The international standards developed by the International Organization for Standardization, or ISO, have long been instrumental in many organisations’ efforts to ensure they meet certain quality criteria in relation to a broad range of aspects of their operations.
One such popular standard is ISO 27001, which relates to information security. But what else do you need to know about this standard, as well as the associated auditing procedures that your organisation may follow to help ensure compliance?
What is ISO 27001?
ISO 27001 is also often referred to as ‘ISO/IEC 27001’, on account of it being a joint product of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
It is an information security management standard that structures how businesses should manage the risk posed by information security threats.
The standard outlines information security guidelines, as well as requirements designed to protect an organisation’s data assets from loss or unauthorised access. Also defined within the standard are recognised means by which a business can demonstrate its commitment to information security management through certification.
What is an ISO 27001 compliance audit?
If your organisation is serious about achieving compliance with, and perhaps even certification for, ISO 27001, you will want a means of ensuring that you have achieved such compliance and are continuing to maintain it over time.
After all, with ISO 27001 touching on such a fundamental aspect of a given organisation’s day-to-day operations, achieving compliance with the standard will not be a one-time act.
This brings us neatly onto the importance of audits in general. The purpose of an audit, broadly speaking, is to help ensure an activity meets a set of defined criteria.
In the case of the auditing of ISO management system standards such as ISO 27001, that will mean ensuring the given organisation’s management system meets the requirements of the relevant standard.
Auditing can also include ensuring that the organisation is satisfying its own requirements and objectives with its implementation of the standard, and checking that the particular business’s management system continues to be efficient and effective.
What’s involved in an ISO 27001 audit?
With regard to ISO 27001 audits in particular, such an audit will entail a competent and objective auditor reviewing the following aspects:
- The given organisation’s information security management system (ISMS), or elements of it, and testing that it satisfies the requirements of the standard
- The organisation’s own information requirements and objectives in relation to the ISMS
- The practicality and efficiency of the policies, processes, and other controls the organisation uses
It isn’t just your company’s ISMS’s all-round compliance and effectiveness that should matter to an auditor; given that ISO 27001 is designed to help a business lower its information security risks to an acceptable level, the auditor will also need to consider whether the controls put in place genuinely do decrease the risk to a level that is tolerable for the risk owner(s).
What are the types and stages of audits?
There are two broad types of audit that organisations wishing to achieve and maintain ISO 27001 compliance and/or certification should be aware of:
- Internal audits, which – as the name suggests – are audits an organisation might have carried out internally to help ensure its sustained compliance with a standard. This process can be carried out by competent and objective auditors in your own workforce, provided that you have such professionals on hand; otherwise, you could arrange for such audits to be carried out by a contracted supplier. Either way, internal audits – which are also sometimes referred to as “second-party audits” – will need to be objective if you are to truly achieve ISO 27001 compliance, and should not simply ‘tell you what you want to hear’.
- External audits, which are audits carried out by parties from outside your organisation. Examples of such parties could include prospective partners or customers that wish to assure themselves about the suitability and effectiveness of your organisation’s ISMS, before they enter into an agreement with you. However, the term “external audits” is most frequently associated with audits that a certification body might carry out before agreeing to certify the organisation in question for ISO 27001.
As far as external audits are concerned, these may also be split into multiple stages:
- A stage 1 audit is also sometimes referred to as a “document review”, “document audit” or “readiness review”. This should give you a sense of the overarching aim of the stage 1 audit; normally taking place at the organisation’s head office, it can essentially be considered a sort of reconnaissance exercise, providing the auditor with an opportunity to get a flavour of the given organisation and its current management system. The basic objective of a stage 1 audit, then, is to assess whether the organisation is ready to proceed to a stage 2 audit.
- The stage 2 audit represents the next stage after the stage 1 audit, and the final stage before certification. If any issues were identified during the stage 1 audit that would mean the organisation is not in compliance with ISO 27001, it is expected that these will have been addressed by the organisation before the stage 2 audit takes place. The stage 2 audit will typically be longer and more in-depth than the stage 1 audit, although like the stage 1 audit, it normally takes place at the organisation’s premises. The auditing work itself will encompass the inspection of documented information for evidence that the management system complies with ISO 27001, as well as assessment of the all-round effectiveness of the management system. After the auditing has been completed by the external auditors, the organisation will be told whether it has or hasn’t achieved what is necessary to be recommended for ISO 27001 certification.
- A surveillance audit – also sometimes referred to as a “periodic audit” – can be carried out at scheduled times between certification and recertification audits, and may focus on one or several areas of the organisation’s ISMS.
- Finally, a recertification audit is carried out prior to the expiry of the certification period, and provides a more thorough review than a surveillance audit. All areas of the standard are typically covered by a recertification audit.
Why are ISO 27001 audits so important?
Hopefully, the above will have given you a sense of just why ISO 27001 audits are so crucial; such auditing will verify how your business’s ISMS is managed and its present performance. In the absence of this, it will be much more difficult for you to be sure that you are truly achieving the objectives that you aspired to when your organisation took steps to comply with ISO 27001 in the first place.
Using software to manage your ISO audits
Don’t leave your business’s auditing processes to chance, whether in relation to ISO 27001 or any other international standard for which you may be seeking to achieve compliance or certification.
Our own Vision Pro audit management software can help take the hassle out of your organisation’s auditing processes, with features and benefits – such as easy-to-review dashboards, audit templates, and automatic email alerts for overdue or noncompliant audits – that are designed around an organisation’s typical requirements.
Simply call us today, and we will be pleased to discuss with you in greater detail how the Vision Pro platform could assist your organisation, as well as to arrange an online demo for you.