9. External Audit
Introduction
The external audit is a pivotal stage in the ISO 27001 certification process. It's the moment when an external, independent body evaluates the effectiveness and conformity of your Information Security Management System (ISMS) against the ISO 27001 standard. This chapter will delve into the intricacies of the external audit, providing a comprehensive guide to prepare and navigate through this crucial phase.
1. Purpose of the External Audit
The primary purposes of the external audit are:
Validation: To confirm that the organization's ISMS aligns with the requirements of the ISO 27001 standard.
Identification: To identify any non-conformities or areas of improvement.
Certification: To grant the ISO 27001 certification if the organization meets the necessary criteria.
2. Choosing the Right Certification Body
Before the audit, you'll need to select a certification body. Here are the key considerations:
Accreditation: Ensure the certification body is accredited by a recognized accreditation body; accreditation attests to its competence in conducting ISO 27001 audits.
Reputation: Research their track record, client reviews, and industry reputation.
Expertise: Their auditors should have experience in your industry or sector, which makes for a more effective audit process.
Location & Logistics: Consider their geographical proximity and availability, so that scheduling and travel do not become obstacles.
3. The Two-Stage Audit Process
The external audit typically occurs in two stages:
Stage 1 – Readiness Review:
Objective: To assess the organization's readiness for the stage 2 audit.
Activities:
Review of ISMS documentation
Assessment of the scope of the ISMS and risk assessment approach
Verification of internal audit and management review processes
Output: A report detailing findings, including any non-conformities or gaps. If significant gaps are found, the stage 2 audit might be postponed.
Stage 2 – Certification Audit:
Objective: To evaluate the effectiveness of the ISMS in its entirety.
Activities:
Deep examination of ISMS processes, controls, and procedures
Interviews with relevant staff and management
Evaluation of the organization's risk treatment and its effectiveness
Output: A detailed audit report. If the audit is successful and any non-conformities from Stage 1 have been addressed, the organization will be awarded the ISO 27001 certification.
4. Non-conformities
During the audit, the auditor might identify:
Major Non-conformities: Significant gaps or failures in the ISMS that need rectification before certification can be granted.
Minor Non-conformities: Smaller issues or gaps that don't necessarily impede certification but must be addressed within a specified timeframe.
Observations or Opportunities for Improvement: Suggestions by the auditor that don't require immediate action but can enhance the ISMS.
5. Preparing for the External Audit
Effective preparation can ease the audit process. Here's how to prepare:
Documentation Review: Ensure all your ISMS documentation is up-to-date, accessible, and aligns with ISO 27001 requirements.
Mock Audits: Conducting internal audits or mock external audits can help identify and rectify potential non-conformities.
Staff Training: Train key personnel about the audit process, what to expect, and how to communicate effectively with auditors.
Logistical Preparations: Organize schedules, book meeting rooms, and ensure auditors have access to necessary resources.
6. After the External Audit
Once the audit is complete:
Review the Audit Report: Go through the auditor's findings, focusing on any non-conformities.
Address Non-conformities: Prepare a corrective action plan to address any identified non-conformities and implement the necessary changes.
Certification: If you pass the audit and address any non-conformities, you will be awarded the ISO 27001 certificate, typically valid for three years.
7. Surveillance Audits
Post-certification, the certification body will conduct surveillance audits, usually annually, to ensure ongoing compliance and continuous improvement of the ISMS.
Conclusion
The external audit is the gateway to achieving ISO 27001 certification. While it may seem daunting, with the right preparation and understanding, organizations can confidently navigate this process, ensuring their information security measures stand up to global standards.