How ISO 27001 Certification Works: Audit and Certification

It’s time to get ISO 27001 certified! You’ve spent time carefully designing your ISMS, defined the scope of your program, and implemented controls to satisfy the standard’s requirements. You’ve executed risk assessments and an internal audit. Whew.

Now, let’s make it official.

After delivering an internal audit report to management, the team will need to determine if there is necessary remediation. If the internal audit was unsatisfactory, there should be a pause to place additional controls prior to executing the external audit.

Once management feels as though the internal audit was successful, they can move into the certification process.

Who can audit my ISMS?

Only ISO 27001 certified auditors can examine your framework and only a certification body can issue the final certification. This differs significantly from SOC 2, which can be performed by any CPA. Any ISO 27001 auditor must work with a certification body and must complete a specified number of audits and hours of training to qualify.

ISO 27001 Audit

ISO 27001 audit is broken into two stages. This section covers both and the official certification process.

Stage 1

During the first stage, auditor(s) reviews your company’s ISMS from a design perspective. This usually takes place in person but can continue via conference call if needed.

Your auditor will examine the policies and procedures listed in your ISMS. This stage walks through ISO 27001 at a high-level, and determines if there are any of the following types of findings:

• Major nonconformities
• Minor nonconformities
• Observations
• Opportunities for improvement

This stage determines if your company is ready to start stage 2 of the audit. Auditors look at the clauses, or requirements, of ISO 27001 but do not necessarily examine Annex A controls. Using your Statement of Applicability, they determine if the correct level of information security has been designed with the ISMS.

Stage 2

Once the auditor returns a preliminary report to management and provides them with an opportunity to solve any major or minor nonconformities, they can commence stage 2. Like the first stage, this typically takes place onsite.

This stage dives into policies and procedures in action. That means collected evidence of each clause and control that has been put into place during implementation. Using your Statement of Applicability as a reference, auditors confirm the requirements and examine configurations, protections, roles, and more.

The focus of this stage is on the operating effectiveness of controls and how they’ve been implemented. Your team likely needs to explain the intentionality of the design, how you anticipate dealing with particular circumstances like employee discipline, and reperform controls as needed.

The process of inspection, observation, and inquiry into each control requires significant time from each control owner. Expect your team to be involved in audit meetings for a full week.

ISO 27001 Certification

Finally, the certification! After stage 2 of the audit, your auditor will hold a closing meeting where the results of the audit will be provided to management, including any nonconformities that require remediation.  Management should provide a response in the form of a corrective action plan, which includes the issue, the actions to remediate, and a timeline for completion. Once those action plans have been drafted, the auditor will include them within the audit report which is normally completed within 1-2 days of the closing meeting.

At this point, auditors should be able to indicate if they believe you will be ISO 27001 certified, but the final decision lays with the certification body. Even with a few minor nonconformities, you can expect to be certified within the week! Congratulations!

Surveillance Audits

ISO 27001 does not require an annual certification, but you will need to perform a surveillance audit in the off-years. The 2 years following your certification, an auditor from a certification body will perform a surveillance audit to ensure that the organization is still operating the controls as designed.

This audit includes all clauses in the ISO 27001 framework, but each year only 50% of Annex A requirements need to be examined–how it is divided is up to the auditor.  Additionally, the auditor will revisit any nonconformities found during the initial certification audit and determine if the organization remediated the issues properly.

At the end of these audits, the auditor will share any findings with management, similar to the first year, and produce an audit report to the certification body indicating whether the organization is still satisfying the requirements of the standard to maintain certification.

ISO 27001 Recertification

The 3rd year after certification, you’ll need to repeat the whole certification process again. During this time, your business has likely grown and changed. This means your ISMS and SoA should have changed with it, as reflected in your annual surveillance audits.

What’s the timeline for ISO 27001 audits?

ISO 27001 certification is usually an in-person audit process, performed by an ISO 27001 certification body.

However, in the time of remote work, ISO 27001 audits move forward via video conferencing. If the design of the ISMS is found to be sufficient, the second stage can commence. Otherwise, the company must remediate any nonconformities in a reasonable amount of time to avoid re-doing the first stage.

The second stage examines the controls and requirements, and can similarly take place over a video conference. This typically lasts about twice the amount of time as the stage one audit.

The ISO 27001 audit report will be authored within 24-48 hours of completion of the audit and passed to the certification body for review.

Because ISO 27001 is a fairly rigid framework, you’ll likely need expert guidance on how to scale your controls up as your business grows. We get that. Reach out to our team with questions, comments, or concerns as you tackle the ISO 27001 process!