How to Prepare for an ISO 27001 Audit

ISO 27001 Audit

In the world of information security, there are many frameworks and countless guidelines. But among them all, one standard rules them all.

Originating from the Plateau of Gorgoroth in Northwestern Mordor, it towers high above the rest, peering deep into the very hearts of organisations like the Eye of Sauron; controlling information security for all the peoples of Middle Earth.

Ok, maybe that’s a bit much.

Achieving this esteemed certification is no small feat. It involves (alongside an effective risk assessment and treatment process) a diligent and systematic review of your organisation’s information security management systems (ISMS); processes known as internal and external audits.

“The Audit…”

This a phrase that strikes terror into the hearts of CEOs and Information Security managers everywhere who, like the Balrog facing down Gandalf in the Mines of Moria, fear to hear the words: “You Shall Not Pass!”

Though it’s true that audits guard the gates of ISO 27001 certification, what they require to open is not pain, blood, or a mysterious Elven password. They just require compliance and diligent a Risk Management process.

The Fellowship of the Audit

I know what you’re thinking.

“This is all just a tick-box exercise! Let’s get it out of the way, so we can keep doing business with our overly-fussy partners, who merely require our compliance! …And stop with the Lord of the Rings References!”

The point is that ISO 27001 is much more than mere box-ticking. If deployed properly, it’s a protective forcefield that helps guard your organisation’s sensitive information against potential threats and breaches. Like an Elven cloak. Sorry.

ISO 27001, My Precioussss…

At Risk Crew, we recommend being ISO 27001 compliant. Why? Because it prescribes a tailored, risk-based approach, one that involves an expansive range of controls. These encompass many security aspects, as diverse as physical security and incident management, all the way to business continuity planning and managing your third-party suppliers.

“How will I ensure these controls are effectively deployed and managed? The answer is simple: a well-chosen set of Key Performance Indicators (KPIs), along with internal auditing. More on those later.

One ISMS Framework to Rule Them All

For many, they read ‘audit’ and slip into a dark and dreamless sleep, never to return, as if they have been poked by a Nazgǘl Blade.

But this doesn’t need to happen. The word comes from the Latin root Audire, meaning ‘to hear’. In ancient times, auditors would listen to financial transactions to diagnose issues. Even now, the concept is essentially the same: to thoroughly ‘hear’ what’s up with your organisation. It’s a diagnostic tool and a crucial part of achieving ISO 27001 certification.

But we’re getting ahead of ourselves. Let’s start at the very beginning.

Hobbits to Isengard: The Audit Pathway

An essential aspect of the audit process is understanding (and tackling) non-conformities. A non-conformity arises when there’s a discrepancy between your existing information security management practices and the requirements of ISO 27001.

Identifying them is ultimately about avoiding an information security incident down the road; there is no need to try and hide them. Instead, focus on fixing them.

External auditors would prefer to see you’ve noticed the potential non-conformities and have begun making moves to correct them. Non-conformities are the canaries in your mine. Ignore them at your peril.

Non-conformities vary in severity. Some are minor; pretty easy to fix, whereas others might suggest a deeper, systemic problem that might take the whole team’s best efforts to put right. Prevention though, I’m sure you’ll agree, is always better than cure.

Stage 1 Audit – An Unexpected Journey

During a stage 1 audit, your friendly auditor will be looking at ‘documentary evidence’. This is often called a ‘tabletop audit’, or a ‘document review audit’.

They will look at all the required policy, process or procedure documents. Expect a review of your essential records, like your Information Security Policy, Statement of Applicability and Risk Treatment Plans. This stage will usually be handled by your information security team members. In short, the stage 1 audit is all about ensuring your ISMS is in place.

Stage 2 Audit  – The Orcs Enter the Shire

Stage 2 is all about the details. This stage is a Compliance Audit and more often than not, the auditor will physically visit your HQ.

Their first port of call: auditing the information security team, followed by the remaining departments. The auditor wants to know how you’ve implemented your security controls (and whether they’re working well enough to secure your information assets).

