ISO 27001 Audit: How to Conduct Successful Audit?
May 25, 2023
SaaS businesses need to inspire confidence and trust about how they manage and establish data security to clock continued growth. And the best way to build such trust is by gaining independent and internationally-recognized accreditations for your security controls.
The ISO 27001 certification is one of the most recognized international security standards. It demonstrates your commitment to upholding global best practices in information security and adds to your competitive advantage.
The ISO 27001 audit, therefore, is critical to determining whether your organization meets the ISO 27001 requirements. But what does the ISO 27001 audit checklist entail? And what are the auditors looking for? How can you know if you are audit-ready?
Read on to learn more about the ISO 27001 audit process, its types, and how to prepare for it.
What is an ISO 27001 Audit?
An ISO 27001 audit is the review of your organization’s Information Security Management System (ISMS) to ensure that it meets the requirements of the ISO standard. The ISMS is an organized approach to maintaining the confidentiality, integrity, and availability of an organization’s information.
It helps in (1) the identification of potential threats to your organization’s information through a risk assessment and (2) the management of the identified risks by implementing security controls.
What are the requirements of an ISO 27001 audit?
The requirements for the ISO 27001 internal audit are described within the standard’s own text. All of them fall under Clause 9.2 of the ISO 27001 standard. Let’s have a look at the sub-clauses to understand each requirement.
- Clause 9.2a – This clause states that you need to conduct internal audits at regular, planned intervals to provide information on whether your ISMS conforms to your organization’s own requirements for its ISMS.
- Clause 9.2b – This clause states that your internal audit needs to conform to the requirements of the ISO 27001 standard.
- Clause 9.2c – This clause states that the audit program must be planned, established, put into action, and maintained. This includes its frequency, procedures, roles, and reporting needs.
- Clause 9.2d – This clause requires you to define the audit criteria and scope for each audit. This should be documented to ensure that audit objectives are met.
- Clause 9.2e – This clause requires you to select auditors in a way that ensures the audit process is conducted objectively and impartially.
- Clause 9.2f – This clause requires that, upon successful completion of the audit, the results be reported to the relevant management.
- Clause 9.2g – This clause requires you to retain and document all the information regarding the audit process and results. This is also a requirement for ISMS owners under Clause 7.5.3.
Now that we understand the audit requirements, let’s look at the types of ISO 27001 audits.
What are the types of ISO 27001 Audits?
There are two types of ISO 27001 audits.
- Internal Audit
- External Audit
The ISO 27001 standard mandates organizations to undergo internal audits before they present themselves to an accredited external auditor for certification. Let’s take a look at both types of audits and the steps involved in each of them.
ISO 27001 internal audit
ISO 27001 internal audits are carried out by the organization itself to evaluate whether its ISMS meets the requirements of the standard. The management can designate an internal team (known as the ISO 27001 internal auditor) or contract the audits out to external auditors.
The ISO 27001 internal audit is much like a reconnaissance exercise: it is the practice of looking for gaps, non-conformities, and vulnerabilities in the ISMS before the external audit.
How to get started with an ISO 27001 internal audit?
Before we dive into what an internal audit report contains, let’s look at the steps that you should take to get started with the internal audit process.
1. Identify business and security objectives
A brief alignment of your business and security objectives is a must. To do this, ask yourself which service, product, or platform your customers want ISO certified, and which of your processes and products are business-critical and therefore in scope for the audit.
2. Define the scope of the audit
Select which information assets and systems to include in the ISMS in the Scope Statement, and ready the Statement of Applicability (SOA) by detailing which Annex A controls apply to your organization.
3. Risk assessment and treatment plan
Conduct an internal risk assessment of your assets and systems, identify the risks that could impact data confidentiality, integrity, and availability for these, assign a probability of their occurrence, and peg the impact levels (high to low). The risk treatment involves procedures to be taken to decrease the identified risks to an acceptable level.
4. Policies and Procedures to control information security risk
The ISO 27001 audits are heavy on documentation and require the organization to set up policies and procedures to control and mitigate risks to its ISMS.
5. Implement employee awareness & training
Employees are the first line of defense in the event of cyber attacks, breaches, and hacks. Therefore, employee awareness and certification training play a significant role in the ISO 27001 standards.
6. Monitor the ISMS
Monitor the ISMS, do a gap analysis, remediate, test more, and monitor – this endless cycle can help you strengthen your ISMS. Continual improvement is the name of the game.
What does an ISO 27001 internal audit checklist look like?
As you may discover about ISO 27001 audits, the devil lies in the details—and the details are usually in the documentation. Here’s what the ISO 27001 internal audit checklist looks like:
1. Documentation review
The internal auditor will review all the documentation, ensure the audit scope covers the ISMS adequately, and evaluate the controls against the ISO standard for compliance.
2. Field review
The internal auditor will review the ISMS, conduct tests, and collect evidence to demonstrate what’s working and what isn’t. They will also talk to different teams and understand how they comply with the ISMS.
3. Internal audit report
Based on their findings and analyses, the auditor will present an internal audit report to the management. The report will contain the scope, objective, and extent of the audit. It will also detail which policies, procedures, and controls are working and which aren’t with evidence.
4. Management review
The management goes through the internal audit report. The auditor and the management can discuss the list of major and minor non-conformities and action plans and review whether the organization is ready for the external audit and ISO certification.
ISO 27001 external audit
Once the internal audit gives a clean chit, organizations are ready to undergo an external audit. The process of the external audit is the same as that of an internal audit, the difference being that it leads to certification (or recertification, as the case may be).
The external audits are conducted as follows:
- Initial certification audit
- Periodic surveillance audits
- Recertification audits
How to get started with an external certification audit
There are two stages in the initial certification process of ISO 27001 audits.
1. Documentation Review
The external auditor reviews the documentation created for ISO 27001, compares it to the ISO standard, and checks for compliance. The auditor will verify all documents created for the ISMS and will review them to ensure you have all the mandatory documents in place.
While organizations can define the scope of their ISMS, smaller organizations should keep the entire organization in scope.
Apart from feedback, the Stage 1 ISO 27001 audit will end with an Audit Report, which includes an assessment of your ISMS, scope and certification, improvement areas, and audit readiness, among other things.
You should complete the Stage 1 and Stage 2 ISO 27001 audits within six months of each other; otherwise, the Stage 1 audit may need to be repeated.
2. Main Audit
The main audit entails an evidential audit (on a sample basis) to ascertain if your organization is operating the ISMS per the ISO standards.
The auditor verifies that your organization’s documents, policies, procedures, and controls are implemented and operating effectively as per the standard and meet your organizational objectives.
The auditor assesses the effectiveness of preventive/corrective actions and reviews the Stage 1 ISO 27001 audit actions to ensure the incorporation of improvement requests.
For example, if your documents indicate daily system backups, the auditor will verify this by checking the backup logs. Missing backups on a few occasions would be flagged as a minor non-conformity, while a prolonged period without backups or no backups at all would likely be raised as a major non-conformity.
Minor nonconformities against a single requirement can add up and be considered a major one.
The auditor requires live evidence of compliance, such as logs (screenshots not accepted), obtained through documentation review, personal observations, and employee interviews.
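The backup-log verification described above, written out as an added example that is not part of the original post: it parses a backup job log, lists the days in the review window with no successful backup, groups them into consecutive gaps, and classifies the result as conformant, minor, or major in the way the post describes (a few missed days as minor, a prolonged gap or no backups at all as major, and several small gaps adding up to a major). The log format, the sample lines, and the numeric thresholds are constructed assumptions for this example; ISO 27001 itself sets no such numbers, and the auditor's judgement decides in practice.

```python
"""Continuity check over a daily-backup log, the kind of live evidence an
auditor compares against a "daily backups" policy statement.

The log format, sample lines and thresholds below are constructed for this
example; they are not taken from any real system or from the standard.
"""
import re
from datetime import date, timedelta

# Constructed sample log: one line per backup job, "<date> <job> <status>".
SAMPLE_LOG = """\
2023-04-01 nightly-db SUCCESS
2023-04-02 nightly-db SUCCESS
2023-04-03 nightly-db FAILED
2023-04-04 nightly-db SUCCESS
2023-04-05 nightly-db SUCCESS
2023-04-06 nightly-db SUCCESS
2023-04-07 nightly-db SUCCESS
2023-04-08 nightly-db SUCCESS
2023-04-09 nightly-db SUCCESS
2023-04-10 nightly-db SUCCESS
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(SUCCESS|FAILED)\s*$")

# Assumed classification thresholds (not from ISO 27001): one run of more than
# MAJOR_GAP_DAYS consecutive missed days, more than MAX_TOTAL_MISSED missed
# days in total, or no successful backup at all is treated as major; any
# smaller shortfall is treated as minor.
MAJOR_GAP_DAYS = 7
MAX_TOTAL_MISSED = 3


def parse_log(text):
    """Return the set of dates on which a successful backup is evidenced.
    Lines that do not match the expected format are skipped rather than
    guessed at: an auditor cannot count what the log does not show."""
    successes = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, _job, status = m.groups()
        if status == "SUCCESS":
            successes.add(date.fromisoformat(day))
    return successes


def missing_days(successes, start, end):
    """Every day in the closed window [start, end] with no successful backup."""
    span = (end - start).days + 1
    return [start + timedelta(days=i)
            for i in range(span)
            if start + timedelta(days=i) not in successes]


def gaps(missing):
    """Group consecutive missing days into (first_day, length) runs."""
    runs = []
    for d in missing:
        first, length = runs[-1] if runs else (None, 0)
        if runs and d - first == timedelta(days=length):
            runs[-1] = (first, length + 1)
        else:
            runs.append((d, 1))
    return runs


def classify(log_text, start, end):
    """Classify backup evidence for the window start..end (ISO date strings).
    Returns (verdict, gaps) with gaps as (iso_date, length_in_days) tuples."""
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    successes = parse_log(log_text)
    runs = gaps(missing_days(successes, start_d, end_d))
    report = [(d.isoformat(), n) for d, n in runs]
    if not runs:
        return "conformant", report
    total_missed = sum(n for _, n in runs)
    if (not successes
            or any(n > MAJOR_GAP_DAYS for _, n in runs)
            or total_missed > MAX_TOTAL_MISSED):
        return "major", report
    return "minor", report


if __name__ == "__main__":
    # The constructed sample has a single failed night, so it reports "minor".
    print(classify(SAMPLE_LOG, "2023-04-01", "2023-04-10"))
```

The check deliberately counts only explicit SUCCESS lines: a FAILED line, a malformed line, or a missing line all count as a day without evidence, which mirrors the auditor's position that the burden is on the log to demonstrate the control operated.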
At the end of the Stage 2 ISO 27001 audit, the auditor will submit a report including observations and a summary of the findings. It will detail minor nonconformities, major nonconformities and opportunities for improvement (OFI).
Note that in the case of major nonconformities, certification doesn’t require you to go through the entire ISO 27001 audit process all over again. You must rectify the major nonconformities and share evidence of corrective action with the auditor. Minor nonconformities typically do not affect the recommendation for certification.
The ISO 27001 certification is valid for three years; it does, however, require the organization to undergo periodic surveillance audits every year.
3. Periodic surveillance audit
The periodic surveillance audits are mandatory to maintain your ISO 27001 certification and aren’t as comprehensive as the Stage 2 ISO 27001 audit. They are usually conducted at the end of the first and second years after certification.
The auditor follows a similar process to the Stage 2 ISO 27001 audit, reviewing nonconformities, corrective actions, document updates, maintenance, and ISMS performance, among other things. The second surveillance audit would probably go over different aspects of your ISMS.
A report with findings and nonconformities is submitted to management at the end of the audit. Corrective action and evidence must be provided within three months for major nonconformities.
Failure to do this could risk your certification. Minor nonconformities, if any, also need to be corrected, and their evidence shared with the auditor. These, however, don’t have a bearing on your certification status.
4. Recertification audit
The recertification audit, much like your Stage 2 ISO 27001 audit, includes an examination of nonconformities from earlier audits and OFIs. It reviews the overall effectiveness of your ISMS, the scope of your certification, and whether that scope is still appropriate three years on.
The audit includes reviewing policies, procedures, controls, operational effectiveness, corrective/preventive actions, internal audits, and management reviews, among others.
The ISO 27001 audit result is a written report from the auditor with details of the findings, non-conformities, and OFIs. It’s critical to address nonconformities before the end of the third year (from the date of your certification). Failure to do so can risk your certification status. It is, therefore, a good idea to time your recertification process three to six months before the end of the three years.
Doing this would leave room for corrective actions in case of major non-conformities. On successful completion of the audit, a new ISO 27001 certification is issued, and the three-year cycle of internal audit and surveillance audit will begin again.
Who Performs ISO 27001 Audit?
Generally, an external auditor with relevant experience and certification performs the ISO 27001 audit to assess the organization’s compliance with the set standards and requirements by examining the ISMS. The external auditor can be either an individual or a third-party auditor firm that performs ISO 27001 audits.
An internal auditor can also perform the ISO 27001 audit. To perform an audit, they should have completed a specified number of audits and hours of training. However, the final ISO certification is issued by the certification body itself.
How Long Does it Take to Complete ISO 27001 Audit?
The ISO 27001 audit has two phases, which together take up to 6 months to complete. After the first phase of on-site inspection and documentation audit, the organization needs to work on correcting non-conformities to get ready for the second phase. The time the Phase 2 audit takes varies with the size of the organization and the number of major non-conformities.
So, if you address the non-conformities by implementing your ISMS in an efficient and compliance-driven way, the audit process will take less than 5-6 months.
What happens if you fail an ISO 27001 audit?
Failing an ISO 27001 audit poses the risk of having the certified status revoked until the organization addresses the audit concerns. An external audit often uncovers areas of improvement and issues within the ISMS that require attention.
After failing an ISO audit, you can analyze your security posture and your ISMS to improve compliance and implement the required changes to get back on track. The certification body gives you enough time to rectify the issues found in the audit.
Generally, organizations conduct an internal assessment after a failed audit to review the company’s systems. This allows you to identify and fix any non-conformities effectively.
The Sprinto Way
Sprinto’s compliance automation platform is built to help SaaS firms make confident strides in their security journey. From intelligently mapping and minimizing risks to breaking down the entire process into logical, tactical steps, your compliance experience with Sprinto is designed to be easy, error-free, and fast.
From defining the scope of your ISMS to setting up robust information security policies, deploying entity-level checks, and implementing infosec training programs for employees, Sprinto does everything for you.
What is ISO audit for?
Companies conduct an ISO audit to analyze and verify processes related to the quality and security of the services/products, ensuring effective implementation of the information security management system.
Who can audit ISO 27001?
Both internal and external auditors can perform the ISO 27001 audit to assess the organization’s compliance with the ISO standards and requirements.
Who can perform an ISMS external audit?
ISO 27001-certified auditors, who work with a certification body, are the only ones qualified to evaluate and examine your ISMS for external audits. To qualify, they must complete a specified number of audits and hours of training. The certification body is responsible for granting the final certification.
Gowsika is an avid reader and storyteller who untangles the knotty world of compliance and cybersecurity with a dash of charming wit! While she’s not decoding cryptic compliance jargon, she’s oceanside, melody in ears, pondering life’s big (and small) questions. Your guide through cyber jungles, with a serene soul and a sharp pen!