Interview with an ISO 27001 Auditor: How Do I Select an ISO 27001 Auditor?

November 09, 2021

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Are you thinking about getting an ISO 27001 certification for your company? Not sure how or where to pick an ISO 27001 auditor?

Starting the journey toward ISO 27001 certification can feel overwhelming. Even finding an accredited auditor in your area can be a challenge.

We interviewed Mahtab Haider, Director of the ISO service line at The Cadence Group, to help give you an informed perspective. With over 15 years of risk and compliance experience, he knows exactly what your company should consider when picking your auditor.

We’ll cover what ISO 27001 is, why companies should get audited, how to find accredited auditors, and other factors that will impact your final choice.

What is ISO 27001 and why should companies get certified?

ISO 27001 is an international standard for security management systems. ISO 27001 helps companies demonstrate that their information security management system has the right security processes in place. It’s crucial for companies that digitally store customer data and other sensitive information — which is just about every company in the 21st century.

To prove that your company meets this standard, you need to get audited by an accredited auditor who oversees your procedures, systems, and working practices. Once you’ve passed the Stage 2 audit, you get your ISO 27001 certification and can publicly market it.

With an increased focus on information security best practices and standardization, companies are looking toward globally recognized frameworks and standards. Getting one is the best way to showcase the effectiveness of your information security controls. 

Most startups find it easier to earn business with large companies if they’re ISO 27001 certified. In fact, some enterprises require all vendors they do business with to have ISO 27001 certification. If you can’t prove that their information will be secure with you, the deal is off.

If you’ve experienced that sort of ultimatum, you’re probably in a rush to find the right auditor for your company. That’s what we’ll cover in our next question.

Where can I find accredited ISO 27001 auditors? 

You can find accredited ISO 27001 certification bodies online on the official ANAB website in the accreditation directory.

Set the standard to ISO/IEC 27001, and enter your country, state, or other criteria. Press search, and you’ll see accredited auditors in your area.

ANAB (ANSI National Accreditation Board) is part of ANSI (American National Standards Institute), and as such is responsible for accrediting U.S. vendors.

In Europe and Asia, you may have to research other accreditation bodies’ websites for the same information.

These include:

These official sites are the only reliable source for confirming accreditation.

How can you verify an auditor is accredited by official accrediting bodies?

Before hiring an auditor for your company, always make sure the certification body is listed under the accreditation directory on the certification registrar’s website. 

You can do that using the links in the section above.

Ensure that the company name, business address, and certificate number all line up with what’s presented on the auditor’s website.

Are there other factors (beyond accreditation) to consider when choosing an auditor?

If being accredited were the only consideration, you could just start messaging all local accredited auditors for price and availability.

But there are other factors to consider — including industry experience, other audit accreditations, and more.

Audit firms with a lot of experience in your industry will have a deeper understanding of emerging technologies, for example, cloud computing like GCP, AWS, and Azure. That means they’ll better understand industry practices and requirements, speeding up the audit process in its early stages.

It also means they can offer a lot more meaningful insight during the process of Stage 1 certification, where the auditor checks to see if the company is ready for an in-depth Stage 2 certification process.

It’s also important to make sure the audit firm can offer multiple certifications, especially SOC 2, FedRAMP, and PCI.

Information security is such a priority that most companies feel more comfortable when you’ve proven you meet multiple international standards. More and more, we’re seeing that our clients want to expand their ISO audits with SOC 2 and FedRAMP audit work to cover all their bases.

Considering future scalability while selecting an audit firm will save a lot of extra work down the line. In particular, audit evidence and audit interviews will be extra time-consuming.

Working with the same firm for multiple certifications makes the audit process a lot more efficient.

The last thing you want is to start from zero every time you want to get a new similar certification. Working with one audit firm that can handle multiple certifications can save both time and money.

What should companies do before hiring an auditor for an external ISO 27001 audit?

Most audit firms offer precertification and gap analysis services as the first step toward achieving certification.

Unless you have an information security expert in your company, these services are crucial to help you lay the foundation for a successful ISO audit in the future.

An experienced ISO 27001 lead auditor will work with you to identify all potential issues with your systems and procedures, so you don’t waste time preparing for multiple audits.

Once the gap assessment is complete, clients have a complete picture of the issues in their current environment that prevent them from meeting certification requirements. That plays a critical role in readiness towards the ISO 27001 certification audit.

After the gap analysis is complete, the next steps you need to take to prepare for your Stage 1 ISO 27001 audit include: 

  1. Documentation of policies: Document the policies you set in place to protect customer data — like two-factor identification, encrypted login keys, and more.
  2. Implementation procedures: Outline how these policies will look in practice, what your employees need to do, and more.
  3. Training of people: Train all your employees to actually follow these procedures and policies for handling data. An organization is only as secure as its weakest link. You don’t want someone logging into sensitive systems from potentially infected personal computers.
  4. Implementation and testing of security controls: Before you get audited, it’s time to put new security controls into place.
  5. Internal audit: Set up spot-checks and audits to see whether staff follow procedures and whether those procedures actually prevent potential issues from happening.

It’s a long, multi-stage process that will be a lot more challenging without an auditor’s insights from a gap analysis. It’s not something you can just learn from blog posts and YouTube videos.

The end goal is to set up a robust information security management system (ISMS) that monitors all of your company’s data handling practices. Onboarding and training new employees should be a reliable part of that system. That way, customer data remains secure throughout restructures, acquisitions, and other major events.

What are your final thoughts on ISO 27001?

ISO 27001 is the first step toward building and demonstrating information security controls and compliance. However, the journey doesn’t end once your company is certified.

Your organization needs to stay committed to the continuous improvement of the ISMS. It’s the only way you can keep up with the changing requirements, technologies, and risks in your industry.

That means continued investment and stakeholder involvement in the project of information security. If high-level executives lose interest, it can lead to a breakdown of cross-department collaboration.

The last thing you want is to fail your renewal audit in three years and start the project from scratch. Not to mention, in a worst-case scenario, becoming sloppy can lead to data breaches, lawsuits, and the loss of important clients.

You have every reason to keep investing in data security throughout your entire organization.

Information security is no longer optional

Companies are increasingly looking for ISO 27001 and comparable certifications when choosing vendors to do business with.

When a single data breach in 2020 cost $3.86 million on average, you can understand why companies take this seriously.

If you’re new to this journey and want to get more insight into the reliability of your systems and overall tech stack, you don’t need to hire expensive consultants. Secureframe lets you scan all the applications, platforms, and tools you use to handle information online. To see our platform in action, request a free demo today.