In this article, we’ll cover everything you need to know about conducting ISO/IEC 27001 audits to receive and maintain your ISO 27001 certification. You’ll learn about ISO 27001 audit requirements, why an ISO 27001 audit is important, how long it takes to conduct audits, and who can conduct audits that prove your company follows up-to-date information security management best practices.
By the end of this article, you’ll understand the steps needed to complete both internal and external ISO 27001 audits for your organization.
What is an ISO 27001 Audit?
An ISO 27001 audit is a review that checks whether your organization’s information security management system (ISMS) meets the requirements of ISO/IEC 27001. This article follows the 2013 edition of the standard; the 2022 revision restructures the Annex A control set but leaves the audit model described here intact. Organizations must conduct regular internal audits and undergo external audits to receive and retain their ISO 27001 certification.
Certification demonstrates that a company operates an ISMS that conforms to the standard: risks to its data, documents, and other information assets are identified, treated with appropriate controls, and reviewed on a schedule. An ISO 27001 certificate also gives companies a competitive advantage, showing customers and partners that their security program is aligned with an international standard and has been checked by an independent third party.
To qualify for certification, companies must pass an external audit by an accredited certification body (one accredited by a national accreditation body to certify management systems) that confirms their processes and systems meet the requirements of ISO/IEC 27001:2013.
Ongoing ISO 27001 audits test whether a company’s security controls are operating effectively, and they provide a record of continued conformity with the standard. Regular audits also let organizations reassess the residual risk that remains after their existing controls are applied.
With the results of an ISO 27001 audit, organizations can continue to improve their ISMS so that residual risk stays within the risk acceptance criteria management has set.
Importance of ISO 27001 Audits
Fundamentally, a series of ISO 27001 audits are required to complete the ISO 27001 certification process. Without successfully completing these audits, an organization cannot claim to comply with the international best practices for information security management.
In some cases, organizations may not be able to work with clients or partners who contractually require compliance with ISO 27001 standards to enter into or renew a contract. This can make ISO 27001 audits essential for companies to attract or retain clients within their industry.
Even once an organization receives its ISO 27001 certification, it must follow a regular auditing schedule to demonstrate ongoing compliance with ISO 27001 standards to maintain its certification. Audits show that a company’s systems, processes, and controls are working effectively and continuously protecting its information assets.
Regularly scheduled audits assess new risks as the company grows, allowing it to identify weaknesses in existing systems before they are exploited. These audits also reveal opportunities for organizations to strengthen their data management and IT security practices.
Types of ISO 27001 Audits
ISO 27001 compliance requires conducting two types of audits: internal audits and external audits.
The external certification cycle is standardized: an initial two-stage certification audit, annual surveillance audits, and a recertification audit every three years. The frequency of internal audits is set by the organization itself (Clause 9.2 requires them “at planned intervals”), but every company that wants to obtain or keep its certification must keep internal audit records available to the certification body and complete the periodic external audits.
Here are the internal and external audit expectations organizations must follow to remain compliant.
Internal Audit
An ISO 27001 internal audit is a review of a company’s ISMS completed by objective, internal staff trained in ISO 27001 standards or an external contractor hired to work alongside an internal team. Even when an internal audit is completed by an external party, it’s considered internal unless this party is part of an ISO 27001 certification body.
Under ISO 27001 Clause 9.2, an internal audit programme is required to maintain conformity. The audit programme defines how frequently internal audits are conducted, the methods used, the criteria and scope of each audit, and who is responsible for planning, completing, and reporting audit results.
The organization sets its own internal audit frequency, and the certification body will check that the programme covers every clause and every applicable Annex A control within the three-year certification cycle. In practice, most companies run a full internal audit at least annually.
Typically, an ISO 27001 internal audit involves:
- Reviewing and maintaining internal documentation for policies and procedures
- Sampling evidence from the ISMS as part of a field review, demonstrating that the policies and procedures are followed consistently
- Analyzing findings from document review and field review to ensure they meet ISO 27001 requirements
- Implementing improvements, as needed, based on audit findings
The ISO 27001 certification process begins with an internal audit, in which your organization reviews its current IT processes and documents the scope of the ISMS that will later be submitted for external review.
