How to Prepare Your Organization for an ISO 27001 Security Audit
Preparing for An ISO 27001 Internal Security Audit
By Jordan MacAvoy
ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS). Achieving ISO 27001 certification is no small feat, and it inspires confidence in an organization's customers, who understand the effort the organization invested on their behalf. This is because ISO 27001 addresses the protection of information, including customer data, and the organization's commitment to preventing a security incident or breach that could expose sensitive data.
However, before your organization can achieve certification, you are required to undergo an ISO 27001 audit and pass it. After certification you will also undergo annual surveillance audits to attest that you remain compliant.
What Is An ISO 27001 Security Audit?
The ISO audit seeks to verify that your organization has implemented the ISO 27001 requirements as stated. While verifying whether your Information Security Management System conforms to the standard, the auditor will also point out any issues with your ISMS and any areas that need improvement.
The external (certification) audit is divided into two stages, followed by ongoing surveillance audits, which this article describes as Stage 3:
Stage 1
This is the first stage, in which the certification body (CB) reviews the documents and methodologies your organization adopted when implementing the ISO 27001 requirements. During this stage, the auditors have a chance to familiarize themselves with your organization. They will review documents such as the Statement of Applicability, the information security policy, the access control policy, the inventory of assets, the scope of the ISMS, and the risk assessment and risk treatment methodology.
How to Prepare For Stage 1 Audit?
The Stage 1 auditors focus mainly on documentation; thus, if you want to pass, you need to provide the required documentation. This requires you to understand the ISO 27001 standard. Research and create a checklist of the mandatory documents and records that the auditors need, then skim through the non-mandatory documents and pick out those that apply to your organization.
Formulate a plan to pass the Stage 1 audit rather than waiting until a few days before the audit to prepare. Plan on roughly six months of preparation before the audit.
A Stage 1 audit typically occurs on site, but if your organization has several locations, the auditor can decide to conduct the audit at your headquarters. Stage 1 audits are completed in one to two days, after which you can begin preparing for Stage 2. The auditors will provide you with a written report of their findings, giving you time to fix nonconformities before the next audit.
Stage 2
A month or two after the Stage 1 audit, the CB will return to evaluate the implementation of the management system and assess the degree to which the ISMS conforms to the standard's requirements. The audit follows the process outlined below:
- Audit Plan
The certification body typically sends an audit plan about two weeks before the audit day. This is the plan they will follow while on site. During the audit, they will request that your managers and employees be available when needed.
- Opening Meeting
On the first day of the audit, the auditors will hold a meeting where they explain their ground rules as well as the objectives of the audit.
- Conduct Audit
Once the meeting is over, the auditors begin the audit as stipulated in their audit plan. During this stage, they expect to see how the ISMS holds up in practice. You can expect them to interview your employees and to look for evidence that your senior managers demonstrate leadership of the ISMS.
During Stage 1, the auditors assessed your organization's ISMS and noted the areas that pose risks. These are among the first areas they will audit. Expect this audit to be more thorough than the first one. They will examine your systems and records and have access to your staff. The auditors will ask your staff questions related to compliance and expect them to answer. They will also highlight areas that could use some improvement.
- Closing Meeting
After the Stage 2 audit is complete, the auditors will hold a meeting to discuss the nonconformities and opportunities for improvement (OFIs).
- Audit Report
The Stage 2 audit typically takes several days, after which the auditors summarize their findings, especially the nonconformities and OFIs, in an audit report.
How to Prepare For A Stage 2 Audit
Preparation is a critical part of any audit. Here are tips to help with your preparation:
- Review the Audit Plan
The auditors will send an audit plan about two weeks before the audit. Use this as a chance to establish a rapport with the auditors and discuss the plan before they begin. If there are unclear areas, ask about them so that you get everything right.
- Documentation
Compile the documents that you provided during the Stage 1 audit, as the auditors will use these as a reference to review whether your organization is compliant. Use these documents to confirm that everything is in fact as stated in the documentation. If the auditors pointed out areas of nonconformity during the Stage 1 audit, confirm that they have been addressed.
- Interview Preparation
Take time to prepare your staff for the interviews with auditors. Ensure that your employees understand the audit process and what is required of them. Any employees who will interact with the auditors should be prepared to give concise answers to the auditors' questions.
Stage 3
These are follow-up audits to confirm that your organization remains compliant. To avoid surprises, organizations are advised to conduct internal audits to ensure that they are compliant before the external audits. However, since these internal audits are typically checklist-oriented, an internal auditor might overlook inconsistencies and flaws. Engaging an external auditor who is experienced in ISO 27001 audits is recommended.
Once you have become certified, you can expect these surveillance audits to be conducted once a year, in years one and two after your certification. A recertification audit is held every three years to demonstrate that your organization is committed to improving the ISMS and ensuring that it is effective. Surveillance audits then resume in years one and two after each recertification.
What Happens After ISO 27001 Certification?
Once you pass the ISO 27001 audits and become certified, it is easy to relax, since you have achieved your goal. However, as mentioned earlier, you should expect a series of audits even after you become certified. This means that maintaining and improving the system does not stop at certification.
Therefore, be sure to regularly perform risk assessments on your ISMS and review the results to identify the areas that need to be improved. Perform corrective actions to address the issues highlighted in your risk assessment. Also, conduct internal audits several months before the surveillance audits to ensure that your organization is compliant. The internal audits need to be thorough rather than a checklist exercise; you can even hire an external auditor to conduct them. The audit results will show how your compliance is faring and where the areas of nonconformity lie.
Do not forget to engage your top management, as they are responsible for making crucial decisions, such as approving your budget.
Guest Author Background
SecureOps is excited to have a guest blogger for this post. Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce. Reciprocity was founded by Ken Lynch in 2009 with a vision to help companies with goals that are good for society, such as improving customer privacy and our environment.