How to get ready for an ISO27001 certification audit


If you’ve ever been involved in an audit, you know it can feel like a stressful experience, but it doesn’t have to be that way! When it comes to an ISO 27001 certification audit, understanding what’s expected of you as an auditee can help make the process smoother and less intimidating. In this article, we'll walk through practical tips and advice on how to navigate the audit, from preparation to the final handshake with the auditor.

What is an ISO 27001 Certification Audit

The audit itself is a formal review to assess whether your organization's ISMS complies with the ISO27001 standard. The audit typically happens in two stages:

  1. Stage 1 Audit (Documentation Review): The auditors assess whether your ISMS documentation aligns with the ISO 27001 standard. Essentially, they will go through clauses 4 to 10 along with their required documentation.

  2. Stage 2 Audit (Implementation Assessment): This is where the auditors dig deeper into the practical application of your ISMS: how well your organization implements the security controls and policies you have outlined.

Now that we have the basics covered, let’s get into the details of how to approach the audit process with confidence.

Preparing for the audit

Preparation is half the battle! The better prepared you are, the smoother the audit will go.

  • Know the ISO 27001 standard inside and out.

  • Organize your documentation (Scope, SOA, Management review, Risk Management, Incident Management, Policies and Procedures…) and make sure it is well classified and the versioning is up to date.

  • Double check that internal audits are completed and that corrective action plans are in place.

  • Make sure the management team is involved; their participation and review are vital for the success of your ISMS.

  • Have a meeting room with a projector ready, to avoid distractions and to avoid holding the interviews at your desk.

  • Anticipate the auditor's requests and prepare your evidence.

  • Mute your notifications and your phone.

How to behave during the audit

Once the audit begins, it is normal to feel a bit anxious. However, the key to success is to remain calm and approach the process with a positive mindset. Here is how:

  • Stay calm and be professional; auditors are not there to judge you personally. Their goal is to ensure your organization complies with ISO 27001.

  • Try not to mislead the auditor. Be honest.

  • Do not hesitate to ask the auditor should you need further explanation.

  • Breathe before you answer. Remember that silences when talking to auditors are OK.

  • Try to set a slow pace for the interview; do not rush, and let the auditor lead the interviews.

  • Do not volunteer information. This is very important! Stick to the facts and keep your responses concise and to the point.

  • One-word answers are OK (Yes, No).

  • If you are not a subject matter expert, do not answer the question; refer the auditor to the right person.

  • If you don’t know the answer, it’s okay to admit it and offer to follow up later with the correct information. Avoid guessing or giving incomplete information, as this can make the audit more difficult.

  • Answer questions firmly; do not give the impression that you are hesitating.

Providing evidence

One of the most common requests during an audit is for documentation. This is where all that preparation comes in handy!

  • Provide documents promptly; that shows that your organization is organized. It is best to have a folder ready with all the documents and evidence.

  • Do not share or show things unless you have been asked to. If you need to share something on a second screen, find it on your laptop/PC first then share it. Do not share your entire screen.

  • Do not show the auditor on screen what you are doing to find information.

  • When sharing a document do not scroll down or explain anything until asked by the auditor.

  • If you can’t find a specific document, inform the auditor that you will send it later the same day.

  • Do not share sensitive or highly classified information by email or over audit-related communication channels. One way of doing it is by showing the content on screen.

  • Do not forget to stop sharing your screen.

Responding to non-conformities

Non-conformities can happen to any organization, but it’s important to handle them correctly.

  • If the auditor identifies a non-conformity, acknowledge it and discuss it with them without becoming defensive. Auditors are not there to penalize you; they are there to help your organization meet the ISO 27001 standard.

  • Propose a “Corrective Action Plan” on the spot. This demonstrates that your organization is proactive in addressing issues.

  • Keep the management informed about non-conformities regardless of their criticality.

Post-Audit

Once the audit is over, your actual work starts:

  • Conduct a post-audit debrief once the audit report is received. Hold an internal meeting with the relevant stakeholders to review the findings.

  • Implement a corrective action plan and root cause analysis. For any non-conformities or suggestions for improvement, create an action plan and start implementing those changes right away. The faster you can resolve issues, the better prepared you will be for future audits.

Final thoughts

An ISO 27001 audit doesn’t have to be a daunting experience. With proper preparation, a calm and professional demeanor, and a commitment to transparency, you can make the process smooth and successful. Remember, the goal is not just to pass the audit but to strengthen your organization’s information security practices in the long run.

By following the tips outlined here, you will be well on your way to handling any audit with confidence and ease!
