ISO 27001 is a globally recognized framework, part of the ISO/IEC 27000 series, for governing an organization’s information security program by providing a clear set of requirements for an Information Security Management System (ISMS).
What is an ISMS?
ISMS, which stands for Information Security Management System, is a collection of documents including policies, processes, procedures, and controls that together implement an effective risk management process.
You wouldn’t start a journey without knowing where you’re going and how you’ll get there. In that same way, to truly prepare for an ISO 27001 audit, you must understand the standard and what it requires of you and your organization. In this post, we’ll walk you through everything you need to know as you prepare for your ISO 27001 audit.
When building out your ISMS, it’s your responsibility to ensure that the controls, policies, and procedures you adopt (more on this below) help you meet the following information security objectives:
- Confidentiality: ensuring that only authorized individuals have access to data.
- Integrity: data is always complete and accurate.
- Availability: data can easily be accessed by authorized individuals.
If you are brand new to ISO 27001 or need to refresh your memory, have a quick read through our “Introduction to ISO 27001: The Only Guide You’ll EVER Need” to understand some of the basics before continuing on with this article.
Understanding the Audit Process
Before we dive into the details around preparing for an ISO 27001 audit, let’s take a step back and start by outlining the three stages that make up the ISO 27001 certification process itself. Keeping this broader view in mind will save you time and help you better structure your preparation.
In stage 1, the auditor you selected will review your ISMS, typically on-site, to determine if mandatory requirements are being met, and whether the management system is good enough to proceed to stage 2.
This initial review is primarily focused on validating whether your ISMS is appropriately designed — whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard, and discuss planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
What will I need to show the auditor?
You should come prepared to this meeting with all documented procedures/policies relevant to your ISMS:
- ISMS objectives, scope and policy
- Statement of Applicability
- Monitoring plans including an internal audit plan
- Information Security policy
- Management Review policy
In stage 2, the auditor will conduct a more thorough assessment of your ISMS, and evaluate whether it is implemented effectively and meets ISO 27001 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of any documented information must be identified and verified, documents must be written with integrity, and documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
What will I need to show the auditor?
At this stage, the auditor will want to review your ISMS in its entirety. You should prepare documentation and evidence supporting your Annex A controls, as well as your implementation of an ISMS. This stage is about more than simply evaluating your policies and procedures — it’s about providing evidence to prove that your policies are an accurate reflection of reality. Here are the top five items you would need to show your auditor:
- Documented evidence that you have performed an inventory of all your assets, data and systems
- Documented evidence that all access to critical systems is documented and tracked
- Documented evidence that your infrastructure is protected from unauthorized access
- Documented evidence that all your vendors have gone through a due diligence review prior to being onboarded
- Documented evidence that all incidents are tracked, documented and resolved
Once the first two stages are completed, you can now apply for certification. This process can be facilitated by your auditor, who will assist in submitting your ISMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.
However, the ISO 27001 process doesn’t end when you obtain your certification. To maintain your certification, you must go through surveillance audits every year, in order to ensure that you’re continually improving and adhering to your information security protocols, rather than letting them stagnate. Additionally, the certification itself is only valid for three years!
Understanding the certification process is important as it helps you gauge the continual effort you need to put into maintaining compliance.
Preparing for an Audit
You now understand the level of commitment, time and dedication required to implement and manage an effective ISMS program. Now that you know what you are in for, you can start to gauge your level of readiness.
Take an Inventory
A good starting point is to take stock of your resources and team. Given the level of effort required to become ISO 27001 compliant, it is important that knowledgeable team members lead the effort. If your team doesn’t have the right skill set, you may want to consider hiring people with the appropriate expertise. In fact, having the right people in place is a key requirement to demonstrate compliance with clause 7.2, which dictates that your ISMS must be managed by competent, properly trained employees.
Once an experienced team is in place, you’ll need to create an inventory of your business, systems, and assets, and map those to the control requirements outlined in ISO 27001’s ten clauses and Annex A. You can generally do this in one of two ways:
Doing It Yourself
You can open up Excel, and start manually mapping each of the clauses and subsequent requirements to your existing controls, policies, and procedures. This requires you to have (or, most likely, obtain) a deep understanding of the standard’s often complex requirements.
