What is ISO 27001 Audit? A Complete Guide

Organisations with an Information Security Management System (ISMS) must ensure compliance with ISO/IEC 27001:2013 guidelines for security controls. To maintain certification, regular internal and External Audits are necessary.  

According to Statista, only 57 per cent of large organisations were aware of the ISO 27001 Certification, while a survey by ISO found a 17 per cent increase in certifications in 2019. Organisations typically receive their ISO Certifications from an independent certification body in their country.  

The ISO 27001 Audit involves examining an organisation's Information Security Management System. For more details on the audit process, please read this blog. 

Table of Contents

1) What is ISO 27001 Audit ?

2) Importance of ISO 27001 Audit 

3) Types of ISO 27001 Audit 

   a) Internal Audit 

   b) External Audit 

4) How to prepare for an ISO 27001 Audit? 

   a) Check if the key processes of the ISMS are implemented and operational 

   b) Prepare all the documentation for the Audit beforehand 

   c) Make sure that evidential records are accessible and eay to locate 

   d) Prepare all employees for Audit interviews

5) Stages of the ISO 27001 Audit 

6) Performing ISO 27001 Audits 

7) How often do I need to conduct an Audit? 

8) Conclusion 

What is ISO 27001 Audit? 

The ISO 27001 Audit is an internationally recognised standard for managing Information Security. Originally published in collaboration between the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) in 2005, it was later revised in 2013 and, most recently, in 2022. This Audit serves as a review procedure that enables organisations to align their Information Security Management System (ISMS) with the latest best practices in IT security.

To obtain ISO 27001 Certification, a company must undergo an Audit. Moreover, Internal and External Audits must be conducted regularly to maintain Certification. The Audit proves that a company's ISMS regulations are sufficient for securing its data and other information assets. The certificate demonstrates the company's adherence to rigorous Security Controls aligned with international standards, making it more competitive.

To qualify for an ISO 27001 Audit, a company must undergo an External Audit from an objective accredited firm that is an approved ISO 27001 Auditor. The approved Auditor assesses the company's security processes and certifies their alignment with ISO/IEC 27001:2013 standards, proving the company's ongoing compliance with the ISO standard. By conducting regular Audits of its IT security regulations, a company can assess the level of its residual risk within its existing IT security standards. Residual risk refers to any remaining risk after identifying and eliminating all risks. It is an important type of risk to factor in the company's reassessment because it may still exist even after implementing security process improvements.


 

Importance of ISO 27001 Audit 

According to ISO guidelines, a complete 27001 Certification process requires a series of ISO 27001 Audits. An organisation can only claim its ISO Certification with international IT security best practices after completing the Audit Process. Regularly conducted audits can be especially helpful for organisations working with clients requiring compliance with ISO standards to enter or renew a contract. 

The Audit Process proves the effective performance of the company's systems, processes, and controls, ensuring that its security regulations are stringent enough to protect its information assets regularly. The ISO 27001 Certification typically occurs every three years and helps companies to review their security compliance. Companies need to ensure that their employees understand the rules and regulations, which can be achieved through regular team training.  

Failure to retain the Audit Certification can put a company at risk of being hacked by external threats. Lenient ISO 27001 Compliance processes can cost companies millions of dollars for every data breach, making cybersecurity a top priority for corporate management. The ISO 27001 Checklist reassures company leaders and like-minded customers that they are actively ahead of ongoing threats.  

The ISO Security Audit enhances user trust, and customers are more likely to avail of the services of trusted companies. Therefore, a company's demonstrated data security practices translate to increased business growth. Companies that are ISO 27001 compliant have the leverage of a cybersecurity culture at work. They document their ISMS scope, develop their Internal Security Controls, and regularly train employees on their best practices. 

Sign up for the ISO 27001 Lead Implementer course to implement techniques that increase your organisation’s security compliance with ISO 27001 standards! 

Types of ISO 27001 Audit

The ISO 27001 Audit process includes two types of Audits: Internal and External. The regularity of Audits varies among accredited organisations worldwide. However, companies must regularly submit their Internal and External Audit Reports to obtain or retain their Certification.   

Let's take a closer look at these two types of Audits: 

Internal Audit 

The ISO 27001 Internal Audit is a review of a company's ISMS Security Controls completed by either its internal staff or an external outsourced team. If an external firm on the contract is to carry out the Internal Audit, it is still considered internal if it is not part of an ISO Certification body.  

