ISO 27001 Audit

What is an ISO 27001 audit?

An ISO 27001 audit is conducted by a competent and impartial auditor and has the following objectives:

  • Verifying that the Information Security Management System (ISMS) conforms to the requirements of the ISO 27001 standard
  • Verifying that the ISMS meets the organization’s own information security objectives and requirements
  • Confirming that the organization’s ISMS policies, procedures, and other controls are effectively implemented, maintained, and practicable


Why is an ISO 27001 audit important?

An ISO 27001 audit is important for a variety of reasons:

  • An ISO 27001 audit is required to achieve ISO 27001 certification.
  • To confirm that the ISMS is properly implemented and maintained.
  • To check that the ISMS conforms to the requirements of the ISO 27001 standard.
  • To verify that the ISMS fits the needs of the organization.
  • To confirm that the ISMS fulfils the organization’s information security objectives and plans.
  • To verify that the ISMS is effective in reducing information security risks to an acceptable level.
  • To ensure that any nonconformities are identified and corrective actions are completed promptly.
  • To ensure that information security weaknesses, events, and incidents are reported, managed, and remediated properly and efficiently.

What are the different kinds of audits?

To claim conformity with the standard, an organization must first plan and carry out a programme of internal audits. If the organization also wants to be certified, it must have external audits performed by a third-party certification body in accordance with the ISO 27001 standard.

Internal Audits: Internal audits are, as the name implies, those conducted using the organization’s own resources. If the organization does not have competent and impartial auditors on staff, these audits can be outsourced to an external provider; they remain internal audits because they are commissioned by the organization itself rather than by a certification body.

External Audits: The term external audit usually refers to an audit conducted by a third-party certification body in order to obtain or retain certification. However, the term can also apply to audits conducted by other interested parties (such as partners or customers) that want to verify the organization’s ISMS for themselves.

ISO 27001 Internal Audit Guidelines

  • Documentation review: A thorough examination of the organization’s policies, processes, standards, and guidance documents to confirm that they are up to date and fit for purpose.
  • Field review: An audit activity in which evidence is actively sampled to demonstrate that policies, procedures, and standards are being followed and that guidance is being taken into account.
  • Analysis: After reviewing the documentation and/or evidence samples, the auditor examines and analyses the findings to determine whether the requirements of the standard are being met.
  • Audit report: To ensure accountability, an audit report must be prepared and its results reported to relevant management, as required by Clause 9.2 f) of the standard.
  • Management review: A mandatory activity under Clause 9.3 (Management review). It must take the audit findings into account so that the necessary corrective actions and improvements are implemented.

ISO 27001 External Audit Guidelines

The process for an external audit is largely the same as for an internal audit; the difference is that external audits are used to obtain and retain certification and are conducted by auditors from a third-party certification body.

The assigned auditor will produce an audit plan, which the organization confirms before resources are allocated and dates, times, and locations are agreed upon. The audit is then carried out in accordance with that plan:

Stage 1 Preliminary Audit: This is the documentation review stage of the ISO 27001 audit. It confirms that the organization has all of the documentation required for an operating ISMS. The primary goals of the Stage 1 audit are:

  • To review the documentation for your ISO 27001 Information Security Management System, including the system’s scope, objectives, and any applicable policies and records that support the system’s operation.
  • To tour the site in order to plan Stage 2.
  • To obtain information about all sites from which the organization operates.
  • To obtain information about key processes, procedures, and any equipment used.
  • To confirm that all statutory and regulatory requirements applicable to the organization are documented.
  • To determine whether all necessary personnel are ready for the Stage 2 audit.
  • To determine the current state of internal audits and management reviews.
  • To prepare for the Stage 2 audit, including determining which sites will be audited.

Stage 2 Implementation Audit: This is an evidence-based audit that validates that the ISMS is being operated in conformity with the ISO 27001 standard; that is, that the written policies, procedures, and standards are being applied, operationalized, and effective. The Stage 2 audit begins with an opening meeting in which the auditor explains the process. The audit covers:

  • A review of the actions taken in response to the Stage 1 audit, to confirm that any findings raised have been addressed (‘closed out’).
  • Inspection of documentation for evidence that the management system conforms to the standard.
  • The overall effectiveness of your management system, and whether it is helping you meet your organization’s goals.
  • An audit of your activities and processes to determine whether you have operational control and are following your own policies and procedures.
  • Analysis of internal audits and management reviews.
  • The effectiveness of corrective and preventive actions.
  • Examination of key performance goals and objectives.

Upon successful completion of the Stage 2 audit, an organization is awarded ISO 27001 certification with a validity period of three years, subject to surveillance audits during that period.

Surveillance audits: These audits are conducted at regular intervals between the certification audit and the recertification audit, and each focuses on one or more areas of the ISMS rather than the whole system. IAS conducts two surveillance audits within the three-year validity period, one at the end of each of the first two 12-month periods.

Recertification Audit: This is conducted before the certification period expires. Recertification audits are more thorough than surveillance audits and are comparable in scope to the Stage 2 audit.

Contact IAS today to learn more about ISO 27001 Audit, or visit our ISO 27001 Audit frequently asked questions page!