Last Updated on September 16, 2020
If you’re facing your initial ISO 27001 certification audit, you’re probably wondering what the process will look like. How deep a dive is the auditor likely to take into your technical controls? Will s/he focus on control design? What about evidence of operation of controls, or evidence of control effectiveness? Will s/he check out most of your controls (or key people), or just a few?
To help you prepare for your audit with confidence, we invited Ryan Mackie, Principal and ISO Practice Director at audit and compliance leader Schellman & Company, to join a recent episode of The Virtual CISO Podcast. As host John Verry, Pivot Point Security’s CISO and Managing Partner, quipped, “I like to think I know a lot about ISO 27001. But Ryan’s the guy I call when I don’t know the answer to something.”
As Ryan explains, the purpose of an ISO 27001 certification or recertification audit is to make sure that the information security management system (ISMS) meets the standard’s requirements, and also complies with the organization’s internal policies.
As the auditor samples individual controls during the Stage 1 (aka “tabletop”) audit phase, s/he is primarily looking to achieve a “comfort level” that the ISMS is mature and functioning effectively. If the ISMS is deemed acceptably robust at Stage 1, the audit proceeds to Stage 2, which evaluates the ISMS’ conformance to requirements.
“Typically, we start with policy,” Ryan clarifies. “We understand what the directive from management is with regards to whatever that control is: DR, logical access, operational security, whatever. Then we move to the procedures and understanding, okay, here’s the directive from management, here’s the procedure that was documented to make sure the organization or whoever is responsible for that knows what they’re supposed to do.”
“Then we interview the control owners,” adds Ryan. “We want to make sure that if we say, ‘Okay, so what are you supposed to do in this event?’ they should know that, and that should match the policy and procedure. We have to make sure there’s an effective process there.”
Ryan continues: “From a control sampling perspective, say we’re looking at access reviews. … One access review may be completely sufficient for us to get comfort. But we’re also making sure that the policy and the procedure, and then the control owner who’s responsible for that process, all line up. Because that, to me, demonstrates that the management system is working. I don’t need to see four access reviews on a quarterly basis because then I’m just validating the control.”
This is the bottom line for Ryan: “I want to make sure that the organization understands as a whole what needs to be done, who needs to do it, when it needs to be done… So it’s really a different approach to make sure that we can get comfort that the controls are in place and effective. But we’re certifying a management system. We’re not certifying controls. This is not a SOC audit.
If the ISMS is mature, Ryan actually does less control testing because, “I’m comfortable that your organization is already going to find those issues.” That’s the beauty of a properly functioning ISMS.
Conversely, notes Ryan, “If we start testing the management system and it’s just not that mature, we’re going to do more control testing.”
In that event, the audit team is also more likely to issue multiple “nonconformities.” This helps the organization improve by obliging them to develop corrective action plans for each nonconformity. In most cases, especially if they are “major,” nonconformities will need to be addressed before scheduling a Stage 2 audit.
If your business is working towards an ISO 27001 certification, or contemplating doing so, listening to our podcast episode with Ryan Mackie is a must.