ISO 27001 Audit
What is an ISO 27001 audit?
An ISO 27001 audit is carried out by a professional, objective auditor and is based on the requirements of ISO/IEC 27001 (current edition: ISO/IEC 27001:2022). It checks that:
- Your Information Security Management System (ISMS) complies with the standard
- The ISMS objectives and your organization’s information needs are met
- The ISMS policies, procedures, and other controls are effective and practical

Why is an ISO 27001 audit important?
An audit matters for several reasons:
- It is required to achieve ISO 27001 certification
- It confirms your ISMS is properly implemented and maintained
- It checks the ISMS meets the standard’s requirements and your organization’s needs
- It verifies the ISMS meets your information security objectives and plans
- It confirms the ISMS reduces information security risks to a manageable level
- It ensures non-conformities and corrective actions are dealt with promptly
- It ensures security weaknesses, events, and incidents are properly reported, managed, and remedied
Types of audit
To claim conformity with the standard, an organization must first run a schedule of internal audits. To be certified, it must also undergo external audits by a third-party certification body.
- Internal audits: conducted using the organization’s own resources. If you don’t have qualified, objective auditors on staff, a competent supplier can perform them.
- External audits: conducted by a third-party certification body to obtain or retain certification. The term can also cover audits by other interested parties (such as partners or customers) who want to verify your ISMS for themselves.
Internal audit guidelines
- Documentation review: a thorough examination of your policies, processes, standards, and guidance to confirm they are up to date and fit for purpose.
- Field review: actively sampling evidence to show that policies, procedures, and standards are being followed and guidance is being applied.
- Analysis: after reviewing documentation and evidence, the auditor examines the findings to confirm the requirements are met.
- Audit report: prepared in line with Clause 9.2 and presented to management, to ensure accountability.
- Management review: a mandatory activity under Clause 9.3, which must take the audit findings into account so that necessary corrective actions and improvements are implemented.
External audit guidelines
The external audit process is largely the same as the internal process, but is used to obtain and retain certification. The auditor produces an audit plan, which you confirm before resources, dates, times, and locations are agreed. The audit is then carried out in two stages.
Stage 1: Preliminary (documentation) audit
This is the documentation-review stage, confirming you have everything needed for an operating ISMS. Its main goals are to:
- Review your ISMS documentation – scope, objectives, and supporting policies
- Tour the site to help plan Stage 2
- Gather information about all sites you operate from
- Gather information about key processes, procedures, and equipment used
- Confirm that applicable statutory and regulatory requirements are documented
- Check that the necessary personnel are ready for Stage 2
- Review the current state of internal audits and management reviews
- Prepare for Stage 2, including which sites will be audited
Stage 2: Implementation audit
This is an evidence-based audit to confirm the ISMS is operating in compliance with the standard – that the written policies, procedures, and standards are applied, operationalized, and effective. It begins with an opening meeting where the auditor explains the process, and covers:
- Review of actions taken since Stage 1 to confirm they have been closed out
- Inspection of documentation for evidence the management system complies with the standard
- The overall effectiveness of your management system and whether it helps you meet your goals
- An audit of your activities and processes to confirm operational control
- Analysis of internal audits and management reviews
- The effectiveness of preventive and corrective measures
- Review of key performance goals and objectives
On successful completion of Stage 2, the organization is awarded ISO 27001 certification, valid for three years.
Surveillance and recertification audits
Surveillance audits are conducted between certification and recertification, focusing on one or more parts of the ISMS – IAS conducts two within the three-year validity period (roughly every 12 months). A recertification audit is conducted before the certification period expires; it is more thorough than a surveillance audit and comparable to the Stage 2 audit.
Contact IAS today to learn more about ISO 27001 audits, or visit our frequently asked questions page.
Frequently Asked Questions
What is an ISO 27001 audit?
An objective assessment of your ISMS against ISO/IEC 27001, to confirm it is compliant, effective, and meets your information security objectives.
What is the difference between internal and external audits?
Internal audits are run by your organization (or a competent supplier) to maintain conformity; external audits are run by a certification body to obtain or retain certification.
What happens in Stage 1 and Stage 2?
Stage 1 reviews your documentation and readiness; Stage 2 is an evidence-based audit confirming the ISMS is operating in compliance.
How often are surveillance audits?
Typically two within the three-year cycle, roughly every 12 months.
Which clauses cover auditing?
Clause 9.2 (internal audit) and Clause 9.3 (management review) of ISO/IEC 27001.
Which edition is current?
ISO/IEC 27001:2022.