© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_9

9. External Audit

Abhishek Chopra (Faridabad, Haryana, India) and Mukund Chaudhary (Noida, India)
 

"Uncontrolled access to data, with no audit trail of activity and no oversight, would be going too far. This applies to both commercial and government use of data about people."

—John Poindexter

This chapter covers the external audit, which is the last stage of your ISO 27001 implementation. It explains the external audit requirements, including how to prepare for the audit, best practices for managing it, and how to close it. The chapter covers the following topics:
  • Audit preparation

  • Best practices

  • Audit closure

Audit Preparation

After spending several months on the ISMS implementation, your teams are progressing toward the final stage of the implementation: the certification audit.

Note

For organizations that do not want to go through the certification audit, the internal audit is considered the last stage of their first ISMS implementation.

Strictly speaking, it is not the last stage at all, because the ISMS is meant to be improved continually: each audit cycle, internal or external, feeds findings back into the next one.

Before you move to the external audit phase, it is important to be sure the team is prepared. Facing an audit without being prepared will lead to failure. Time spent on preparation is worth every second, as it will give your team confidence and make them audit-ready.

An external ISO 27001 audit can be eventful if you are new to management system standards. The good news is that the process is structured in such a way that first-time implementers and small organizations can be audited with ease.

An external audit in ISO 27001 can be divided into three stages, all of which are discussed in the following sections.

Stage 1 Audit

During a stage 1 audit, the auditor generally looks at the documentary evidence. This is sometimes called a tabletop audit or document review audit. Here, the auditor looks at the required process, policy, and procedure documents. The essential documents, such as the organizational information security policy, the statement of applicability (SoA), and the risk treatment plan, must be reviewed during a stage 1 audit.

You might wonder who attends a stage 1 audit. If you guessed the information security team, you would be correct. This team, on behalf of all the other teams, presents the defined policies and procedures. If there are any queries, they are handled by the security team.

Note

In some cases, the information security team won’t be able to answer all the queries. In such scenarios, specific department stakeholders can be consulted.

The aim of the stage 1 audit is to confirm that your organization's ISMS is in place and ready for the stage 2 audit.

Stage 2 Audit

The stage 2 audit is detail-oriented, and this formal audit is sometimes called a compliance audit. During this audit, the auditor visits the organization's site. The auditor first audits the information security team and then audits the remaining departments. The auditor reviews how the organization has implemented the security controls and whether they are effective and sufficient to secure the organization's information and assets.

The auditor also attempts to understand, from discussions with the auditees, why a certain method or tool was chosen as a security control. Hence, as an organization and as a team, you must be clear and confident about these choices, and ideally be able to trace each one back to the risk assessment and the risk treatment plan.

After meeting with all the auditees and teams, the auditor prepares their findings and report. Before presenting the findings to management, they review them with the auditees to ensure that everyone agrees on what was observed.

Note

There should not be any major nonconformities in the audit report, as a major nonconformity must be corrected and verified before certification can be recommended, which delays the certification process.

After the auditor reports the findings, they meet with senior management for the closing meeting, where the final report is presented.

The process of preparing the report and sending it to the client organization and the certifying body may take a few days to a few weeks, depending on the situation and the external auditor. After the report is validated by the issuing authority or certifying body and the organization passes the audit, the organization is issued the certificate, which is valid for three years.

Stage 3 Audit

The stage 3 audit is the follow-up review and is generally called the surveillance audit. It is conducted on an annual basis during the three-year certificate cycle to validate that the organization is maintaining the ISMS effectively and focusing on continual improvement; at the end of the cycle, a recertification audit is performed. If the organization wants to increase or decrease the scope of the certification, that can be done during the surveillance audit and should be communicated to the certifying body well before the audit.

The next sections discuss the steps that can help you be audit-ready.

Step 1: Understand the Context

This step will help you understand the business context, which in turn helps you understand the internal and external factors that affect the organization. Here you note the issues that can affect the outcome of the ISMS implementation. For example, an internal issue might be the dependence of a business process on a single critical information asset, or the loss of the people who know how to operate it.

Note

When identifying external issues, try using the PESTLE method. PESTLE stands for Political, Economic, Social, Technological, Legal, and Environmental factors.

Step 2: Ensure Leadership Commitment

This is a simple yet very important step for the external audit. You need commitment from management throughout the project. They can participate, suggest actions, and assign roles and responsibilities, and the auditor will look for evidence of this involvement.

Step 3: Plan the Audit

Planning is always important during the ISMS journey. Here, you plan the audit itself, select controls, manage risk, address the risk assessment results, and develop a risk treatment plan.

