Last Updated on October 21, 2020
If yours is among the fast-growing number of organizations pursuing ISO 27001 certification, you know there’s a certification audit in your future.
What will your ISO 27001 certification audit look like and what will it focus on? What are you getting into and what do you need to be prepared for?
To get first-hand answers to these kinds of questions, we interviewed a top-gun ISO 27001 auditor on The Virtual CISO Podcast: Ryan Mackie, Principal and ISO Practice Director at Schellman & Company, a leading attestation and compliance firm. Ryan and host John Verry are both certified ISO 27001 Lead Auditors, and they cover the audit process in-depth from both auditor and consultant viewpoints.
A big area for questions about the ISO 27001 audit process are the Stage 1 and Stage 2 phases. What goes on in each and how do they relate?
Ryan explains: “The whole objective of the Stage 1 is to make sure that the management system [your information security management system, or ISMS] is ready for Stage 2. ISO 27001 has management system requirements, and then they have Annex A, which is a list of 114 control activities that support that management system to mitigate information security risk. So when we come in and do a Stage 1 review, we’re specifically looking to make sure that the organization has designed the processes, people, policies, et cetera, to be able to demonstrate that, from a design perspective, they meet the management system requirements. … So [at Stage 1] we come in, and I don’t want to say ‘kick the tires’… But we just get comfort that, okay, the management system itself can undergo a Stage 2 review.”
“Stage 2 is a completely different story,” continues Ryan. “From that perspective, we have to make sure that the management system is in full conformance with the requirements, all the controls that they’ve identified as being applicable based off of the risk assessment are in place and effective, and that they’re meeting their own internal policies and procedures. So it’s a much, much deeper dive compared to Stage 1.”
Another way to look at it is that Stage 1 is largely a “tabletop audit” or documentation review, whereas Stage 2 is a full-on system audit with a lot of control testing.
But that doesn’t mean Stage 1 is a cakewalk. As John notes, “The meaningful part of ISO 27001 is, what, 10 or 11 pages? You’re literally going clause by clause, and we might be sitting there for 12 hours, right? And you’re asking questions like, ‘Demonstrate that the information security management system considers confidentiality, integrity and availability as impact criteria. Go.’”
John and Ryan concur that the more detailed Stage 2 part of the audit may seem more familiar because the format is more like other audits companies may experience. But Stage 1 is vitally important because it reveals whether you have a robust ISMS. And a properly functioning ISMS will serve to ensure that you have viable security controls.
“What makes me a fan of ISO 27001 is the fact that it has the management system, and it’s the process by which you rationalize the actual implementation of the controls,” John clarifies. “So, as an auditor, you can look at that and say, ‘If I can trust the management system [Stage 1], I should, in theory, be able to trust the controls, so let me sample them appropriately to make sure.’ [Stage 2]”
That’s why an ISO 27001 certification audit has two parts, and why they are focused differently.
If your company is in line for an ISO 27001 audit, or contemplating ISO 27001 certification, you’ll want to listen to this show with Ryan Mackie end-to-end.