ISO 27001 Audit
An ISO 27001 audit is a formal process used to evaluate an organisation's Information Security Management System (ISMS) and determine if it conforms to the requirements of ISO/IEC 27001. The audit is conducted by either internal auditors (for internal audits) or external certification bodies (for external or certification audits) to assess whether your organisation’s ISMS effectively manages information security risks in line with ISO 27001.
The audit is a mandatory aspect of maintaining ISO 27001 conformance and helps ensure the continual improvement of your organisation's information security posture.
As one of the longest standing providers of ISO 27001 consultancy and auditing services, URM can offer effective and reliable outsourced internal auditing services which allow you to meet the internal auditing requirements of ISO 27001, and can support your preparation for certification or recertification audits.
Benefits of ISO 27001 Auditing:
Certification: Successful completion of an external audit leads to ISO 27001 certification, demonstrating your organisation's commitment to information security.
Risk Mitigation: Audits help identify weaknesses in the ISMS, enabling you to take corrective actions and reduce risks to information assets.
Compliance: Audits verify that the organisation meets the legal, regulatory, and contractual requirements related to information security.
Enhanced Security: Regular audits ensure that information security policies and controls are effectively implemented and continually improved.
Increased Stakeholder Trust: ISO 27001 certification and regular audits increase trust with clients, partners, and regulators by showing that your organisation prioritises information security, as well as privacy and data protection.
Continuous Improvement: Auditing provides insights that help improve the ISMS over time, adapting to new risks, technologies, and business changes.
What Does ISO 27001 Auditing Involve?
ISO 27001 audits are conducted in stages and follow a systematic process to assess the organisation’s ISMS against the requirements of the Standard. Auditors review documentation, conduct interviews with staff, inspect security controls, and assess your organisation’s risk management processes.
Types of ISO 27001 Audits:
Internal Audits (1st Party):
- Performed by your organisation's internal team or a contracted external auditor.
- Required for ISO 27001 conformance (Clause 9.2 mandates a planned internal audit programme).
- Used to identify non-conformities and ensure that the ISMS is effectively implemented and maintained.
- Identifies opportunities for improvement to your organisation’s ISMS.
Supply Chain Audits (2nd Party):
- Performed by or on behalf of an organisation on a vendor, usually focussed on suppliers of critical security products or services.
- Utilised as part of a mature supplier management process.
- Focus may include ISO 27001 or other contractual or regulatory requirements.
External Audits (Certification Audits / 3rd Party):
- Conducted by an accredited certification body.
- Involves a 2-stage process: a review of documentation (Stage 1) and a detailed assessment of ISMS implementation (Stage 2).
- Successful audits result in your organisation obtaining ISO 27001 certification.
Surveillance Audits (3rd Party):
- Performed annually after certification.
- Ensures that the ISMS remains conformant to ISO 27001 and is continually improving.
Recertification Audits (3rd Party):
- Conducted every 3 years to renew your ISO 27001 certification.
Key Steps for ISO 27001 Audits:
ISO 27001-conformant auditing (particularly internal auditing) will look slightly different for different organisations; however, there are some key steps in the audit process that will be common to all organisations certified to the Standard.
Certification Audits
Preparation and Planning:
First, the scope of the ISMS (the locations, systems and processes it covers) must be defined and agreed with the certification body, as this determines what will be audited. Audit objectives and criteria are then established based on the ISO 27001 requirements, and an audit plan is developed, including a timeline and the allocation of audit resources.
Document Review (Stage 1 Audit):
Here, the auditor will review key documents related to the ISMS, such as the information security policy, risk assessments, risk treatment plans, and procedures. The goal is to verify that the necessary documentation is in place and complies with ISO 27001 requirements.
On-Site Assessment (Stage 2 Audit):
Next, the auditor will conduct an on-site inspection to assess the implementation of the ISMS. This involves interviewing staff, observing operations, and testing security controls. Auditors evaluate whether your organisation’s practices align with its documented policies and procedures. They also assess how well the organisation manages information security risks.
Non-Conformities and Observations:
During the audit, the auditor may identify non-conformities, i.e., areas in which the ISMS does not meet ISO 27001 requirements. Non-conformities are categorised as minor (an isolated lapse that does not indicate a systemic failure of the ISMS and does not, on its own, jeopardise certification, although corrective action is still required) or major (the absence or complete breakdown of a required process or control, or a pattern of related minors, which must be resolved before certification can be granted or maintained). Observations or opportunities for improvement (OFIs) are aspects of the ISMS that could be improved but which do not breach an ISO 27001 requirement.
