Preparing for an ISO 27001 audit

Preparing for an ISO 27001 audit? Here are some things to keep in mind when drafting your audit preparation strategy. If you’ve been through an audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. If you haven’t, just imagine spreadsheets.

The people

Here are points to remember: Create a task force of employees from the IT or security team, with support from team members familiar enough with your technical systems. Assigning an executive or manager to this process will be hugely beneficial.

The ISO 27001 audit process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity and ensure you are staffed accordingly.

Read the “ISO 27001 preparation time for companies of different sizes” article to learn more!

The ISO 27001 audit process

Examine ISO 27001’s ten clauses, as well as Annex A, and determine which are applicable to your business. The following five steps guide you in this process, but if this feels like an overwhelming decision, contact the TrustCloud team.

Step 1: Understanding the audit process

Before preparing for an ISO 27001 audit, start outlining the three stages that make up the ISO 27001 certification process itself. Keep this broader view in mind to save time and help you better structure your preparation.

Stage 1

In stage 1, your auditor reviews your ISMS, typically on-site, to determine if mandatory requirements are met and whether the management system is good enough to proceed to stage 2.

This initial review is primarily focused on validating whether your ISMS is appropriately designed and whether the documented processes exist, are effective, and comply with the standard requirements. During this stage, auditors gauge your own understanding of the standard and discuss planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2 so that the management system does not substantially change between the two stages.

Stage 2

In stage 2, the auditor conducts a more thorough assessment of your ISMS and evaluates whether it is implemented effectively and meets ISO 27001 audit requirements.

In order to satisfy the auditor’s needs, it’s imperative that documentation be complete and accurate. The source of any documented information must be identified and verified; documents must be written with integrity; and documentation must be easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.

Stage 3

Once the first two stages are completed, you can now apply for certification. Your auditor will assist you in submitting your ISMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.

However, the ISO 27001 process doesn’t end when you obtain your certification. To maintain your certification, you must go through surveillance audits every year, ensuring that you’re continually improving and adhering to your information security protocols. Additionally, the certification itself is only valid for three years!

Understanding the certification process is important, as it helps you gauge the continual effort you need to put into maintaining compliance.

As you understand the level of commitment, time, and dedication required to implement and manage an effective ISMS program, you can start gauging your level of readiness.

Step 2: Take an inventory

Take stock of your resources and team. Given the level of effort required to become ISO 27001 compliant, it is important that knowledgeable team members lead the effort. If your team doesn’t have the right skill set, you can consider hiring people with the appropriate expertise. It is a key requirement to demonstrate compliance with clause 7.2 that your ISMS is managed by competent and properly trained employees.

Now you can create an inventory of your business, systems, and assets and map those to the control requirements outlined in ISO 27001’s ten clauses and Annex A. You can do this in one of two ways:

DIY

You can open up Excel and start manually mapping each of the clauses and subsequent requirements to your existing controls, policies, and procedures. This requires you to have (or, most likely, obtain) a deep understanding of the standard’s complex requirements.

Using a compliance automation tool

With a compliance automation tool such as TrustOps, you simply upload your business stack, and the tool auto-generates controls, tests, and policies, each mapped to the appropriate ISO 27001 clause or control.

Once your mapping is complete, you can compare what you have with what the standard requires and find where your gaps are. This gap analysis helps add and implement specific processes, documentation, and controls. Your gaps are now on your to-do list.

Step 3: Implementing a management review program

When it comes to ISO 27001, senior management has a tremendous amount of responsibility. Clause 9.3 explicitly states, “Senior management shall review the organization’s Information Security Management System at planned intervals to ensure its continued suitability, adequacy, and effectiveness.”

ISO 27001 also requires the implementation of a management review team. This team should be composed of senior management and should review the ISMS often enough to ensure that it continues to be effective. Additionally, these meetings must conform to specific guidelines: they must occur on a predefined, periodic basis; meeting notes and action items must be recorded; and specific agenda items must be discussed.

Step 4: Adopt controls

Your to-do list will quickly become flooded with documents and controls that you need to have in place.

If you’re using a compliance automation tool such as TrustOps, you are covered! TrustCloud is working to save you from spending your time and energy on spreadsheets and menial tasks. It has analyzed the ISO 27001 requirements and designed a comprehensive set of controls and policies for you to adopt. It has also mapped out the evidence requirement for each control in plain English, translated from the original legalese. It automatically learns where you are and helps you understand what you need to do to get where you want to be.

Some ISO 27001 controls require you to implement security tools and services to improve your security and business processes, and you have to research, purchase, and configure these appropriately. Examples include performing pen testing, enrolling in asset management, and conducting background checks. Depending on your organization’s processes and the workload of your employees, the procurement process can stretch on and become a significant risk factor in your adoption of the standard, but TrustCloud takes care of it all.

Throughout this process, you need to gather evidence to show that you are accurately compliant with all relevant controls by writing or amending policies and documenting procedures that explain how certain controls are satisfied.

Step 5: Conducting an internal audit

One of the biggest challenges for organizations preparing for an ISO 27001 audit is meeting the requirement for clause 9.2. This clause requires that the organization conduct internal audits to provide information on the organization’s own requirements for its ISMS (9.2a) and conform to the requirements of the standard (9.2b).

In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.

Some organizations choose to hire external consultants. This can be a good option, as long as the consultant is competent and has unrestricted access to records and personnel to perform their review without issues.

The audit