The auditor will want to understand your choices in regard to the security controls you’ve deployed. This is all conversational, but it’s important you and your team are confident and conversant about your choices. The auditor will then meet with senior management before scurrying back into their cave to amass their report. But it’s probably best not to call them Gollum. Most auditors prefer Sméagol.

Stage 3 Audit  – The Return of the King

Generally called a ‘surveillance audit’, this is essentially a follow-up. It’s an annual event and validates that you’re keeping your ISMS alive and well (rather than locked in a basement somewhere). Ask yourself whether you’re focusing on continual improvement (or not); as that’s what the auditor will be asking. Here’s how to get ready for your audit:

  • Understand the Context, i.e., the internal and external factors affecting your organisation.
  • Make sure Leadership are committed and on board.
  • Plan for the audit – Make sure you’re confident about the controls you’ve selected, manage the risks in the register, scrutinise the results of your risk assessment and hone your risk treatment plan. Finally, develop your communication plan.
  • Finish any documentation – Define and implement all policies and procedures (and any other documents such as review and network logs and training records.
  • Schedule your Stage 1 Audit – Now you have all your documents in line.
  • Prepare the Team – Have each team member ready to give genuine examples when asked for evidence. Keep their spirits up and don’t give in to fear, uncertainty or doubt. And don’t drink the emergency brandy.
  • Fill any Gaps – After your Stage 1 Audit, there may be some gaps or issues identified by the auditor. Send this information back to the auditor for review.
  • Schedule Stage 2 Audit – This is the last lap, at the end of which you receive the ISO 27001 Certificate.
  • Party! Now you and the team can open the emergency brandy.
  • Read the Report: The cheat sheet below should help you

ISO 27001 Audit Report Cheat Sheet

ObservationsIssues that may not necessarily be non-conformities, but are noteworthy points identified during the audit. These observations can highlight potential areas for improvement or areas that may need attention in the future.
Opportunities for ImprovementThese findings refer to areas where the organisation is meeting the standard’s requirements, but there are opportunities to enhance the efficiency, effectiveness, or security of the processes and controls further.
Positive FindingsThese findings highlight areas where the organisation is performing well and is in compliance with ISO 27001 requirements. They recognise successful implementation and adherence to the standard’s guidelines.
Negative FindingsNegative findings refer to areas where the organisation is not meeting the requirements, indicating weaknesses or potential security risks that need to be addressed.
Major FindingsMajor findings refer to significant non-conformities or security weaknesses that require immediate attention and remediation. These could be critical security gaps that pose a high risk to the organisation.
Minor FindingsMinor findings are less severe non-conformities or areas of improvement that do not pose an immediate risk but still need to be addressed in the future.
Repeat FindingsRepeat findings are identified when the same non-conformities or issues that were previously found in an earlier assessment persist even after corrective actions were taken. These findings indicate a lack of effective corrective and preventive actions.

Get into the Hobbit of Mock Audits

Before the real one, conduct a mock audit along the lines above.

A ‘dress rehearsal’ internal audit and gap analysis will help with both preparedness and confidence. This involves assessing your ISMS to identify potential non-conformities and opportunities for improvement, ahead of the actual audit.

This will help ensure that all relevant documentation, like security policies, procedures, risk assessments, and evidence of control implementation, are all up-to-date and readily accessible.

  • Remind yourself the aim isn’t to annoy everyone in your office. It’s much more annoying when everyone has been locked out of their endpoints and a cybercriminal is demanding £1M in Bitcoin to unlock them again. The idea is to help the cogs of your machine run smoothly and cope when (and not if) a spanner is thrown into the works
  • The audit process is not a one-time event. It’s a cyclic process. If conducted properly, your ISMS should keep improving with age, just like fine Brandywine in a cool Hobbit hole. The aim is to keep it robust and resilient in the face of the ever-growing Orcish army of security threats out there.
  • Training is another great way to prepare you and your team. This includes training on ISO 27001 requirements, controls, internal audit procedures, and who is responsible for what during the audit. Risk Crew provide world-class training, so why not get in touch with one of our experts today for an informal chat?

Thinking of Getting Started with ISO 27001?

Risk Crew