Last Updated on October 22, 2020
One of the most important decisions that organizations facing ISO 27001 certification will make is their choice of an ISO 27001 registrar or audit firm. You might think it all comes down to cost—but there’s a lot more to consider.
This topic was covered in-depth on a recent episode of The Virtual CISO Podcast featuring Ryan Mackie, Principal and ISO Practice Director at the audit and compliance firm Schellman & Company. Host John Verry, Pivot Point Security’s CISO and Managing Partner, is, like Ryan, a certified ISO 27001 Lead Auditor and has been across the table from Ryan on behalf of mutual clients.
The two experts agree that firms seeking ISO 27001 certifications (or really any third-party cybersecurity attestation) should factor in these 4 considerations for choosing a registrar/auditor:
#1: Experience Level
“One thing you need to look for, obviously, is the maturity of that registrar,” advises Ryan. “How long have they been around? How many audits have they undergone? Who is on their team, and how many audits have those team members performed?
“It’s really important because with ISO, as you probably know, when we go out there and do these audits, usually it’s maybe one person from the registrar who’s actually going out there doing the Stage 1, doing the Stage 2… So if your decision is solely pinned to one person getting comfort that you either meet the requirements or you don’t, you want to make sure that person knows what they’re doing,” Ryan recommends.
#2: Ongoing Support
Some audit firms look to develop longer-term relationships with clients, and frequently make their staff available year-round to answer questions outside the audit cycle.
“Certification bodies or registrars, they can’t do any sort of consulting work,” emphasizes Ryan. “But we can act as a sounding board.”
John points out: “Your ability to provide that year-round support is because you employ your own auditors [not 1099 contractors]. There’s a continuity of audit and a continuity of availability.”
Audit firms that use 1099 contractors aren’t generally able to offer the same level of continuity because they’re always using different people.
#3: Relationship Continuity
Many cybersecurity attestations, including ISO 27001, require periodic “surveillance audits” to verify ongoing compliance. Developing a relationship with a registrar and even one or more specific auditors thus offers several advantages.
One plus is that you experience a consistent audit structure and methodology, which helps reduce the chance of unpleasant surprises. “You lessen the risk that you’re going to have somebody come onsite that basically is… I’m not going to say ‘Wild West’ the thing… but you don’t know what you’re going to get,” says Ryan.
An auditor who certifies your business consistently gets to know you, yet also has that unbiased “third-party” view that can be so helpful.
“I understand there’s a familiarity risk there,” Ryan reassures. “But I can’t tell you how many times we’ve gone in and done an audit, and we’ve been looking through things and say, ‘Wait a second—three years ago… So it’s really beneficial for the organization to have that relationship with that auditor.” An auditor who knows your history notices the change and can address it seamlessly.
#4: Cost
“Obviously cost comes into play,” Ryan acknowledges. “But if we have an opportunity and cost is that much of a deciding factor, probably that’s not a client we want. And I hate to say that, but their objectives are different. They look at it [the audit] as if it’s not a benefit to the organization. It’s basically a budgeted item.”
“I agree with that completely,” concurs John. “Just be aware of that if you’re listening to this. You can get a low-ball price, but the auditors all roughly charge a similar amount per day. So if you want to normalize it, ask the auditor how many days are you doing, and then pick an auditor based on that.”
The number of audit days can vary because auditors have some latitude in defining the scope of the information security management system (ISMS), and hence the audit as well.
“Make sure that you’re doing an appropriate number of days to end up with the result that you’re looking for,” John clarifies. In other words, choose a cheaper, narrower audit if you mainly want to check the compliance box, e.g., for marketing purposes. Choose a more in-depth audit if you want to improve your security posture along with achieving the competitive advantages of certification.
If your business is looking at ISO 27001 or any independent cybersecurity attestation, definitely don’t miss this episode of The Virtual CISO Podcast with Ryan Mackie.