ISO 27001 Audit: What to Expect and How to Prepare
The ISO 27001 audit is the final critical step to getting certification and evidencing that your organisation's Information Security Management System (ISMS) aligns with the ISO 27001 standard. In doing so, you’ll enhance your organisation's credibility with clients, partners, and stakeholders.
In this comprehensive guide, we'll explore what to expect during an ISO 27001 audit, particularly an audit from Tempo Audits (since we like to take a fresh approach!), and delve into each stage of the process. As we do so, we’ll provide actionable steps on how to prepare effectively for success.
Your ISO 27001 Audit Timeline
The ISO 27001 audit is a structured and systematic examination of your Information Security Management System (ISMS) to verify its compliance with the ISO 27001 standard.
This audit evaluates whether your organisation has effectively implemented security policies, risk management procedures, and the ISO 27001 controls (or at least the ones applicable to your business) to protect sensitive information and manage information security risks.
The process consists of several key stages, each crucial for achieving and maintaining certification. Successfully navigating these stages not only ensures compliance but also strengthens your organisation’s security framework, improves resilience, and builds trust with clients, partners, and stakeholders.
1. Application and Planning
Firstly, your organisation must apply for certification with an accredited certification body, such as Tempo Audits. The main purpose of this application is to enable the certification body to calculate the audit length required for your company (defined by ISO/IEC 27006, which sets out requirements for audit length based on company size and other risk factors) and to create a proposal.
For Tempo, you would fill out the form contained here or jump on a call with CEO Rob to run through it together.
After receiving your company details, the certification body will create a proposal outlining the audit timeline, which considers your organisation's size and ISMS complexity, along with associated costs. Tempo aims to do this within a day of receiving your details.
Once you’ve agreed to proceed, you’ll be introduced to your auditor, the audit will be scheduled, and you’ll receive a detailed audit plan. This plan will specify which documents and evidence will be reviewed, which team members need to be available, and the overall audit process.
2. Stage 1 Audit (Documentation Review)
The Stage 1 audit is the first stage of the certification audit.
Typically, a Stage 1 audit lasts for one day (although it can be longer), and it’s a high-level review of your ISMS documentation to ensure it meets the requirements of ISO 27001. During this phase, the auditor will assess whether your policies, procedures, and risk management framework align with the standard.
The goal of Stage 1 is for the auditor to confirm that the client organisation is ready to proceed to the Stage 2 audit, which is the main part of the certification audit.
At the Stage 1 audit, and in the subsequent report the auditor creates for the client, the auditor will identify “areas of concern” that the organisation should address before the Stage 2 audit. In reality, areas of concern are the same as “non-conformities” - except that certification bodies do not raise non-conformities at Stage 1 audits. If the client does not resolve these before the Stage 2 audit, they will be raised as Minor Non-Conformities at the Stage 2 audit. As a result, the list of Areas of Concern from a Stage 1 audit is a very helpful starting place for organisations to review and correct before the Stage 2 audit, since it gives a view of what the auditor will be looking for at the Stage 2 audit.
In fact, Tempo likes to deliver a very thorough Stage 1 audit since we believe this can be helpful in allowing customers to discover (and therefore resolve) potential non-conformities in advance of the Stage 2 audit, making the Stage 2 audit a smoother process.
3. Stage 2 Audit (Main Audit)
The Stage 2 audit is the more in-depth assessment of how your ISMS operates in practice - and happens about 1 month after the Stage 1 (although it can be sooner - but typically a client needs sufficient time to resolve any issues highlighted at the Stage 1 audit).
A Stage 2 audit can be anywhere from 1.5 days (the shortest possible length for a Stage 2 - which would be for organisations with a headcount of 1 to 10 employees and deemed to be low risk) to multiple weeks, depending on the size and complexity of the organisation.
To issue a certificate for ISO 27001, the certification body needs evidence that the client organisation conforms to every clause of the ISO 27001 standard and every applicable control. As a result, across the Stage 2 audit, the auditor will cover every single clause and control over the allotted days. The audit plan, which is shared by the auditor in advance of the audit, will explain the rough schedule for the audit and when and how long the auditor will spend covering certain clauses or groups of controls.
During the audit, the auditor will be looking for evidence of conformity for each clause and control, so will be asking questions and gathering evidence from the client organisation or their representative - which the auditor will use to write up their reports and notes to back up their decision. As a result, you’ll need to make sure you have suitable evidence to show the auditor when they request it.
Where there is evidence of non-conformity (or insufficient evidence of conformity), this will result in a non-conformity being recorded (either Major or Minor). Head down to the certification decision section below to understand how non-conformities affect the result of the decision and the timeline to certification.
TOP TIP: In advance of a Stage 2 audit, go through the standard clause-by-clause and control-by-control and consider whether you have met the requirements of each clause and what evidence you would show the auditor if they ask you!
