Part 39 - Getting Certified to ISO 27001 – The Stage 1 Audit
After you have selected your Certification Body and got them all signed up, now is the time to book in your Stage 1 audit.
Stage 1 is where the Certification Body (CB) confirms that you are ready for the full audit. The CB checks that you have in place all the required systems, processes, procedures and that your resources are ready and in place.
Most CBs will recommend that the Stage 1 audit is conducted on your site. However, if the CB already has experience of you and your industry, then this audit could be done offsite.
At Mango we had the stage 1 both offsite and onsite.
During the Audit:
During the audit, the auditor will review your scope of the information security management system.
Their job is to obtain information on your systems, processes and operations. They will look at the equipment and some of the levels of control that you have established.
The auditor will check your internal audits and management reviews to confirm that they are being planned and performed. They will also use those audits and reviews to pick up the weaknesses you have already identified yourself.
They will then review the allocation of your resources: people, buildings, equipment, software and so on.
After the Audit:
After the audit the CB will give you a Stage 1 report to outline the state of your readiness for the next stage - Stage 2.
They will identify any areas of concern that could be classified as potential non-conformance during the Stage 2 Audit.
The Stage 1 audit is much shorter in duration than Stage 2.
The audit will usually be carried out in one day. If you have more than one location, the audit would normally be conducted at your Head Office.
Typically there are a few weeks between the Stage 1 and Stage 2 audits. This is to allow you to address any observations before the full Stage 2 audit.
In addition, the CB needs to determine the size of the audit team for Stage 2, and whether technical experts are required to help with complex technicalities during the audit.
So the objective of a Stage 1 audit is to determine your readiness for their Stage 2 audit of your QMS.
Here at Mango, because we use our own product Mango to manage our ISMS, the auditor could do some of the Stage 1 audit offsite. We gave the auditor a username and password for Mango. The benefits of this approach were:
- The auditor could do the review in their own time.
- The audit didn't tie up any of our personnel in a visit.
- Communication was all online.
- Questions were emailed through and easily answered.
- The auditor was not under pressure to rush through the audit.
Takeaways
To save time and money, ask the auditor to do the Stage 1 audit remotely.
- Make sure everything is ready:
  - Internal audits are done
  - Management Review is done
  - QMS documentation is ready
  - Evidence that the systems are in place has been captured
- Learn from the findings from the CB audit report.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11
Part 31 - ISO 27001 Information Security Management Standard: Clause A12
Part 32 - ISO 27001 Information Security Management Standard: Clause A13
Part 33 - ISO 27001 Information Security Management Standard: Clause A14
Part 34 - ISO 27001 Information Security Management Standard: Clause A15
Part 35 - ISO 27001 Information Security Management Standard: Clause A16
Part 36 - ISO 27001 Information Security Management Standard: Clause A17
Part 37 - ISO 27001 Information Security Management Standard: Clause A18
Part 38 - ISO 27001 Information Security Management Standard: Getting Certified to ISO 27001