To maintain Compliance Standards, a regular ISO 27001 Audit program is necessary under Clause 9.2 of the ISO 27001. The approved Audit Plan determines the frequency of Internal Audits parties responsible for planning, completing and reporting the Audit results. Companies can determine the appropriate Audit frequency for their organisation by working with the certification body. An annual cycle of the ISO 27001 Audit is recommended for most companies. 

The Internal Audit typically includes the following: 

1) Review and maintenance of internal documentation for policies and procedures 

2) Sampling evidence from the ISMS during field reviews to ensure consistent abidance of policies and procedures 

3) Analysis of findings from both document and field review to ensure compliance with ISO 27001 Requirements

4) Implementation of necessary improvements based on Audit findings 

The internal Audit starts with the company's review of its existing IT processes and documentation of its ISMS Audit scope for external review. The company then pursues Certification through regularly conducted Internal Audits to maintain compliance. 

External Audit 

The External Audit phase involves companies preparing for and undergoing audits to confirm compliance with ISO 27001 Standards. Accredited certification firms or contractors typically carry out these audits in four stages: ISMS Design Review, Certification Audit, Surveillance Audits, and Recertification Audits.  

The ISMS Design Review involves hiring an Auditor to review the company's documentation and procedures and ensure their alignment with ISO Standards. Once the company meets the review requirements, the Auditor recommends certification. The Certification Audit involves a field review of the company's business processes and Security Controls to ensure compliance with ISO 27001 requirements and Annex A's 114 controls. 

To maintain ISO compliance, the company conducts periodic Surveillance Audits focused on specific ISMS areas, which are carried out by certifying bodies using random data samples. The company also undergoes an extensive Recertification Audit every three years, including all ISMS controls and imitating the initial Certification Audit. This Audit ensures continuous compliance with ISO 27001 Latest Version and addresses new risks as they arise.

How to prepare for an ISO 27001 Audit? 

As you prepare for an ISO 27001 Audit, it is of utmost importance that you have all the necessary documents in place, gather your thoughts, prepare for interviews, and assess your management practices. To make sure you are fully prepared, consider the following key factors: 

1) Check if the key processes of the ISMS are implemented and operational 

a) Organisational context: ISO 27001 Framework involves identifying and documenting the information security needs of the organisation and its stakeholders. 

b) Risk and opportunity management: Document a treatment plan to identify and analyse information security threats and opportunities in your organisation. 

c) Leadership: Your organisation should establish a written security policy with clear leadership and sufficient resources. 

d) Management review: Your organisation’s ISMS has to undergo a formal management review.  

e) Corrective action and continuous improvement: Your organisation must manage and implement continuous corrective and improvement actions efficiently and effectively. 

2) Prepare all the documentation for the Audit beforehand 

The following documents must be created to prove your organisation's adherence to ISO 27001: 

a) ISMS scope statement 

b) Organisational information security policy 

c) Risk Management method clause 

d) Risk register & treatment plan clause 

e) Statement of applicability clause 

f) Procedures & processes required under Annex A where controls are applicable. 

3) Make sure that evidential records are accessible and easy to locate 

You must ensure that papers and evidence of information ISO 27001 Physical Security issues are easily accessible to employees and subcontractors, as this is a crucial aspect of the Audit. 

4) Prepare all employees for Audit interviews 

It is essential to prepare employees who are being audited by informing them of what to expect and how to respond in advance. To achieve this, the following six steps can be followed:  

1) Explain the purpose of the Audit: Start by explaining the purpose of the Audit, its goals, and the benefits of ISO 27001 compliance to help individuals understand its importance and impact on the organisation. 

2) Provide an overview of the Audit process: Provide a detailed explanation of the Audit process, including the scope, timeline, areas to be audited, and expected outcomes. This will help individuals understand what to expect and how to prepare. 

3) Review the ISMS documentation: It is vital to go over the organisation's ISMS documentation with the individual to ensure their familiarity with the policies, procedures, and controls that are in place. This will help the person understand how information security is managed within the organisation and what their role is in this process. 

4) Conduct a mock Audit: Practice responding to questions and providing evidence of compliance with a mock Audit to prepare for the actual Audit process. 

5) Provide training on information security: Individuals should receive information security training to ensure compliance with Audit requirements. 

6) Address any areas of concern: During the Audit, discuss any problems with the individual to prepare them for related questions. 

Learn the skills to perform internal audits within your organisation with ISO 27001 Internal Auditor Course !