Audit Report:
After the audit, the auditor will compile a detailed report summarising the findings. The report will record any non-conformities and OFIs, the corrective action expected in response, and, for certification audits, whether the auditor is recommending that certification be granted or maintained.
Corrective Actions:
If non-conformities are identified, your organisation is required to implement corrective actions to resolve them. You will, typically, have a defined period in which to address these issues before a follow-up audit or review is conducted to verify that they have been corrected.
Certification Decision:
If your external audit is successful, the certification body will issue your ISO 27001 certificate, confirming conformance to the Standard. Certification is valid for three years, with periodic surveillance audits to confirm ongoing conformance.
Ongoing Monitoring and Improvement:
After certification, your organisation must continue monitoring, reviewing, and improving its ISMS. This includes conducting internal audits, regular risk assessments and management reviews, and implementing corrective actions for any non-conformities found.
Internal and Supplier Audits
Internal and supplier audits are not dissimilar from external audits: as with certification audits, you will need to establish audit objectives and criteria based on ISO 27001 requirements. You will also need to develop an audit programme (our blog on Planning Your ISO 27001 Audit Programme has some useful advice on how to do this). The scope of each audit should be defined, including the specific areas, systems, and processes within the ISMS to be audited, and an audit plan developed covering the timeline and audit resource allocation. The audit is then conducted, the audit report prepared and communicated, and any follow-up carried out as necessary. The audit programme itself should be reviewed regularly for potential improvements.
Plan and Conduct Internal Audits
URM’s consultants can assist your organisation to:
- Plan and scope an internal audit programme, which may include critical supplier audits
- Conduct internal and supply chain audits, providing audit reports in your organisation’s format where requested
- Support the follow up of audit findings or re-audit where serious concerns have been raised
- Work with you to improve your internal and supplier audit programmes.
Where necessary, ISO 27001 internal audits may be integrated with the requirements of other standards, such as ISO 9001 (Quality), ISO 14001 (Environment) or ISO 27701 (PIMS), or with regulatory requirements including the UK GDPR, the EU GDPR and other relevant legislation.
URM’s ISO 27001 Audit
When conducting internal audits, URM draws on extensive experience of the assessment requirements of certification bodies. This knowledge has been gained through assisting hundreds of organisations to achieve certification, sitting in on many of the assessments, and the fact that a number of URM's auditors are former certification body assessors. As such, when conducting internal audits, we adopt the same approach to reporting and grading non-conformities that a certification body would use. Where the whole of your internal audit programme is outsourced to URM, we also ensure that all of the mandatory internal audit requirements of Clause 9.2, together with the control requirements of ISO 27001, are covered.
Why URM for ISO 27001?
Risk management expertise
Getting the assessment and management of information security risk right is critical. It is also an area where URM excels and where clients can take advantage of URM’s in-house risk management module, Abriska, with its robust and proven risk assessment methodology and the extensive experience and expertise of its ISO 27001 consultants.
Achieving optimum balance
When helping develop your ISMS, URM's goal is to achieve the optimum balance between meeting the mandatory management system requirements of ISO 27001 and ensuring your management system is fully sustainable and tailored to your organisation's size, culture and business objectives.
Track record
URM has an unparalleled track record of assisting over 400 organisations to achieve and maintain ISO 27001 certification and is proud to have never been involved in a failed certification project. Our clients have ranged in size from micro businesses to multinationals and come from a diverse range of market sectors and, due to our tailored approach, every one of the 350+ ISMSs we have implemented has been different.
Practice what we preach
URM has been certified to ISO 27001 ever since the Standard was first introduced in 2005. Furthermore, it became one of the UK's first organisations to transition to ISO 27001:2022, in April 2023. The experience gained in maintaining and transitioning certification helps to ensure our consultancy and training services remain current and relevant.
Developing an ISO 27001 Information Security Policy
URM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.
URM’s blog explains how to plan and execute effective and conformant internal audits of management systems at each stage of the internal audit process.
URM’s blog explains why ‘people’ warrants its own control theme in ISO 27001 and how to prepare for a people controls audit, offering advice for each control.
URM’s blog explains what ISO 27002 is, how it can benefit your organisation, and how you can use it to support your implementation of an ISO 27001-conformant ISMS.