ISO 27001 Audit: The Step-by-Step Process & How to Prepare [+ Checklist]
Anna Fitzgerald
Senior Content Marketing Manager
Cavan Leung
Senior Compliance Manager
Undergoing regular audits is a key component of ISO 27001 compliance.
Regular audits ensure that your Information Security Management System (ISMS) is not only in compliance with the ISO 27001 standard, but that it’s also effective in maintaining information security for your organization over time.
In this blog, we’ll cover everything you need to know about ISO 27001 audits, including the different types and the purpose, requirements, and cost of each.
What is an ISO 27001 audit?
An ISO 27001 audit is a review process for examining whether an organization's ISMS meets the ISO 27001 standard’s requirements as well as the organization’s own information security management requirements.
Unlike SOC 2 and other security frameworks, the ISO 27001 audit process consists of multiple types of audits. Completing this process provides several benefits, including:
- Peace of mind that your ISMS is adequately implemented and meets the requirements of the standard
- Assurance that your ISMS is effective in reducing information security risks
- Knowledge that nonconformities are addressed in a timely manner
- Detailed documentation of information security weaknesses, events, and incidents that can help inform improvements and changes to strengthen the ISMS
- Proof of your commitment to continuous improvement
ISO 27001 audit requirements
ISO/IEC 27001 requires organizations to undergo internal audits to comply with the standard. More specifically, Clause 9.2 mandates an organization conduct internal audits at planned intervals in order to verify that the ISMS:
- Conforms to the organization’s own requirements for its information security management system
- Meets the requirements of the ISO 27001 international standard
- Is effectively implemented and maintained
Completing an internal audit offers additional benefits beyond meeting this requirement. Namely, it can enable an organization to discover nonconformities and have a chance to remediate them before a certification body does.
ISO 27001 does not require organizations to undergo external audits to comply with the standard—but external audits are required to achieve and maintain ISO 27001 certification. Many organizations undergo a certification audit and the subsequent audits because they provide third-party validation of their security posture. A third-party auditor can offer an expert, objective opinion on your security controls and policies, as well as insightful recommendations on what you could do to further improve your security posture.
So while not mandatory, a highly respected third-party certification like ISO 27001 can be a powerful competitive advantage and proof of your commitment to security. This can speed up your sales cycle and enable you to move upmarket faster, among other benefits.
Now that we have a better understanding of the requirements and benefits involved in the ISO 27001 audit process, let’s dive into the different audit types below.
If you’re new to ISO/IEC 27001 and want to understand how to build a compliant ISMS and achieve certification, download the Ultimate Guide to ISO 27001 for all the details you need to get started.
What are the ISO 27001 audit types?
ISO 27001 certification requires both internal and external audits. While internal audits can be performed by an organization’s own team or a “second party,” external audits must be carried out by a certification body to determine whether your organization satisfies ISO 27001 and your own information security requirements on an ongoing basis. There are three types of external ISO 27001 audits.
Below is an overview of all four types of ISO 27001 audits. Find out what they are, who they’re conducted by, and how often they occur.
ISO 27001 Internal audit
ISO 27001 requires organizations to plan and conduct internal audits in order to prove compliance. The purpose of these internal audits is to evaluate whether:
- The ISMS meets the requirements of the ISO 27001 standard and the organization’s own requirements for its ISMS
- The ISMS is effectively implemented and maintained
These audits can be carried out by an organization’s own internal audit team. If a business doesn’t have an internal auditor, it can use an outside party; an internal audit performed by an outside party is called a “second-party audit.”
ISO 27001 internal audits must be conducted on an annual basis, and the audit process must be documented.
ISO 27001 Certification audit
The term “external audit” most commonly refers to the certification audit, in which an external auditor will evaluate your ISMS to verify that it meets ISO 27001 and your own requirements and issue your certification.
