Part 40 - Getting Certified to ISO 27001 – The Stage 2 Audit
Following your ISO 27001 Stage 1 audit, now is the time to arrange your Stage 2 on-site certification audit with your Certification Body (CB).
You have spent hours and hours creating, establishing and maintaining your information security management system (ISMS).
You may have captured all sorts of records: internal audit reports, management review minutes, training records, improvement forms, supplier lists and other compliance documents.
All of this builds up to your CB coming to visit and audit your ISMS.
The Stage 2 audit follows a set process.
1. Audit Plan
Prior to the audit (say 2 weeks before) the CB will send through an audit plan for the time they are onsite. This will typically be structured around the clauses of ISO 27001 and Annex A (ISO 27002).
The plan will name the managers and employees who need to be available at certain times. Make sure your staff are available in their allotted time slots.
2. Opening Meeting
On the day of the audit the auditors will call for an opening meeting.
The attendees you should invite to this meeting are the heavy hitters in the ISMS: representatives from Top Management and the Compliance Manager (or someone with a similar title).
This meeting sets the scene for the auditors, ensuring everyone understands the objectives of the audit, the ground rules that are in place and the plan for conducting the audit.
3. Conduct Audit
The CB auditors will follow their plan. However, the auditors need to see evidence of your ISMS in action. To do that they need to:
- Interview your staff.
- Listen to your senior managers demonstrating leadership.
- Poke around your organisation and look for evidence based on risk. High-risk areas will be targeted first.
- Measure the level of commitment and compliance to your system.
Don’t forget that auditors are trained to seek the truth. To do that they will ask your staff open questions, such as:
- “Show me where you keep records of that process.”
- “Tell me what happens when an error occurs.”
- “Show me why it is done that way.”
- “Show me how you were trained to do this job.”
During the audit the auditors will highlight issues and discuss whether each one is a non-conformance or an opportunity for improvement (OFI).
The auditors tread a fine line here because they aren’t permitted to consult. I have previously blogged on this issue here: http://www.mangolive.com/blog-mango/external-compliance-audits-top-tips-for-success
4. Closing Meeting
At the end of the audit the auditors will call for a closing meeting. The attendees at the opening meeting should also attend the closing meeting.
It is best practice for all non-conformances and OFIs to be discussed in this meeting.
5. Audit Report
After the onsite audit the auditors will create an audit report summarising their findings, namely the non-conformances and the OFIs.
Mango's Audit
Here at Mango our onsite Stage 2 audit was conducted by two auditors over a 3-day period: a Technical Auditor and a Management Systems Auditor.
We are a small company with 12 employees. However, we have 20 resellers based all around the world, so managing them was a focus for the auditors.
To help, we use our online QHSE software Mango to manage our systems. Because of this the auditors viewed much of the ISMS from their own office before they had set foot in ours, which saved time for all parties. It allowed more time for talking to our staff and less time on administrative things like internal audit reports and management review reports that sometimes bog audits down. So much time and effort is wasted on things like searching filing cabinets for files, travelling (or walking) long distances to see records, or waiting for staff to turn up to see records filed somewhere on their desk. Time wasting like this just sucks, for everyone involved. I want value from my audits. Value that could help my business be more productive or make more money.
Takeaways
- Ensure that your CB gives you an audit plan a couple of weeks before the audit.
- Make sure your key staff are involved in the opening meeting.
- Discuss the non-conformances during the audit. Don’t wait till the audit closing meeting. You don’t want surprises.
- Have the same staff in the closing meeting as were in the opening meeting.
- If non-conformances that weren’t mentioned in the closing meeting appear in the audit report, send the report back and complain to the CB management.