An ISO 27001 audit is the process of evaluating an organization's ISMS to determine its compliance with the latest information security practices set forth in the ISO 27001 guidelines. The audit typically includes a review of the organization's information security policies, procedures and measures. It is a mandatory step in the ISO 27001 certification process, which is an independent evaluation of the effectiveness of an organization's information security practices.
What is an ISO 27001 audit?
An ISO 27001 audit is a review process that ensures that your organization's information security management system (ISMS) conforms to the latest information security best practices, as defined by the guidelines of ISO/IEC 27001:2022. Organizations must conduct a series of regular internal audits and external audits to obtain and retain their ISO 27001 certification.
ISO 27001 demonstrates that an organization's security measures are sufficient to secure its data, documents and other information assets. An ISO 27001 certification also gives companies a competitive advantage because it shows that their security measures are more stringent and aligned with international standards.
To qualify for certification, companies must undergo an external audit by a recognized, objective auditing company or an approved ISO 27001 auditor to demonstrate that their processes and systems meet the expectations of ISO/IEC 27001:2022.
Ongoing ISO 27001 audits demonstrate the efficiency and effectiveness of a company's security measures. In addition, these audits measure and demonstrate ongoing compliance with ISO standards. By conducting regular audits, organizations can review and assess the level of residual risk that remains under their existing information security measures.
With the results of an IT audit for ISO 27001, organizations can continue to improve their ISMS measures and standards to bring the residual risk to an acceptable level.
Importance of ISO 27001 audits
Basically, a series of ISO 27001 audits is required to complete the ISO 27001 certification process. Without successful completion of these audits, an organization cannot claim compliance with international best practices for information security management.
In some cases, organizations cannot work with customers or partners who require contractual compliance with ISO 27001 standards in order to enter into or renew a contract. This can make ISO 27001 audits essential for companies to attract or retain customers within their industry.
Even after an organization receives ISO 27001 certification, it must follow a regular audit schedule to demonstrate ongoing compliance with ISO 27001 standards to maintain certification. Audits demonstrate that a company's systems, processes and measures work effectively and protect information assets on an ongoing basis.
Regularly scheduled audits assess new risks as the business expands, allowing companies to pre-emptively identify any weaknesses in their existing systems. These audits also uncover opportunities for organizations to strengthen their existing data management and IT security practices.
Types of ISO 27001 audits
Compliance with ISO 27001 requires two types of audits: internal audits and external audits.
Accreditation bodies around the world have different requirements for how often audits must be performed to remain in compliance, but all companies seeking or maintaining certification must submit regular internal ISO 27001 audit reports and periodic external audits.
These are the expectations for internal and external audits that organizations must follow to remain compliant.
Internal audit
An internal ISO 27001 audit is a review of a company's ISMS conducted by objective, internal personnel trained in ISO 27001 standards or an external contractor hired to work with an internal team. Even when an internal audit is performed by an external party, it is considered internal unless that party is part of an ISO 27001 certification body.
According to ISO 27001 clause 9.2, a consistent ISO 27001 audit program is required to maintain compliance. An approved ISO 27001 audit plan defines how often internal audits are conducted, what methods are used to complete the audit, and who is responsible for planning, completing and reporting audit results.
Each company works with the certification body to determine the appropriate ISO 27001 audit frequency for their organization, but most companies will be recommended to conduct an annual ISO 27001 audit.
An internal ISO 27001 audit typically consists of:
- Reviewing and maintaining internal documentation for policies and procedures
- Taking samples from the ISMS as part of a field survey to demonstrate that policies and procedures are consistently followed
- Analyzing findings from the document review and field survey to ensure compliance with ISO 27001 requirements
- Implementing improvements as needed based on audit findings
External audit
When IT professionals ask "how to prepare for an ISO 27001 audit," they usually mean an external ISO 27001 audit. External audits are conducted by accredited certification bodies to confirm compliance with ISO 27001 standards.
Organizations interested in ISO 27001 certification must participate in four external audits:
- ISMS Design Review
- Certification audit
- Surveillance audits
- Recertification audits
Once your organization has determined the scope of your ISMS audit, ask an auditor from your country's accredited certification body to conduct the ISMS Design Review. During this external ISO 27001 audit, the auditor reviews your organization's documentation, processes and procedures to ensure that the measures and design of your ISMS comply with ISO 27001 standards.
If your organization meets the requirements of the ISMS Design Review, the auditor recommends your organization for certification and proceeds with the certification audit.
During the certification audit, an auditor assesses your organization's business processes and measures through a field survey to ensure they meet the ISO 27001 requirements and the 114 primary measures referenced in Appendix A. If these requirements are met, your organization qualifies for full ISO 27001 certification.
To maintain compliance after certification, certification bodies conduct periodic audits, also known as Surveillance Audits, in which they take a random sample of data to check for compliance with the procedures and processes outlined in your documentation. These audits often focus on specific ISMS areas and take place before recertification.
Finally, organizations undergo a comprehensive recertification audit every three years to maintain their ISO 27001 certification. This audit covers all areas of the ISMS and mimics the initial certification audit, ensuring that the organization continually follows ISO 27001 standards and improves the ISMS as new risks arise.
Phases of an ISO 27001 Audit
As your organization prepares for ISO 27001 certification, it is important to understand the two phases that make up the initial certification audit. The audit criteria for ISO 27001 are defined by these two phases, and your company is eligible for certification only if it passes both audit phases.