Next, the organization completes a risk assessment and a gap analysis against the standard, presenting the results alongside its other ISMS documentation to the certification body.
Finally, once a company holds certification, it must continue to conduct the internal audits planned in its audit programme to maintain conformity.
External Audit
When IT professionals ask “how do you prepare for an ISO 27001 audit,” they are usually referring to an ISO 27001 external audit. External audits are conducted by accredited certification bodies to confirm conformity with ISO 27001.
Organizations pursuing ISO 27001 certification will encounter four kinds of external audit:
- ISMS Design Review
- Certification Audit
- Surveillance Audits
- Recertification Audits
Once your organization defines the scope of its ISMS, you’ll engage an accredited certification body of your choice, and its auditor will complete the ISMS Design Review (the stage 1 audit). During this external audit, the auditor reviews your organization’s documentation, processes, and procedures to confirm that your ISMS design meets the requirements of ISO 27001.
If your organization passes the ISMS Design Review, the auditor confirms that you are ready for the Certification Audit (stage 2); certification itself is only recommended after stage 2 is passed.
During the Certification Audit, the auditor reviews your organization’s business processes and controls through a field review to confirm that they meet the ISO 27001 requirements and that the controls you selected from Annex A are implemented and operating. The 2013 edition of Annex A lists 114 controls; the 2022 edition consolidates them into 93. Not every Annex A control is mandatory: your Statement of Applicability records which controls apply and justifies any exclusions, and the auditor tests against that. Meeting these requirements makes your organization eligible for full ISO 27001 certification.
To maintain certification, the certification body conducts periodic Surveillance Audits, in which it samples evidence to confirm that your controls still follow the procedures and processes your documentation defines. These audits typically occur annually in the first and second years of the cycle, often focus on specific ISMS areas, and precede recertification.
Finally, organizations are subject to an extensive Recertification Audit every three years to maintain their ISO 27001 certification eligibility. This review covers all areas of the ISMS and mimics the initial Certification Audit, ensuring that the organization is continuously following ISO 27001 standards and improving its ISMS as new risks arise.
ISO 27001 Audit Stages
As your organization prepares for ISO 27001 certification, it’s important to understand the two stages that make up the initial certification audit. The audit criteria for ISO 27001 are defined by these two stages, and your company’s certification eligibility is contingent on passing both audit stages.
Companies should note that it is common to hire a separate consultant or readiness auditor to prepare for stage 1 before engaging the certification body. The certification body itself conducts both stage 1 and stage 2, and accreditation rules prevent it from also acting as your consultant, so any preparation help must come from a different firm.
Stage 1
Stage 1 of the ISO 27001 audit is called the ISMS Design Review. Before a company requests an ISMS Design audit, it’s critical that the company properly prepares for what an ISMS Design Review entails. An ISO 27001 audit checklist can help you get ready for your stage 1 audit.
First, work with your compliance team to determine your company’s risk tolerance and security baselines based on the expectations of your clients or partners. You may also need to consider legal, regulatory, or contractual requirements. These elements define the scope, security objectives, and Statement of Applicability for your certification audit.
Next, thoroughly document all the processes, procedures, policies, guidelines, and controls for your ISMS based on the requirements in ISO 27001 and the implementation guidance in ISO 27002. You’ll also need to complete a risk assessment, a risk treatment plan, and a gap analysis to submit with your documentation.
Once you’ve implemented and documented the controls in your ISMS, an auditor will review your documentation during the ISMS Design Review to ensure it meets the ISO 27001 requirements. Once completed, the auditor will provide your organization with an ISO 27001 audit report.
The audit report includes their findings and recommendations to improve your processes or controls before pursuing stage 2. Your organization’s employees may also need to complete additional security training to meet ISO 27001 stage 1 audit standards before moving forward with stage 2 of the certification process.
Stage 2
If the auditor confirms readiness after stage 1, your organization can move forward with stage 2. In the ISO 27001 stage 2 audit, an auditor from the certification body completes an evidential field review to confirm that the business processes and controls within your ISMS operate as described in the documentation reviewed in stage 1.
