ISO 27001 Audits can be stressful for those involved as a lot riding on the audit’s outcome. This is especially true if it’s the organisation’s first audit and there’s a compelling commercial reason to achieve ISO 27001 certification. Heads might roll if they don’t pass the audit.
The ISO certification audit comes in two stages with stage 1 being the review of documentation. The ISO/IEC 27001:2013 standard defines several required documents, including a high-level Security Policy and a Statement of Applicability. Additionally, documentation relating to the Risk Treatment Plan and Internal Audits is a requirement. Some of these documents can be difficult to produce and may not correctly align with the requirements of the standard.
This brings me to the first area where an organisation is likely to fail an ISO 27001 audit – poor documentation. It might be missing, out of date or even worse, unpublished! Auditors hate this. You can fail an audit if a required document is unpublished.
Things like meeting minutes or internal audit reports provide documentary evidence that the organisation has adopted ISO 27001 and implemented a working Information Security Management System (ISMS). Producing the documents is one thing but consideration also needs to be given to how they will be stored. They should be easy to locate while being protected from accidental loss.
2: Implementation of the policies, procedures and processes
A stage 2 of the ISO 27001 audit looks at the implementation of the policies, procedures and processes defined in the organisation’s ISMS. The auditor will venture out and speak to staff which is where it can all go horribly wrong. The staff are my nominated second area where you are likely to fail in an ISO 27001 audit.
An organisation’s staff are the first line of defence while also having the potential to be the weakest link. In preparation for an impending ISO 27001 audit, I have seen quite a few organisations forget to involve their staff. This usually results in a panic followed by some hastily-convened communications which the staff have no time to digest.
Staff need to be briefed on the applicable policies, procedures and processes they are expected to comply with. They need to know where they can find policies and procedures. Regular training or interactive sessions are vital for keeping information security foremost in people’s minds. Having sessions which improve the security posture of an organisation while giving the staff useful information to keep them secure when using a PC at home always works.
3: Surveillance audit
The third area where you are most likely to fail an audit is on the very first surveillance audit. These occur roughly nine months to a year after you have achieved the dizzy heights of ISO 27001 accreditation. After being awarded the certificate an organisation will let out a collective sigh of relief and get back to doing their day job.
Things like internal audit and the Risk Committee meetings lose their urgency. Staff training becomes less frequent as other activities take precedence. I suppose the most apt phrase is taking your foot off the pedal. The problem is that the surveillance audit will arrive with an astonishing speed which normally results in a panic the week before when the information security team realise the documentation is out of date, meeting minutes aren’t there as there were no meetings and it’s been nine months since the last staff training or engagement session.
Of course, all of this could have been avoided if the ISMS had become engrained in the organisation’s culture and way of working. In fact, it needs to be if the organisation is going to fully realise the benefits of ISO 27001 compliance and the added security this brings.
Do you have any pressing questions on ISO 27001 Audits?
Feel free to add any questions in the comment area below and I’ll be happy to answer. Alternatively, you can contact one of our ISO 27001 Experts by sending in a web form or call us on +44 (0) 20 3653 1234.
Risk Crew can assist you with the ongoing management and upkeep of your ISMS management processes. Our service ensures that:
- Your ISMS is always current, compliant and delivering benefit
- Quicker identification of non-conformities, vulnerabilities and/or weaknesses
- ISMS documentation is always up to date
- You will have an independent, external view of your information security risk management strategies
- We free up your resource so you can concentrate on your core competencies
- Surveillance audits become a breeze!