September 30, 2020

Last Updated on January 13, 2024

Organizations across the board face escalating pressure from customers, regulators, management and other stakeholders to prove they can keep sensitive data secure. Thanks to this trend, the number of organizations seeking ISO 27001 certification—the global “gold standard” among information security attestations—is growing at an annual rate of over 90% in the US and 20% worldwide.
If your business is considering ISO 27001 certification or is already working towards it, you probably have some questions about your upcoming certification audit.

Who will perform your ISO 27001 audit? How long will it take? How much will it cost?

Who will perform your ISO 27001 audit?

The ideal person to address these questions is Ryan Mackie, Principal and ISO Practice Director at compliance and attestation leader Schellman & Company. As our guest on a recent episode of The Virtual CISO Podcast, Ryan and host John Verry (also an ISO 27001 Certified Lead Auditor) cover the ISO 27001 certification process from all angles.
Ryan starts out by clarifying what is probably the key idea about the ISO 27001 audit process: “An ISO 27001 certification audit is specifically with regards to making sure that the organization’s management system meets the requirements [specified in the standard]. This goes not only from a design perspective. We also have to make sure that the organization’s processes, controls and everything else is operating effectively as well—not only in conformance with the requirements but also their own internal policies and procedures.”
The entity that performs the audit and issues the certification must be an accredited certification body, also called a registrar. These registrars are, in turn, accredited and monitored by major multidisciplinary accreditation bodies like the ANSI National Accreditation Board (ANAB) in North America and the United Kingdom Accreditation Service (UKAS) in Europe.
The person conducting your audit (or the leader if it’s a team) must be trained and certified as an ISO 27001 Lead Auditor. “It’s not an easy certification to get,” notes John.

What’s the scope, timeframe and cost of your audit process likely to be?

According to Ryan, that depends mostly on how many people are in the scope of your information security management system (ISMS). This is per guidance in the ISO 27006 requirements document for registrars. In general, cost is directly proportional to ISMS/audit scope.
“So they’ve got different ranges, different buckets [in ISO 27006],” Ryan explains. “If you’ve got 10 people, it’s going to take 6 days. If you’ve got 200 people, it’s going to take 14 days. We can modify that audit time up to a certain extent. But we’re policed by the accreditation bodies to make sure we can demonstrate that we applied that audit time to an ISO 27001 audit based on ISO 27006.”
Ryan continues: “A law firm may have 1,000 people within scope, but 900 of those are attorneys. So it’s really who owns that risk within a law firm, which is going to be the IT function and compliance. So you do have the ability to modify that audit time, but you still have to make sure you meet the objectives of what the audit is, and get comfort that the organization can demonstrate that they have a management system in place that’s effective.”
If there is an ISO 27001 audit in your future, listening to this podcast episode with Ryan Mackie is a must. You can catch the full show here.
If you don’t use Apple Podcasts, click here.
If you want more detail into the costs and timeline associated with ISO 27001, download our ISO 27001 Audit & Cost Guide (link below).