9. External Audit


The external audit is a pivotal stage in the ISO 27001 certification process. It is the point at which an independent, accredited certification body assesses whether your Information Security Management System (ISMS) conforms to the requirements of ISO 27001 and whether it is effective in practice. This chapter walks through the external audit in detail, providing a practical guide to preparing for and navigating this crucial phase.

1. Purpose of the External Audit

The primary purposes of the external audit are:

2. Choosing the Right Certification Body

Before the audit, you'll need to select a certification body. Here are the key considerations:

3. The Two-Stage Audit Process

The external audit typically occurs in two stages:

Stage 1 – Readiness Review:

Stage 2 – Certification Audit:

4. Non-conformities

During the audit, the auditor might identify:

5. Preparing for the External Audit

Effective preparation can ease the audit process. Here's how to prepare:

6. After the External Audit

Once the audit is complete:

7. Surveillance Audits

Post-certification, the certification body conducts surveillance audits, usually annually during the three-year certificate cycle, to confirm that the ISMS remains in conformity with the standard and continues to improve. Before the certificate expires, a full recertification audit is carried out to renew it.


The external audit is the gateway to achieving ISO 27001 certification. While it may seem daunting, with the right preparation and understanding, organizations can confidently navigate this process, ensuring their information security measures stand up to global standards.