The auditor examines a sample of records, systems, and information assets as evidence that your ISMS operates effectively and meets the requirements of ISO 27001 and the Annex A controls you have declared applicable in your Statement of Applicability. This evidence should show that your business procedures work as documented, not merely that they are written down.
To complete their audit, auditors will often interview key stakeholders responsible for managing the ISMS as well as members of the internal audit and compliance teams. They’ll also request prior internal audit reports, management review records, and evidence of any remediations completed after stage 1. The audit reports tell them which non-conformities were raised earlier, and the management review records (Clause 9.3) confirm that management tracked and closed those improvements.
By stage 2 the processes that sustain the ISMS after certification must already be in place and producing evidence. This includes security awareness training (Clause 7.3) and the internal audit programme (Clause 9.2), both of which must be documented and operating to achieve certification and maintain conformity afterwards.
Once your organization has passed the stage 2 audit, your certificate is valid for three years. During that period the certification body conducts annual surveillance audits, and your organization must keep running the internal audits defined in its own audit programme, so that both sets of records show that controls are continuously operating as intended.
Who Can Perform ISO 27001 Audits?
Valid internal and external ISO 27001 audits must be conducted by objective, competent, and experienced auditors with demonstrable knowledge of the ISO 27001 standard. Competence is commonly shown by formal training or certification. For internal audits, the organization itself must define and record the competence it requires of its auditors (Clause 7.2), and the certification body will review those records; for external audits, the certification body is responsible for the competence of the auditors it assigns.
For internal audits, auditors must be independent of the stakeholders who operate the ISMS, so that they are not reviewing their own work or creating a conflict of interest. For organizations without a separate compliance division or audit team, it is common to hire a formally trained contractor or audit firm to carry out the internal audit programme. Such firms can also help you avoid common ISO 27001 audit mistakes, such as an ISMS scope that omits systems holding in-scope data, or an internal audit that covers only policies and never samples evidence.
Certification agencies have approved and accredited auditors who perform external certification, surveillance, and recertification audits. Often, these auditors have completed the ISO 27001 Lead Auditor course or a similar formal training-certification course.
ISO 27001 Audit Timeline
Auditing a company’s ISMS for certification can be a lengthy process. For most small to mid-sized businesses, the initial certification process takes between 6 and 12 months to complete from start to finish. Larger organizations with a more comprehensive ISMS or more extensive scope can expect the process to take up to 18 months.
Companies should expect to prepare documentation extensively even before pursuing the stage 1 ISMS Design Review. This process alone can often take 6 to 10 months. You may need to complete multiple internal audits and implementations before your ISMS is ready to start the certification process.
Once you begin the certification process, an auditor will work with your organization to create an ISO 27001 audit schedule. This schedule determines the timeline for an auditor to review thoroughly the documentation in stage 1 and collect enough evidence to prove compliance in stage 2.
While document review during stage 1 typically takes about a week to complete, stage 2 often takes longer because auditors interview stakeholders and spend more time examining your ISMS.
During either step, auditors may present remediations that must be completed before the organization can move forward with certification. Depending on what remediations are necessary to meet ISO 27001 standards, completing the necessary improvements can further extend the timeline for ISO 27001 certification.
How Can StrongDM Help with Your ISO 27001 Audit?
With StrongDM’s comprehensive Zero Trust Privileged Access Management (PAM) platform, internal and external auditors can easily review sessions, queries, and commands across your entire IT infrastructure from a single platform. Our platform keeps all your organization’s logs centralized in one place, making collection a breeze.
Our detailed logs can help external auditors view controls in place at a glance, streamlining the collection of evidence for both your initial certification process and your periodic surveillance audits for ISO 27001 compliance. Plus, internal teams save time during internal audits and provide comprehensive logs to certifying bodies in alignment with their ISO 27001 internal audit procedures.
Auditing doesn’t have to be time-consuming or resource-intensive. With StrongDM, centralized access control and session, query, and command logging give your team evidence that directly supports ISO 27001 access-control and logging requirements, helping you achieve and maintain ISO 27001 compliance without the headaches.
Want to learn more? Get a free, no-BS demo of StrongDM today.
About the Author
John Martinez, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.