Stages of the ISO 27001 Audit 

As an organisation prepares for ISO 27001 Audit, it should focus on the two stages of the initial Certification audit, determining the company's eligibility for ISO Certification. Usually, organisations hire an Auditor to support them in completing stage 1 compliance requirements before requesting an external audit from the certifying body for the second stage. 

Here are the two stages of the initial Certification audit explained: 

Stage 1 

The ISO Certification Audit's first stage is called the ISMS Design Review. The company must prepare adequately for the ISMS Design Review before it requests an ISMS Design audit. The company can also refer to the checklist for the ISO 27001 Audit to prepare itself for the first stage of the Audit.   

The checklist comprises a framework containing a series of ten stages. The checklist helps IT security teams gather the necessary information for the Certification's preparation and streamline the process. A company can also streamline its process with the help of this checklist and ensure that the teams cover every aspect over four to twelve months. The time of coverage depends on the size of the organisation.  

The company can then proceed to document all its processes, policies and guidelines for its ISMS depending on the requirements of ISO 27001. It can then assess its risk, followed by a risk treatment procedure and a gap analysis to submit the documentation.   

The external Auditor will review the company’s documentation during the ISMS Design Review. They do this to make sure the documentation aligns with the ISO requirements. The Auditor's findings and suggestions for process improvement will be included in the audit report before starting Stage 2. Furthermore, the company’s employees may need to pursue additional security training to meet the audit standards for Stage 1.   

Stage 2 

The organisation may proceed to Stage 2 upon Auditor's recommendation for certification after completing Stage 1. In the second stage of the ISO 27001 Audit, the certifying body's Auditor conducts a field review to confirm the alignment of business processes and Security Controls with approved procedures in Stage 1.  

A random data sampling is then done as evidence to confirm the ISMS's effective operation, compliance with ISO 27001 requirements, and mandatory ISO 27001 controls stated in Annex A. The evidence should prove that business procedures work as documented.  

Key stakeholders responsible for ISMS management, Internal Audit members, and compliance teams are interviewed as part of the Audit Process. Auditors also request prior Audit Reports and any rectifications made based on Stage 1 results. The Auditors interpret any non-conformities from these reports, while Management Audits confirm post-audit improvements' implementation.  

After certification in Stage 2, organisations can define their processes, including security awareness training and the Internal Audit process. These two parts must be documented for achieving and maintaining continuous compliance with ISO 27001 Standards. 

Organisations are ISO certified for three years upon successfully clearing Stage 2 of ISO Certification. They must still submit annual surveillance audits to follow the internal audit schedule to the certification body and prove the continuous operation of their controls as intended. 

Gain in-depth knowledge about the information systems audit process; register for the CISA Certified Information Systems Auditor course now! 

Performing ISO 27001 Audits 

The ISO 27001 Audits need to be done by experienced Auditors who can demonstrate their knowledge of the ISO standard. Although formal certifications generally prove Auditor’s knowledge, the certifying body can choose to approve them based on their competence with ISO 27001 Audit questions.   

The Auditors will need to belong to a team outside the stakeholders for the Internal Audits, and this ensures that they are not performing self-reviews and maintaining the ISMS standard. Companies that do not have a separate auditing team will typically hire a formally experienced firm to assist with the Internal Audit process. The formally trained firms generally employ Auditors certified with the ISO 27001 Lead Auditor course.   

How often do I need to conduct an audit? 

ISO 27001 does not specify how frequently to carry out an Internal Audit as each ISMS is unique. Industry experts recommend conducting Internal ISO 27001 Audits at least once a year. However, this may only sometimes be practical. Therefore, it is necessary to undertake an audit at least once every three years.  

This is the duration that most ISO 27001 Certification authorities validate an organisation's ISMS. After this period, there is a significant likelihood that the organisation may no longer comply with the regulations. 

For External Audits, various accreditation bodies worldwide have different requirements for the certification Audit Program. However, in the case of United Kingdom Accreditation Service (UKAS) accredited certificates, this will include: 

a) Initial certification Audit – conducted in 2 stages. 

b) Periodic surveillance Audits – typically at six monthly or, at a minimum, annual intervals. 

c) Recertification Audits are conducted every three years.

Conclusion 

The ISO 27001 Audit helps companies keep their security compliance standards in check with the ISO guidelines. Regular Audits need to be conducted within companies by external certified bodies to retain their certifications. Considering the lengthy nature of the Audit process, companies can proactively prepare themselves by training the teams regularly. Continuous and successful ISO Audits will help companies stay competitive and stand out in the market. 

Learn the skills required to audit ISO 27001 information security management systems; sign up for the ISO 27001 Lead Auditor course now!