Many organizations stumble while implementing an ISO 27001 ISMS and undertaking the subsequent audit. ISO 27001 audits are mainly of two types: internal and external. Here we share some key practices to ensure that the audits are conducted efficiently.
Internal and external ISO 27001 audits
Internal audits are conducted by an in-house team or an outsourced agency, based on the policy framed for assessments. External audits are conducted by certifying bodies, each with its own audit cycle. Some certifying bodies undertake an assessment six months after the certification; these are known as surveillance audits. Generally, the last surveillance audit in the cycle can also be called a recertification audit.
An external ISO 27001 audit is broadly divided into three stages. Stage 1 involves a thorough review of key documents and the methodology adopted by the organization. Documents such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP) are checked. This stage also helps the auditors and the organization understand each other better.
Stage 2 is more detailed and formal and comprises an onsite visit, where the sample
Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. It would be best for internal auditors to follow the same process. However, because internal auditors are part of the system being audited, they tend to make many assumptions, and hence a design flaw often gets overlooked. An internal audit generally ends up as a checklist-oriented audit. Thus, ideally an experienced third party with domain expertise should be engaged to identify gaps in a holistic (people, process and technology) manner.
After the certification, an ISO 27001 audit should be done at least annually.
Be open to suggestions
ISO 27001 is a set of best practices, and appropriate implementation would ensure tangible and intangible benefits. An organization should not be audit oriented. Aiming for zero non-compliance is like saying, “I’m not open to suggestions/improvements”. Non-compliance doesn’t necessarily imply something bad for the organization. External auditors (whether engaged for certification or for internal audits) have a lot of industry experience, and hence audits also help in identifying areas for improvement.
Having a proper document and record control guideline, and following it in spirit, helps during an ISO 27001 audit. An organization’s objective in acquiring the certification also puts a lot of things into perspective: quick certification to attract business often dilutes the effectiveness of the implementation, and the stated objective itself indicates whether the standard is being implemented in spirit.
Sustaining the initiative
After the ISO 27001 audit, most organizations feel that nothing much remains to be achieved. On the contrary, mature organizations that have a culture of acquiring several certifications look at the certification as a milestone and not a destination. Several reasons could result in degeneration of the initiative and, if not corrected in time, may lead to complete failure and the certification being revoked.
Many organizations go in for an ISO 27001 audit immediately after ISMS implementation; at that point the momentum is sustained by everyone, and the change is considered temporary. However, when the business returns to normalcy, the momentum is lost and the organization starts striking a balance between functionality and security. It may also happen that relevant information is not provided to the management, due to which its commitment starts degenerating. The initiative then gets pushed down to some line manager, paralyzing the implementation. Sustaining the initiative greatly depends on the organization’s capability to retain the buy-in of its stakeholders.
About the author: Deepak Varde is the head of Managed Information Security Services at Mahindra Special Service Group and has been involved in designing and deploying security frameworks that address the risk spectrum, covering people, process, and technology. (As told to Dhwani Pandya)
This was first published in October 2010