Find an auditor
Find an auditor through an audit by following the guidelines provided in this article.
Going through an audit can be an overwhelming process. When it comes to ISO 27001, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant clauses. Here are a few things you should consider when selecting an auditor:
- Accreditation: Ensure that your auditor is a member of the ANSI National Accreditation Board (ANAB). ANAB assesses and accredits certification bodies. Only certified bodies can issue an ISO 27001 certification.
- Find a reputable firm. Any firm with a good reputation is sufficient. If you need guidance in this area, TrustCloud provides recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of ISO 27001, how to evaluate controls against your organization, and the best practices that apply.
- It’s important that your auditor understand your business so they can expertly assess if there are any gaps or deficiencies.
Auditors are guided by the IIA Standard Code of Ethics, which tasks auditors with being independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists and helps them evaluate operational effectiveness (whether or not the control is performing as it should).
Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the ISO 27001 framework. These techniques may include:
- Observation: Observing you perform a task relevant to specific control
- Inquiry: Interviewing you or your team to learn about a specific process.
- Inspection: Requesting evidence of compliance with a control
Stage 1 vs. Stage 2 Audit
The audit process for ISO 27001 is broken down into two distinct stages.
Stage 1
In stage 1, an auditor reviews the ISMS, typically on-site, to determine if mandatory requirements are being met and whether the management system is good enough to proceed to stage 2. This initial review is primarily focused on validating whether your ISMS is appropriately designed and whether the documented processes exist, are effective, and comply with the standard requirements. The auditor gauges your own understanding of the standard and discusses planning for stage 2. Ideally, stage 1 should take place at most two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
Stage 2
In stage 2, the auditor thoroughly assesses your ISMS and evaluates whether its implementation effectively meets ISO 27001 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation be complete and accurate. The source of information in the document is identified and verified; the content of the document is written with integrity; and the documentation is easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.
Once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, and after you have implemented the corrective actions to address the auditor’s findings raised during stages 1 and 2, your auditor gives you their stamp of approval and can now recommend you for certification.
Your ISMS files are then reviewed by an independent and certified body, which decides in your favor and grants you certification. You can now shout out (or post on your website) that you are ISO 27001 compliant, for now.
An ISO 27001 certificate is valid for three years, which in the world of compliance is relatively long. However, ISO 27001 imposes an additional “continual improvement” requirement. To maintain your certification, you must go through surveillance audits every year, ensuring that you’re continually improving and adhering to your information security protocols.
