The certification journey could be a long one, but the final test comes with the step that is intended to validate your Information Security Management System (ISMS): the external audit 😱
The external audit is where an auditor accredited by a recognised certification body reviews your ISMS in detail. Auditors will look at the policies you've created, the processes and procedures of your ISMS, and the evidence and documentation showing how the ISMS is working. This confirms not only that the ISMS is functioning as intended, but also that, as part of the ISMS, the processes are in place to maintain it and make sure you're implementing best practices.
All the above is intended to make your organisation safer and help it manage its information security risks in the best way possible. Bear in mind that auditors are not your enemy; they can become an incredible ally if you let them.
Table of Contents
1. Audit Duration
2. External Auditors
3. First External Audit
4. Second External Audit
5. Frequency of Future Audits
6. TLDR
How long will this take?
Well, this process can take anywhere from a few weeks to as long as half a year for startups and SMEs. The duration depends on the complexity of your organization, the resources deployed by the auditor, and how well prepared your documentation is: Is it easy to understand and navigate? Is it complete? How much time does it take you to produce more for the auditor when required?
Nobody likes to be stuck in a long audit (not even auditors 😅). To prevent it, ensure you're on top of all your documentation and controls, and organise them in such a way that they are understandable by third parties without much explanation.
Who do I look for to get externally audited?
There are multiple options out there. What you need is an accredited "Lead Auditor", as recognised by the accreditation body of your "main" country or geography. In Singapore, it would be those recognised by the SAC. (Don't worry, we'll save you some googling and publish a list of Lead Auditors soon).
Many auditors can produce a certificate, but also be aware that some may specialize in a certain industry. Although a minute detail, some organisations find value in working together with an auditor that understands their industry.
It is okay to be picky and take time to find the right auditor for your organisation. We advise looking for one that also understands your industry. Remember that your ISMS is unique to your organisation and business environment, thus it is always best to work with someone that understands how your business and security needs align.
Initial Stage and Desk Review
Although there are differences among practitioners, there are commonly two main stages for the audit.
The initial stage is the shortest "visit". It consists predominantly of a set of interviews intended to understand your business and ISMS. It's also when auditors do a desk review of all the documentation you have at hand on the policies, processes and procedures that make up your ISMS. Auditors would commonly spend 1 to 2 weeks here.
Auditors will have comments, questions and findings as part of this initial stage. This could be a good thing or a bad thing for you: it's a good thing if you can address those and pass with flying colours, but it's a bad thing when you can't. When findings are left unattended, they might reflect poorly on the next stage or visit. Companies that cut corners in their implementation may find themselves at a disadvantage here, since they don't have sufficient time between this visit and the next to fix the findings.
Final Stage and Evidence Review
In this stage, auditors will take a deeper look at your controls (and evidence of their implementation). You can think of this as an appraisal of whether your organization can “walk the talk”. This is a critical step of a successful certification. Your ISMS will be evaluated for its implementation, and evidence validated for the controls that you (on paper) say you have. This is why it's important not to "overdo it" and avoid implementing more controls than you can track.
Obviously, do not forget to address all previously mentioned findings raised by the auditors. Following this stage, you will be officially ISO27001 certified!
Frequency of Subsequent Audits
You're not totally off the hook: you might get new findings 😕, but as long as those aren't material, you're fine. Keep track of them, because your certificate is only valid for 3 years.
What happens then? Well, obviously 3 years from now you’ll have to do something called a re-audit (this one is faster and thus cheaper).
Some auditors offer packages that have some “pit stops” in between certification audits. They’ll help you stay honest on your ISMS and would decrease the amount of time required for getting re-certified. Since they already know your business, it’s really less burdensome for both parties.
The ISO27001 framework requires constant updating to keep your organization safe as it goes through changes over time. Some people outsource the internal audit requirements as well, which helps them stay in good shape for any external audit. These might also help to pace the workload that would happen during an external audit; you do not want employees to be swamped with tasks around correcting non-conformities brought up during the external audits.
Ending Note and TLDR
TLDR: The audit is split into two stages. The first stage is a desk/initial review with findings to be addressed, and the second stage is a second visit (a couple of weeks thereafter) where auditors look at how you fixed those findings, and at your controls and evidence in detail.
Although it’s not easy, there are several benefits to an ISO27001 certification such as business benefits (e.g., more trust and shorter B2B sales cycles) and technology benefits (e.g., protection against information security risks).
Most importantly, to ensure a successful external audit, you must nail the implementation process. If you have not checked out our previous article, where we discussed the implementation of the ISMS, do check it out HERE. We hope you have a fruitful journey ahead!
Ready for ISO 27001?
A certification can greatly boost the confidence your partners and customers have in your business. With a better understanding of ISO 27001, we hope you can start planning the roadmap and ISMS for your organization. Get in touch with us if you have more questions about security or you would like help getting certified.