4. Certification Decision
At the Closing Meeting at the end of Stage 2, the auditor will share a recommendation based on the results of the audit. These are the 3 possible outcomes:
Recommendation to Certify - This only happens when there are no non-conformities. This is rare, since it’s unusual in a Certification Audit to have no non-conformities - but where it happens, it means the certification body can move quickly through to issuing your certificate (provided your Technical Review does not flag any other issues).
Recommendation to Certify, provided a corrective action plan is accepted to resolve non-conformities - This is where there were minor non-conformities highlighted in the audit (but no major non-conformities). This is a fairly likely outcome and is not a concern. You will simply need to provide an acceptable corrective action plan for each Minor non-conformity for the auditor to sign off. Once the auditor has signed off (and the certification body has approved the report), the certification body will be able to issue your certificate.
No Recommendation to Certify - This is where there are one or more major non-conformities highlighted in the audit. Again, this is a relatively common occurrence and isn’t typically a cause for concern. You simply need to provide evidence in your Corrective Action Plan of how you closed the Major Non-Conformities. Once that is provided and the auditor has accepted it, the certification body can proceed to issue your certificate.
After the end of the Stage 2 audit, you will likely have some major or minor non-conformities to close (options 2 or 3 above). At Tempo Audits, we encourage the auditor to share these non-conformities with you as soon as possible after the audit (hopefully at the closing meeting, but if the auditor needs more time to gather their thoughts, at least within a day or two of the close of the audit) - so that you can create your Corrective Action Plan - see the “Corrective Action Plan / Closing Non-Conformities” section below.
Alongside the Corrective Action Plan, the auditor will finalise their report so that the certification body’s technical reviewer can review it and sign it off. Depending on the certification body, this process can take anywhere between days, weeks, or (if a very slow certification body), months! At Tempo Audits, we aim to have the report finalised and “Technically Reviewed” within 10 days of the end of Stage 2, and often within a day or two. Some additional minor or major non-conformities might be highlighted in the Technical Review - in which case, these will be communicated to you so that you can include them in your Corrective Action Plan.
As soon as non-conformities have been closed and the report has been Technically Reviewed successfully, your certification body will issue your certificate - and you will have achieved your ISO 27001 certification. Congratulations!
Once issued, your certificate will last for 3 years from the date of the issuance.
5. Surveillance Audits
In the first 2 years of your certificate being issued, your certification body will conduct shorter “Surveillance” audits.
The first needs to be within 12 months of the certificate being issued. Tempo typically looks to arrange this around 11 months from your certificate being issued.
The Surveillance Audit is a shorter “check-in” audit - around a third of the length of a certification audit (and half the length of a recertification audit) - and is not a full-system audit. As a result, the certification body will not review every clause and control, but might sample a selection of clauses or controls (with the auditor taking a “risk-based approach” - i.e. checking on controls or clauses where there might be particular risk, or where changes in the business mean that these controls or clauses need particular review).
The core agenda for a Surveillance Audit will be as follows (and each of these sections might lead the auditor to review other areas of your ISMS that might be raised in the course of the conversation):
Changes to your Business since Previous Audit (e.g. Staff Numbers, Locations, Scope, Activities/Processes)
Review of Non-Conformities raised at your last audit (this is an obvious place to prepare for ahead of a Surveillance Audit!)
Use of certification marks (a review of how you’re using the certification body or accreditation body certification marks across your website and/or other materials)
Review of Internal Audits and Management Review Meetings
Complaints / Feedback from Interested Parties
Review of Management System Changes
Progress of planned activities aimed at continual improvement
Effectiveness of the management system with regard to achieving the company’s objectives and the intended results of the respective management system
Review of your Statement of Applicability and Information Security Risk Assessment
The 3 outcomes of an ISO 27001 surveillance audit are similar to those at Stage 2 of a certification audit, but this time, they relate to the “continued registration” of your certificate.
The process for closing any non-conformities highlighted is exactly the same as at the Stage 2 audit. However, if there are only Minor Non-Conformities highlighted, your certification body will maintain certification and will review the corrective action plan at the next assessment to check that the Minor Non-Conformities have been resolved. If Major Non-Conformities are highlighted, these will be closed following the Corrective Action Plan process. In this instance, the certification body will also conduct a review of the major non-conformities to determine if your certificate needs to be suspended until the Corrective Action Plan is approved - but even if this were to happen, once they are closed, your certificate would be restored.
6. Recertification
A Recertification Audit happens in the 3rd year of your certification cycle, with the goal of providing evidence of conformity against every clause and applicable control of the standard so that your certification body can issue you a new 3-year certificate. A Recertification Audit is typically two-thirds of the length of the Certification Audit and twice the length of a Surveillance Audit. Note that if your company has grown in the meantime, audit lengths might grow accordingly, based on the ISO 27006 audit length requirements.
The Recertification Audit is very similar to the Stage 2 certification audit, in the sense that it’s a full-system audit - so the certification body will cover every clause of the standard, and every applicable control. Although by the time you’ve reached a Recertification Audit, you should be familiar with the audit process - so hopefully, it’ll be less daunting for you!