ISO 27001 states that the certification audits are meant to:
- Confirm that the organization conforms to its own policies, objectives, and procedures
- Confirm that the ISMS conforms to all ISO 27001 standard requirements
The certification audit is conducted by a certification body, and if you prove compliance, you will receive a certificate of compliance that’s valid for three years. During those three years, you’re obligated to maintain your ISMS and the processes, ISO 27001 controls, and requirements that helped you achieve compliance.
The certification audit is the only type of ISO 27001 audit that is conducted only once, when you are first awarded your certificate of compliance.
A closer look at the difference between an ISO 27001 internal audit vs certification audit
While both review your ISMS, the internal audit focuses on effectiveness according to your organization’s own policies and the ISO 27001 standard, whereas the certification audit focuses on conformity to all ISO 27001 requirements and the organization’s own information security requirements in order to grant certification. In other words, think of the internal audit as a readiness check and the certification audit as the final exam.
ISO 27001 Surveillance audit
After achieving ISO/IEC 27001 certification, you must schedule surveillance audits with a certification body.
These audits include:
- All clauses in the ISO 27001 framework
- Annex A requirements, which are divided between years one and two after your certification audit (your auditor will determine how the requirements are split)
- Review of prior nonconformities found in the initial certification audit to determine whether they were remediated properly
ISO 27001 Recertification audit
After those three years have passed, your organization will need to undergo a recertification audit where you will provide evidence of continuous compliance and ongoing ISMS improvement.
ISO 27001 audit cost
The cost of an ISO/IEC 27001 audit can vary widely depending on your organization’s size, industry, number of locations, and the maturity of your ISMS.
In general, an average company that is seeking to implement ISO 27001 but not get certified can expect to pay $5,000 to $10,000 per year for internal audits. If a company is seeking to not only implement the framework but also achieve and maintain ISO 27001 certification, they can expect to pay $10,000 - $50,000 for the certification audit and roughly $15,000 to $60,000 per year for recurring internal, surveillance, and recertification audits.
Here’s a breakdown of the costs by audit type, as well as purpose and frequency:
| Audit type | Estimated cost | Audit purpose | Audit frequency |
|---|---|---|---|
| Internal audit | $5,000 – $10,000 | Can be performed by an internal auditor or a qualified external auditor to meet the Clause 9.2 requirement. | Required annually |
| Certification audit | $10,000 – $50,000 | Conducted by an accredited certification body to verify compliance and achieve certification. | Happens only once, but in stages (Stage 1 and Stage 2 audits) |
| Surveillance audit | $10,000 – $30,000 | An accredited certification body verifies ongoing compliance and remediation of nonconformities. | Required in years one and two after certification |
| Recertification audit | $10,000 – $50,000 | Required to renew certification; scope similar to the Stage 2 certification audit. Conducted by an accredited certification body. | Occurs every three years |
Additional costs to consider
The cost estimates above only cover the audit process itself. Preparing for an ISO 27001 audit can involve significant additional costs, such as:
- ISMS implementation: The biggest cost factor is the time and resources required to implement ISO 27001 requirements and controls, including any necessary security tools, policies, and processes.
- Productivity: Employees may need to be taken off other projects to focus on audit readiness, or you may need to hire dedicated compliance staff.
- Consultants or advisory services: If you choose not to hire in-house, you can outsource this audit readiness work to an ISO 27001 consultant. An ISO 27001 consultant can cost anywhere from $3,000 to $40,000 depending on the complexity of your ISMS and the level of support needed.
- Training: Security awareness and compliance training for staff can be an ongoing expense.
- Compliance automation tools: Solutions that automate evidence collection, control monitoring, and reporting and offer proprietary employee training can free up internal resources and reduce costs required to achieve and maintain certification year after year.
ISO 27001 audit process
Before the ISO 27001 audit process begins—meaning before your certification audit—you’ll need to complete several steps.
First, you’ll need to define the scope of your ISMS and decide which information assets you want represented on your ISO/IEC 27001 certificate.
