How to Prepare for ISO 27001 Certification Audit

If you think that writing a bunch of documents about information security is enough to get an ISO 27001 certificate, you are wrong. You must implement all the activities defined in your documents, and even that is not the end: you also need to follow specific steps in the final phase of your ISO 27001:2013 project.

ISO 27001:2013 Certification Process

The ISO certification process is divided into two steps: the Stage 1 audit and the Stage 2 audit.

  1. The Stage 1 audit is also called the documentation review: the certification auditor verifies whether your documentation complies with the ISO 27001 requirements.
  2. The Stage 2 audit is also called the main audit: the certification auditor verifies whether your actual activities comply with ISO 27001:2013 and with what your own documentation says.

Hence, you need to pay attention both to writing documentation appropriate to your needs and to actually implementing information security in your organization.

How to get certified against ISO 27001?

Management review is the official way for the management steering committee to consider all the relevant facts about information security and make the right decisions; as part of it, the committee should conduct a SWOT analysis. The point of ISO 27001:2013 is to reach such conclusions through a rational decision-making process.

Lastly, the organization needs to rectify all the problems detected by internal auditors and managers, and document how each problem was resolved. This process is called corrective action.

Some of the many issues related to the corrective action process are:

  1. Poor documentation of requirements
  2. Failure to document and communicate updates or process improvements following corrective action
  3. Inability to trace training documents
  4. Corrective actions that are outdated or closed without validation
  5. Missing or misplaced data
  6. Failure to monitor critical controls

Reference: https://www.bsigroup.com/LocalFiles/en-GB/entropy/BSI-Corrective-and%20Preventive-Actions-Whitepaper-EN-GB-UK.pdf

It is also recommended to take preventive measures, that is, to try to prevent potential problems before they happen. The preventive action process contributes to the overall continual improvement effort.

How to assess ISO 27001 implementation?

Firstly, to ensure all these mandatory steps are covered, it is useful to assess whether all applicable controls are in place. The standard requires an internal audit at planned intervals (in practice at least annually), but it is better to conduct internal audits quarterly, with a qualified internal auditor who does the job rigorously. This improves the chances of a successful certification, provided the internal auditor's recommendations are taken seriously.

Doing the ISO 27001 validation means that everyone who has a role in the ISMS must assess whether everything he or she is responsible or accountable for functions as required by the ISO 27001 standard.

Such validation is not the same thing as an ISO 27001 internal audit, which is a thorough examination of your organization's ISMS to ensure that it meets the requirements of the standard. During an internal audit (led by a qualified, independent auditor, often one certified as an ISO 27001 Lead Auditor), it is the auditor who goes through the organization assessing things. What I am referring to here is that almost every employee needs to think hard about whether he or she has done everything required. The standard expects awareness training for all employees, and the respective stakeholders should be aware of the risks that concern them. In this way, you not only decrease the chances of something going wrong but also raise the awareness of your employees.

Audit Preparation

Facing the Auditor

An audit goes more smoothly when we are prepared for it.

  1. Look at the external audit as an opportunity for improvement and not as a fault-finding exercise. The certification audit happens in two stages; after certification, surveillance audits take place annually and a recertification audit every three years.
  2. An encouraging and constructive attitude toward auditing can make it an enjoyable experience for both the auditor and the person being audited.

Be Patient

  1. Keep the ISO standard and the audit plan handy. Wait for the auditor to ask a question; be patient.
  2. Listen carefully before answering any question(s).
  3. If you are not sure you understand the question, ask the auditor to repeat it. Make sure the respective stakeholder is available (in case of an emergency, move that stakeholder's session to the next meeting slot).

Ask questions.

  1. Never answer a question that you do not understand.
  2. Ask for explanations.
  3. If you still do not understand the question, ask the auditor to explain it better.

Be specific.

  1. Always tell the truth.
  2. Don't try to hide facts from the auditor.
  3. Give only the required information.
  4. Don't try to answer a question for another person. Tell the auditor whom they should ask.

Don'ts

  1. Never make exceptions to your own procedures for the auditor.
  2. Never confront the auditor.

ISO 27001 at Your Fingertips: Readiness Check

  1. Buy the ISO 27001 standard
  2. ISMS objectives, plans, roles, and responsibilities
  3. Asset register
  4. Risk assessment and risk treatment
  5. Statement of Applicability
  6. Establish ISMS governance
  7. ISMS policies and procedures
  8. Training and awareness
  9. Physical and HR security documentation and awareness
  10. Internal audit

Sanjeev Sharma サンジーブ Σαρμας Finance Operations People Leader

3y

Thanks Kiran
