The ISO 27001 audit process - the auditee's guide

Knowing how and when to prepare for an upcoming audit.

The time leading up to an ISO audit can be stressful, typically demanding preparations such as reviewing numerous out-of-date policies, locating audit trails for evidence and re-familiarising with the requirements of standards such as ISO 27001.

If you have an upcoming audit and there is a possibility the auditor might call you in for questioning and evidence, this blog is for you. 

What is an ISO 27001 audit?

As the international standard used to manage an organisation’s Information Security Management System (ISMS), ISO 27001 is a framework which defines best practices for managing cyber risk.

Achieving and maintaining ISO 27001 certification is not only a means of reducing the risk of data breaches and cyber attacks, but also a way to gain and sustain customer trust.

However, in order to successfully implement ISO 27001, regular and independent audits, both internal and external, are a necessity.

ISO audits allow for an examination of your organisation’s ISMS to ensure it meets the standard’s requirements and, in doing so, measure its performance.

Why do we need to conduct ISO 27001 audits?

The reason for conducting both internal and external audits is to ensure the processes undertaken by the business to comply with ISO 27001 align with the standard (that is, that they are free of non-conformities).

For this reason, audits can be an invaluable business tool, providing a means to verify whether a company’s internal procedures are being followed and implemented effectively.

In other words, the results can be highly informative when it comes to rectifying your company’s information management processes and procedures.

What are the three different ISO 27001 audit types?

Third-party audits

Third-party audits, also known as external audits, are conducted by a certification body. Simply put, it’s when an external third party audits your organisation.

Second-party audits

Second-party audits are external audits conducted by a contracted organisation on behalf of a customer, or when a customer audits a potential supplier.

First-party audits

First-party audits are also known as internal audits, and this is when an organisation audits itself, typically carried out by one of its own employees.

As an auditee – why you should prepare

Preparations must be made in advance if your organisation is due to be audited.

Being unprepared could see your organisation failing the audit with non-conformities that could have easily been avoided.

It is recommended to get started at least two weeks ahead of your ISO audit.

And we know that the time leading up to an audit can be nerve-wracking.

After all, the audit covers not only your business’ ISMS, but also its supporting processes, procedures, technologies and people.

For this reason, reviewing ISO 27001 against the policies and guidelines you are responsible for is the very first step in preparing yourself to be on the right path to success.

As an auditee – how to prepare

Firstly, ensure you have access to ISO 27001, and an understanding of its requirements in the areas that will be audited.

Secondly, ensure you have full access to all the documentation you are responsible for; this could include controls, policies, procedures, systems and records.

Re-read, review and re-familiarise yourself with these, ensuring they are all up-to-date.

Thirdly, for any documentation that might require an audit trail, ensure you have access to the corresponding evidence.

During the audit, if the auditor calls you in to ask any questions, it is important that you are prepared and ready to provide supporting evidence, so as not to waste your time or the auditor’s.

If there are internal employees experienced in conducting internal audits within your organisation, why not arrange a mock interview ahead of time?

This can provide an opportunity to prepare and set expectations, without the pressure of the audit itself.

How Klarity Works can help you navigate an ISO audit

Klarity Works is ISO 27001 certified by a UKAS-accredited certification body, so we know navigating audits can be a time-consuming process with a lot of moving parts.

This is why Klarity Works allows you to create a compliance strategy that is simple, manageable and distributed, so that your people stay aligned with the direction of your business.

This is achieved by allowing you to centralise all your documentation, giving you full visibility and access to your policies, procedures and guidelines.

Alongside this, policy management is made easy by allowing you to assign documents, giving the right people access to the right information.

Most importantly, you won’t need any training. Whether you prefer to learn by reading or learn by doing, simply sign up and our extensive in-product onboarding will take you through how to make the most of Klarity’s features, so you can achieve and maintain ISO 27001 certification.

If you’d like to chat about your organisation’s compliance needs or book a demo – we’re here to help.

Follow us on LinkedIn and Twitter to stay up to date with all our product news.
