
How to Pass an ISO 27001 Audit: Step-by-Step Guide

Writer: Alan Parker

Introduction To the Audit Process



I've been involved in ISO 27001 audits for nearly 10 years now, so let's start by laying our cards on the table: it's not easy, but it is doable for an organisation of any size to pass an ISO 27001 certification audit.


Below are my key suggestions on how you approach audits.


What Are ISO 27001 External Audits?

An audit is when you are evaluated against the clauses and controls of ISO 27001. However, it's not usually that straightforward.


Because ISO 27001 can be tailored to your organisation's size, approach to risk, and other factors, any auditor will also look at how you document that you will run your Information Security Management System (ISMS).


What types of ISO 27001 certification audits are there?

There are two main types of ISO 27001 audit: internal and external.


  • Internal Audits are periodically undertaken by one or more independent auditors, normally from within your organisation, to check things are running as they should. Consultants like myself can also undertake these. They are a mandatory part of the ISO standard and must occur at least annually.


  • External Audits are undertaken by a certification body that independently certifies you against ISO 27001.


Certification Bodies

There are two types of auditor, operating under different styles of certification body, and the type affects the level of rigour in your audit:


  • Accredited certification bodies are overseen and audited to a high standard by an organisation such as UKAS in the UK. Typically, this is a more costly, evidence-based, and time-consuming approach. They'll normally want 6 months of records before starting. The positive side is that government agencies highly respect and value these audits, potentially making them mandatory for some contracts.


  • Non-accredited means nobody oversees their approach to auditing, and the auditor is free to evaluate against the standard to whatever degree they see fit. It is normally the quickest, least expensive, and easiest approach for SMEs, but others sometimes perceive it as carrying less weight than an accredited audit. This approach is normally pragmatic and will support smaller businesses that are just starting out, so the demand for historical evidence may be limited to recent examples.


What are the benefits of passing an audit?

Being audited means demonstrating to customers or other interested parties how you have implemented security in your organisation. This boosts your credibility and trustworthiness as an organisation that protects the data it is entrusted with.


It is also very important as a way of ensuring that the effort your organisation put into building its ISO 27001 ISMS and securing certification doesn't regress, with bad practices creeping back in.


What do auditors look for in an ISO 27001 audit?

Evidence of compliance.


I was taught a mantra many years ago, which I will share.

"Say what you do,
do what you say,
and prove it."

This captures the essence of strong auditing and process management and is exactly what an auditor in ANY circumstance will be looking for:


  • Say what you do - Document your policies, procedures, and intentions.

  • Do what you say - Implement and consistently follow your documented processes.

  • Prove it - Keep clear records and evidence to demonstrate compliance during audits.


So, if you said you would introduce a specific procedure to check access rights, the auditor will expect to see evidence (records, outputs, etc.) from those checks.


From now on, I will assume your interest is in a certification audit and what that looks like. Still, please note my comments on the differences between accredited and non-accredited bodies because they mean the audit process can be wildly different.


Preparing for the Audit

There is no point in going into a certification audit without preparation. If it's your initial certification audit, you may want to undertake a gap analysis first to see how you measure up against the standard, so that you know your documentation conforms to the key components of ISO 27001.


So, I like to run a pre-flight check and a mini-gap analysis before any audit.


Conducting a gap analysis

In my full ISO 27001 toolkit, I have a document that can run you through the pre-flight checks through a quick internal audit. If you are interested, please check out my documentation toolkit.


However, at the highest level, what you need to do is check the following:


Review ISO 27001 Clauses

Start by forming a list of the key clauses, reading through them, and jotting down what they ask for. Anywhere the standard says "shall..." or "must..." is a clue. Look at this cheeky little extract from 27001:2022:


[Image: extract from Clause 4.3 on the scope of the ISMS, listing the organisational issues, requirements and dependencies to consider, with references to sections 4.1 and 4.2]
Extract from Clause 4.3

In this part of Clause 4.3, regarding the scope of the ISMS, the word 'shall' appears twice, with criteria under one of them. That means it's mandatory, so there's something to put on your checklist, as an example.


Ensure the mandatory documentation exists.


So, there are some key documents that you absolutely must have. I've outlined those here, but a word of caution;


Some areas of 27001 are open to interpretation, so not everyone's list of mandatory documents will be the same.


They'll overlap by 90%, but some auditors may feel that certain parts of the standard explicitly require particular documents and records to be in place, while others may only see those as recommendations.


Check the controls are documented and evidenced.


So, one of the key things at the heart of 27001 is the Statement of Applicability (SoA) and the 93 controls you need to address. Normally, these are captured in a spreadsheet and updated to reflect how the organisation meets each control. Depending on the auditor, they'll either select a random sample of controls or go through each one looking for evidence.


The easiest thing to do here is to have a checkbox or flag that says 'met', 'not met', or 'partially met' so that you can track your compliance against the control. Remember: it's okay to mark a control in the SoA as 'not applicable' if you don't think your organisation needs it, so long as you give a reason.
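As an added example (not part of the author's toolkit), here is a pre-flight check that a practitioner could run over the SoA spreadsheet before an audit. It assumes the sheet is exported as CSV with the columns control, status, justification and evidence (an assumed layout), and it flags exactly the problems described above: unknown or missing control ids, unrecognised status flags, 'not applicable' entries with no reason, and controls marked 'met' with nothing to point the auditor at.

```python
"""Pre-flight check of an ISO 27001:2022 Statement of Applicability (SoA).

Assumed CSV columns: control, status, justification, evidence. Control ids
follow Annex A of the 2022 standard: themes 5 (organisational, 37 controls),
6 (people, 8), 7 (physical, 14) and 8 (technological, 34), 93 in total.
"""
import csv
import io

ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
EXPECTED_CONTROLS = {f"{theme}.{n}" for theme, count in ANNEX_A_COUNTS.items()
                     for n in range(1, count + 1)}
VALID_STATUSES = {"met", "partially met", "not met", "not applicable"}


def _control_key(cid):
    """Sort helper so 8.10 sorts after 8.9 rather than after 8.1."""
    return tuple(int(part) for part in cid.split("."))


def check_soa(csv_text):
    """Return a list of findings; an empty list means the SoA passes pre-flight."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control"].strip()
        status = row["status"].strip().lower()
        seen.add(cid)
        if cid not in EXPECTED_CONTROLS:
            findings.append(f"{cid}: not an Annex A control id")
            continue
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: unrecognised status '{row['status']}'")
            continue
        # Excluding a control is allowed, but only with a documented reason.
        if status == "not applicable" and not row["justification"].strip():
            findings.append(f"{cid}: 'not applicable' without justification")
        # "Prove it": a control claimed as met needs a pointer to the evidence.
        if status == "met" and not row["evidence"].strip():
            findings.append(f"{cid}: marked 'met' but no evidence reference")
    for cid in sorted(EXPECTED_CONTROLS - seen, key=_control_key):
        findings.append(f"{cid}: missing from the SoA")
    return findings


def build_sample_soa():
    """Constructed sample SoA: all 93 controls met, with four deliberate defects."""
    rows = {cid: ("met", "", f"evidence-ref-{cid}") for cid in EXPECTED_CONTROLS}
    rows["7.4"] = ("not applicable", "", "")   # excluded, but no reason recorded
    rows["8.2"] = ("met", "", "")              # claimed met, nothing to show for it
    rows["8.34"] = ("partialy met", "", "")    # typo in the status flag
    del rows["6.8"]                            # dropped off the sheet entirely
    lines = ["control,status,justification,evidence"]
    lines += [",".join((cid,) + rows[cid]) for cid in sorted(rows, key=_control_key)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in check_soa(build_sample_soa()):
        print(finding)
```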


You may wish to validate the controls against the guidance of 27002, the supporting standard that makes recommendations on how to implement them.


My website explains all of the controls and provides examples of how to meet them, so if you are stuck on one, you can use the search tool on my site to find guidance. However, under copyright law, I can't reproduce 27002's actual guidance and wording, so again: get a copy of 27002!


Confirm staff awareness of security policies and procedures.


As part of external audits, the auditor may ask to speak to staff members about their responsibilities under 27001, so make sure everyone is briefed and has reviewed policies, procedures, etc.


Key Audit Stages and What to Expect

So, it's down to the auditors to determine exactly which stages they will go through, but let's assume it's a rigorous (and expensive) process (with a non-accredited body, it could be as little as 1–2 days of audit).


[Flowchart: the common certification and audit process, showing pre-assessment, the audit stages and certification, with decision points on readiness and nonconformities]
Common Certification & Audit Process

Pre-Assessment

The auditors may suggest a pre-audit assessment. I struggle to see the value in this if you've already done your homework and preparation. If you haven't, you can treat it as a gap analysis, after which you'll need to go off and prepare for 27001.


However, at this point, your auditor should NOT consult with you and tell you how to do it. The standard demands independent verification and auditing.


So, if someone tells you you need a pre-assessment audit, question why, what the benefits are, and how much it'll cost. It's an audit process without a certificate.


Stage 1 Audit - Documentation Review

During the first phase, the auditor will likely be remote and ask to see evidence of your policies, procedures, processes, etc. You'll supply the requested documentation to them; they'll review it and ask questions.


This is another checkpoint to see how your organisation rates against the 27001 requirements. If you are missing key documents or something isn't right, they may ask you to amend the issue and go through this stage again.


Yes - they are effectively printing cash at this point.


Stage 2 Audit - The Implementation Review & Audit Report

This stage is probably for a day or two on-site, with the auditor(s) meeting staff, holding reviews, and collecting supporting evidence regarding your documentation processes and procedures.


They may ask to speak to staff on the IT help desk or in HR and ask them for examples of new starters, access rights requests, etc. Those staff will need to produce evidence that they have these things under control and are following the documentation reviewed at Stage 1.


If nonconformities are found, such as gaps in the ISMS documentation, they'll raise them in an audit report and ask you to amend and resubmit before a certificate is issued.


Post Certification Process Surveillance Audits

Once you get your certificate, it should last 3 years. However, the auditors want more regular recurring income and suggest surveillance audits.


These do have value, so I don't mean to disparage them. You'll inevitably put a lot of effort into the 27001 certification and then take your foot off the pedal after you have the certificate. Job done, right?


Well, no.


27001 should be an ongoing cycle of 'plan, do, check, act'. If you fail to check/act, the boulder you've just pushed up the hill will roll back on you.


When the next audit comes around, you'll have to desperately pull together evidence and documents and check processes the night before the audit, and it probably won't be sufficient.


These audits tend to check the major required documents, key procedures and some random controls from the SoA.


Recertification

After three years, it's time to go through the full audit again. This will be a thorough review, but it will likely start back at Stage 2 with an on-site review, the theory being that the surveillance audits should have been enough to keep you on track and highlight any major issues.


How long does an ISO 27001 audit take?

How long is a piece of string? (This is a flippant but true answer.) Audit days can be between one day and potentially weeks or months.


It depends on the size of your business, the complexity of your scope and technical environment, and the type of certification you are undergoing.


However, if you go with an auditor that runs a Stage 1 and Stage 2 process, expect something like this:

Audit Type | Purpose | Typical Duration | Frequency
Stage 1 Audit | Document review and readiness assessment | 1–3 days | Initial (one-off)
Stage 2 Audit | Full certification audit | 3–10 days | Initial (one-off)
Surveillance Audits | Ongoing monitoring of ISMS effectiveness | 1–4 days per audit | Annually
Recertification Audits | Comprehensive review for recertification | 2–7 days | Every 3 years


How much does ISO 27001 cost?

I've written more about the costs you can expect in a separate article, but as a summary, here's what you might expect. Again, it all depends on the type of audit, certification type, and the size and scope of the ISMS.


Cost Component | Typical Range (£)
Gap Analysis | £2,000 - £15,000
Pre-Certification Consultancy | £3,000 - £50,000
Internal Resources | £10,000 - £80,000
Training | £1,000 - £10,000
Technology and Tools | £5,000 - £20,000
Certification Audit | £5,000 - £30,000
Surveillance Audits | £3,000 - £10,000 per annum
Recertification Audit | £5,000 - £15,000 every 3 years


Common questions auditors ask about information security management systems


It'll depend upon whom they are talking to and why, but here are some examples of certification audit questions and their style, so you know the kind of thing you'll face:


1. General Awareness and Policy Understanding


2. Risk Management System

  • How are information security risks identified and evaluated (i.e. what's your risk assessment process)?

  • Can you show me the risk register or risk assessment documentation?

  • What recent risks have been identified, and how have you addressed them?


3. Controls and Procedures

  • Can you explain the procedures for accessing sensitive or confidential information?

  • How do you manage user account creation, modification, or deletion?

  • What steps do you follow when responding to an information security incident?


4. Documentation and Records

  • Can you show me documentation (logs, tickets, records) supporting the processes you described?

  • Where do you store information security records (such as access logs and training attendance)?

  • Can you demonstrate how documents and records are version-controlled and protected?


5. Incident Management and Response

  • What constitutes a security incident in your organisation, and how do you report one?

  • Can you describe how a recent incident or security event was handled?

  • What roles are involved in incident response, and what is your role?


6. Training and Awareness

  • Have you attended any recent information security training sessions?

  • Can you outline key information security practices you must follow?

  • How often do you receive refresher training on information security?


7. Physical Security Controls

  • What procedures are followed when visitors access your office or sensitive areas?

  • How do you handle confidential documents or storage media?

  • How do you secure equipment when working remotely or from home?


8. Continuous Improvement

  • How do you identify areas for improvement within your security processes?

  • Can you describe any recent improvements implemented in your area?

  • How frequently do you review and update your information security policies or controls?


Common ISO 27001 Audit Findings and How to Avoid Them

First, auditors love to find things to capture as nonconformities in information security management systems. It's their job and their whole purpose. I often like to deliberately throw them a bone: have something where you say, 'Yeah... I agree... we should do better in that area.'


It doesn't have to be a full nonconformity; it might just be an OFI (Opportunity for Improvement). Let them have something. Don't fight for every inch in an audit; equally, you'll sometimes have to stand your ground.


Here are the top things I see, but remember that I'm not an auditor. I'm a consultant who doesn't walk into audits without knowing I'm in good shape.


Incomplete Documentation & Compliance Requirements

Go through the mandatory documents, the SoA, and the key documents. You can even train an AI on the standard and have it review the documents for you (not the best approach, but certainly worth it if you are on your own).


Having an infosec policy is great (it's a mandatory document), but there's more to it than just having a policy. That policy needs to contain certain elements.


Look at the following snippet of the standard:


[Image: extract from Clause 5.2 on the information security policy, covering the organisation's purpose, security objectives and commitments to satisfy requirements, with a reference to section 6.2]
Extract of Clause 5.2

The policy must include security objectives or a framework for setting them, plus a commitment to satisfy applicable requirements. So this small example shows that you must consider and review more than just ticking off 'policy' as a completed activity (and this is exactly the kind of detail AI can't currently cope with, by the way).


Under-Estimating the Statement of Applicability Controls

Get 27002, the guide to implementing controls in information security management systems. It's that simple. Review the content for a control and understand what it means. I honestly don't believe it can be done any other way.


Reading the one-line description of each control in Annex A of ISO 27001 doesn't give you enough information to work from. The auditor will certainly have access to 27002 and will be using it as the yardstick by which to measure you.


That doesn't mean you need to address every piece of guidance in 27002, but you need to understand it and what it wants and then be ready to defend your decision on how you have implemented that control or why you have chosen not to.



Allowing an Auditor to walk over you because you lack understanding of the standard.

Consider external audits like being cross-examined by a lawyer. They'll question you, ask for evidence, etc., ultimately to make a judgement about you. Therefore, you need a robust defence.


Sometimes, this comes through training, digesting the 27001 and 27002 standards, and 'getting good' (as my video-game-playing kids say). However, if you have an expert consultant on board (like me!), they can act as an advocate on your behalf and challenge or push back on the auditor.


I've seen auditors misunderstand the standard or drift into other ISO standards during an audit. Nobody else in the room noticed, but my experience allowed me to push the audit back on track.


Conclusion

To wrap up, I want to underline the parameters that shape a certification audit, from your ISMS scope and approach to the style and type of auditor.


Yes, all audits are against the same ISO standard, but not all audit processes are the same, nor do they require the same level of evidence.



Alan Parker is an experienced IT GRC consultant who's spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan's expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK), Alan shares practical insights and approachable guidance on all things IT governance. He produces a wealth of content on his website, iseoblue.com, and has published training and documentation toolkits via shop.iseoblue.com.




About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
