Welcome to the third and final installment of Tugboat Logic’s ISO 27001 Bootcamp series. In the first and second installments, we looked at how to scope the audit project, implement ISO 27001 clauses and understand Annex A Controls.
In part three we look at the external audit process with the help of Chris Denton, Manager, Cyber and Risk Advisory Services at Marcum LLP. Chris leads the firm’s ISO practice and took some time to answer questions about the audit process for ISO 27001 during an AMA-style session. Chris’s responses are edited and condensed for clarity but check out the video if you want to get into the nitty-gritty details!
When Should Our Company Start Looking for an Auditor?
As soon as possible! You want to find an auditor that you feel comfortable working with and the evaluation and selection process for choosing an ISO 27001 auditor is a decent-sized lift. It’s going to take some time. Also, if you need help with implementation, your auditor can refer someone to you, which is another reason to choose your auditor early in the process.
When Choosing an Auditor, What Should We Look For?
There are a few things to consider. The first is the firm’s accreditation status. Accreditation is optional for auditors but those that go through the process not only hold themselves to a higher standard but are held to those standards by an accrediting body.
The Big Four and other large firms have a stronger brand and higher name recognition. If that’s important to your customers, that will influence your decision. But audit services from those bigger firms also cost more, so it really depends on how important the recognition factor is to your customer base versus how much you can or are willing to invest in the process.
Once We’ve Chosen an Auditor, What’s Next?
When you choose your auditor, they’ll ask you to fill out an application to help them determine the project scope, including the number of people who will be involved, the estimated timeline and the costs involved.
Once the application is completed and the project is scoped, the ball is in your court! You can engage the auditor as soon as your information security management system (ISMS) is in place.
What Does the First Stage of the Audit Process Look Like?
In the first of the two audit stages, the auditor goes through the initial scoping documentation, the statement of applicability, your internal audit and the setup of your ISMS.
If there’s anything that needs to be fixed before moving to stage two, the auditor flags it and gives the company time to address it. Usually, this process takes no more than 90 days. After that, the company can move on to stage two.
In very rare cases, the auditor may recommend that the company not move to stage two at all.
Why Would an Auditor Not Recommend a Company for Stage Two of the Audit?
Generally, auditors want to make sure that the company is prepared to successfully tackle stage two before they recommend moving forward. If the issue is fixable, they’ll advise the company to fix those areas before progressing.
But in some cases, the issue is big enough to be a blocker. These types of cases might include failing to complete the internal audit, not having a risk assessment in place or not having a fully fleshed-out Statement of Applicability (SoA).
What Happens During Stage Two of the ISO 27001 Audit Process?
To kick off stage two, the company receives a separate information request list from the auditor. It gives them a preview of what the auditor is going to look at during this stage.
While COVID-19 has created some unusual circumstances, ISO 27001 technically requires the auditor to be physically on-site so they can see the operations first hand and talk to individuals face to face.
On-site, the auditor takes a close look at the ISMS, the requirements for clauses four through 10, Annex A controls and the technical evidence for those controls. During this time, they engage the company in conversations to clarify what physical security looks like, how they’re handling access control, how they’re managing vendors and so on.
This part of the process requires plenty of face time. The average is about eight and a half days, which is the bulk of the auditor’s time with your internal teams.
At the end of this process, the auditor sets up a formal closing meeting to discuss any nonconformities they came across in the audit.
What Happens if the Audit Uncovers Nonconformities?
Nonconformities aren’t a big deal. Minor nonconformities come up 50 percent to 75 percent of the time. Maybe someone overlooked checking the competency of the people that are within the ISMS or the company’s ISMS in security awareness training isn’t proper. In these cases, the company just needs to come up with a correction to fix the issue before being certified. But they don’t need to create a corrective action plan to ensure the issue stays fixed until after the fact.
However, major nonconformities are a bigger deal and can delay certification. In these cases, the company needs to come up with a correction and develop a plan to monitor the issue going forward before they can be certified. Examples of major nonconformities include not conducting an internal audit, not fixing major nonconformities that came up during the internal audit, or not tying the SoA back to the risk assessment—or vice versa. These are issues that will lead to the breakdown of the ISMS.
What Happens After the Initial Certification Is Complete?
After completing the initial certification in year one, the company receives a certificate and a final report from the auditor. The report formally confirms that the company and their ISMS has been assessed and meets ISO 27001 standards and requirements. It also includes the auditor’s mark, which the company can use on their website and in promotional materials.
The company also receives a report that documents everything the auditor did, including what they looked at and what they tested.
Longer-term, your company will need to undergo a surveillance audit in year two and year three. This is a much lighter lift—about a third of the effort of the initial certification process. The goal is to ensure that everything is still in good standing. Then, in year four, you’ll need to go through the recertification audit, which is a heavier lift—about two-thirds of the effort required for the initial certification.
Have More Questions About ISO 27001 Audits?
Tugboat Logic is here to help! For more information about the ISO 27001 audit process, watch the original webinar on-demand. Chris Denton of Marcum LLP explains the entire audit cycle and provides insights on how to choose the right auditor and what to expect at every stage. Or, you can contact us. Our in-house team of ex-auditors are happy to assist you on your compliance journey.