Tip

The communication plan can also be developed during this step. It will vary from company to company, depending on how complex the organization is and on its various roles and responsibilities.

Step 4: Complete the Documentation

During this step, you need to define and implement the policies, procedures, and other records that the ISO 27001 standard requires, such as review logs, network logs, and training records.

Step 5: Schedule Your Stage 1 Audit

At this point, you should have all the documents ready and the preparation complete. It's time to schedule the stage 1 audit with the external agency or auditor. You can get guidance from the auditor and clarify any doubts. This is your best chance to improve before the formal stage 2 audit.

Step 6: Prepare Your Team

Now it's time to prepare your team for the audit. Discuss it with the team and send an email if required about what they should expect to be asked and how to reply. The best way to reply to an auditor is to give real-life examples, backed by records, when you are asked for evidence.

Step 7: Close the Gaps

During this step, you need to close all the gaps or issues raised by the auditor during the stage 1 audit. By this time, the team will have confidence and will understand the audit cycle, as they have already been through a stage 1 audit. Once the gaps are closed, the evidence of closure needs to be sent back to the auditor for review. You need to obtain the auditor's confirmation that the issues have been resolved.

Step 8: Schedule Stage 2 Audit

This is the final step before receiving the ISO 27001 certificate. Schedule your stage 2 audit and relax. You have done everything you can, and you have the evidence that the auditor will require.

Step 9: Celebrate

This is an optional step, but your team has done well and earned this valuable certificate. Time to celebrate this achievement.

Best Practices

These external audit best practices help you address any compliance issues reported during the audit and help create more awareness within the team. Follow these best practices during the audit preparation stage:
  • Clearly understand the scope: The scope must be clear to all participants who will be audited during the external audit. For example, auditees and senior management must be on the same page about what is in and out of scope.

  • Focus on critical areas: Pay attention to the critical areas of your business operations, particularly those that had open issues which you closed recently, a few months before the audit. Ensure that if any such areas are audited, they remain compliant. Otherwise, nonconformities (NCs) could be reported in the audit.

  • Information security policy awareness: All the teams must be aware of the information security policies. The information security team can hold awareness sessions in which they educate teams about the security policies.

  • Conduct mock audits: This practice makes the team aware of which kinds of questions may come from the auditor. If the team is going for an ISMS audit for the first time, doing a mock audit is really helpful. The mock audit will make them familiar with the course of the audit and show them how to present evidence to the auditor.

  • Get approval on policies and procedures: Organizations going for the certification audit for the first time must check that all newly written policies and procedures have been reviewed and approved. Be sure to check that previously defined policies have been reviewed for any changes.

  • Check software/tool expiration: The organization should ensure that the software and tools used by the teams are licensed and that their licenses do not expire before the audit.

  • Ensure traceability: Teams should ensure that the business process, or the part of the business process that they execute, can show end-to-end traceability. For example, any task in a process should be able to show a clear path of execution, with records, from initiation until its closure.

  • Keep manual execution to a minimum: The organization should ensure that its business processes are executed with the help of software, tools, and automation, as this minimizes the chance of human error during execution and produces records as a by-product. Having such tools helps the organization maintain its ISMS efficiently.

Audit Closure

This section covers how an audit is marked as closed. When the auditor has met all the departments and stakeholders on the audit schedule and has covered the complete audit scope, it's time to close the audit.

The audit was conducted to inspect your organization's security controls against its defined policies and procedures. Hence, this audit helps you determine how well your business processes are helping to secure your organizational information and assets. The audit closure is the opportunity to understand the effectiveness of the controls implemented in your ISMS.

The document you receive when the audit is completed is the audit report. It describes the audit's findings and the good practices you have implemented, and it is presented during the audit closure meeting.

Here are the key points that an auditor covers during the audit closure meeting.
  • Reiterate the audit scope and objective: The auditor will reiterate the audit scope and objective to confirm that the complete audit scope has been covered. For example, the objective of the audit was to evaluate how effectively the management system conforms to the requirements of the ISO 27001:2013 standard and the organization's policies. The auditor will also mention that the audit was conducted on a sampling basis, so the absence of findings in an area does not prove the absence of nonconformities there.

  • Preliminary findings: This is the key part of the closing meeting. The auditor explains all the findings to the team to make sure that the communication is clear and everyone understands them. Each finding should be based on the available evidence.

  • Clarifications: Findings can be clarified with the auditor during both the preliminary and the final findings presentation. The team or management may clarify points and ask questions, if required. Someone on the team might not agree with a finding and be able to present other evidence showing that it is not valid. This discussion is important, as it can affect the final audit report.

