Information Security Management System Audit
An audit is a tool commonly used to verify that an activity satisfies a set of defined criteria. In the standards industry, audits are an inextricable part of the certification process and consist of a formal examination of an organisation’s management system to ensure that it meets the requirements of the standard sought. Not only that, audits conducted consistently and at regular intervals ensure that the management system is functioning effectively and efficiently and in alignment with organisational objectives.
ISO 27001 audit, what should we do?
An ISO/IEC 27001 — Information security management (ISO 27001) audit is a systematic, independent, objective and documented process used to evaluate, confirm, and verify activities related to information security within an organisation. It entails having a certified auditor evaluate the organisation’s information requirements and objectives for the Information Security Management System (ISMS) and complete a thorough review of all the relevant elements of their ISMS before testing them against the ISO 27001 standard requirements.
Moreover, the auditor will ensure that all implemented policies, processes, and controls are practical and efficient in terms of their ability to manage the organisation’s information security risks to a level that is tolerable and that is satisfactory to the risk owner.
What are the two types of audits for ISO 27001?
Organisations are advised to conduct internal audits to ensure they comply with the ISO 27001 standard before they engage a Certification Body to conduct the external audit, also known as the certification audit.
- Internal audit
Internal audits are audits conducted prior to the certification audit to ensure compliance against the ISO 27001 standard. They can be conducted using the organisation’s own resources, or can sometimes require external help, as is often the case with smaller organisations that do not possess sufficient human resources. These end up engaging what is referred to as a second party auditor. The services of a second party auditor can be requested at certification consultancies such as Edara Systems.
- External audit
External audits are audits conducted by a Certification Body with the objective of granting or extending certification. External audits may also refer to audits conducted by other interested parties with the aim of gaining a better understanding of the organisation’s compliance with their standards.
The importance of ISO 27001 audits
Audits are the most reliable way of determining if your ISMS is properly managed and performing at a level that matches the objectives set out by the organisation. Audits provide extra assurance and are a critical element of ensuring compliance with the ISO 27001 standard.
Auditing your ISMS plays a crucial role in ensuring that:
- You comply with Clause 9.2 of the ISO 27001 standard which dictates that organisations must conduct regular internal audits
- The ISMS is effectively implemented and managed
- The ISMS satisfies the requirements of the standard
- The ISMS fulfills organisational requirements
- The ISMS contributes effectively to information security risk reduction
- Nonconformities and corrective actions are promptly actioned
- Information security weaknesses, events, threats and incidents are reported, controlled, and corrected in the most effective and efficient manner.
ISO 27001 internal audit process
Documentation review: consists of reviewing all manuals, policies, procedures and all other relevant documents to determine whether they still fulfill their intended purpose, and if not, applying the necessary changes to bring them up to par.
Field review: this part of the process requires collecting evidence that demonstrates compliance with policies and shows how standards and procedures are being implemented.
Analysis: the auditor reviews the information collected in the previous steps to determine if the ISO 27001 standard requirements are being met.
Audit report: as per Clause 9.2, a report must be generated and presented to upper management.
Management review: as per Clause 9.3, management is required to review the audit findings and take any necessary corrective actions.
ISO 27001 external audit process
External audits follow essentially the same process as internal audits, only they are carried out by certified auditors assigned by the Certification Body, who will decide on the programme of your certification audits following a systematic requirement. External or certification audits result in the award or extension of ISO 27001 certification.
Auditing types and frequencies
Initial certification audit
Consists of 2 stages:
- Documentation review: to confirm that the organisation possesses all documentation necessary for a functional ISMS.
- Evidential field audit: to verify that the organisation’s utilisation of the ISMS conforms with the standard.
Periodic surveillance audits
Frequency: 1-2 a year. Can happen anytime after certification and before recertification. It usually focuses on specific elements of the ISMS.
Recertification audit
Frequency: every 3 years. As opposed to the surveillance audit, the recertification audit consists of a thorough review of the ISMS and covers all areas of the ISO 27001 standard.
Interested party audits
Interested party audits are audits that are requested by a potential client, a project partner, or a regulatory entity. In the event of an interested party audit, the party requesting the audit will create an audit programme based on their own requirements.