Next, you’ll need to perform a risk assessment to identify threats and decide how to treat each risk. You may also choose to hire an outside consultant to perform a gap analysis and provide guidance on how you can meet ISO 27001 requirements.
At this time, you’ll also need to prepare documentation, including writing security and privacy policies like the ISO 27001 Information Security Policy and data retention policy, completing the Statement of Applicability, collecting evidence of controls, and training your staff.
At this point, you may choose to conduct an internal audit to identify any gaps in your compliance posture.
Once you’ve completed this pre-audit phase, you’ll move onto Stage 1 and Stage 2 certification audits, surveillance audits, and recertification audits.
Below is an overview of this ISO 27001 audit schedule:

Year 1: ISO 27001 Certification Audit
Once you’re ready to prove to an auditor that you’ve established effective policies and controls and that they’re functioning as required by the ISO 27001 standard, you can schedule a certification audit.
A certification audit happens in two stages. First, the auditor will complete a Stage 1 audit, where they review your ISMS documentation to make sure you have the right policies and procedures in place.
Next, a Stage 2 audit will review your business processes and security controls. Once Stage 1 and Stage 2 audits are complete, you'll be issued an ISO 27001 certification that's valid for three years.
Years 2 and 3: ISO 27001 Surveillance and Internal Audits
Within your three-year certification period, you’ll need to conduct ongoing audits. These audits ensure your ISO 27001 compliance program is still effective and being maintained.
Surveillance audits check to make sure organizations are maintaining their ISMS and Annex A controls properly. Surveillance auditors will also check to make sure any nonconformities or exceptions noted during the certification audit have been addressed.
Internal audits are part of this ongoing monitoring as well. At least annually, internal auditors must examine your processes and policies to look for potential weaknesses and areas of improvement before an external audit. This allows you to complete any necessary corrective actions before your recertification audit.
Year 4: ISO 27001 Recertification Audit
During the last year of the three-year ISO certification term, your organization can undergo a recertification audit.
Similar to Stage 2, the auditor will complete a detailed assessment to determine whether your organization meets ISO 27001 requirements for process/control design and operating effectiveness.
After completing the recertification audit, your organization’s ISO 27001 certification is valid for another three years.
Surveillance, internal, and recertification audits must continue in year 5 and beyond in order for an organization to maintain ISO 27001 compliance.
ISO 27001 audit frequency: A recap
ISO 27001 is a rigorous standard that needs to be renewed frequently. This frequency varies by audit type:
- An internal audit is required every 12 months to help ensure that controls are closely monitored over the long term and your ISMS is continuously improving. This makes it a lot easier for customers to trust you with their data and their business.
- A certification audit is only required once.
- After you are awarded your certification, your organization will need to undergo surveillance audits in years one and two after your certification audit.
- In year three, you’ll need to undergo a recertification audit.
How to prepare for an ISO 27001 audit
An internal audit can help an organization prepare for all external ISO 27001 audits, including the first and only certification audit. So it’s essential you understand how to conduct one.
Since internal ISO audits are customizable to fit the particular needs and requirements of your organization, the process for conducting them will vary.
Below we’ve outlined a few of the core steps to complete an internal ISO 27001 audit so you’re prepared for ISO 27001 certification.

1. Document review
First things first: Your designated auditor (whether internal or external) should review the documentation of how the ISMS was created. This will help to set the scope of the internal audit to match that of the ISMS, since that’s what the internal audit covers.
The documentation should also identify the key stakeholders responsible for the controls and processes of the ISMS. This will help the auditor should they need to request more information about ISMS specifics.
2. Planning and preparation
During this phase, management and the auditor(s) should create a detailed ISO 27001 internal audit checklist of what needs to be done. When creating action plans, consideration should be given to the resources needed to complete the audit as well as the time frame.
3. Fieldwork
Fieldwork is the audit process proper, in which the ISMS is tested, observed, and reported on. During this phase, your audit team will interview employees and observe how the ISMS is implemented throughout the company.
