After passing your internal audit and fulfilling the Statement of Applicability requirements, the next step in your ISO 27001 journey should be an external ISO 27001 audit. While this may seem intimidating initially, this goal can easily be met with proper guidance and preparation.
This article will describe the four primary audits required for ISO 27001 certification: Stage 1 Audit, Stage 2 Audit, Surveillance Audit, and Recertification Audit.
Stage 1
Document Review. Your auditor will inspect your ISMS documentation, verifying that all necessary elements have been included for a successful certification audit. These elements could consist of your ISMS policy, a description of the risk assessment methodology, procedures, and records from internal audits and management reviews.
If any nonconformities are discovered, your auditor will note them in an engagement report and classify them as either major or minor nonconformities. Any major nonconformities must be resolved before moving forward to stage 2, an ISO 27001 certification audit.
As with the audit and certification processes, an independent company for ISO auditing is recommended to maintain independence and avoid potential conflicts of interest. Most successful businesses achieve ISO certification using this approach—an arduous nine-month journey culminating in complete certification from start to finish.
Stage 2
After spending many hours building and establishing your ISMS and recording all internal audit reports, management reviews, improvement forms, and supplier lists, you are ready for your certification body’s on-site Stage 2 audit.
A document review audit is one of two assessments you will face as you work towards ISO 27001 certification. Your assigned auditor will conduct an extensive check of your documentation process in order to ascertain whether it fulfils ISO 27001’s standards as well as your written information security policy.
Stage 2 audits may include an audit of control testing against Annex A’s 114 controls and verification that any areas of concern identified in the Stage 1 audit have been addressed. You will also need to prepare a Statement of Applicability and Risk Treatment Plan before attending. If successful in passing these audits, certification as ISO 27001 will be awarded to your organisation.
Stage 3
At stage 3 of an ISO 27001 audit, an external auditor evaluates your organisation’s policies and procedures in action. With your Statement of Applicability as their guide, they assess the level of information security you’ve implemented through your ISMS; additionally, they take an in-depth look at configurations, protections, and roles to assess any gaps or weaknesses they might uncover on-site; typically, this can last from 1 week up to 7.
They analyse evidence gathered through documentation review, evidential sampling, and personal observations to confirm if your ISMS meets all requirements set out by the ISO/IEC 20000 standard. If major non-conformances are found during their review of ISMS operations, any findings will be shared with both yourself and the management team for resolution.
IT Governance’s team of seasoned, accredited, and industry-leading auditors has helped organisations in the United States, Europe, Australia, and Asia attain certification faster and cheaper. Find out how, with our 100% FREE no-commitment strategy session, you can certify 10x faster and 30x cheaper. Make an appointment now and book it now.
Stage 4
Once the internal audit has been completed and any major non-compliances have been addressed, stage 2, or ‘certification audit, begins. Here, an auditor will come on-site and conduct a more in-depth evaluation of your ISMS.
An audit should include a thorough documentation review, a field audit (interviewing colleagues and reviewing working practises), analysis, and a final report to management. An auditor will highlight any significant findings, observations, or opportunities for improvement that require further attention from management.
Management should discuss these with their auditor in a closing meeting and work out an action plan for conducting more in-depth gap analyses, risk assessments, or internal audits to address these issues. Your auditor will complete his or her report and submit it to your chosen certifying body, at which time your ISO 27001 certification will be officially conferred upon your business. Note: To keep its validity valid, it must be validated through surveillance audits each year.