Using A Compliance Automation Tool
With a compliance automation tool such as TrustOps, you simply upload your business stack, sit back, and watch as the tool auto-generates controls, tests, and policies, each mapped to the appropriate ISO 27001 clause or control.
We’ve experienced the DIY route first-hand, and decided to build a tool to save you from having to spend countless months buried in spreadsheets. We sincerely hope that you learn from us and don’t pick the DIY option.
Once your mapping is complete, you’ll need to compare what you have with what the standard requires, and find where your gaps are. You’ll then use this gap analysis to help add and implement specific processes, documentation, and controls. Your gaps are now your to-do list.
Implementing a Management Review Program
When it comes to ISO 27001, senior management has a tremendous amount of responsibility. If you thought you could simply hire a dedicated team and take a step back, you will be disappointed. In fact, clause 9.3 explicitly states: senior management shall review the organization’s Information Security Management System at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
ISO 27001 also requires the implementation of a management review team. This team should be composed of senior management, and reviews should take place often enough to ensure that the ISMS continues to be effective. Additionally, these meetings must conform to specific guidelines: they must occur on a predefined, periodic basis; meeting notes and action items must be recorded; specific agenda items must be discussed.
How often should I conduct management review meetings?
These meetings have to occur frequently enough throughout the year to demonstrate that maintaining an ISMS is a top priority for your organization. The exact frequency at which the team meets is dependent on the size of your organization and the complexity of your ISMS. Larger organizations with more complex ISMSs may want to conduct these reviews weekly or monthly. Smaller organizations may find that holding a bi-monthly or quarterly review meeting is enough.
Your to-do list will quickly fill up with documents and controls that you need to have in place.
If you’re using a compliance automation tool such as TrustOps, you should be covered! At TrustCloud, we’re always working to save you from wasting your time and energy on spreadsheets and menial tasks, so we’ve analyzed the ISO 27001 requirements and designed a comprehensive set of controls and policies for you to adopt. We’ve also mapped out the evidence requirement for each control in plain English, translated from the original legalese. We’ll automatically learn where you are, and help you understand what you need to do to get where you want to go.
Some ISO 27001 controls require you to implement security tools and services to improve your security and business processes, and you will need to research, purchase, and configure these appropriately. Examples include performing pen testing, enrolling in asset management, and conducting background checks. This is another area where it pays to do your homework, or have some guidance — depending on your organization’s processes, as well as the workload of your employees, the procurement process can stretch on and become a significant risk factor in your adoption of the standard.
Throughout this process, you should be gathering evidence that shows you comply with all relevant controls, writing or amending policies, and documenting procedures that explain how specific controls are satisfied.
Conducting an Internal Audit
One of the biggest pain points for companies preparing for an ISO 27001 audit is meeting the requirement for clause 9.2. This clause requires that the organization conduct internal audits, to provide information on whether the ISMS both conforms to the organization’s own requirements for its ISMS (9.2a) as well as conforms to the requirements of the standard (9.2b).
In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.
Why is this problematic for most companies?
The issue lies with the words “independent and objective auditor”. A “regular” company employee cannot maintain independence or objectivity if they take part in the day-to-day operation of the company — they would essentially be auditing their own work, and thus would not be objective. The only way to comply with this requirement while keeping the internal audit as an in-house activity is to create an Internal Audit (IA) team, whose function and main responsibility is to audit the organization’s internal controls. To maintain their independence, the IA team must not participate in any operational activities.
Some companies choose to instead hire an external consultant. This can be a good option, as long as the consultant is competent and has unrestricted access to records and personnel to perform their review without issues.
If you’re leaning towards this second path, we’d be remiss if we didn’t mention that we offer an internal audit review for customers who build an ISO 27001 program in TrustOps. Because we’re fanatical about seeing our customers succeed, we have a dedicated auditor, who has not been involved in the process of control design and implementation, and can serve as your internal auditor.
With the internal audit complete, you are now ready to start the formal audit and certification process. Good luck!