If your organization has implemented ISO 27001, it must be audited by an accredited auditor to be certified. An ISO 27001 audit reviews your organization’s information security management system (ISMS) against a set of defined standards.
Certification is not the end of the process. Maintaining it involves more work, both for you and for the certifying body. This is where an ISO 27001 surveillance audit comes in.
What is an ISO 27001 surveillance audit?
An ISO 27001 surveillance audit is a part of a continuous evaluation process that ensures that your organization is adhering to the standards. The certification body sends an auditor to determine if the management system is still functional and meeting the key requirements.
In other words, the auditor checks whether your organization actually operates the way it claims to, as the compliance framework expects. ISO 27001 surveillance audits are intensive in nature but may not cover every aspect of a business. These audits commonly include a review of:
- Your management
- Performance of key processes
- Processes to prevent and respond to incidents
- Internal auditing processes
- Areas of non-adherence
- Issues of serious concern
- Documents and records
- Implementation of recommendations from the internal audit
The ISMS surveillance audit enables you to demonstrate how your organization implements continuous improvement to meet the requirements. One of its primary focuses is to find out how well the non-conformities from the previous audit are addressed. The surveillance audit for ISO 27001 also helps you prepare for the recertification audit.
Major non-conformities indicate that your systems and processes are insufficient to protect sensitive data. Even minor failures or gaps in the system are a cause for concern, as they could lead to substantial damage. If non-conformities are found, you are responsible for correcting them to keep the certification valid.
ISO 27001 surveillance audit frequency
ISO 27001 surveillance audits are conducted in the year after your ISO certification and in the year that follows. Surveillance audits are normally conducted once a year, but in many cases they may be conducted twice, depending on business requirements.
The initial ISO 27001 certificate is valid for three years from its date of issue.
How to prepare for an ISO 27001 surveillance audit
When it comes to ISO 27001 surveillance preparation, there is no strict checklist, and there is no right or wrong way to approach the surveillance visit. However, preparation involves a lot of work and depends heavily on internal resources.
Below are the 9 steps to prepare for the ISO 27001 Surveillance audit:
Set an agenda
First things first, you need to have the agenda ready for the visit. The agenda should be specific to your business needs. Usually, the certification body will already have a copy from the last report.
Conduct internal audit
Internal audits help you understand whether the current system aligns with the scope statement. Identify your business-critical objectives and document the crucial processes. Conduct a risk assessment and address the high-priority risks. Create a report of the findings and observations.
Confirm the location
Once you have that ready, confirm the location where the audit will take place. While this may not be an urgent task on your checklist, it is crucial to settle when you have multiple locations.
Create a day-wise plan
If your surveillance audit is to be conducted over multiple days, it is good practice to plan out where the auditor will be on each day.
Inform your employees
Keep your employees in the loop about the agenda and locations. Briefing them helps everyone plan their schedule around it. For example, ISO 27001 covers asset management and human resource security, which primarily concerns the security administrators and the HR department. If you discuss the agenda with them before the visit, it enables them to assist the auditor more effectively.
If you are a fully remote organization, have your department heads detail the practices and measures they’ve implemented to ensure compliance.
Keep all management systems and records updated before the visit so that all the data is ready to pull when needed. Also, check the non-conformities from the previous visit and ensure that you have implemented all recommendations.
Check changes and processes
Check whether any new changes have been implemented and whether they affect the scope of your ISO 27001 audit. At this stage, you should verify that the latest additions to your processes are working as they should and are included within the scope. The central idea here is to show that you are following your policies.
Since the pandemic, many surveillance audits for ISO 27001 are conducted remotely. If that is the case for your organization, you need not worry about the nitty-gritty of an on-site inspection.
The auditor will ask a lot of questions to understand how your security infrastructure aligns with the objectives of your selected controls. Be prepared and be specific; this helps the auditor understand better and also shortens the surveillance visit.
Once you undergo one or more surveillance visits, you can use the takeaways as a checklist to prepare for the next one.
Also check out: ISO 27001 checklist
ISO 27001 is a lengthy list that adds a lot of work to your business. We know you would rather focus on things other than compliance – which is tedious but crucial.
Sprinto’s compliance automation for ISO 27001 helps you check off the requirements of this long list. Its continuous monitoring solution, combined with an employee training module, helps you comply faster and more easily. With Sprinto you can also perform internal audits, gain visibility into your current systems, and spot areas that need improvement to stay compliant.
Talk to our compliance experts today to sail through your ISO 27001 journey.
What’s the difference between ISO surveillance and ISO audit?
ISO surveillance is an intensive audit that does not necessarily cover every aspect of a company. The business must adequately address all non-conformities. It is conducted every year.
ISO certification, on the other hand, is comparatively less intensive in nature and is conducted in two stages. An ISO certification is valid for three years, during which the auditor checks that everything is functioning as it should. These checks are the surveillance audits.
Is ISO surveillance audit compulsory?
Yes. Once you are ISO certified, these checks are compulsory to ensure that all processes are functioning as documented, or as they ideally should.