Skip to main content
Apr 10, 2019 Craig Thornton

ISO 27001 Information Security Management Standard - Certification Step 2

Part 39 - Getting Certified to ISO 27001 – The Stage 1 Audit

After you have selected your Certification Body and got them all signed up, now is the time to book in your Stage 1 audit.

Stage 1 is where the Certification Body (CB) confirms that you are ready for the full audit.  The CB checks that you have in place all the required systems, processes, procedures and that your resources are ready and in place.

auditor

Most CBs will recommend that the Stage 1 audit is conducted on your site.  However, if the CB already has experience of you and your industry, then this audit could be done offsite.

At Mango we had the stage 1 both offsite and onsite.

 

During the Audit:

During the audit, the auditor will review your scope of the information security management system.

Their job is to obtain information on your systems, processes and operations.  They will look at the equipment and some of the levels of control that you have established.

The auditor will check your internal audits and management reviews. They will to ensure they are being planned and performed.  They will also use the audits and reviews to pick up weaknesses you have identified.

They will the review the allocation of your resources.  Resources like people, buildings, equipment, software etc.

 

After the Audit: 

After the audit the CB will give you a Stage 1 report to outline the state of your readiness for the next stage - Stage 2.

They will identify any areas of concern that could be classified as potential non-conformance during the Stage 2 Audit.

The Stage 1 audit is much shorter in duration than Stage 2. 

The audit will usually be carried out in one day.  If you have more than one location, the audit would normally be conducted at your Head Office.

Typically there are a few weeks between a Stage 1 and a Stage 2 audit.  This is to allow you to address any observations prior to the full audit (called a Stage 2 audit).

In addition the CB needs to determine the size of the audit team to conduct the audit.  They also need to determine if they need technical experts are required to help with complex technicalities during the audit.

So the objective of a Stage 1 audit is to determine your readiness for their Stage 2 audit of your QMS.

Here at Mango, because we use our product Mango to manage our ISMS the auditor could do some of the stage 1 offsite.  We gave the auditor a username login (and a password) to Mango.  The benefit of this approach was:

  • The auditor could do this in their own time.
  • The audit didn’t hold up any of our personnel in a visit.
  • Communication was all online.
  • Questions were emailed though and easily answered.
  • Auditor was not under pressure to rush through the audit.

 

Takeaways

To save time and money, ask the auditor to do the Stage 1 audit remotely.

  1. Make sure everything is ready:
  2. Internal audits are done
  3. Management Review done
  4. QMS documentation is ready
  5. Capture evidence that the systems are in place
  6. Learn from the findings from the CB audit report.

 

View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8

Part 28 - ISO 27001 Information Security Management Standard: Clause A9

Part 29 - ISO 27001 Information Security Management Standard: Clause A10

Part 30 - ISO 27001 Information Security Management Standard: Clause A11

Part 31 - ISO 27001 Information Security Management Standard: Clause A12 

Part 32 - ISO 27001 Information Security Management Standard: Clause A13

Part 33 - ISO 27001 Information Security Management Standard: Clause A14

Part 34 - ISO 27001 Information Security Management Standard: Clause A15

Part 35 - ISO 27001 Information Security Management Standard: Clause A16

Part 36 - ISO 27001 Information Security Management Standard: Clause A17

Part 37 - ISO 27001 Information Security Management Standard: Clause A18

Part 38 - ISO 27001 Information Security Management Standard: Getting Certified to ISO 27001

Published by Craig Thornton April 10, 2019