We recently bid on an ISMS Internal Audit (ISMS IA) for an existing client at around $8,000, and were very surprised when the client let us know via email that they had decided to use another “qualified” firm that bid the project “at a cost that is less than half your proposal.”
We bid the project at a fixed price, figuring that it would require roughly five days’ worth of work:
- One day for planning (review previous internal audits, review certification audit, review most recent risk assessment reports, work with client to understand other areas of concerns, develop audit plan, gain consensus with client)
- Two days onsite auditing (interviews with all key personnel, gathering of audit artifacts)
- Two days for documentation (authoring the Internal ISMS Audit Report, seeking clarification as necessary, following up on and reviewing artifacts promised post-audit, report review/Quality Assurance, preliminary report review with the client, updates as necessary post review, support/development of Corrective Action Plans, etc.)
Our “rates” are competitive, so the logical inference is that our competitor can do this work in something like two days. The only logical way to compress the timeframe that much is to greatly reduce the scope of the audit.
We are not comfortable doing this at Pivot Point Security, as missing something in the ISMS IA puts your ISO 27001 certificate at risk. To be clear, it’s possible (perhaps probable) that the reduced scope proposed by our competitor will be enough for the client to maintain their certificate—but is that the goal of an ISMS IA?
That raises the question: “What is a reasonable scope for your ISMS IA?” I would argue that the following are helpful considerations for determining an appropriate scope:
- What are the objectives of the ISMS IA?
Is it to do the bare minimum necessary to keep your certificate? Or are you hoping to use the ISMS IA as a mechanism to truly gauge your current risk level, evaluate a scope expansion, or identify opportunities for continuous improvement and risk reduction?
- How much time did the Registrar scope for the surveillance audit?
If the Registrar scoped five days for the surveillance audit, it would make sense to scope at least five days for your internal audit, as you don’t want them looking at issues that you haven’t. In fact, I would argue that you would want to allocate a slightly higher level of effort, as the Registrar often uses the ISMS IA to scope, plan and conduct their audit. The better and more complete your ISMS IA, the more comfort and confidence the Auditor has in your ISMS. If portions of your ISMS are not covered by your ISMS IA, the Auditor will logically spend his or her time digging into those areas, which puts you at greater risk.
- What would be the impact to you and your company if you had a bad Surveillance Audit that put your certificate at risk?
Is reducing that risk to a very low level worth a little extra money (in this case, about $4,000)?
IMHO—even given a relatively small/simple ISMS scope—allocating at least five days for your ISMS IA is warranted. This level of effort will give you a reasonably good measure of the efficacy of your ISMS and, if done properly, virtually assures a positive surveillance audit. If your ISMS objectives are more robust and/or your ISMS is larger or more complex, then scaling the ISMS IA up accordingly makes good business sense.
Gearing up for an ISO 27001 internal audit? Want to maximize the benefit of the effort while minimizing risk to your ISO 27001 certificate? Contact Pivot Point Security to talk over the plan and scope.