ISO 27001 Certification Audits Versus Internal ISMS Audits: The Difference is Important

Last Updated on October 14, 2016

Many of our clients at Pivot Point Security want to know whether the internal audit of their information security management system (ISMS), as required by the ISO 27001 standard, can be viewed as a “mock certification audit” or “dry run” to make sure they’re ready for a certification audit or surveillance audit.
The answer is “yes and no.” Yes, you can use your ISO 27001 internal audit simply to prepare your organization for the certification or surveillance audits conducted by a certification body, but doing so limits its business value and could compromise the effectiveness of your ISMS. Put simply, the internal ISMS audit is about management validating the effectiveness of the ISMS, whereas the certification audit is about the certification body’s auditor validating that your ISMS conforms to the standard. The best way to illustrate why is to compare ISO’s requirements for the internal audit with those for the certification audit.
Clause 9.2, “Internal Audit,” of ISO 27001:2013 states that the purpose of the internal audit is to determine whether the ISMS:

  • a) Conforms to the organization’s own requirements for its information security management system; and the requirements of this International Standard
  • b) Is effectively implemented and maintained

In contrast, Clause 9.2.3, “Initial Certification Audit” from ISO 27006 (the standard outlining requirements for bodies providing audit and certification of ISMSs) states that the objectives of the certification audit are:

  • a) To confirm that the client organization adheres to its own policies, objectives, and procedures
  • b) To confirm that the ISMS conforms to all the requirements of the normative ISMS standard ISO/IEC 27001 and is achieving the client organization’s policy objectives

ISO 27006 goes on to say:

The role of the certification body is to establish that client organizations are consistent in establishing and maintaining procedures for the identification, examination, and evaluation of information security related threats to assets, vulnerabilities and impacts on the client organization. Certification bodies shall

  1. require the client organization to demonstrate that the analysis of security related threats is relevant and adequate for the operation of the client organization.
  2. establish whether the client organization’s procedures for the identification, examination, and evaluation of information security related threats to assets, vulnerabilities and impacts and the results of their application are consistent with the client organization’s policy, objectives, and targets.

So what does all that mean? The key difference between the requirements for the internal audit and those for the certification audit is the phrase “effectively implemented and maintained.” The standards are saying that the internal audit should help management determine whether the ISMS is actually achieving management’s business objectives for information security. The certification audit, on the other hand, helps the certification body determine whether the ISMS conforms to the organization’s own policies and to the requirements of ISO 27001.
In other words, your internal ISMS audit should include substantive testing that reports on the effectiveness of your ISMS, whereas the certification audit emphasizes compliance testing that reports on ISMS conformity. In fact, the ISO 27001 certification audit is required to rely on the internal audit and on management’s review of the ISMS as evidence that the organization is maintaining an effective ISMS.
If you view your internal audit as a “mock certification audit,” it won’t provide management with a report on ISMS effectiveness. It will just indicate whether your ISMS complies with management’s policies—without telling you whether the ISMS is actually achieving management’s objectives.
The reality is that many companies are motivated to achieve ISO 27001 certification to drive competitive advantage by providing security assurance to customers and third parties; information security is secondary. But don’t let this bias extend to your internal audit. The ISO 27001 internal audit is a vital tool that gives security managers a way to actually provide additional value, and your company should use it as such.

11 thoughts on “ISO 27001 Certification Audits Versus Internal ISMS Audits: The Difference is Important”

  1. Björn says:

    About the ISMS internal audit: Shall the ISMS be fully audited internally within one year, or shall it be fully audited every 3 years, including a minimum of one audit per year?

    1. Jeremy Sporn says:

      Apologies for the delayed response… The entire scope of the ISMS needs to be covered by the internal audit during the 3-year lifecycle of the certificate. How much is covered during any one year is up to the organization to decide.

  2. Syed says:

    I am about to conduct an internal audit of the ISMS, and management wants me to conduct the audit as a “mock certification audit,” the reason being that this was highlighted as an NC in the previous external audit. My point is that a “mock certification audit” will get treated as the requirement of the standard clause being completed. But the intent or purpose of the internal audit is to give an independent assessment/review of the overall ISMS to the board and higher management, not just a mock test for 2 or 3 days like the external auditor does. Please provide your valuable feedback on this and how we should plan our internal audit. Do we need 2 separate audits, one for the board and another for the standard clause requirement?

    1. Syed:
      I don’t think the two are mutually exclusive. You can satisfy management’s preference for the internal audit to prepare them for the certification audit and fulfill the requirements of the standard to provide information on whether the ISMS conforms to requirements and is effectively implemented and maintained. If management is not willing to approve an audit plan with enough time to report on the effectiveness of the ISMS, then I would recommend limiting the scope of the audit plan to what the surveillance audit will cover and report on the effectiveness of those areas. The key is explaining to management the value they will get from an internal audit that reports on the effectiveness of the ISMS and explaining that NOT reporting on the effectiveness of the ISMS can lead to a nonconformity as well because that IS a requirement of the standard. It may even make sense to have the certification body explain that requirement. Hope this helps. If you want to discuss further, please contact us and we’ll see how we can help. https://pivotpointsecurity.com/company/contact/

  3. Thank you for posting this informative content.

    1. Jeremy Sporn says:

      No problem!

  4. Lisa Tharaud says:

    How often does an organization have to be audited by an external auditor in order to keep its ISO27001 certification?

    1. Jeremy Sporn says:

      An ISO 27001 certified information security management system (ISMS) must be audited annually to maintain certification. Internal audits must be done each year by a third party, like Pivot Point Security, or by internal personnel with an appropriate level of expertise who have not been instrumental in building or running the ISMS. Objectivity is the key here.
      You are also required to be on a 3 year cycle of surveillance and recertification audits by the registrar you chose (the company who handed you your certificate). As an example, if you were certified in 2017 you would need to complete these audits with your registrar in the following years:
      • 2018 = Surveillance Audit
      • 2019 = Surveillance Audit
      • 2020 = Recertification Audit
      • 2021 = Surveillance Audit
      • 2022 = Surveillance Audit
      • 2023 = Recertification Audit
      • … and so on
      Hope this helps answer your question. If you need any more information, please just reach out to [email protected]. Thanks!
      Jeremy

  5. Hookman says:

    Thanks for this informative article. One query from me, should the audits be carried out by the Internal Audit Team from within the organisation or just anyone who is objective with the relevant skills?

  6. Jeremy Haziza says:

    Hello,
    My company is preparing for Audit 1 for the first time (we are not certified yet).
    In the meantime, we are trying to understand when (before Audit 1? after?) we should perform our first internal audit (mentioned in clause 9.2 of the ISO standard) and by whom (the same organization that will perform Audits 1 and 2, or another?).
    Thank you very much for your help.

    1. Jeremy Sporn says:

      Your ISMS Internal Audit should be conducted about 6 weeks in advance of your Stage 1 Audit. That will give you enough time to develop Corrective Action Plans for all Non-Conformities identified, get them through management review, and address those that can be addressed in advance of your audit. It’s important that the person conducting your ISMS Internal Audit is appropriately qualified and independent/objective of the design and operation of your ISMS.
      Wish you nothing but success!
