ISO 27001 Audit & Certification Process Explained

Achieving ISO 27001 certification is a structured and rigorous process demonstrating an organisation's commitment to information security and best practices in data management.


Certification involves several key steps, particularly emphasising the auditing process and selecting the right auditor, which is crucial for establishing, maintaining, and continually improving an effective Information Security Management System (ISMS).


ISO 27001 certification helps manage security threats and builds trust with stakeholders by showcasing dedication to safeguarding information assets.


Certification Audit

Engaging an accredited certification body to conduct a thorough audit is a critical step in the certification process.


The certification audit typically (depending on the auditing organisation) involves two main stages, each designed to evaluate different aspects of the ISMS to ensure the system is comprehensive and fully operational:


Stage 1 Audit

This initial stage focuses on reviewing ISMS documentation to ensure that all policies, procedures, and frameworks are properly designed and aligned with ISO 27001 requirements.


The auditor will verify that the documented processes reflect the organisation's objectives, are appropriately scoped, and are comprehensive enough to mitigate potential information security risks.


During this stage, the auditor will also identify gaps that must be addressed before proceeding to Stage 2, allowing the organisation to make necessary adjustments.


Stage 2 Audit

In this second stage, the auditor assesses the actual implementation and effectiveness of the ISMS and the associated controls. This stage is more practical and involves observing operational processes, interviewing staff at all levels, and verifying records to ensure that the security controls are implemented effectively and consistently.


The auditor will check that all personnel understand their roles and responsibilities related to information security and that the controls are functioning as intended in day-to-day operations.


Upon successful completion of both stages, the organisation is awarded ISO 27001 certification. This certification is typically valid for three years, during which time continued adherence to the standards must be demonstrated.


Choosing the Right Auditor

Selecting the right certification body is a significant decision that directly impacts the success of the ISO 27001 certification process.


Choosing a qualified auditor ensures that the evaluation is both thorough and constructive.


Here are some key considerations for choosing an auditor:


Accreditation

Ensure that a recognised national accreditation body accredits the certification body. In the UK, this means selecting an auditor accredited by the United Kingdom Accreditation Service (UKAS).


UKAS is the sole national accreditation body recognised by the UK government to assess organisations that provide certification, testing, inspection, and calibration services against internationally agreed-upon standards.


UKAS accreditation provides assurance that the auditor meets high standards of competence, impartiality, and performance, which is critical for a successful certification process.


Accreditation guarantees that the auditor is competent, impartial, and capable of delivering a reliable and thorough assessment.


Accredited auditors have undergone rigorous training and evaluation, providing additional confidence in the quality of the audit process.


Industry Experience

Look for an auditor with relevant industry experience.


An auditor who understands your industry's specifics can provide more practical insights and identify areas for improvement that are particularly relevant to your sector.


For example, if your organisation operates in healthcare or finance, an auditor with experience in those fields will be more attuned to industry-specific challenges and regulatory requirements.


Reputation and Reviews

Consider the certification body's reputation and seek references or reviews from other organisations using its services.


A reputable auditor can make the certification process smoother and provide valuable guidance on best practices. Look for auditors with a track record of professionalism, reliability, and constructive feedback that helps organisations improve their ISMS.


Audit Approach

It is important to understand the certification body's audit approach. Some auditors may take a more collaborative approach, providing constructive feedback, while others might be strictly compliance-focused.


Choosing an auditor whose approach aligns with your organisation’s culture can lead to a more positive certification experience.


A collaborative auditor can help identify opportunities for improvement, while a compliance-focused auditor will ensure rigorous adherence to standards.


Cost and Availability

It is also important to consider the audit's cost and the auditor's availability. Costs can vary widely depending on the complexity of the ISMS and the size of the organisation, and availability may impact the timing of your certification.


Ensure the auditor’s schedule aligns with your project timeline to avoid unnecessary delays.


10 Questions to Ask Prospective Auditors

To help you, I've collated ten key questions to ask any auditing organisation you are evaluating, to see whether they are the right fit for you:


  • Are you accredited by a recognised accreditation body, such as UKAS in the UK?

  • What experience do you have in our industry, and can you provide examples of similar clients?

  • How do you approach the audit process—would you describe your style as collaborative or strictly compliance-based?

  • Can you provide references or testimonials from past clients?

  • How do you handle conflicts of interest during the audit process?

  • What type of follow-up support do you provide after the audit is completed?

  • How flexible is your audit schedule, and can it accommodate our project timelines?

  • What is your fee structure, and are there any potential hidden costs we should be aware of?

  • How do you keep yourself updated with changes in ISO 27001 and related standards?

  • What kind of non-conformities have you seen commonly arise during audits, and how do you help organisations address them?


Ongoing Surveillance and Recertification

Once certified, maintaining the ISMS is an ongoing and dynamic process that requires consistent attention and improvements.


Regular surveillance audits, usually conducted annually, are required to ensure continued compliance and help identify opportunities for enhancement. These audits involve checking that the ISMS is still effective and updated and that the organisation is fully committed to continuous improvement.


Surveillance Audits

During these audits, the certification body will revisit the organisation to assess whether the ISMS meets ISO 27001 requirements.


The focus is ensuring that controls are effectively maintained, any new risks are properly managed, and organisational changes are appropriately reflected in the ISMS.


Surveillance audits help organisations stay vigilant against emerging threats and adapt their ISMS to the evolving security landscape. By identifying minor issues early, surveillance audits prevent them from becoming major compliance problems.


Recertification Audit

A recertification audit is conducted at the end of the three-year certification cycle. This audit is similar to the initial certification audit and involves a comprehensive review of the ISMS to confirm that it continues to meet ISO 27001 standards.


Successful completion of this audit extends the certification for another three years.


Recertification audits help verify that the organisation's ISMS has been effectively managed and that there is a culture of continuous improvement within it. They demonstrate that the organisation has not only maintained its ISMS but also adapted to changes in the environment, technology, and regulatory landscape.


The Importance of Continuous Improvement

Achieving ISO 27001 certification is not a one-time effort; it is the beginning of a journey towards continually improving an organisation's security posture.


Continuous improvement is a cornerstone of the ISO 27001 framework, encouraging organisations to regularly evaluate and enhance their ISMS to respond to new challenges and threats. This includes staying updated on emerging risks, adopting new technologies, and incorporating feedback from internal and external audits.


Organisations can anticipate potential risks and effectively protect their valuable information assets by maintaining an active approach to information security.


By focusing on a robust auditing process and selecting an experienced, reputable auditor, organisations can effectively achieve and maintain ISO 27001 certification. This will enhance their information security posture and demonstrate a commitment to protecting sensitive information. It will also help comply with regulatory requirements and instil confidence among customers, partners, and stakeholders that their data is handled with the utmost care and security.


About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.