October 14, 2016

Last Updated on October 14, 2016

Many of our clients at Pivot Point Security want to know whether the internal audit of their information security management system (ISMS), as required by the ISO 27001 standard, can be viewed as a “mock certification audit” or “dry run” to make sure they’re ready for a certification audit or surveillance audit.
The answer is “yes and no.” Yes, you can use your ISO 27001 internal audit simply to prepare your organization for certification or surveillance audits conducted by a certification body—but this limits its business value, and could potentially compromise the effectiveness of your ISMS. Put simply, the ISMS internal audit is about management validating the effectiveness of the ISMS whereas the certification audit is about the auditor validating that your ISMS is compliant with the standard. The best way to illustrate why is to look at ISO’s requirements for the internal audit versus the certification audit.
Clause 9.2, “Internal Audit of ISO 27001:2013” states that the purpose of the internal audit is to determine whether the ISMS:

  • a) Conforms to the organization’s own requirements for its information security management system; and the requirements of this International Standard
  • b) Is effectively implemented and maintained

In contrast, Clause 9.2.3, “Initial Certification Audit” from ISO 27006 (the standard outlining requirements for bodies providing audit and certification of ISMSs) states that the objectives of the certification audit are:

  • a) To confirm that the client organization adheres to its own policies, objectives, and procedures
  • b) To confirm that the ISMS conforms to all the requirements of the normative ISMS standard ISO/IEC 27001 and is achieving the client organization’s policy objectives

ISO 27006 goes on to say:

The role of the certification body is to establish that client organizations are consistent in establishing and maintaining procedures for the identification, examination, and evaluation of information security related threats to assets, vulnerabilities and impacts on the client organization. Certification bodies shall

  1. require the client organization to demonstrate that the analysis of security related threats is relevant and adequate for the operation of the client organization.
  2. establish whether the client organization’s procedures for the identification, examination, and evaluation of information security related threats to assets, vulnerabilities and impacts and the results of their application are consistent with the client organization’s policy, objectives, and targets.

So what does all that mean? The key difference in the description of the requirements for the internal audit versus the certification audit is “effectively implemented and maintained.” What the standards are saying is that the internal audit should be used to help management determine if the ISMS is actually achieving management’s business objectives for information security. The certification audit, on the other hand, just helps the certification body determine if the ISMS complies with the organization’s own policies and the requirements of the ISO 27001 standard.
In other words, your internal ISMS audit should include substantive testing to report on the effectiveness of your ISMS. Whereas the certification audit emphasizes compliance testing to report on ISMS conformity. In fact, the ISO 27001 certification audit is required to rely on the internal audit and management’s review of the ISMS to ensure that the organization is maintaining an effective ISMS.
If you view your internal audit as a “mock certification audit,” it won’t provide management with a report on ISMS effectiveness. It will just indicate whether your ISMS complies with management’s policies—without telling you whether the ISMS is actually achieving management’s objectives.
The reality is that many companies are motivated to achieve ISO 27001 certification to drive competitive advantage by providing security assurance to customers and third parties; information security is secondary. But don’t let this bias extend to your internal audit. The ISO 27001 internal audit is a vital tool that gives security managers a way to actually provide additional value, and your company should use it as such.