will conduct the assessment.
What are the steps in an ISO 27001 audit?
At a high level, the key stages are a documentation review and a review of live ways of working against the ISMS, including colleague observations and interviews.
What is the audit period for ISO 27001?
The audit period sets out how frequently an organization has to be reviewed against the standard and will include internal, external, and recertification reviews.
How do I prepare for an ISO 27001 audit?
Preparation, preparation, preparation. In short, lots of hard work. Check your documentation to ensure it is fit for purpose and is aligned with the audit scope. Check training is up to date and make refresher sessions available if needed. Check your ways of working and ensure that all colleagues know how to respond appropriately in the event of an audit. Finally, carry out frequent internal audits to keep you and everyone in your organization honest.
Can you fail an ISO 27001 audit?
Yes. You can fail an ISO 27001 audit if you fail to meet the requirements of the standard or do not have the appropriate documentation, controls, and/or evidence in place.
Does ISO 27001 require an internal audit?
Yes. The internal audit is a mandatory part of the process and prepares the organization for the external audit stage.
How much does an ISO 27001 audit cost?
It depends on the scope of the audit and how much external resourcing is needed.
Can I audit my own company for ISO 27001?
Yes and no. An internal team can carry out an internal audit if it's a different team from the one implementing and running the ISMS. The external audit must be carried out by a third party to ensure no conflict of interest.
How to avoid common ISO 27001 internal audit mistakes?
Again, the answer is hard work and diligence. Check your documentation against your objectives. Check the ISMS. Check that your people are comfortable with the standard and the appropriate working methods. Build regular internal audits into your processes and your continual improvement cycle so you keep improving over time.