  • Acknowledgment: The team acknowledges that they understand the findings.

  • Report: The auditor communicates the timeline for sharing the final audit report with the company, as the report must also be submitted to the certifying body for verification.

By following these simple steps, the audit meeting can be closed. It seems like an easy job, right? (Irony intended.)

Audit Report

The final audit report was mentioned in the previous section on the audit closure meeting. So, what is an audit report and what does it look like?

An audit report, as its name suggests, is a detail-oriented report of the ISMS audit. The report structure may change according to the certifying body, but some of the important areas that it covers are described in the following sections.

Executive Summary

This section contains the objectives of the audit along with the company's details. Here's an example of the executive summary:
  • The company has implemented the ISMS in its software development, maintenance, and support departments. The company uses AWS (Amazon Web Services) cloud services for its application development and hosting requirements.

  • The ISMS objectives, along with its policies, were verified with reference to the ISMS Manual v1.0 dated (date here).

  • Information Security Policy v1.0 and ISMS Roles, Responsibilities, and Authorities v1.2 dated (date here).

  • Risk Assessment Procedure v1.0 dated (date here), Statement of Applicability v1.1 dated (date here).

  • The only control excluded is A.14.2.7, outsourced development, as the organization does not use outsourced software development services.

  • All candidates went through pre-employment checks as per the Reference Check Policy. Confidentiality agreements are part of the employment terms. All employees must sign an undertaking when any company asset is issued to them.

  • As the company uses cloud services, all server infrastructure is in the cloud. The IT infrastructure in the facility consists of laptops, a file server, a router/firewall, LAN switches, and Internet links.

  • The development, staging, and live environments are in the cloud.

  • Firewall alerts/alarms are configured to trigger an email to the IT manager.

  • The software development methodology used is a mixture of SDLC and Agile. The technologies used are Java, J2EE, Node.js, machine learning, and big data.

  • Patch management is automatic for Windows laptops and done manually for servers. Vulnerability management is performed by scanning systems once a month using Nessus.

  • The applicable legal, statutory, and regulatory requirements have been identified and documented in the Legal Authorities Register v1.0 dated (date here) and the organization has implemented mechanisms to ensure compliance.

  • Internal audits are conducted once a year as per policy. The last internal audit was conducted in (month and year). All findings of that audit have been closed with appropriate root cause analysis (RCA). The next round of internal audits will be performed in (month and year).

  • Management reviews are conducted once every six months as per policy. The last management review was conducted on (date here). The next management review is scheduled for (month and year).

Note

The executive summary points listed here are for understanding purposes only; the description will differ depending on the organization or industry.

SWOT Analysis

In this section, the auditor records the Strengths, Weaknesses, Opportunities, and Threats (SWOT) observed during the stage 2 audit.

For example, the SWOT analysis can be:
  • Strengths
    • Leadership commitment toward information security

    • Expertise and strong domain understanding

  • Weaknesses
    • No significant weaknesses observed

  • Opportunities
    • ISMS monitoring mechanisms may be improved

    • Coverage of documented operating procedures may improve

  • Threats
    • Adverse economic and political conditions in the client countries

    • Any adverse changes in the outsourcing policies of client companies

Score Description Control by Control

The score descriptions are common to all management systems and cannot be customized by the auditor. This ensures consistent interpretation and standardization of audit results worldwide. The scores given to your organization are for benchmarking purposes only and are based on the audit team's evaluation. Here the auditor records whether you meet each control and shares the rating for each one.

Finding Summary

In this section, the auditor shares a summary of the key findings issued during the stage 2 audit. Findings are categorized as minor or major nonconformities. If the auditor identified any opportunities for improvement, those are also noted in this section.

Evidence Summary

In this section, the management system evidence that the auditor examined is summarized. The auditor is expected to provide a detailed evidence summary based on what was sampled during the audit.

Lead Auditor Recommendation

This is where the final recommendation comes in. The auditor writes a recommendation about whether the company should be awarded a certificate. For example: "The management system conforms with the audit criteria and can be considered effective in assuring that objectives will be met. Certification is therefore recommended."

Front Page

Figure 9-1 shows a snapshot of the audit report front page, which covers some basic details that were not discussed in the previous sections.
Figure 9-1

Sample audit report front page showing basic details

Summary

This chapter covered the external audit process, including how to prepare for and manage the audit. You also learned about best practices that can be followed to keep the audit on track. Finally, you learned about the audit closure and the important points to remember so that you can close the audit successfully.