4. Analysis
Once the evidence has been collected, it should be sorted, filed, and reviewed in relation to the risks and control objectives set by your organization and the ISO/IEC 27001 standard.
This review may reveal gaps in evidence collection and may require additional audit tests.
5. Report to management
Once the fieldwork tests have been completed, your audit team will deliver a report to management. Audit results should be maintained as a record of performance and proof that your company is in compliance with the standard’s ISMS requirements.
An ISO 27001 internal audit report typically includes:
- An introduction that clarifies the scope, objectives, time frame, and summary of the work performed
- An executive summary of key findings, brief analysis, and conclusion
- Detailed audit findings and analysis
- Statement from the auditor(s) detailing recommendations and scope limitations
Once the report has been handed over to management, they are responsible for tracking the correction of nonconformities found during the audit.

ISO 27001 internal audit checklist
Want a downloadable checklist to gauge your compliance readiness? Follow this 5-step roadmap to complete a thorough internal audit that satisfies ISO 27001 standard requirements.
How Secureframe can help you prepare for an ISO 27001 audit
Oftentimes, organizations do not have anyone on staff who is qualified to complete an internal audit and is also independent of the creation and maintenance of the ISMS.
When this happens, it’s crucial to find an external auditor to help you complete the internal audit. Secureframe can help by matching you with an auditor that not only knows your industry, but also understands the ISO/IEC 27001 standard inside and out.
This will help you to efficiently and effectively assess your ISMS prior to the certification process.
Secureframe can also help you prepare for your certification, surveillance, and recertification audits while saving you time and resources. Our automations vastly increase your chances of getting and maintaining your ISO certification by helping you monitor your systems, fix any vulnerabilities, integrate your security stack, and more.
To learn more about how Secureframe can help streamline the ISO 27001 certification process, schedule a demo today.
FAQs
What is an ISO 27001 audit?
An ISO 27001 audit evaluates your ISMS against both ISO 27001’s requirements and your organization’s internal policies, ensuring a compliant and effective information security framework.
How much does an ISO 27001 audit cost?
The cost of an ISO 27001 audit can vary widely depending on the size and scope of your company and your information security management system and on the type of audit. In general, an average company can expect to pay:
- $5,000 – $10,000 for an internal audit every year
- $10,000 – $50,000 for a certification audit (one-time cost)
- $10,000 – $30,000 for a surveillance audit in each of the first two years after the certification audit
- $10,000 – $50,000 for a recertification audit every three years
Who can perform ISO 27001 audits?
ISO 27001 external audits must be performed by a certification body. An ISO 27001 internal audit is the only audit type that is not carried out by a certification body. Instead, an independent party with sufficient expertise can perform it. This party can be an internal or external resource as long as they are impartial and are not auditing functions or processes that they manage or helped create. If your organization doesn’t have anyone who meets these criteria internally, an external auditor (or “second party”) can help you complete an internal audit.
What’s the difference between an ISO 27001 certification audit vs internal audit?
The main difference between an ISO 27001 certification audit and an internal audit is their objective. The ISO 27001 standard states that the certification audit is meant to test conformity of an ISMS against the ISO 27001 requirements and the organization’s own infosec requirements, whereas the internal audit is meant to test the effectiveness of the ISMS, however that might look within your company.
Did the ISO 27001 internal audit requirements change in ISO 27001:2022?
No. In the latest version of the framework, ISO 27001:2022, Clause 9.2: Internal audit was split into 9.2.1: General and 9.2.2: Internal audit programme. However, besides this structural change, the requirements remain the same.
What is an ISO 27001 report?
An ISO 27001 report is the result of an ISO 27001 internal audit. It is delivered to management as a record of performance and proof that your company is in compliance with the standard’s ISMS requirements. It also enables them to identify and track the correction of nonconformities found during the audit, which is required by ISO 27001 clause 10.1.