ISO 27001 Implementation Guide
Your ISMS is ready for the certification process
Create relevant treatment plans and map controls for a successful Information Security Management System (ISMS)
This page is dedicated to informing you about conducting your internal, stage 1 and 2 audits and ultimately operating your approved ISMS. We’ll go through each audit step-by-step to show you what the auditing path typically looks like:
Reading time: 4 minutes
What to expect during a Stage 1 audit
The Stage 1 audit is a “desktop” audit. This means only your documentation will be reviewed and you will not be asked to evidence your implementation at this stage.
In fact, you are not expected to have fully implemented your ISMS as it makes sense to see if your documentation complies with the standard first (see the two levels of compliance in the internal audit section), before you go ahead and implement it all.
This means you don’t have to have implemented your risk treatment plans, delivered any training, carried out any internal audits, or held a management review. You will, however, be expected to have identified your risks, determined your treatment plans, produced your Statement of Applicability and set up your ISMS Tracker.
Ahead of your audit, one of our ISO Consultants can do a full review for you if you wish – if you’ve used our templates, this takes 2 person days of our time. You will get a report with any gaps you may have and instructions on how to fill those gaps. Contact email@example.com if that’s of interest.
Use the ISMS Manual as the starting point for the audit. It will give the assessor a good overview of your ISMS. It’s also good for questions in relation to clauses 4 to 10 if you can’t remember exactly where you have documented something.
Performing internal audits
It’s unlikely you’ll get to performing internal audits before your external Stage 1 audit. It’s not required, so if you’re pushed for time prior to the audit, leave this until after. Bear in mind that you will need 2-3 months’ worth of audits having taken place to show as evidence at the Stage 2 audit. You can agree on how many months with your assessor during the Stage 1 audit.
Internal auditing against ISO 27001 is quite specialised. Most lead auditor courses are 4-5 days long.
Having said that, our ISO consultants have often trained internal people with no prior audit experience to do it themselves through some light-touch handholding in a few hours.
Alternatively, we can act as your internal auditor (even if we’re external) and perform the audits for you.
The key point to remember is that the internal auditor must be independent of their auditing area. So, you couldn’t have the person who has set up the whole ISMS documentation and is actively managing the ISMS Tracker audit the main clauses of the standard. They would be marking their own exam. They could, however, audit some of the Annex A controls if they are not responsible for their implementation.
Operating your ISMS
After passing the Stage 1 audit and being recommended to go through to Stage 2, your ISMS will now be live!
Typically, there will be three months between your Stage 1 and Stage 2 audits. During that period, you will need to implement your documentation and gather evidence that you are doing so.
This simply means that in addition to performing internal audits, you will need to implement your risk treatment plans and keep your ISMS tracker up to date. Make sure your Change Management Procedure is implemented and hold a Management Review.
An ISMS is a set of live processes, and from Stage 1 onward, it needs to become embedded within your regular business processes.
Stage 2 audit - the final step
This is it; you’re almost there!
Different certification bodies have slightly different approaches to the exact requirements for giving certification and issuing a certificate. Some will require you to have no findings (another word for nonconformities) at all. If there are any, they will ask you to issue a corrective action plan and show evidence of having implemented the plan.
Others will issue a certificate as long as there are no major non-conformities. They’ll still ask you to submit a corrective action plan, but they won’t ask for evidence of having implemented the plan until the next audit.
Make sure to ask what approach to findings your chosen certification body has.
Here is our quick readiness checklist, assuming your documentation passed Stage 1 with flying colours.
- Recorded any nonconformities and opportunities for improvement identified in the Stage 1 audit report into your ISMS tracker and addressed them?
- Implemented the priority risk treatment plans? Some certification bodies will look for the “red risks” to be treated before issuing a certificate.
- Communicated the relevant documents to employees and recorded their awareness confirmation in a form that can be shown as evidence?
- Recorded evidence of information security awareness training having taken place?
- Performed at least 3 months’ worth of internal audits as per your schedule?
- Recorded the findings from your internal audits into the ISMS Tracker and shown progress?