Interview with an Auditor: Expert Tips to Prepare for an ISO 27001 Audit

  • May 11, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Between establishing policies, creating documentation, and collecting evidence, an ISO 27001 audit usually takes months of preparation and a ton of paperwork. While our compliance automation platform is purpose-built to solve for all of this manual effort, we also know that there’s no substitute for expert advice. 

To help organizations better prepare for an ISO 27001 certification, we interviewed Hector Galvan, Senior Auditor at Prescient Security, to get his best preparation tips. 

What sets Prescient Security apart?

Prescient Security is a premier independent audit and security company serving SaaS companies worldwide. We offer clients multiple certifications and attestation services, including SOC 1, 2, and 3; ISO; GDPR; CCPA; GLBA; Google Oauth; and Microsoft SSPA; as well as penetration testing services in-house. We’ve fully adopted the digital audit era, with expertise in the latest cloud-native technologies. 

We are not your traditional CPA audit firm where auditors come from tax and finance backgrounds with no security credentials. We come from red team and cloud security backgrounds. All of our auditors are advanced security certified. The power of an audit report is in the quality of test descriptions founded on deeper evidence data. When your clients review our audit report, they know that the documentation is done by cybersecurity experts. 

What do you wish first-timers knew about ISO certification audits?

Aside from implementing processes and controls for your information security management system (ISMS), a big part of ISO is about documentation. If you review the ISO 27001:2013 standard, you’ll quickly notice that it requires many different documents and records, and even lists requirements and guidelines for how to document those items. Always verify that any document that is maintained by your organization follows the appropriate version and document control as specified in the standard.

The Ultimate Guide to ISO 27001

If you’re looking to build a compliant ISMS and achieve certification, this guide has all the details you need to get started. 

What advice do you have for companies preparing for an ISO audit?

First identify the scope of your ISMS, then complete a risk assessment, since that lays the foundation for other requirements such as the statement of applicability and the internal audit. Once you have a clear view of the risks and controls you already have, you can then focus on maintaining and continually improving your ISMS.

What best practices can you share for preparing key ISO documentation?

Be sure to first identify the scope of your ISMS, then outline your company’s risks and controls. Doing this will help you hone in on the processes, documents, and records that need to be in place for the audit. 

Always remember that your company chooses which controls are included in the scope within the statement of applicability, and the auditor will only audit those in scope. Additionally, make sure to document any external factors and legal and regulatory requirements that may already impact your services and operations. 

What do your most successful clients have in common?

Our most successful clients are prepared early in the process and they follow the standard requirements exactly as they are outlined. They also don’t rush through the audit and closely follow the ISO 27001 standard as well as ISO 27002 as a guide for improving their ISMS and overall security environment rather than looking at the certification as a checkbox.

What last words of advice, tips, and recommendations do you have to share?

ISO 27001 requires a lot of documentation. As long as your organization has processes in place to implement, retain and manage documentation, you should be fine. 

Secureframe does an excellent job of providing high-quality templates and implementation consultations so you can be fully prepared for your auditor. Request a demo with them today so we can help you reach your compliance goals quickly as one team. 

Simplify ISO 27001 audit prep with Secureframe

ISO 27001 has hundreds of requirements, including extensive documentation. We help organizations of all sizes write security policies, complete employee training, collect evidence, and monitor their security posture. Schedule a demo to see how Secureframe can streamline your ISO 27001 audit prep.