ISO 27001 Audit: Complete Guide

22 August, 2024

Is your company ready to prove its compliance with the requirements during an ISO 27001 audit? After all, a cyber attack is a risk that all organizations need to be aware of and best practices must be used to avoid a breach.

Studies by Cybersecurity Ventures, a cybersecurity research consultancy, indicate that, by 2025, globally, attacks will generate annual losses of US$10.5 trillion for companies.

Beyond the financial damage, a breach also harms brand image and reputation.

According to the World Economic Forum's Global Cybersecurity Outlook 2022 report, IT infrastructure failure caused by a cyberattack is the number one concern for security leaders, ahead of identity theft.

Concern about cybersecurity has long been on the radar of security leaders, but in our increasingly interconnected and fragmented world, the risks to people, organizations, services, and systems arising from cyber attacks have never been greater. As technology has become more sophisticated, so have cybercriminals.

Protecting a company's information against data breaches and hackers is an increasingly complex task, often involving many systems, tools, and people. However, all best efforts can lead to failure if the entire system is not managed effectively to ensure visibility into what works and what doesn't, and how it all fits into organizational structures and strategies.

What is the ISO 27001 standard?


ISO 27001 is a globally recognized standard for implementing an Information Security Management System (ISMS). It provides companies of any size and in any sector with requirements and guidance to establish, implement, maintain, and continually improve their ISMS.

All companies need to think strategically about their information security needs and how these relate to company objectives, processes, size, and structure.

Conformity proven in an ISO 27001 audit sends a clear signal that the company has effectively implemented a system to manage the risks to the security of data it owns or handles, and that it applies best practices and principles adapted to its size and needs.

Companies that adopt the holistic approach described for the ISMS ensure that information security is integrated into organizational processes, information systems and management controls. Notably, by the end of 2022, around 71 thousand companies had already obtained ISO 27001 certification globally, according to the ISO Survey.

Why is ISO 27001 important?

With cybercrime on the rise and new threats constantly emerging, it may seem difficult or even impossible to manage security risks.

ISO 27001 helps organizations become risk-aware, thus able to proactively identify and address weaknesses.

An information security management system implemented in accordance with this standard is a tool for risk management, cyber resilience, and operational excellence.

Certification is a way of demonstrating to stakeholders and customers that the company is committed and capable of managing information in a safe and secure way, providing an additional layer of trust.

After all, to be successful in the market you need to earn the trust of your customers.

What are the principles of information security?

An information security management system that meets the requirements of ISO 27001 preserves the confidentiality, integrity and availability of information, the three properties known as the CIA triad, by applying a security management process.

Check the requirements and risks of each information security principle:

  • Confidentiality – only the right people can access information held by the organization. Risk: criminals obtain customers' login data and sell it on the Dark Web.
  • Integrity – data processed for business continuity or stored for third parties is held reliably and is not erased or damaged. Risk: a team member accidentally deletes a line from a file during processing.
  • Availability – the organization and its customers can access information whenever necessary to meet business objectives. Risk: the corporate database goes offline due to server issues or backup failures.

What are the steps of the ISO 27001 audit?

An ISO 27001 audit involves a competent and objective auditor who reviews the ISMS, or elements of it, and tests that the implemented system meets the requirements of the standard and the organization's own information security requirements and objectives, and that its policies, processes, and other controls are effective and efficient.

The ISO 27001 audit is carried out based on another standard, ISO 19011, which establishes the best practices for internal and external audits, including all phases, such as planning, conducting, reporting, and assessing the competence of auditors.

The more prepared your company is for the ISO 27001 audit, the better. An internal pre-audit must be carried out weeks before the audit date.

The ISO 27001 certification process consists of several types of audits, including internal and external audits. All must be governed by an audit program and plan.

The lead auditor is responsible for developing the audit plan and may be assisted by a team, depending on the scope of the audit. The number of personnel within the scope of the ISMS and the complexity of organizational processes are the key factors in determining the duration of the ISMS audit (in audit days).

Review the processes involved in each audit:

Internal Audit

Clause 9.2 of the standard requires organizations to carry out internal audits at scheduled intervals to determine conformity with the requirements of the standard; these audits must be governed by a formal audit programme.

Companies must hire auditors with proven expertise, who are part of the team of a certifying body such as TÜV Rheinland, as they are unlikely to have internal resources qualified for this process. This will ensure the quality and independence of the audit.

External audits

Stage 1, Stage 2, surveillance and recertification audits are external audits and must be carried out by external auditors; in some cases, other interested parties may also audit the ISMS.

Stage 1 Audit

Although not mandatory, organizations can perform a gap analysis to verify the ISMS implementation status before proceeding to a Stage 1 audit. A Stage 1 audit is essentially a document review to ensure that the documentation necessary for the ISMS to operate is in place. Its purpose is to assess the organization's maturity in managing information security and its readiness for ISO 27001 certification.

Stage 2 Audit

Stage 2 audits focus on the implementation and effectiveness of an organization's information security controls, as well as its compliance with the requirements of ISO 27001. Stage 2 can be viewed as the initial certification audit.

