
PHASE VI: CERTIFICATION AUDIT

With phases I-V successfully completed, your organization should be ready, prepared, and confident when the time comes for an ISO/IEC 27001 accredited certification body to begin the auditing process. Think of all the things you’ve done to prepare for the audit - ISMS was agreed upon and established, an SoA was developed, all gaps were identified and remediated, and a well-developed Continuous Monitoring Program (ConMon) was put into action.

Bottom line - you’re ready to move forward. With our years of experience in helping organizations prepare for ISO/IEC 27001 certification, expect the following in terms of the actual ISO/IEC 27001 audit:

  • Auditors will want to do a deep dive in understanding your ISMS and SoA - specifically, how you came about in determining scope, what Annex A controls were included and excluded, and more.
  • Auditors will expect - and request - your organization’s information security, cybersecurity, privacy policies, procedures, programs, and plans. To be clear, auditors focus heavily on examining documentation that discusses policies and processes related to the Annex A controls that were chosen.
  • Auditors will want to ask questions - many of them - which means you should expect rounds of interviews, Q&A, and healthy discussion on everything related to an organization’s ISMS.

Understanding the Different Types of Audits

If you want your organization to successfully achieve ISO/IEC 27001 certification, then it’s important to understand the different types of audits that will be required throughout the lifespan of your ISMS. The four (4) main types of audits are: (1) the initial ‘Certification’ audit, (2) the annual ‘Internal’ audit, (3) the ‘Surveillance’ audit, and finally, (4) the ‘Re-certification’ audit.

Each of these audits is crucial in its own right, and in order for an organization to become ISO/IEC 27001 certified - and stay certified - each one must be properly performed, with a satisfactory outcome. The four (4) main audit types are as follows:

Certification Audit: The first and most significant audit for ISO/IEC 27001 is the certification audit. This audit is carried out by an outside assessor (i.e., an accredited ISO certification body) and should ONLY be performed after completing a comprehensive scoping & gap assessment, and then successfully remediating all gaps and deficiencies. To be clear, the ‘Certification’ audit, which evaluates your ISMS's compliance with the standard in great depth, is the audit that awards an organization ISO/IEC 27001 certification - provided the overall audit findings are successful for receiving certification.

Internal Audit: The Internal Audit is used to evaluate your organization's adherence to ISO/IEC 27001 and is carried out by your staff or by an external organization, such as MorganHill. Every criterion of ISO/IEC 27001 should be covered by the internal audit, which is to be performed at a minimum annually. The purpose of the internal audit is to find any areas where your organization needs to improve its controls, and to create a plan of action to deal with any non-conformities.

Specifically, per 9.2.2 - Internal Audit Programme - from ISO/IEC 27001:2022, “The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting.” One of the best ways to prepare, undertake, and efficiently manage a successful ‘Internal’ audit program is to have a well-developed Continuous Monitoring Program (ConMon) in place. Organizations can use a ConMon to meet the stated objectives of an internal audit as prescribed in 9.2.2 - Internal Audit Programme - from ISO/IEC 27001:2022.

Surveillance Audit: A ‘Surveillance’ audit is held in years one and two after the initial ‘Certification’ audit is performed by an assessor body. The audit, which focuses on clauses 4 - 10 of ISO/IEC 27001, must also be performed by a valid assessor body (i.e., an accredited ISO certification body). While generally seen as less intensive than the initial ‘Certification’ audit, it still requires the organization to provide evidence that its ISMS is functioning as designed, with appropriate controls in place.

The ‘Surveillance’ audit also helps organizations prepare for their ‘Re-certification’ audit, and, just as important, it tests the effectiveness of the Continuous Monitoring Program (ConMon) and internal audit functions that were required to be put into place after the initial ‘Certification’ audit.

Re-certification Audit: Held every three (3) years, the ‘Re-certification’ audit requires organizations to provide a wealth of evidence to a valid assessor certification body that one’s ISMS is functioning as designed, with appropriate controls in place. To be clear, this is similar to the initial year one (1) ‘Certification’ audit, so expect quite a bit of time and resources to be given for ensuring you successfully pass and maintain ISO/IEC 27001 certification status.


We offer industry-leading security documentation for helping organizations develop all required Information Security Management System (ISMS) policies, procedures, programs, and plans in accordance with ISO/IEC 27001 & 27002:2022.

Why Morgan Hill?

Since 2006, a Global Leader in ISO/IEC Advisory Solutions.
A True Footprint all around the World.

Respected. Recognized. Resourceful.