Let's help you to understand the ISO27001 audit a.k.a The External Audit.
The 3 Phases to Expect on Your ISO 27001 Certification Journey
Not sure how to implement ISO 27001? Let us break down the ISO 27001 process for you to better prepare for certification as an SME or startup.
A lot of start-up founders and business owners hear “certification” and think of the ISO/IEC 27001 process as extremely daunting; like a never-ending marathon where the finish line is nowhere in sight. The truth is, the process can always be shorter than you think, depending on how you go about it.
I must caution you: every organization is different. Everyone takes a different amount of time to complete the certification process. Your industry, level of complexity, technology maturity, and organisational commitment could affect the outcome. What is a reasonable estimate for start-ups? Somewhere in between a few weeks to 12 months. The good news are it’s entirely up to you!
The ISO 27001 certification process can be broken down into 3 phases. Rather than setting a deadline on the whole certification, set reasonable deadlines for each of the milestones or phases. The 3 key phases are as follows:
ii) External audit
iii) Maintenance and continuous improvement.
In order to get your new shiny certificate, you have to complete phases I and II. Phase III is important for your overall security, and to help you maintain your certificate (hey it took you great effort, might as well keep it).
See the details below 👇🏼:
Phase I – Implementation
Know yourself and prepare
This is where you should focus most of your time. The Implementation phase is where you begin to understand why you need security, what is required of you by your environment, and how to turn that into an information security program (also referred by ISO as an ISMS, or Information Security Management System).
An ISMS is the collection of policies, processes, and technology needed to keep your company safe and compliant. An ISMS is should manage, update, and monitor itself; hence, it also includes different sets of controls that help you monitor it.
You will spend most of your time creating policy documents, communicating ISO across your organization, setting-up controls in your technology (so the system is compliant), embedding security in the rest of your organisational processes, or creating new processes and training your employees on them. We’ll talk about implementation in coming posts.
Many organisations get stuck here, as they find themselves lost in the non-prescriptive nature of the ISO standard. Some companies prefer to implement themselves (and buy ISO toolkits online), which is the cheapest way to do it (but might take longer). The fastest way would be to use an implementation consultant; you just have to be mindful of costs and that although they do most of the leg-work for you, there are still many things left for your organization to manage, communicate, and maintain.
Recommendations: We’ve seen that having a clear and prescriptive roadmap for implementation is what works best. It will cut down on the time spent on research and guesswork.
Phase II – External Audit
Explain your security to others
The external audit is arguably the most crucial part of the certification process, as you only get officially certified once you pass the external audit. This is where you hire external auditors to audit your ISMS. Evidence is presented and reviewed to ensure proper implementation of controls.
The audit duration depends very much on the provider that you’ve selected. It’s important that you select an auditor right when you start your implementation! Don’t wait until the last minute, because many auditors are already booked several months in advanced. Your audit can be broken down into two parts (although this depends on the auditor):
- Part 1: A 1 to 3 days desk review on your existing documentation. The audit team collects information from your company to do a desk review and asks standard questions, then proceeds to provide you with a short list of findings and recommendations.
- Part 2: Happens 4 to 6 weeks later, a second review on how you implemented said recommendations and an in-depth review of the ISMS (can last 5 to 12 days).
Recommendations: Have all the evidence and documentation ready beforehand (if you can classify it according to the ISO Standard it’s even better). This could simplify the auditor’s job, reduce the amount of questions asked and, more importantly, reduce the timing to certification! It’s a win-win situation for both you and your auditors.
Phase III – Maintenance
Turn compliance into an asset
Congratulations, you are now officially ISO certified! Your certification will usually last 3 years and have yearly audit checks in between. As your organization grows and changes, your ISMS must grow together with you. More controls may be implemented or you may need to amend your current controls.
Remember you’d have to run a re-certification audit at year 3.
Gladly, you’ll skip the implementation phase next time and just run a shorter version of Phase 2 (as your auditor may be more familiar with your company). This is when you can look beyond your certification and turn ISMS into an asset: You’ll be able to communicate your security to stakeholders, use your security program to enable strategic business decisions and adapt it constantly as your company (and the environment) changes.
Ready for ISO 27001?
A certification can greatly boost the confidence your partners and customers have in your business. With a better understanding of the certification journey, we hope you can take the proper first steps on planning the roadmap and ISMS for your organization.
Get in touch with us if you have more questions about security or you would like help getting certified.