Companies should note that organizations usually hire a separate external auditor to support them in completing Stage 1 compliance requirements before requesting an external audit from the certification body for Stage 2.
Phase 1
Phase 1 of the ISO 27001 audit is called the ISMS Design Audit. Before a company applies for an ISMS Design Audit, it is essential that the company prepare properly for what an ISMS Design Audit entails. An ISO 27001 audit checklist can help you prepare for your Phase 1 audit.
First, work with your compliance team to determine your company's risk tolerance and security guidelines based on your customers' or partners' expectations. You may also need to consider legal or contractual requirements. These elements determine the scope, security objectives and statement of applicability for your certification audit.
Next, thoroughly document all processes, procedures, policies, guidelines and measures for your ISMS based on the requirements outlined in ISO 27001 and ISO 27002. You should also conduct a risk assessment, risk treatment and gap analysis and submit it along with your documentation.
After you have implemented and documented the measures in your ISMS, an auditor will review your documentation during the ISMS Design Review to verify compliance with ISO 27001 requirements. Upon completion, the auditor will provide your organization with an ISO 27001 audit report.
The audit report includes findings and recommendations to improve your processes or measures before moving on to phase 2. Your organization's employees may also need to undergo additional security training to meet ISO 27001 Phase 1 audit standards before moving on to Phase 2 certification.
Phase 2
If an auditor recommends your organization for certification after Phase 1, your organization may choose to proceed to Phase 2 to pursue certification. During the Phase 2 audit of ISO 27001, an auditor from a certification body conducts an evidentiary field review to confirm that the business processes and measures within your ISMS conform to the documented and approved procedures from Phase 1.
The auditor examines a thorough, random sample of data and information assets as evidence to confirm that your ISMS is operating effectively and meets the requirements of ISO 27001 and the mandatory measures of Annex A. This evidence should demonstrate that your business processes and measures are consistent with the documented and approved Phase 1 procedures and that your business procedures are working as documented.
To complete their audit, auditors often interview key stakeholders responsible for managing the ISMS system, as well as members of the internal audit and compliance teams. They will also ask for evidence of previous audit reports and any adjustments made based on Phase 1 results. These audit reports inform them of nonconformities presented by the previous auditor, while management audits confirm that improvements were implemented after the audit.
Phase 2 is also the time to define the processes for the future after certification. This includes security awareness training procedures and the internal audit process, which must be documented to achieve certification and maintain ongoing compliance.
Once your organization completes the Phase 2 ISO 27001 audit process, your company is ISO 27001 certified for three years. However, companies are still required to conduct and submit annual surveillance audits to follow the required internal audit schedule submitted to the certification body and demonstrate that their measures are continuously working as intended.
For more information on ISO 27001 implementation, check out our article ''How is ISO 27001 implemented?''.
How long does an ISO 27001 audit take?
Auditing a company's ISMS for certification can be a lengthy process. For most small to medium-sized companies, the initial certification process takes 6 to 12 months from start to finish. Larger organizations with a more extensive ISMS or scope can expect the process to take up to 18 months.
Companies must consider extensive documentation preparation even before going through the Phase 1 ISMS Design Review. This process alone can often take 6 to 10 months. You may need to complete multiple internal audits and implementations before your ISMS is ready to begin the certification process.
Once you begin the certification process, an auditor will work with your organization to create an ISO 27001 audit schedule. This schedule defines the time frame for an auditor to thoroughly review Phase 1 documentation and gather sufficient evidence to demonstrate compliance in Phase 2.
While Stage 1 document review usually takes about a week, Stage 2 often takes longer as auditors interview stakeholders and spend more time examining your ISMS.
During both steps, auditors may suggest improvements that must be implemented before the organization can move forward with certification. Depending on what improvements are needed to meet ISO 27001 standards, completing the necessary improvements can further extend the timeline for ISO 27001 certification.
Who conducts an ISO 27001 audit?
Internal and external ISO 27001 audits are performed by different parties. The internal audit can be conducted by a team within the organization or by a qualified external party, while the external audit is conducted by an accredited certification body.
An internal ISO 27001 audit should be conducted by auditors who are both competent and objective. To be competent, an auditor must have certain skills and be able to present the following:
- Expertise in physical security, cyber security, computer security or other forms of information security
- A comprehensive knowledge of the standard and the audit process.
- An ISO 27001 Lead Auditor training or recognized audit qualification and proof of understanding of the standard.
- An awareness of the organization's mission and goals, as well as its culture and willingness to take risks.
An auditor's competence can be demonstrated even without formal training. However, this can lead to problems with your certification body. There must also be a clear separation between the auditor's function and their reporting lines to demonstrate objectivity.
For organizations looking for clearer objectivity, it may be more practical to use a certified auditor such as Enshore Security. In fact, certifying bodies have competency-tested their auditors and can verify this upon request.
ISO 27001 audits in brief
An ISO 27001 audit is an essential part of maintaining your organization's ISMS and its compliance. With the main goal of ensuring that an organization's ISMS is adequately implemented and executed, ISO 27001 certification will enable your organization to retain customers and stakeholders with confidence.
It is also fundamental for organizations to understand when ISO 27001 audits are required and assess the importance of having certified auditors to perform the task.
Enshore Security advises organizations of various backgrounds on topics such as Privacy by Design and Default, data sharing with third-party service providers and erasure principles.
Need help navigating the world of information security or preparing for a certification audit? We'd be happy to help - contact one of our experts today.