When it comes to your organization’s system and safety standards, audits ensure you meet all the critical requirements to operate effectively. An ISO 27001 audit assesses your information security management system (ISMS), as well as other relevant policies needed to protect company data.
In this article, we provide an overview of the ISO 27001 audit and what to expect during the two main steps of the process.
One of the first steps after your organization decides to get an ISO 27001 audit is to find an auditor. It’s important to find someone your stakeholders are comfortable working with and, if needed, someone who can help with other aspects of the audit process.
The first consideration when selecting an auditor is the firm’s accreditation status. While auditor accreditation is optional, those who go through the process not only hold themselves to a higher standard but are further held to those standards by an official accrediting body.
Any auditor you work with typically starts the process by asking you to fill out an application. This will help them determine the project scope, the number of people who will be involved, the estimated timeline, and associated costs.
It’s important to have your completed application, project scope, and any relevant details of your ISMS in place before your audit begins.
In the first stage of the ISO 27001 audit process, your auditor goes through the initial scoping documentation, the statement of applicability, any internal audits you’ve performed, and your organization’s ISMS setup.
If anything needs to be fixed before progressing to stage two, your auditor will flag it and give your company time to address the issue. Usually, this process takes no more than 90 days. After that, the company is recommended for stage two of the audit process.
In very rare cases, your auditor may recommend a company not move to stage two at all. Auditors want to make sure a company is prepared to successfully tackle stage two before they advise them to move forward. If the issue is fixable, they’ll advise the company to fix those areas before progressing.
But in some cases, the issue is big enough to be a blocker. For example, the company may fail to complete the internal audit, not have a risk assessment in place, or lack a complete Statement of Applicability (SoA). These are all requirements for passing an ISO 27001 audit, and missing any of them prevents a company from moving on to the next stage.
In stage two of the ISO 27001 audit process, your company receives a separate information request list from your auditor. It gives a preview of what auditors will look for during this second stage.
Most ISO 27001 audits require your auditor to be physically on-site so they can see the operations first-hand and talk to your teams in person.
While on-site, the auditor will look closely at the ISMS, Annex A controls, the technical evidence of those controls, and the requirements for ISO 27001 clauses four through ten.
Auditors will also engage individuals in conversations to clarify what physical security looks like, how they handle access control, how they manage vendors, and similar protocols.
This part of the process takes an average of eight to nine days, which represents the bulk of the auditor’s time with your internal team.
At the end of the second stage, your auditor will set up a formal closing meeting to discuss any nonconformities they discovered during the audit.
For most companies, nonconformities are nothing to worry about. Minor nonconformities occur in 50–75% of audits; typical examples are needing to update security awareness training or to fix a small detail overlooked within the ISMS.
In these cases, the company simply needs to offer a method of correction to address the issue before being certified.
On the other hand, a major nonconformity can delay certification. If major nonconformities are discovered, a company will have to offer both a correction and a detailed plan to monitor the issue before it can be certified.
Examples of major nonconformities include failure to conduct an internal audit, the inability to fix nonconformities from an internal audit, or not sufficiently tying the SoA back to the risk assessment. These issues eventually lead to the breakdown of the ISMS.
Once the first ISO 27001 audit is complete, your company receives a certificate and a final report from your auditor. This report formally confirms your company and its ISMS were externally assessed and found in compliance with ISO 27001 standards.
It also includes the auditor’s mark, which can be published on your website and other promotional materials. A second report document will also detail everything the auditor did, which controls were examined, and what was tested.
Following the initial certification, companies are required to undergo a surveillance audit in the second and third years. These are much easier audits, as the main goal is to check whether your systems are still in good standing.
In the fourth year, however, companies will need to undergo a recertification audit similar to the initial certification process in order to renew their ISO 27001 certificate.
Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.