Preparing for an ISO 27701 audit

Preparing for an ISO 27701 audit? Here are some things to keep in mind when drafting your audit preparation strategy. If you’ve been through an audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. If you haven’t, just imagine spreadsheets.

The People

Typically, ISO 27701 is done in conjunction with ISO 27001. After you’ve made the decision to pursue an ISO 27701 and ISO 27001 attestation, here’s something to keep in mind when drafting your audit preparation strategy. Create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Assigning an executive or manager to this process will be hugely beneficial.

The ISO 27001 and ISO 27701 processes require commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity and ensure you are staffed accordingly.

The Process

Examine ISO 27001 and ISO 27701 clauses and Annexes. ISO 27701 is an extension of ISO 27001; therefore, all 10 clauses and Annex A must be implemented first before you can implement the requirements of ISO 27701. The following five steps guide you in this process, but if this feels like an overwhelming decision, contact the TrustCloud team.

Step 1: Understanding the Audit Process

Before preparing for an audit, you need to start by outlining the three stages that make up the ISO 27701 certification process itself. Keeping this broader view in mind saves time and helps you better structure your preparation.

Stage 1

In stage 1, the selected auditor reviews your ISMS-PIMS, typically on-site, to determine if mandatory requirements are being met and whether the management system is good enough to proceed to stage 2.

This initial review is primarily focused on validating whether your ISMS-PIMS is appropriately designed and whether the documented processes exist, are effective, and comply with the standard requirements. The auditor also gauges your own understanding of the standard and discusses planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2, so that the management system does not substantially change between the two stages.

Stage 2

In stage 2, the auditor conducts a more thorough assessment of your ISMS-PIMS, and evaluates whether it is implemented effectively and meets ISO 27001 & ISO 27701 requirements.

In order to satisfy the auditor’s needs, it’s imperative that documentation be complete and accurate. The source of information in the document is identified and verified; the content of the document is written with integrity; and the documentation is easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.

Stage 3

Once the first two stages are completed, you can now apply for certification. An auditor will assist in submitting your ISMS-PIMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.

However, the ISO 27001-ISO 27701 certificate is valid for three years, which in the world of compliance is relatively long. However, it imposes an additional “continual improvement” requirement. To maintain your certification, you must go through surveillance audits every year, ensuring that you’re continually improving and adhering to your information security protocols.

Understanding the certification process is important as it helps you gauge the continual effort you need to put into maintaining compliance.

Now that you understand the level of commitment, time, and dedication required to implement and manage an effective ISMS-PIMS program, you can start to gauge your level of readiness.

Step 2: Take an Inventory

Start taking stock of your resources and team. Given the level of effort required to become ISO 27001-ISO 27701 compliant, it is important that knowledgeable team members lead the effort. If your team doesn’t have the right skill set, you can consider hiring people with the appropriate expertise. To demonstrate compliance with clause 7.2, it is a key requirement that your ISMS-PIMS is managed by competent and properly trained employees.

Now create an inventory of your business, systems, and assets and map those to the control requirements outlined in ISO 27001-ISO 27701’s ten clauses and Annexes. You can do this in one of two ways:

DIY

You can open up Excel and start manually mapping each of the clauses and subsequent requirements to your existing controls, policies, and procedures. This requires you to have (or, most likely, obtain) a deep understanding of the standard’s complex requirements.

Using A Compliance Automation Tool

With a compliance automation tool such as TrustOps, you simply upload your business stack, and the tool auto-generates controls, tests, and policies, each mapped to the appropriate ISO 27001-ISO 27701 clause or control. 

Once your mapping is complete, you can compare what you have with what the standard requires and find where your gaps are. This gap analysis helps add and implement specific processes, documentation, and controls. Your gaps are now on your to-do list.

Learn more about TrustCloud’s continuous ISO 27001 compliance with TrustOps for ISO 27001.

Step 3: Implementing a Management Review Program

When it comes to ISO 27001 and ISO 27701, senior management has a tremendous amount of responsibility. Clause 9.3 explicitly states: Senior management shall review the organization’s Information Security Management System at planned intervals to ensure its continued suitability, adequacy, and effectiveness.

ISO 27001-ISO 27701 also requires the implementation of a management review team. This team should be composed of senior management, and reviews should take place often enough to ensure that the ISMS-PIMS continues to be effective. Additionally, these meetings must conform to specific guidelines: they must occur on a predefined, periodic basis; meeting notes and action items must be recorded; and specific agenda items must be discussed.

Step 4: Adopt Controls

Your to-do list will quickly become flooded with documents and controls that you need to have in place.

If you’re using a compliance automation tool such as TrustOps, you are covered! TrustCloud is working to save you from spending your time and energy on spreadsheets and menial tasks. It has analyzed the ISO 27001 and ISO 27701 requirements and designed a comprehensive set of controls and policies. It has also mapped out the evidence requirement for each control in plain English, translated from the original legalese. It automatically learns where you are and helps you understand what you need to do to get where you want to be.

Some ISO 27001 and ISO 27701 controls require you to implement security tools and services to improve your security and business processes, and you need to research, purchase, and configure these appropriately. Examples include performing pen testing, enrolling in asset management, and conducting background checks. Depending on your organization’s processes and the workload of your employees, the procurement process can stretch on and become a significant risk factor in your adoption of the standard, but TrustCloud takes care of it all.

Throughout this process, you need to gather evidence to show that you are accurately compliant with all relevant controls by writing or amending policies and documenting procedures that explain how certain controls are satisfied.

Step 5: Conducting an Internal Audit

One of the biggest challenges for organizations preparing for an ISO 27001 and ISO 27701 audit is meeting the requirement for clause 9.2. This clause requires that the organization conduct internal audits to provide information on whether the ISMS-PIMS both conforms to the organization’s own requirements for its ISMS (9.2a) and conforms to the requirements of the standard (9.2b).

In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.

Some organizations choose to hire external consultants. This can be a good option, as long as the consultant is competent and has unrestricted access to records and personnel to perform their review without issues.

The Audit

The ISO certification obtained is valid for three years. An ISO ‘surveillance’ audit needs to be performed annually to continually reassess the conformance of your ISMS.