ISO Icons

An Insider’s Guide to the ISO27001 Audit Process

Published 30 September 2020

Following our recent blog that answered the most common ISO27001 questions, it’s worth exploring the audit process so that businesses know what to expect.

Read the blog - All the answers to your most common ISO27001 questions 


ISO27001 certification offered by Bridewell is performed against the ISO27001:2013 standard and it is important to differentiate it from ISO27002, which is the guidance that supports the implementation of the 114 controls from within Annex A of ISO27001. Organisations do not get certified against ISO27002.

Stage 1 Audit

This audit is a confirmation that the required documented information within the ISO27001 standard exists. This involves auditors speaking to key stakeholders and reviewing all documented information within the ISMS. Should stage 1 be successful, you will be recommended for Stage 2.

Stage 2 Audit

The Stage 2 audit is focused around the operational effectiveness of the ISMS and supporting policies, procedures and processes that make up the ISMS. It covers all of the clauses within the standard and the Annex A controls. Depending on your maturity and the outcome of the Stage 1 audit, the Stage 2 audit can take place weeks or months after Stage 1. If all goes well, after this audit you will be recommended for ISO27001 certification.

Surveillance Audits

Surveillance audits are an additional set of audits that are spread over the certification cycle. The surveillance audits cover the ISMS implementation over the three year cycle and are used to assure ongoing effectiveness.

ISO27001 certifications are valid for three years and subsequently the certification process consists of three audit stages. Two of those stages are concerned with obtaining certification and the third is about ensuring ongoing effectiveness of the ISMS:

ISO27001-Infographic BRIDEWELL

What are the biggest issues after passing ISO27001 certification?

The biggest issue after passing ISO27001 certification is the anti-climax and ongoing management of the ISMS. Many organisations make a big effort to improve their security posture and embed the ISMS to achieve certification, only to have resources moved away or discontinue the work with their onboarded consultancy. ISO27001 is a continual process that should work for the business but these things can often get dropped after a certification audit. Don’t waste all that good work – ensure the ISMS is resourced effectively with people that have the expertise to effectively managed the ISMS moving forward.

What happens if we do not pass the ISO27001 certification?

Audits can make people feel apprehensive of the entire certification and the fear of failure is natural. Should the worst happen and you fail or receive multiple findings, it is important to understand the root causes of the failure. A failure of a certification audit can happen if you are unable to demonstrate that you have designed an effective ISMS which meets the requirements of the standard in addition to a complete breakdown of a control or a selection of controls. A common problem can be misunderstanding the requirements of the standard and not having the competence to design and implement the information security management processes effectively.

And finally

ISO27001 certification is a daunting task that involves information security expertise and the ability to implement change effectively. While some organisations try to implement the standard internally, we would recommend seeking some expert support. This is worth the investment because it can provide you with confidence, help to improve your own knowledge of ISO27001 and provide a higher chance of success. A good cyber security consultancy will be able deliver an ISMS tailored to your organisation’s needs and provide tangible risk mitigation.