How The ISO 27001 Audit Process Works & Questions

wondering woman sitting at a desk looking away from a laptop

Your company must successfully complete two audit stages to gain ISO 27001 certification: Stage 1 covers reviewing your ISMS documentation, while Stage 2 examines its implementation within your company.

Internal audits provide an effective means of testing ISMS processes and identifying areas for improvement, providing continuous progress towards making residual risk more acceptable.

wondering woman sitting on a couch next to a laptop

Stage 1

As part of the initial stage, your auditor will assess your documentation process, which includes how you document ISO 27001 policies and procedures. They’ll also ensure any mandatory documents, such as risk assessment methodologies, statement of applicability documents, internal audit reports, or management reviews, are in use and documented accordingly.

ISO 27001 mandates that your ISMS documentation be organised so it’s easily found, read, and understood by employees. That means making policies and procedures readily accessible; creating a central repository may be the solution here.

Please remember that your ISMS documentation is more than a mere record; it forms the cornerstone of your entire system and plays a pivotal role in successfully passing an ISO 27001 audit. Therefore, it’s critical that it remain accurate, current, and pertinent at all times.

Your auditor will look out for any nonconformities during their document review and list them in their report, categorising them into either major or minor nonconformities. Please be aware that if any major nonconformities arise, your ISO 27001 certificate may remain inactive until these issues have been corrected.

At this stage, your auditor will inspect ISMS Framework Clauses 4–10 and sample some Annex A controls; this process is commonly referred to as a “tabletop audit” or documentation review, with the primary goal being to ascertain whether your policies and procedures are actually being adhered to rather than just sitting on shelves somewhere.

Therefore, for maximum objectivity and the avoidance of conflicts of interest, it’s wise to hire separate firms for your ISMS documentation review and audit processes. This separation helps maintain impartiality.

At this point, your auditor will assess if your company is ready for the main part of the audit, which is an in-depth system evaluation and testing of ISMS controls. They’ll do this by visiting your workplace, interviewing staff, and looking through records such as documents, procedures, and reports.

Stage 2

The second stage of an ISO 27001 audit, known as a certification audit, involves an onsite visit from your certification body (CB). This step is crucial in showing that your ISMS actually exists rather than just sitting on paper; additionally, it ensures it functions according to plan.

This stage of an ISO 27001 audit can often be the most demanding. The Certified Body (CB) will assess how you put information security policies and controls into action, looking closely at both your ISMS as a whole as well as individual components like organisational structure, roles and responsibilities, security configurations, and responses to events like employee discipline or vendor terminations. The onsite phase typically lasts 1-2 weeks, with your team required to attend meetings and discussions regularly during that period.

In certain instances, your auditor may suggest not advancing to the next phase of an audit if they detect major issues with your information system. In such cases, they will give you enough time to address them before returning for another round of auditing.

Suppose any issues cannot be rectified before your designated audit date. In that case, your Certified Body (CB) will not certify your information system, making preparation as essential as ever for the stage 2 audit.

Your team should collect all relevant records related to ISMS setup for this stage of the audit, such as internal audit reports, management review minutes, training records, and improvement forms.

At this phase, the Certified Body (CB) will review all documentation to ensure accuracy and completeness, conduct walkthroughs of your ISMS, inspect supporting documentation, and evaluate any nonconformities identified as either major or minor; usually, they require that any significant nonconformities be fixed before issuing your certificate.

Stage 3

Your company has invested time and energy in building, establishing, and maintaining an information security management system. After its Stage 1 onsite audit, all internal audit reports, training records, improvement forms, and supplier lists have been recorded to build a solid foundation for ISO 27001 certification. Now it is time for certification!

At this phase, an external auditor will conduct tests of your controls and assess their ability to mitigate risk and support business processes. They’ll also review all documentation related to your ISMS, such as its statement of applicability, risk assessment report, and treatment plan, as well as interview personnel responsible for various processes, physical areas, or departments for an in-depth understanding of their perceptions regarding compliance with implemented controls.

Nonconformities discovered at this stage are crucial, as any noncompliance found can delay ISMS implementation and lengthen the certification journey significantly. Common issues at this point include failing to implement an internal audit programme, connecting the Statement of Applicability back to Risk analysis, or not creating a training and awareness programme for personnel.

Once the onsite inspection is completed, your auditor will provide a comprehensive audit report outlining any identified non-conformities and recommendations to address those nonconformities to meet both ISO 27001 standards and your own internal expectations.

Once all nonconformities have been corrected and you have passed your ISO 27001 certification audit, your auditor will submit a final report to an independent ISO certifier, who will award your company an ISO certificate. The ISO certificate demonstrates to consumers, investors, and other stakeholders that your organisation is meeting international information security standards in terms of managing data safely by GDPR or HIPAA compliance pressures, assuring their trust that their data is secure.

Final Report

After your audit, your auditor will present a final report. This document is an integral part of auditing and should be shared with management to enhance ISMS compliance with the ISO 27001 standard. A good report should include an accurate description of findings as well as recommendations to improve ISMS performance; any major or minor findings must also be outlined along with plans on how they will be addressed in future audits.

An informative summary report can help enhance your ISMS and prepare for audits in the future. Keep this report current as your ISMS evolves, as you’ll need to refer back to it periodically to check that processes are running as intended.

After reviewing the initial scoping documentation, an auditor will typically move on to the next phase of an audit, the second-level audit. This audit takes a more in-depth approach by inspecting clauses of ISO 27001 rather than Annex A controls, using your Statement of Applicability as evidence that your ISMS meets requirements set by this framework, and using Statement of Applicability information from you to make their determinations. Typically, this stage takes place onsite.

The second-level audit is a more in-depth assessment of your ISMS than the first. Your auditor will review all evidence pertaining to it, such as its scope. They’ll also look at its effectiveness and ability to effectively control information security risks using a risk-based approach, specifically examining any risks identified during risk assessments and any efforts by your ISMS that aim to treat, transfer, or eliminate them.

An internal audit of your ISMS is an integral step of the ISO 27001 certification process, yet it can be daunting. With adequate preparation and knowledge, an internal audit should be a positive experience for you and your organisation. Use this blog post’s five-step checklist as an effective way to prepare yourself and be ready for external auditors!