
ISO 27001 Audit & Implementation

For those new to ISO 27001, the audit process can indeed appear daunting. It’s a substantial, complex task that even seasoned professionals may find challenging. However, like many challenges, adequate preparation can help alleviate concerns. As you gain a better understanding of the process, it becomes less intimidating.

If your organisation is pursuing certification with the assistance of a consultancy like Red5, you can expect a pre-certification audit and assurance exercise to be conducted before your scheduled certification audit. This preliminary step aims to assess whether your Information Security Management System (ISMS) aligns with all the necessary criteria.

Think of this as a pre-certification “dry run” or “rehearsal” audit. It serves several purposes:

Issue Identification:
It helps identify potential issues that can be addressed before the actual certification audit.

Familiarisation:
It allows your organisation’s members to become familiar with the audit process, reducing anxiety on the actual certification day.

The certification audit itself is conducted by an independent, accredited third-party certification body (CB) selected by your organisation, and consists of two stages: the ‘Stage 1’ and ‘Stage 2’ audits. Note that a consultancy which helps you build the ISMS cannot also certify it; certification is only ever issued by the CB.

Stage 1 Audit:

The Stage 1 audit is often referred to as a ‘documentation review’ audit. During this stage, the assigned auditor examines your ISMS documentation to confirm that the ISMS has been designed in line with both the ISO 27001 requirements and your organisation’s own defined scope and criteria. Your organisation must provide evidence of the core elements of the ISMS, such as the ISMS scope, the information security policy, the risk assessment and risk treatment process, the Statement of Applicability, and the supporting policies and procedures. The exact set of documents requested depends on the certification body’s requirements.

This stage is more of an ‘investigation’ or ‘exploration’ audit. The auditor conducts a high-level review to understand your ISMS and assess the design of your security controls, and typically also confirms that at least one cycle of internal audit and management review is planned or complete. The length of this assessment varies with your organisation’s size and industry. After the Stage 1 audit, the auditor will report any nonconformities and areas of concern and suggest improvements. Nonconformities are typically categorised as minor or major; major ones must be resolved before Stage 2 can proceed, and minor ones need a credible corrective action plan.

Stage 2 Audit:

If your organisation successfully clears the Stage 1 audit, the auditor will proceed to the Stage 2 audit, often referred to as the ‘certification audit.’ This stage involves a comprehensive, on-site assessment to confirm that your ISMS complies with ISO 27001.

During this assessment, the auditor reviews activities and procedures in greater depth, checking that they are actually operating as documented and that they satisfy the requirements of the standard and the controls declared in your Statement of Applicability. The auditor also conducts meetings and interviews with key staff to validate compliance. Evidence that the ISMS works in practice, not just on paper, is sought: internal audit results, management review records, risk treatment progress, and records showing that individual controls have been operated (for example access reviews, change records, and incident logs).

If your organisation passes this stage, the auditor will recommend it for certification, subject to an internal review by the certification body. Once this process is completed, your organisation will receive an ISO 27001 certificate, valid for three years.

To maintain your certification, the certification body carries out annual surveillance audits during the first two years of the cycle, followed by a full recertification audit before the certificate expires at the end of the third year. Here are some measures for maintaining your certification:

  • Keep your certification body informed of any changes affecting certification scope.
  • Ensure key technical staff maintain their competence through training and sector event participation.
  • Stay updated on regulatory changes in your sector.
  • Subscribe to updates from your certification body and from standards publishers, so that revisions of the standard itself (for example the move from ISO/IEC 27001:2013 to ISO/IEC 27001:2022) and their transition deadlines are not missed.
  • Notify relevant parties in advance of any premises relocation.
  • Implement an internal audit regime.
  • Maintain effective document control.
  • Retain quality and technical records.
  • Adopt the PDCA (Plan-Do-Check-Act) model for continual improvement of the ISMS and its security processes and activities.


By following these measures, organisations can successfully maintain their ISO 27001 certification and ensure ongoing information security governance.


For more information on how Red5 can support your organisation, get in touch with our team for a confidential conversation.