On successful completion of this audit, the company receives its ISO 27001 certificate.

Surveillance Audits

Surveillance audits occur annually between the Stage 2 and recertification audits. Their objective is to validate the operational conformity and continual improvement of the ISMS.

Recertification Audit

A recertification audit is essentially another Stage 2 audit, in which all requirements are assessed to verify the ISMS's conformity with the standard. Recertification audits occur every three years, at the end of the certification cycle, and the ISMS is recertified for another three years.

What is the role of the auditor in the ISO 27001 audit?

The two main activities of an auditor consist of:

Document review: verification of the organization's documentation with the aim of evaluating adherence to the principles of the standard. The auditor examines the organization's documentation to assess the completeness and adequacy of the ISMS. The focus is on understanding how the organization intends to address information security risks and meet the requirements of ISO 27001.

Process review: this is the main part of the ISO 27001 audit, in which the auditor verifies the organization's adherence to the standard on site by evaluating the effectiveness of the ISMS controls. The auditor checks that the company has taken the necessary measures to address security risks and protect confidential information. Following the on-site audit, a comprehensive report summarizing the findings and highlighting nonconformities is compiled. If nonconformities are identified, the organization is required to formulate and implement corrective actions to resolve the deficiencies. Corrective actions are critical to achieving certification.

Keep in mind that an ISO auditor follows a strict schedule. Due to time constraints, the auditor only has time to sample one or two examples of each key process.

Again, being prepared is your first line of defense; otherwise the auditor may get the impression that the company is facing problems or is simply not sufficiently engaged.

How mature are your information security practices?

When the requirements of ISO 27001 are met, the organization is able to operate an ISMS to protect its valuable, commercially sensitive, and private information. The main feature of the standard is a set of processes that help manage the risks of cyber attacks.

It also helps keep information security measures up to date by continually reviewing and improving the ISMS to deal with changes in the business environment and risks.

But how to assess the maturity of your information security and prepare to implement ISO 27001?

Evaluate the questions below and learn more:

Business context

Is the design and implementation of your ISMS based on an analysis of your organization's business context? To ensure you get the full benefits and value, the scope and configuration need to match your business objectives.

Have you analyzed the needs and expectations of internal and external stakeholders? Any needs in terms of confidentiality, integrity, and/or availability of information must be met by the ISMS.

Leadership and commitment of senior management

Does senior management demonstrate leadership and commitment? For example, this can be shown by taking an active role in engaging, promoting, monitoring, and reviewing the performance and effectiveness of the ISMS.

Does your organization have a documented information security policy? If so, is this policy regularly reviewed and updated to ensure it remains relevant and effective?

Have sufficient resources (financial, human, and technical) been allocated to support the implementation process?

Has senior management assigned the relevant ISMS roles and responsibilities to managers and employees?

Risk assessment and treatment

Have you carried out a comprehensive risk assessment to identify, analyze, and assess the risks you face in terms of loss of confidentiality, integrity, and availability of information? This is a fundamental and mandatory process for all organizations.

Are the results of the risk assessment used to determine the best option to mitigate the risks? A widely adopted approach is to select an appropriate set of information security controls to reduce risk, which can be obtained from a standard set of controls or developed by the organization.

Are controls regularly reviewed and updated to ensure your information security remains effective?

Competence, awareness and training

Does your organization guarantee that it has competent managers and employees for the tasks or activities relevant to the ISMS?

Have all employees received training on the importance of information security and do they understand the role they play in protecting the organization's information assets?

Is everyone’s training appropriate for their respective roles?

Performance evaluation

Do you regularly monitor, measure, analyze and evaluate your ISMS? This allows managers to answer the ever-present question: “Is our information secure?” The assessment also ensures that you will make improvements to the ISMS when necessary to keep it up to date.

Does your organization carry out impartial internal audits of your ISMS to ensure it is effectively implemented and maintained?

How will my company benefit from certification?

Implementing the information security framework specified in ISO 27001 helps your company to:

  • Reduce your vulnerability to the growing threat of cyber attacks
  • Respond to growing security risks
  • Ensure that assets such as financial statements, intellectual property, employee data and information entrusted by third parties remain intact, confidential and available as needed
  • Deliver a centrally managed structure that protects all information in one place
  • Prepare people, processes, and technology across your organization to face technology-based risks and other threats
  • Ensure the security of information in all forms, including digital, paper, and cloud data
  • Reduce costs by increasing efficiency and eliminating expenses for ineffective security technologies

How can we help

TÜV Rheinland auditors are certified at our own Academy, accredited by CQI IRCA to undertake audit manager courses. The IRCA course guidelines ensure a uniform level of auditor training. Subsequently, only organizations that demonstrate the necessary technical and training knowledge, as well as possess the ability to correctly assess and verify the performance of potential auditors and auditor trainers, will receive approval.

As a result, our information security specialist auditors have the knowledge and skills necessary to assess the compliance of an organization's information security management system with ISO 27001.

This entire ISO 27001 audit process seems extremely complex, but with our support, every step can be simplified.

Contact TÜV Rheinland and find out more.
