The ISO 27001 audit process explained

Learn more about the ISO standard audit process, which is crucial to achieving ISO certification, below.

ISO 27001 audit process: getting started

Gaining and maintaining certification for your ISO 27001 Information Security Management System (ISMS) is not a single event. It’s a series of connected, ongoing audits and reviews to ensure that your organisation and Management System remain compliant with the ISO standard you want to be certified to.

Once you’ve developed and implemented your ISO 27001 Information Security Management System, it needs to be audited so that you can get the system – and your organisation – certified.

You then enter a rolling, three-year cycle to maintain your ISO 27001 certification. The same process applies to all ISO Management Systems.

All audits are based on the same principle of checking that you are actually doing what you say you are doing in your documented Management System and verifying that it’s compliant with the ISO standard.

ISO 27001 audit cycle

Initial ISO 27001 certification audit

This is the ISO 27001 audit you are subjected to in order to determine whether you should be awarded your certificate for the first time. It’s also known as an external audit, a third party audit or a registration audit and is conducted by a Certification Body. The Certification Body (CB) will appoint an Auditor or possibly a team of Auditors, depending on the size of your organisation, the number of sites and the scope of your Management System.

Ideally you should ensure that the Certification Body from which the Auditor comes is UKAS accredited.

An ISO 27001 Information Security Management System Initial Audit is split into two stages, with an optional pre-assessment.

Pre-assessment (optional)
This is an optional stage that some certification bodies like ISOQAR offer. A qualified Auditor will do this informal pre-assessment, like a dummy run of an audit. It helps you identify your strengths and weaknesses in preparation for the real thing.

Stage 1 ISO 27001 audit

The Stage 1 Audit is also referred to as the Document Review (or Document Audit) or sometimes as the Readiness Review. The basic objective of the Stage 1 Audit is to determine if you’re ready for the Stage 2 ISO 27001 Audit.

When is the Stage 1 Audit performed?
The Stage 1 ISO 27001 Audit should be performed when you’ve developed and implemented your Management System. This is so that you’ve had time to generate some evidence about the effectiveness of your system, such as having conducted Internal Audits and Management Reviews, and produced records for the Auditor to examine.

How long does the Stage 1 Audit take?
The length of the audit is determined by a formula set by UKAS. Factors such as the size of your organisation, risk and complexity are taken into account. It is measured in whole days. This means that whichever UKAS accredited certification body you choose, the length of the audit will be the same. For most small or medium businesses, the Stage 1 Audit will be completed on-site within two days. The Stage 2 ISO 27001 Audit is usually longer.

Where does the Stage 1 Audit take place?
If you have more than one site, it will normally be conducted at your head office. Being on-site allows the Auditor to get an impression of the organisation and the site, but it can also be done remotely depending on the complexity of the Management System (as well as other considerations such as COVID-19).

What happens in the Stage 1 Audit?
The audit will typically focus on written words. You could describe it as a reconnaissance exercise, where the Auditor gets a flavour of what your organisation and Management System is all about. It may involve discussions with employees.

Your Certification Body should contact you in advance to let you know what will happen on the day so that you can gather the people and materials needed.

The main objectives of the Stage 1 ISO 27001 Audit are:

  • An audit of your ISO 27001 Information Security Management System documentation including the scope of the system, objectives and any relevant policies and documentation that support the operation of the system
  • A walk of the site to help planning for Stage 2
  • To obtain information about all company site(s) from which the organisation operates
  • To obtain information about key processes, procedures and any equipment used
  • To confirm that all statutory and regulatory requirements applicable to the organisation have been identified and are documented
  • To establish whether all relevant personnel are prepared for the Stage 2 Audit
  • To establish the status of Internal Audits and Management Reviews
  • To plan for the Stage 2 Audit, including which sites to audit

If possible and if sufficient records are available, the following will also be audited:

  • Internal audit processes
  • Management review
  • Senior management commitment
  • Complaints
  • Purchasing
  • Objectives and targets

All of the above will help the Auditor plan for the Stage 2 Audit. If you haven’t already booked the dates for the ISO 27001 Stage 2 Audit, it’s now time to have a discussion with the Auditor to agree when it will take place.

What happens after the Stage 1 Audit?
You will receive verbal feedback from the Auditor at the end of the Stage 1 ISO 27001 Audit. You will also receive a written Audit Report normally within 5 days after the audit. Technically speaking, the Stage 1 Audit will not end in nonconformities, because you’re not yet at a stage where you’re claiming to conform to the requirements of the standard. Nevertheless, if there are any issues identified during the audit, the Auditor will issue Improvement Requests in the Audit Report. These need to be addressed before moving to the ISO 27001 Stage 2 Audit or they will be considered to be nonconformities at the Stage 2 Audit and could harm your chances of being awarded certification.

The report will include:

  • Assessment of your ISO 27001 Information Security Management System and determination of your readiness for a Stage 2 Audit
  • Assessment of your understanding of the requirements of the standard
  • Agreement of the scope of your ISO 27001 Information Security Management System and Scope of Certification
  • Plan for the Stage 2 Audit and agreement on the date(s) and sites
  • Improvement Requests and areas for potential improvement of the Management System


Top Tip for the Stage 1 Audit
This might be the first meeting with your Auditor, and you should use this time wisely. Be open and honest and don’t try to hide issues, because they will just pop up during the Stage 2 Audit and create problems with your certification. Although the Auditor isn’t allowed to help you with developing your ISO 27001 Information Security Management System, you can use the opportunity to air your ideas and hear whether they conform to the requirements of the ISO standard. Your Auditor will also have visited many other organisations in a similar situation and can tell you how they managed.

Stage 2 ISO 27001 audit

The Stage 2 ISO 27001 audit is the last stage before certification. It normally takes place on-site and is longer and more in-depth than the Stage 1 Audit.

The overall purpose is to determine if your ISO 27001 Information Security Management System is compliant with the standard and whether you can be awarded certification.

When is the Stage 2 Audit performed?
When you booked your Stage 1 ISO 27001 Audit, you probably also agreed dates for your Stage 2 Audit about 6 to 8 weeks later. Normally, your system should have been running for at least three months – ideally longer – before the Auditor comes in for Stage 2. You also need to leave yourself enough time to address any Improvement Requests from the Stage 1 Audit. The date of your Stage 2 Audit should have been confirmed with the Auditor at the end of the Stage 1 Audit.

Stage 1 and Stage 2 ISO 27001 audits should be performed no more than six months apart, otherwise the Stage 1 Audit may have to be repeated.

If you have total confidence in your Information Security Management System and you’re in a hurry for your certificate, it’s theoretically possible to have the Stage 2 Audit commence the day after your Stage 1 Audit, but this is not ideal.

How long does the Stage 2 Audit take?
As with the Stage 1 ISO 27001 Audit, the length of the audit is determined by the formula set by UKAS. The duration will be calculated before the Stage 1 Audit takes place. In exceptional cases, depending on the findings of the Stage 1 Audit, the length of the Stage 2 Audit may be adjusted but you will be told this in advance.

Where does the Stage 2 Audit take place?
A Stage 2 ISO 27001 Audit is usually conducted on-site at your head office and across a sample of sites. However, audits may be done remotely due to exceptional circumstances such as COVID-19. If you have multiple sites, the sites to be audited will be agreed at the Stage 1 Audit. The Certification Body uses the ‘square root’ rule to determine how many sites will be audited on the Stage 2 Audit. So, for example, if you have 25 sites in the scope of your certification, then at least five should be audited in an Initial Audit. This rule is used by all UKAS accredited Certification Bodies.

Over the course of your three year certification cycle, all sites included in the scope of your certification will normally be visited at least once.
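The site-sampling rules above (square-root sample size, head office on every audit, different sites on each later audit, every site visited at least once over the cycle) can be turned into a simple planner. The code below is an added example and is not from the page or from any Certification Body; it assumes that the same square-root sample size applies to every audit in the cycle (the page only states it for the Initial Audit) and reports which sites that sample size alone cannot reach, so you can see where the sample would need enlarging.

```python
import math

# Audits in one three-year certification cycle, in order (as described on the page).
CYCLE_AUDITS = ["Initial (Stage 2)", "Surveillance 1", "Surveillance 2", "Recertification"]


def sample_size(site_count: int) -> int:
    """'Square root' rule: at least ceil(sqrt(N)) of the N in-scope sites per audit.

    Assumption (not stated on the page): the same size is applied to every
    audit in the cycle, not only to the Initial Audit.
    """
    return max(1, math.ceil(math.sqrt(site_count)))


def plan_cycle(head_office: str, other_sites: list[str]) -> dict[str, list[str]]:
    """Return {audit name: sites visited on that audit}.

    Rules taken from the page: the head office is on every audit, and each
    audit prefers sites not chosen on earlier audits in the cycle.
    """
    order = {site: i for i, site in enumerate(other_sites)}  # deterministic tie-break
    visits = {site: 0 for site in other_sites}
    per_audit = sample_size(len(other_sites) + 1)  # +1 for the head office
    plan: dict[str, list[str]] = {}
    for audit in CYCLE_AUDITS:
        # Least-visited sites first, so each audit picks sites not yet seen.
        ordered = sorted(other_sites, key=lambda s: (visits[s], order[s]))
        chosen = ordered[: per_audit - 1]  # head office takes one of the slots
        for site in chosen:
            visits[site] += 1
        plan[audit] = [head_office] + chosen
    return plan


def coverage_gap(plan: dict[str, list[str]], other_sites: list[str]) -> list[str]:
    """Sites never visited in the cycle: these need a larger sample or an extra visit."""
    seen = {site for sites in plan.values() for site in sites}
    return [site for site in other_sites if site not in seen]


if __name__ == "__main__":
    # Constructed estate: a head office plus 24 branch sites (25 in scope -> 5 per audit).
    branches = [f"Site-{i:02d}" for i in range(1, 25)]
    cycle = plan_cycle("HQ", branches)
    for audit, sites in cycle.items():
        print(f"{audit:18} {', '.join(sites)}")
    print("Never visited this cycle:", coverage_gap(cycle, branches))
```

For the 25-site estate the square-root sample covers only 17 sites across the four audits, so the planner lists the eight branches that still need scheduling before the page's "every site at least once" expectation is met.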

What happens in the Stage 2 Audit?
This is the most thorough audit of your ISO 27001 Information Security Management System.

The Stage 2 Audit will start with an Opening Meeting where the Auditor will explain what is going to happen. Some of the issues covered include:

  • Review of actions from the Stage 1 ISO 27001 Audit to ensure the Improvement Requests have been acted upon (also referred to as ‘closed out’)
  • Inspection of documented information for evidence that the Management System is compliant with the standard
  • The overall effectiveness of your Management System and whether it’s helping you achieve your organisational objectives
  • Audit of activities and processes to determine whether you have operational control and are operating in accordance with your policies and procedures
  • Evaluation of your own Internal Audits and Management Reviews
  • Effectiveness of preventive and corrective actions
  • Examination of key performance objectives and targets


What happens after the Stage 2 Audit?
At the end of the audit, the Auditor will hold a closing meeting with you to review the audit and talk about any nonconformities and potential corrective action. At the meeting, you will be told whether you have been recommended for ISO 27001 certification or not.

You will also receive a written report after the meeting which will include observations made by the Auditor and a summary of the findings. The report will identify minor nonconformities, major nonconformities and opportunities for improvement.

  • A major nonconformity is the total breakdown of a system, meaning you fail to meet a requirement of the standard. A number of minor nonconformities against one requirement can represent a total breakdown of the Management System and thus be considered a major nonconformity. Major nonconformities must be rectified before certification can be recommended by the Auditor. This may involve a further site visit by the Auditor.
  • A minor nonconformity may be either a failure or a single observed lapse in some part of the management system. Minor nonconformities do not affect the recommendation for approval but must be addressed prior to the issue of your certificate.
  • Opportunities for Improvement (OFIs) relate to existing conditions which, according to the Auditor, may warrant clarification or investigation so as to improve the overall status and effectiveness of the Management System. They do not affect the recommendation for certification.


If there are any nonconformities – whether they are minor or major – you will not receive certification until corrective action has been taken. You will normally be allowed up to three months to do this.

Failure to be recommended for ISO 27001 certification on the day does not necessarily mean that the Auditor will have to visit and audit you again. You will probably just need to provide evidence that you have taken corrective action.

Annual surveillance ISO 27001 audits

One of the main objectives of ISO 27001 Information Security Management System is to ensure continual improvement. The principle of Plan – Do – Check – Act supported by audits and reviews will help achieve this aim.

The Annual Surveillance Audits are a major component of this. They are a mandatory requirement for maintaining UKAS accredited ISO certification.

When is the Annual Surveillance Audit performed?
In most circumstances, your organisation will undergo an Annual Surveillance Audit at the end of Year 1 and Year 2. The first of these will actually be performed a little before the end of the first year with ISOQAR. This is so that the three year cycle is set to allow your Recertification Audit to take place before the end of Year 3. This is important because if any nonconformities are discovered at the end of the third year, there could be a lapse in your certification while you take corrective action.

Some larger organisations like to have their Annual Surveillance Audits performed more frequently, spread out over the calendar. The schedule can be agreed with the Auditor.

How long does the Annual Surveillance Audit take?
As with other audits in the cycle, how much time is dedicated to an Annual Surveillance Audit is determined by the formula set by UKAS. It is normally shorter than a Stage 2 ISO 27001 Audit.

Where does the Annual Surveillance Audit take place?
The Annual Surveillance Audit is usually conducted on-site. However, audits may be done remotely in exceptional circumstances such as COVID-19. If you have multiple sites, then your head office will always be audited plus different sites than those chosen for the Initial ISO 27001 Certification Audit. Different sites again will be selected for the second Annual Surveillance Audit and Recertification Audit although the head office will be included on every audit.

What happens in the Annual Surveillance Audit?
On an Annual Surveillance Audit, the Auditor will take a similar approach to that of the Stage 2 ISO 27001 Audit. However, less time will be spent on some areas of your Management System and probably only parts of your organisation will be audited.

Much of what happens will be driven by what the Auditor discovered on previous audits, for example, examining areas of weakness. The following will be covered as a minimum:

  • Review of nonconformities and corrective actions from previous audits
  • Maintenance and performance of the Management System
  • The effectiveness of your Internal Audits
  • Consideration of your Management Reviews
  • Preventive and corrective actions
  • Updates to documentation


The second Annual Surveillance Audit in the three year certification cycle will likely examine different aspects and operations in your organisation. The aim is to audit all processes within the cycle.

What happens after the Annual Surveillance Audit?
As with other audits, the auditor will summarise the findings at the end of the visit. A written report will also be submitted outlining any nonconformities.

If there are any major nonconformities, you will have up to three months to take corrective action and provide evidence that you have done so. Failure to do so could mean that your ISO 27001 certificate will be withdrawn.

For minor nonconformities the Auditor will agree a plan with you. Depending on the risk and severity, the Auditor will use their discretion to establish how the nonconformity can be ‘closed’. It can potentially be closed at the next audit, through evidence being sent to the Auditor, or through an additional audit.

Recertification ISO 27001 audit

Your ISO 27001 certificate is valid for three years from the date of issue. In order to maintain your ISO 27001 certification, in year three, you get a thorough Recertification Audit similar to the original Stage 2 Audit.

When is the Recertification Audit performed?
It’s best to have your Recertification Audit done at least three months before the end of Year 3. This is because if you want to avoid any break in your certification, you need to allow time to take corrective action on any nonconformities (either minor or major) identified in the audit.

How long does the Recertification Audit take?
A Recertification Audit is typically about two-thirds the time allocated to the Initial Audit.

Where does the Recertification Audit take place?
The Recertification Audit is usually conducted on-site. If you have multiple sites, it will always include your head office plus sites not included in your Initial Audit and Surveillance Audits.

Audits may be done remotely due to exceptional circumstances such as COVID-19.

What happens in the Recertification Audit?
The Recertification Audit is more comprehensive than the Surveillance Audits and similar to the Stage 2 ISO 27001 Audit.

The audit will cover items including:

  • Issues that arose at earlier audits such as nonconformities and areas for improvement
  • The overall effectiveness of your Information Security Management System and whether it’s helping you achieve your organisational objectives
  • Review of the scope of your certification and whether it’s still appropriate
  • Audit of activities and processes to determine whether you have operational control and are operating in accordance with your policies and procedures
  • Evaluation of your own Internal Audits and Management Reviews
  • Effectiveness of preventive and corrective actions
  • Examination of key performance objectives and targets

What happens after the Recertification Audit?
The same applies here as to what happens after the Stage 2 Audit. There will be a closing meeting followed by a written report from the Auditor.

It’s essential that you address any nonconformities identified by the Auditor before the third anniversary of the date your certificate was issued. If you fail to do this, then your certificate could be withdrawn.

Assuming everything goes well, you will be issued with a new ISO 27001 certificate and the three year cycle begins again.