A key component of ISO 27001 compliance is regular audits. 

Audits ensure that your Information Security Management System (ISMS) is not only in compliance with the ISO/IEC 27001 standard, but that it’s also effective in maintaining information security for your organization.

To ensure you’re ready, we’ll cover everything you need to know about ISO 27001 audits, including the different types and why they’re important.

What is an ISO 27001 audit?

An ISO 27001 audit is a review process for examining whether an organization's ISMS meets the standard’s requirements as well as the organization’s own information security best practices.

What are the ISO 27001 audit types?

Below is an overview of the different types of ISO 27001 audits. Find out what they are, who they’re conducted by, and how often they occur.

Internal audits

ISO 27001 requires organizations to plan and conduct internal audits in order to prove compliance. These audits are meant to review and assess the effectiveness of the company’s ISMS. 

They must be conducted on a regular basis and must document the audit process. 

These audits can be carried out by an organization’s own internal audit team. If a business doesn’t have an internal auditor they can use an outside party. These audits are called a “second-party audit.” 

External audits

External audits are carried out by a certification body to determine whether your organization satisfies ISO 27001 requirements on an ongoing basis.

The term “external audit” most commonly refers to the certification audit, in which an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification. However, the term also refers to other types of audits conducted by certification bodies. Let’s take a look at all three types of external ISO 27001 audits below.

Certification audit

The certification audit is conducted by a certification body, and if you prove compliance, you will receive a certificate of compliance that’s valid for three years. During those three years, you’re obligated to maintain your ISMS and the processes, ISO 27001 controls, and requirements that helped you achieve compliance. 

This is the only type of ISO 27001 audit that is conducted only once, when you are first awarded your certificate of compliance. 

Surveillance audits

After achieving certification, you must schedule surveillance audits with a certification body.

These audits include:

• All clauses in the ISO 27001 framework
• Annex A requirements, which are divided between years one and two after your certification audit (your auditor will determine how the requirements are split) 
• Review of prior nonconformities found in the initial certification audit to determine whether they were remediated properly

Recertification audits 

After those three years have passed, your organization will need to undergo a recertification audit where you will provide evidence proving continuous compliance and proof of ongoing ISMS improvement. 

Who can perform ISO 27001 audits?

External audits must be performed by a certification body.

An internal audit is the only type of ISO 27001 audit that is not carried out by a certification body. Instead, an independent party with sufficient expertise can perform it. This party can be an internal or external resource as long as they are impartial and are not auditing functions or processes that they manage or helped create.

If your organization doesn’t have anyone who fits this criteria, you can recruit an external auditor to help you complete an internal audit.

ISO 27001 audit frequency

ISO 27001 is a rigorous standard that needs to be renewed frequently. This frequency varies by audit type.

ISO 27001 compliance requires an internal audit every 12 months to help ensure that controls are closely monitored over the long term and your ISMS is continuously improving. This makes it a lot easier for customers to trust you with their data and their business.

A certification audit is only required once. After you are awarded your certification, your organization will need to undergo surveillance audits in years one and two after your certification audit. In year three, you’ll need to undergo a recertification audit.

The Four Types of ISO 27001 Audits

Certification audit vs. internal audit: How are they different?

The main difference between certification audits and internal audits lies in the objectives included within the ISO 27001 standard. 

ISO 27001 states that internal audits are meant to:

1. Confirm that the ISMS conforms to the organization’s own requirements for information security management
2. Confirm that the ISO 27001 standard is effectively implemented and maintained

ISO 27001 states that the certification audits are meant to:

1. Confirm that the organization adheres to its own policies, objectives, and procedures
2. Confirm that the ISMS conforms to all ISO 27001 standard requirements and is achieving the organization's policy objectives 

The internal audit focuses on the effectiveness of the ISMS, however that might look within your company. The certification audit is used to test conformity of an ISMS against the ISO 27001 requirements. 

Why are ISO 27001 audits important?

Both internal and external ISO 27001 audits are important.

External audits provide third-party validation for your security posture. An auditor can offer an expert, objective opinion on your security controls and policies as well as insightful recommendations into what you could do to further improve your overall security posture. Certification audits in particular are important because they prove your commitment to security. A highly respected third-party certification like ISO 27001 can be a powerful competitive advantage. It can also speed up the sales cycle and enable you to move upmarket faster. 

Internal audits are important because the ISO 27001 standard requires them. Clause 9.2 of the standard mandates an internal audit program in order to prove an ISMS is in compliance and working effectively. Beyond being a requirement, they also provide companies with a variety of benefits, including the discovery of nonconformities and the chance to remediate them before a certification body does.

Other benefits of internal as well as external ISO 27001 audits include:

• Peace of mind that your ISMS is adequately implemented and meets the requirements of the standard
• Assurance that your ISMS is effective in reducing information security risks
• Knowledge that nonconformities are addressed in a timely manner
• Detailed documentation of information security weaknesses, events, and incidents that can help inform improvements and changes to strengthen the ISMS
• Commitment to continuous improvement

ISO 27001 audit timeline

Before your certification audit, you’ll need to complete several steps to prepare, including risk management and implementing security controls. First, you’ll need to define the scope of your ISMS and decide what information assets you’ll want to be represented on your ISO 27001 certificate. 

