Where do Businesses Fail in an ISO 27001 Audit? Plus Mistakes to Avoid


ISO 27001 audits can be stressful for those involved, as there is a lot riding on the audit’s outcome. This is especially true if it is the organisation’s first audit and there is a compelling commercial reason to achieve ISO 27001 certification. Brand identity may be negatively affected if the business doesn’t pass. In this article, we explore the common areas where businesses fail to meet the standard.

Where do most people fail in an ISO 27001 audit? Most businesses fail an ISO 27001 certification audit, or a subsequent surveillance audit, for a number of reasons. These include:

  • Missing, unpublished or out-of-date information
  • Staff failing to follow proper processes, policies and procedures
  • Failure to maintain standards once the certification is awarded
  • Lack of staff training once accreditation has been awarded

Read on to find out which areas businesses fail in the most when trying to get ISO compliance, and the steps you can take to increase your chances of passing the audit.

What Are the Common Reasons for Failing an ISO 27001 Audit?

The ISO certification audit comes in two stages, with stage 1 being the review of documentation. The ISO/IEC 27001:2013 standard defines several required documents, including a high-level Security Policy and a Statement of Applicability. Documentation relating to the Risk Treatment Plan and Internal Audits is also required. Some of these documents can be difficult to produce and may not correctly align with the requirements of the standard.

1. Documentation

The first area where an organisation is likely to fail an ISO 27001 audit is documentation. This might mean that important documents are missing, out of date or unpublished. You can fail an audit if a required document falls into any of these categories.

Things like meeting minutes or internal audit reports provide documentary evidence that the organisation has adopted ISO 27001 and implemented a working Information Security Management System (ISMS). Producing the documents is one thing but consideration also needs to be given to how they will be stored. They should be easy to locate while being protected from accidental loss.

2. Implementation of Policies, Procedures and Processes

Stage 2 of the ISO 27001 audit looks at the implementation of the policies, procedures and processes defined in the organisation’s ISMS. The auditor will venture out and speak to staff, which is where it can all go horribly wrong. Staff are my nominated second area where you are likely to fail an ISO 27001 audit.

An organisation’s staff are the first line of defence, while also having the potential to be the weakest link. In preparation for an impending ISO 27001 audit, we have seen quite a few organisations forget to involve their staff. This usually results in a panic, followed by some hastily convened communications which the staff have no time to digest.

Staff need to be briefed on the applicable policies, procedures and processes they are expected to comply with, and they need to know where to find them. Regular training or interactive sessions are vital for keeping information security foremost in people’s minds. Sessions that improve the security posture of the organisation while also giving staff practical advice for staying secure when using a PC at home always work well.

3. Surveillance Audit

The third area where you are most likely to fail an audit is the very first surveillance audit. These occur roughly nine months to a year after you have achieved the dizzy heights of ISO 27001 certification. After being awarded the certificate, an organisation will let out a collective sigh of relief and get back to doing its day job.

Things like internal audits and Risk Committee meetings lose their urgency. Staff training becomes less frequent as other activities take precedence. I suppose the most apt phrase is taking your foot off the pedal. The problem is that the surveillance audit will arrive with astonishing speed. This normally results in a panic the week before, when the information security team realise that the documentation is out of date, that meeting minutes aren’t there because there were no meetings, and that it has been nine months since the last staff training or engagement session.

Of course, all of this could have been avoided if the ISMS had become ingrained in the organisation’s culture and way of working. In fact, it needs to be if the organisation is going to fully realise the benefits of ISO 27001 compliance and the added security this brings.

How Can You Ensure ISO 27001 Compliance?

Hiring a consultant is the best way to achieve ISO 27001 compliance in all of the key audited areas (find out more on these in this blog post). Here at Risk Crew, we offer a service tailored to your organisation.

Our ISO 27001 compliance services are delivered by seasoned, certified ISO 27001 Practitioners and Auditors who also hold a host of industry-recognised information security governance, risk and compliance certifications. Our consultants will consider and address your business objectives throughout the compliance cycle. Find out more on how to choose the right ISO 27001 certification body in our recent blog post.

ISO 27001 Compliance with Risk Crew

Risk Crew can assist you with the ongoing management and upkeep of your ISO 27001 management processes. Our thorough compliance service ensures that:

  • You gain a competitive edge over competitors that may not be ISO 27001 certified.
  • You enhance your global reputation by following an internationally recognised standard.
  • You avoid financial penalties and reputational damage associated with a data breach.
  • Your business can easily implement controls that help ensure compliance with business, contractual, legal and regulatory requirements.
  • You strengthen internal processes and set clear goals and responsibilities.
  • You gain vital insight from audits for continual improvements.

Learn more about our ISO 27001 services or explore our website to learn more about our range of bespoke security services. If you have any questions on ISO compliance, leave a comment below or get in touch with our team for advice. Alternatively, you can contact one of our ISO 27001 Experts by sending in a web form or call us on +44 (0) 20 3653 1234.

Risk Crew