SaaS businesses need to inspire confidence and trust about how they manage and establish data security to clock continued growth. And the best way to build such trust is to display it through independent and internationally-recognized accreditations of your security controls. The ISO 27001 certification is one such international recognition of the robustness of your security standards. It demonstrates your commitment to upholding global best practices in information security and adds to your competitive advantage.
The ISO 27001 audit, therefore, is critical to determining whether your organization meets the ISO 27001 requirements. But what does the ISO 27001 audit checklist entail? What are the auditors looking for? How can you know if you are audit ready? Read on to learn more about ISO 27001 audits, their types, how to prepare for them, and much more.
What is an ISO 27001 Audit?
An ISO 27001 audit is the review of your organization’s Information Security Management System (ISMS) to ensure that it meets the requirements of the ISO 27001 standard. The ISMS is an organized approach to maintaining the confidentiality, integrity, and availability of an organization’s information. It is based on the following:
1) identification of potential threats to your organization’s information through a risk assessment and
2) management of the identified risks by implementing security controls.
There are two types of ISO 27001 audits.
- Internal Audit
- External Audit
The ISO 27001 standard requires organizations to conduct internal audits before they present themselves to an accredited external auditor for certification.
What is an ISO 27001 Internal Audit?
ISO 27001 internal audits are conducted by the organization itself to evaluate whether its ISMS meets the requirements of the standard. These audits can be performed by an internal team (the ISO 27001 internal auditor) designated by management, or contracted out to external auditors.
The ISO 27001 internal audit is much like a reconnaissance before the external audit and looks for gaps, non-conformities and vulnerabilities in the ISMS. The internal audit will assess ISMS performance and review your documentation before producing an internal audit report.
But before we dive into what an internal audit report contains, let’s look at some of the steps that you should take before the internal audit:
Identify Business & Security Objectives
A clear alignment of your business and security objectives is a must. To do this, ask yourself which service, product, or platform your customers want ISO certified, and which of your processes and products are business-critical for the audit. Map your business needs to the security objectives (derived from customer requirements) and get your management’s buy-in. Remember to maintain a documentation trail for it all.
Define the scope of the audit
Select which information assets and systems to include in the ISMS in the Scope Statement, and prepare the Statement of Applicability (SOA) by detailing which Annex A controls apply to your organization. The SOA should include justifications for the inclusion and exclusion of controls. ISO 27001 has seven mandatory clauses (requirements) and 114 security controls grouped into 14 sections (Annex A).
Risk Assessment & Treatment Plan
Conduct an internal risk assessment of your assets and systems, identify the risks that could affect the confidentiality, integrity, and availability of the data they hold, assign a probability of occurrence to each risk and rate its impact level (high to low). The risk treatment (remediation) plan lists the procedures and measures to be taken to reduce the identified risks to an acceptable level. Again, keep clear documentation of it all.
Policies and procedures to control information security risk
The ISO 27001 audits are heavy on documentation and require the organization to set up policies and procedures to control and mitigate risks to its ISMS.
Implement employee awareness & training
Employees are the first line of defence in the event of cyber attacks, breaches and hacks. Therefore, employee awareness and certification training play a significant role in the ISO 27001 standards. Organizations must ensure their employees receive relevant and regular infosec education and training and periodic updates on organizational policies and procedures.
Monitor the ISMS
Monitor the ISMS, do a gap analysis, remediate, test more and monitor – this endless cycle can help you strengthen your ISMS. Continual improvement is the name of the game.
What does an ISO 27001 Internal Audit checklist entail?
As you are possibly discovering about ISO 27001 audits, the devil is in the detail and, yes, in documentation! Here’s a look at what the ISO 27001 internal audit checklist will be like:
The internal auditor will review all the documentation, ensure the audit scope covers the ISMS adequately, and evaluate the controls against the ISO standard for compliance.
The internal auditor will review the ISMS, conduct tests, and collect evidence to demonstrate what’s working and what isn’t. They will also talk to different teams to understand how they comply with the ISMS.
Internal Audit Report
Based on their findings and analyses, the auditor will present an internal audit report to the management. The report will contain the scope, objective and extent of the audit. It will also detail which policies, procedures and controls are working and which aren’t with evidence.
For instance, if your organization’s security policy says that you take system backups once a day and the auditor doesn’t find backup logs corroborating this, they will mark it as a non-conformity. Whether it is classified as a major or a minor non-conformity depends on factors such as the control’s criticality and the frequency of lapses.
The report also details corrective actions and recommendations, limitations and other observations. It includes remediation suggestions and course corrections to be made before your organization can present itself for an external audit.
The management goes through the internal audit report. The auditor and the management can discuss the list of major and minor non-conformities and action plans and review whether the organization is ready for the external audit and ISO certification.
*Note that ISO 27001 does not define how often an organisation must conduct an internal audit.
What is an ISO 27001 External Audit?
Once the internal audit gives a clean bill of health, the organization is ready to undergo an external audit. The process of the external audit is the same as that of an internal audit, the difference being that it leads to certification (or recertification, as the case may be).
The external audits are conducted as follows:
- Initial Certification Audit
- Periodic Surveillance Audits
- Recertification Audits
Initial Certification Audit
There are two stages in the initial certification process of ISO 27001 audits.
Stage 1 – Documentation Review
The external auditor reviews the documentation you created for ISO 27001, compares it to the ISO standard and checks for compliance. The auditor will ask to see all the documents created for the ISMS and will review them to ensure you have all the mandatory documents in place. While organizations can define the scope of their ISMS, smaller organizations should keep the entire organization in scope.
Apart from feedback, the Stage 1 ISO 27001 audit will end with an Audit Report, which will include an assessment of your ISMS, scope and certification, improvement areas and audit readiness, among other things.
You should complete the Stage 1 and Stage 2 ISO 27001 audits within six months of each other; otherwise, the Stage 1 audit may need to be repeated.
Stage 2 – Main Audit
The main audit entails an evidential audit (on a sample basis) to ascertain whether your organization is operating the ISMS per the ISO standard. The auditor will check whether your organization’s documents, policies, procedures and controls are implemented and operating effectively as per the standard, and whether they help meet your organizational objectives. The auditor will also evaluate the effectiveness of preventive and corrective actions and review the actions from the Stage 1 ISO 27001 audit to ensure the improvement requests have been incorporated.
For instance, if your documents state that a system backup is done once daily, the auditor will check the backup logs to verify it. If they find that it wasn’t done on a couple of occasions, it will be flagged as a minor non-conformity. But if it was never done, or not done for a protracted period, it would in all likelihood be raised as a major non-conformity. Minor nonconformities against a single requirement can add up and be considered a major one.
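The backup-log check described above is the kind of evidence test an organization can run on itself before the auditor does. The following is an added example, not code from the original article or from Sprinto: it parses a constructed backup log, lists the calendar days in the audit window with no successful run, and grades the gap against a daily-backup policy. The log format, the job name and the seven-consecutive-day threshold used to separate a "couple of occasions" (minor) from a "protracted period" (major) are assumptions made for the example; the article gives no such numbers.

```python
import re
from datetime import date, timedelta

# Constructed sample backup log for a 14-day audit window (not real data).
# Assumed line format: "<date> <time> <job> status=<status> ...".
# The 5th has only a failed run and the 9th has no run at all, so both are
# lapses against a policy that promises one successful backup per day.
SAMPLE_BACKUP_LOG = """\
2024-03-01 02:00:11 backup-db status=success bytes=52428800
2024-03-02 02:00:09 backup-db status=success bytes=52430012
2024-03-03 02:00:14 backup-db status=success bytes=52431100
2024-03-04 02:00:10 backup-db status=success bytes=52433333
2024-03-05 02:00:12 backup-db status=failed error=disk_full
2024-03-06 02:00:08 backup-db status=success bytes=52440000
2024-03-07 02:00:13 backup-db status=success bytes=52441000
2024-03-08 02:00:10 backup-db status=success bytes=52442000
2024-03-10 02:00:11 backup-db status=success bytes=52450000
2024-03-11 02:00:09 backup-db status=success bytes=52451000
2024-03-12 02:00:12 backup-db status=success bytes=52452000
2024-03-13 02:00:10 backup-db status=success bytes=52453000
2024-03-14 02:00:11 backup-db status=success bytes=52454000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) status=(\w+)")


def successful_backup_days(log_text, job):
    """Set of dates on which `job` logged at least one successful run."""
    days = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == job and m.group(3) == "success":
            days.add(date.fromisoformat(m.group(1)))
    return days


def missed_days(successful, start, end):
    """Every calendar day in [start, end] with no successful run, in order."""
    total = (end - start).days + 1
    window = [start + timedelta(days=i) for i in range(total)]
    return [d for d in window if d not in successful]


def longest_run(days):
    """Length of the longest run of consecutive days in `days`."""
    best = run = 0
    prev = None
    for d in sorted(days):
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def check_daily_backup_policy(log_text, job, window_start, window_end,
                              protracted_days=7):
    """Grade the log against a 'one successful backup per day' policy.

    Returns the missed days (ISO strings) and a finding of 'conformant',
    'minor' (isolated lapses) or 'major' (never done, or a gap of at least
    `protracted_days` consecutive days). The threshold is an assumption.
    """
    start = date.fromisoformat(window_start)
    end = date.fromisoformat(window_end)
    missed = missed_days(successful_backup_days(log_text, job), start, end)
    window_len = (end - start).days + 1

    if not missed:
        finding = "conformant"
    elif len(missed) == window_len or longest_run(missed) >= protracted_days:
        finding = "major"
    else:
        finding = "minor"
    return {"missed": [d.isoformat() for d in missed], "finding": finding}


if __name__ == "__main__":
    result = check_daily_backup_policy(SAMPLE_BACKUP_LOG, "backup-db",
                                       "2024-03-01", "2024-03-14")
    print(result)  # two isolated lapses -> minor non-conformity
```

Running the same check over an empty log, or over one whose last successful run is a week before the end of the window, yields a major finding, which mirrors the distinction the article draws between occasional lapses and a protracted absence of the control. The auditor asks for the log itself, so keep the raw lines rather than a summary as the evidence.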
Note that the auditor will ask for live evidence of compliance, such as logs. Screenshots aren’t acceptable. The auditor will go about evidence collection of compliance (or non-compliance) by checking your documentation, making personal observations and interviewing some of your employees.
At the end of the Stage 2 ISO 27001 audit, the auditor will submit a report including observations and a summary of the findings. It will detail minor nonconformities, major nonconformities and opportunities for improvement (OFI). Note that in case of major nonconformities, certification doesn’t require you to go through the entire process all over again. You must rectify the major nonconformities and share evidence of corrective action with the auditor. Minor nonconformities typically do not affect the recommendation for certification.
An ISO 27001 certification is valid for three years; however, it requires the organization to undergo Periodic Surveillance Audits every year.
Periodic Surveillance Audit
The Periodic Surveillance Audits are mandatory to maintain your ISO 27001 certification and aren’t as comprehensive as the Stage 2 ISO 27001 audit. The audit is usually done at the end of the first year and the second year after certification. The auditor goes through a similar process to that followed in the Stage 2 ISO 27001 audit and reviews nonconformities and corrective actions, document updates, and the maintenance and performance of the ISMS, among other things. The second surveillance audit will probably cover different aspects of your ISMS.
Again, a report detailing the findings and nonconformities is submitted to the management at the end of the audit. In case of major nonconformities, you must take corrective action and share evidence within three months. Failure to do this could risk your certification. Minor nonconformities, if any, also need to be corrected and their evidence shared with the auditor. These, however, don’t have a bearing on your certification status.
Recertification Audit
The Recertification Audit, much like your Stage 2 ISO 27001 audit, includes an examination of nonconformities from earlier audits and OFIs. It reviews the overall effectiveness of your ISMS, the scope of your certification and whether that scope is still appropriate three years later. The audit also includes a review of policies, procedures and controls and their operational effectiveness, corrective and preventive actions, evaluation of internal audits, and management reviews, to name a few.
The recertification audit results in a written report from the auditor with details of the findings, nonconformities and OFIs. It’s critical to address nonconformities before the end of the third year (from the date of your certification). Failure to do so can risk your certification status. It is, therefore, a good idea to time your recertification process three to six months before the end of the three years. Doing this leaves room for corrective actions in case of major nonconformities.
On successful completion of the audit, a new ISO 27001 certification is issued, and the three-year cycle of internal audit and surveillance audit will begin again.
Who can conduct an ISMS audit?
Only ISO 27001 certified auditors are qualified to evaluate and examine your ISMS for external audits. To qualify, they must work with a certification body and complete a specified number of audits and hours of training. And the final certification can be given only by a certification body.
ISO 27001 Certification Steps
Here’s a quick look at the entire ISO 27001 checklist with an overview of what needs to be done.
- Information Security Management System scope statement (Clause 4.3)
- Organizational information security policy (Clause 5.2)
- Risk management method (Clauses 6.1.2 and 6.1.3)
- Risk assessment and treatment plan (Clause 6.1.3e)
- Statement of applicability (Clause 6.1.3d)
- Annex A policies and procedures with controls
ISO 27001 Template – the Sprinto Way
Sprinto’s compliance automation platform is built to help SaaS firms make confident strides in their security journey. From intelligently mapping and minimizing risks to breaking down the entire process into simple, logical and easy-to-understand steps, your compliance experience with Sprinto is designed to be easy, error-free and fast.
From defining the scope of your ISMS to setting up robust information security policies, deploying entity-level checks and implementing infosec training programs for employees, Sprinto does everything for you. Sprinto’s continuous monitoring system not only validates your compliance with proof, it even alerts you when something isn’t done or done incorrectly. Sprinto replaces all the manual, error-prone, repetitive busy work with automation and gives you a dashboard view of it all!
Book a demo with us and learn about how Sprinto can help you.