How to conduct an ISO 27001 external audit

Implementing an ISMS (information security management system) takes a lot of effort – particularly when you’re following the best practices outlined in ISO 27001. Unfortunately, your work isn’t done once everything is in place. You will need to regularly review your systems to make sure everything still operates as it should.

However, you can’t rely solely on your own judgement. An internal assessment should be the precursor to an external audit, in which a third party reviews your organisation’s ISMS. Organisations that pass an external audit will achieve (or maintain) ISO 27001 certification, which comes with many benefits.

How do external audits work?

The ISO 27001 external audit process is split into three stages.

  1. Initial audit: Before diving into their investigation, the auditor will make sure the organisation’s ISMS has been developed in accordance with ISO 27001. This involves requesting copies of certain documents related to the organisation’s ISMS. The amount of information that needs to be provided depends on the requirements of the certification body.
  2. Documentation review: This involves a more thorough assessment of the organisation’s processes and policies. The auditor will pay close attention to the organisation’s information security policy, SoA (Statement of Applicability) and RTP (risk treatment plan).
  3. On-site review: The auditor will visit the organisation to make sure staff are following policies and procedures. They will also interview key employees about the ISMS.

How often do you need to be audited?

Like many standards, ISO 27001 doesn’t specify how frequently an organisation needs to be audited. That’s because every ISMS is different and must be treated as such.

However, most experts recommend carrying out internal and external audits once a year. This won’t always be possible, but at the very least you should be audited once every three years. This is the length that most ISO 27001 certification bodies validate an organisation’s ISMS for. Once you get beyond this point, your ISMS is probably no longer ISO 27001-compliant.

Preparing for the audit

Here are three tips to help you pass your audit:

  1. Be prepared: You can get a good idea about your level of compliance by conducting an internal audit. Any problems it raises should be addressed before you undergo an external audit.
  2. Choose an accredited certification body: Non-accredited bodies usually don’t operate in line with the international standards for certification bodies, so a certificate from one doesn’t necessarily mean you are ISO 27001-compliant.
  3. Use proven, easy-to-understand tools: You’ll need to use software and other tools when creating an ISMS. Make sure these allow you to store all your documentation in one place, as this will make it easier to review and amend your processes.

Become an external auditor

If ever there was a time to develop a career in information security, this is it. ISO 27001 certifications have spiked across the globe in the past few years, including in the Gulf. The ISO 27001 Survey 2017 found that 510 GCC (Gulf Cooperation Council) organisations have certified to the Standard, which represents a 42% increase compared to 2016.

The widespread adoption of the Standard has created a pressing need for ISO 27001 experts. Organisations are looking for people to help them implement the Standard and maintain compliance, but you might find that external auditing is the ideal role. It’s well paid, comes with a lot of responsibility, gives you the opportunity to travel and allows you to help organisations protect themselves from cyber criminals.

You’ll obviously need a thorough understanding of ISO 27001 and its audit procedure. This might sound daunting, but you can learn everything you need to know by enrolling on our upcoming ISO27001 Certified ISMS Lead Auditor Training Course in Dubai.

This four-and-a-half-day course shows you how to lead, plan, execute and report on an ISO 27001 external audit. It’s delivered by experienced trainers, who work from a framework created by ISO 27001 expert and IT Governance Director Steve Watkins.

Find out more >>