The 3 outcomes of the audit are the same as at Stage 2 of a certification audit - this time relating to the decision of whether to issue a new certificate for the following 3 years.
The process for closing any non-conformities highlighted is exactly the same as at the Stage 2 audit. The auditor will share these non-conformities with you (in Tempo’s case, at the closing meeting, or, if the auditor needs more time to gather their thoughts, at least within a day or two of the close of the audit). You then close these out, and once they’re closed and the report is finalised and technically reviewed, the certification body can issue your renewed certificate for the next 3 years.
7. Corrective Action Plan / Closing Non-Conformities
To close out any non-conformities, you will need to provide the following 3 things:
Root Cause Analysis: Here, you investigate what caused the non-conformity so that you can ensure that the underlying cause of the issue is addressed, rather than merely treating the symptoms. Here, you look at broader ISMS processes that might contribute to the non-conformity. For example, a missing control may indicate gaps in risk assessments, training, or leadership oversight - so you would summarise the causes here.
Correction: A correction is an immediate fix to address the non-conformity, essentially resolving the problem at hand. For example, if a security incident is caused by improper access control, the correction would be restricting or updating user permissions.
Corrective Action: Corrective action is a longer-term solution designed to eliminate the root cause of the non-conformity, ensuring that it doesn’t recur. It involves identifying the underlying reasons for the non-conformity, making systemic changes, and possibly updating processes or policies. For example, in the case of improper access control, the corrective action might involve revising the access control policy and training employees on the new procedures.
For Minor Non-Conformities, you just need to make the plan by providing the 3 items above, and you do not need to have delivered the planned actions before the auditor closes them out (you simply need to have developed the plan, and the auditor needs to accept that the plan will be sufficient to close the non-conformity). The certification body will then review these and check that you delivered on the plan at the next audit.
However, for Major Non-Conformities, you need to have closed the non-conformity before the certification body can proceed to issue a certificate - so in this instance, the certification body and/or the auditor will need to see evidence (screenshots, PDFs, documents, etc.) to prove that the Major Non-Conformity is acceptably closed.
How to Prepare for an ISO 27001 Audit
Preparation for an ISO 27001 audit starts with ensuring that your Management System is fully compliant with the standard's requirements. This foundational step is essential for a successful audit outcome and should be prioritised well before the audit date. Tempo Audits can offer guidance on finding the right GRC platform or consultant tailored to your specific needs since choosing between the different offerings can be difficult if you’re not acquainted with the process!
Depending on the audit stage—whether it's Stage 1, Stage 2, a surveillance audit, or a recertification audit—it’s beneficial to review specific guidance to understand what will be expected during each phase. Familiarising yourself with the audit process can help you avoid last-minute surprises and ensure a smooth experience.
In addition to ensuring compliance, take the following practical steps to facilitate a successful audit:
Conduct your Internal Audit: You need to deliver an Internal Audit programme as part of the Standard in any event - but this can be a fantastic dry-run to highlight any issues that an auditor might raise in your external audit and resolve them in advance!
Organise Documentation: Ensure that all relevant records, logs, and reports are readily available for review. An organised document management system can significantly improve audit efficiency.
Ensure Team Availability: Confirm that key team members are available during the audit days. These individuals should be well-versed in your ISMS, prepared to discuss their roles, provide necessary evidence, and respond to auditor inquiries.
Provide Auditor Access: If applicable, grant the auditor access to your Governance, Risk, and Compliance (GRC) platform. Providing timely access allows the auditor to review necessary documentation more efficiently, helping streamline the audit process.
Taking these preparatory steps helps streamline the audit process, minimise disruptions, and enhance your chances of achieving certification success.
Conclusion
Achieving ISO 27001 certification is a significant accomplishment that demonstrates your organisation’s dedication to information security and continuous improvement. By understanding the audit process, effectively preparing your team, and proactively addressing any gaps in your ISMS, you can navigate the certification journey with confidence and clarity.
Once certified, it’s essential to maintain ISO 27001 compliance through regular surveillance audits and ongoing monitoring. This commitment ensures that your organisation remains aligned with ISO 27001 standards, reinforcing your security posture and enhancing your reputation in the industry.
Tempo Audits is here to guide your organisation through every stage of the certification process. From initial preparation to post-certification support, our experienced auditors provide expert guidance to help you build a strong security framework, meet ISO 27001 standards, and maintain your certification over time. If you're ready to begin your ISO 27001 journey or need assistance maintaining your certification, contact Tempo Audits today to schedule a consultation. Let us help you secure your future and strengthen your information security practices.
ISO 27001 certification not only strengthens your organisation’s resilience against cyber threats but also offers a competitive advantage by building trust with clients, partners, and stakeholders. With the right preparation and continuous effort, your organisation can leverage its ISO 27001 certification to drive business growth, secure valuable information assets, and solidify your reputation as a leader in information security for years to come.