So, previously, we looked at how to get started on your 27001 project and followed up with steps to follow when implementing iso 27001. We’ve glazed over some of the nuances around implementing particular controls and with good reason. Every business can implement controls differently. There is an extensive spectrum of what is considered ‘okay’ for 27001; however, it really is down to your business’s risk appetite as to how diligently you implement those controls.
Let’s move on to understanding what the external audit process looks like when implementing iso 27001.
All certification audits follow a standard format, and I’ll try to break down the expectations for you. The first thing to note is that there could be a significant lead time to book your audit, so make sure you plan ahead. Picking a company to audit your business is no different to choosing a supplier to provide any other service. Speak to a few of them and get a gut feeling of whether they are a good fit for your organisation. Some are more expensive than others, and some auditors tend to be more pragmatic. Get some quotes and ask for some lead times.
Once you’ve picked your auditing company, they typically want to arrange dates for the first part of your audit.
Certification audits are divided into two separate audits. The first is called Stage 1, and the second is Stage 2. So, what’s the difference?
Stage 1 audits look at your ISMS readiness. The auditor will want to check that the ISMS you built meets all the standard's requirements stated in clauses 4-10. In my original blog, I recommended you purchase the standard, which is why. The standard states precisely what is required. The difficulty comes in interpreting the written words into something tangible that you can evidence. The auditor’s job is to tease out of you how you’ve gone about implementing each of those clauses and making sure it’s been understood correctly. In my experience, the majority of the audit time is spent understanding how you have managed risk.
Which risks have you logged, and which controls have you decided to implement in order to build your statement of applicability? At this stage, there should not be much emphasis on how you have implemented the controls. The auditor should be more interested in how you have determined which controls are relevant. There does tend to be some scope creep here, and plenty of auditors will want to see examples of control implementation. Don’t be surprised if it happens, but as you’re well prepared, you can answer any questions they might have at this stage.
What else will I have to evidence other than risk?
Well, you will need to prove you have an effective internal audit plan; they will want to understand and see evidence of how you are managing non-conformance and continual improvement, as well as how you are monitoring the performance of your ISMS and completing the appropriate management reviews.
That sounds difficult. What happens if I miss something?
There are a few possibilities. Missing something significant can result in a termination of the audit. Honestly, I’ve never seen this, and if you’ve done enough due diligence prior, then it is pretty unlikely. The other scenario is you will receive a minor conformance or an improvement request at the end of the audit. You will then have some time to fix whatever the issue was prior to your stage 2 audit. Don’t be annoyed if you pick up some level of non-conformance. It happens; people are human, and small mistakes can happen. Just make sure it’s resolved prior to your stage 2.
So, what happens in the stage 2 audit?
This is where you get to show the auditor how you have implemented the controls in your Statement of Applicability. These are usually show-and-tell sessions where the auditor will ask you to explain how you did something and then ask you to demonstrate what you did. Evidence is key here:
Do you have the signed contract for the new starter?
A helpdesk ticket for setting up their new accounts that you can show the auditor.
Some proof that they have read your policies.
Can you provide evidence their laptop was built correctly, that is, has appropriate disk encryption and anti-virus deployed?
These are all examples of what they might want to see. Remember, there are over 90 controls to choose from, and each one will need to be evidenced where possible.
What happens if I can’t evidence a specific control?
Good question! Some controls are more challenging to evidence than others. If you have an incident response plan but have had no incidents, then you can’t have proof that the plan is followed. This is normal. You can’t fail for not being able to positively evidence something.
Your auditor will now spend a number of days collecting evidence. They have a few different findings they can capture against each control that you have marked as applicable.
Compliant – everything is implemented as described and is ok.
Opportunity for Improvement – Its possibly meeting the requirement but adding some additional level of control may provide some benefit. The auditors have to be careful here as they are not allowed to consult whilst conducting audits. You may get some informal or ‘off the record’ advice also. Take it positively and decide if you want to implement any of those changes or not. You’re under no obligation to implement any opportunities for improvement.
A Minor non-conformance – the control didn’t quite hit the mark. Something was missed. A Step in a process wasn’t followed. There can be loads of reasons for picking these up. Some examples might be that your asset register was missing a device, or perhaps your supplier register was missing a supplier. Any minor non conformance will need to be resolved and evidence sent to the certifying company prior to you being issued with a certificate.
A Major Non-Conformance – You missed something big. The wording in the standard is that there is a material breakdown in the ISMS. Some examples might be no one has had any information security training; there is no asset register, none of the documents in your ISMS is version-controlled and changes are made to them without any appropriate procedure being followed. Perhaps you have not completed any management reviews.
A major non conformance may cause an auditor to end the audit, so it pays to make sure everything is in place when implementing iso 27001, prior to a stage 2 audit taking place.
Conclusion:
Audits always feel scary. The fear of the unknown can be enough to put anyone off. Don’t let it, though. Most auditors are really friendly and will work with you so you can provide positive evidence. If you think that you want some assistance, we can help. That can either be sitting in the audits with you or working through a pre-audit scenario to give you the confidence that you have everything you need to sit the audit by yourself.