Next you’ll need to perform a risk assessment to identify threats and create a risk treatment plan to decide how to reduce each risk to an acceptable level. You may also choose to hire an outside consultant to perform a gap analysis and provide guidance on how you can meet ISO 27001 requirements. 

At this time, you’ll also need to prepare documentation, including writing security and privacy policies, completing the Statement of Applicability (SOA), collecting evidence of controls, and conducting cybersecurity awareness training for your staff. 

Once you’ve completed this pre-audit phase, you’ll move onto Stage 1 and Stage 2 certification audits, surveillance audits, and recertification audits.

Year 1: ISO 27001 Certification Audit

Once you’re ready to prove to an auditor that you’ve established effective policies and controls and that they’re functioning as required by the ISO 27001 standard, you can schedule a certification audit.

A certification audit happens in two stages. First, the auditor will complete a Stage 1 audit, where they review your ISMS documentation to make sure you have the right policies and procedures in place.

Next, a Stage 2 audit will review your business processes and security controls. Once Stage 1 and Stage 2 audits are complete, you'll be issued an ISO 27001 certification that's valid for three years.

Year 2 and 3: ISO 27001 Surveillance and Internal Audits

Within your three-year certification period, you’ll need to conduct ongoing audits. These audits ensure your ISO 27001 compliance program is still effective and being maintained. 

Surveillance audits check to make sure organizations are maintaining their ISMS and Annex A controls properly. Surveillance auditors will also check to make sure any nonconformities or exceptions noted during the certification audit have been addressed. 

Internal audits are also part of this ongoing monitoring. Internal auditors examine processes and policies to look for potential weaknesses and areas of improvement before an external audit. This allows you to complete any necessary corrective actions before your recertification audit.

Year 4: ISO 27001 Recertification Audit

During the last year of the three-year ISO certification term, your organization can undergo a recertification audit.  

Similar to Stage 2, the auditor will complete a detailed assessment to determine whether your organization meets ISO 27001 requirements for process/control design and operating effectiveness. 

After completing the recertification audit, your organization’s ISO 27001 certification is valid for another three years. 

Surveillance, internal, and recertification audits must continue in year 5 and beyond in order for an organization to maintain ISO 27001 compliance.

How to conduct an internal ISO audit in 5 steps

An internal audit can help an organization prepare for all external ISO audits, including the first and only certification audit. So it’s essential you understand how to conduct one.

Since internal ISO audits are customizable to fit the particular needs and requirements of your organization, the process for conducting them will vary. We’ve outlined a few of the core steps to complete an internal ISO 27001 audit below.

1. Document review

First things first: Your designated auditor (whether internal or external) should review the documentation of how the ISMS was created. This will help to set the scope of the internal audit to match that of the ISMS, since that’s what the internal audit covers. 

The documentation should also identify the key stakeholders responsible for the controls and processes of the ISMS. This will help the auditor should they need to request more information about ISMS specifics. 

2. Planning and preparation

During this phase, management and the auditor(s) should create a detailed ISO 27001 internal audit plan of what needs to be done. When creating action plans, consideration should be given to the resources needed to complete the audit as well as the time frame. 

3. Fieldwork

Fieldwork is the proper audit process where the ISMS will be tested, observed, and reported on. During this phase, your audit team will interview employees and observe how the ISMS is implemented throughout the company. 

4. Analysis

The audit evidence should be sorted, filed, and reviewed in relation to the risks and control objectives set by your organization and the ISO 27001 standard. 

Once the evidence has been collected, it must be sorted and reviewed against the ISO 27001 standard. This process may reveal gaps in evidence collection and require the need for additional audit tests. 

5. Report to management

Once the fieldwork tests have been completed, your audit team will deliver a report for management review. Results should be maintained as a record of performance and proof that your company is in compliance with the standard’s ISMS requirements. 

This report typically includes:

• An introduction that clarifies the scope, objectives, time frame, and summary of the work performed 
• An executive summary of key findings, brief analysis, and conclusion 
• Detailed findings and analysis 
• Statement from the auditor(s) detailing recommendations and scope limitations

Once the report has been handed over to management, they are responsible for tracking the correction of nonconformities found during the audit.

How Secureframe can help you prepare for ISO audits

Oftentimes, organizations do not have anyone on staff qualified to complete an internal audit who is also not directly tied to the creation and maintenance of the ISMS. 

When this happens, it’s crucial to find an external auditor to help you complete the internal audit. Secureframe can help by matching you with a lead auditor that not only knows your industry, but also understands the standard inside and out. 

This will help you to efficiently and effectively assess your ISMS prior to the certification process. 

Secureframe can also help you prepare for your certification, surveillance, and recertification audits while saving you time and resources. Our automation vastly increases your chances of getting and maintaining your ISO certification by helping you monitor your systems, fix any vulnerabilities, integrate your security stack, and more.

To learn more about how Secureframe can help streamline the ISO 27001 certification process, schedule a demo today.