Many organizations stumble while executing the ISO 27001 ISMS and undertaking the subsequent audit. An ISO 27001 audit is mainly of two types - internal and external. Here we share some key practices to ensure that the audits are conducted efficiently.
Internal and external ISO 27001 audits
Internal audits are conducted by an in-house team or an outsourced agency, based on the policy framed for assessments. External audits are conducted by certifying bodies having different cycles. Some certifying bodies undertake assessment six months after the certification, known as surveillance audits. Generally the last surveillance audit can also be called a recertification audit.
An external ISO 27001 audit is broadly divided into three stages. Stage 1 involves a thorough review of key documents and the methodology adopted by the organization. Documents such as the organization's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP) are checked. This stage also helps the auditors and the organization understand each other better.
Stage 2 is more detailed and formal and comprises an onsite visit, where the sample size is decided and audited. Many a times, this is the last stage and certification is awarded to the organization that successfully clears it.
Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. It would be best for internal auditors to follow the same process. However, being a part of the system, a lot of assumptions are made and hence, a design flaw often gets overlooked. An internal audit generally ends up in a checklist oriented audit. Thus, ideally an experienced third party having domain expertise should be engaged to identify gaps in a holistic (people, process and technology) manner.
After the certification, an ISO 27001 audit should be done at least annually.
Be open to suggestions
ISO 27001 is a set of best practices and appropriate implementation would ensure tangible and intangible benefits. An organization should not be audit oriented. Aiming for zero non-compliance is like saying, “I’m not open to suggestions/improvements”. Non-compliance doesn’t necessarily imply something bad for the organization. External auditors (for certification or internal audits) have a lot of industry experience and hence, audits also help in identifying areas for improvements.
Having a proper document and record control guideline and following it in spirit helps during an ISO 27001 audit. An organization’s objective to acquire the certification also puts a lot of things into perspective. Quick certification to attract business often dilutes the effectiveness of the implementation. It also indicates whether the standard is implemented in spirit.
Sustaining the initiative
After the ISO 27001 audit, most organizations feel that nothing much remains to be achieved. On the contrary, mature organizations who have the culture of acquiring several certifications look at the certification as a milestone and not a destination. Several reasons could result in degeneration of the initiative and if not corrected in time, may lead to a complete failure and the certification being revoked.
Many organizations go in for an ISO 27001 audit immediately after ISMS implementation and hence, the momentum is sustained by all and change is considered temporary. However, when the business returns to normalcy, the momentum is lost and the organization starts striking a balance between functionality and security. It may also happen that relevant information is not provided to the management, due to which its commitment starts degenerating. The initiative then gets pushed to some line manager, paralyzing the implementation. Sustaining the initiative greatly depends on the organization’s capability to retain the buy-in of its stakeholders.
About the author: Deepak Varde is the head of Managed Information Security Services at Mahindra Special Service Group and has been involved in designing and deploying security frameworks that address the risk spectrum, covering people, process, and technology.
(As told to Dhwani Pandya)