Tips for working with an auditor

We’ve written a lot about ISO 27001 on our blog: its purpose and benefits, the certification process, control requirements, and costs. We’ve shared checklists, guides, and templates. It’s all an essential part of our mission to demystify the world of security and compliance for our customers. 

But there’s also something to be said for sharing our perspective as an organization that’s actually gone through the process of achieving ISO 27001 certification. What’s it really like? Is ISO 27001 certification worth it? 

As a compliance automation platform, we’ve always believed that a strong security posture fuels innovation and growth. We knew the investment would pay dividends. 

Today we’re sharing our first-hand experience of the recertification process and how we maintain continuous compliance, along with our advice for other fast-growing organizations getting ready to go through the same process. 

Our ISO 27001 recertification experience

As a customer-focused company, it made sense to undergo our own ISO 27001 certification not only for the security and organizational benefits but also to put ourselves in our customers’ shoes. 

We began preparations in the latter half of 2020, completed the Stage 1 and 2 audits through A-LIGN, and achieved certification in early 2021. We recently completed our recertification for surveillance year 1 with zero non-conformities! 

Being a team of experts at a security and compliance company made having available resources easier. But the recertification process can still be time-consuming. We continue to improve upon Secureframe’s security posture and compliance culture, and even update our ISO 27001 offering to incorporate lessons learned from our own audits. 

All in all, pursuing and maintaining certification is well worth the effort, and we’re happy to share additional insights from our first-hand experience.

Why we decided to be ISO 27001 certified 

As a security and compliance company, we understand the value of a respected international framework like ISO 27001. It’s one reason why we’re also compliant with SOC 2, GDPR, and CCPA. 

Second, while none of our customers specifically require us to be ISO 27001 certified, we know it helps build trust with our customers and business partners. We can say we’re a company that understands and delivers best-in-class security, but having an objective third-party auditor verify our claims about our own security posture gives added credibility. Being ISO 27001 compliant ourselves also sets us apart from our competitors, who have yet to achieve certification. 

The certification and recertification processes have the added value of giving us better insights into what our customers go through on their compliance journey. Having experienced the process first-hand, our entire team can more deeply empathize with our customers who are going through the same process. We’ve been there ourselves.

Our ISO 27001 recertification timeline

Preparing for an ISO 27001 audit is not an easy task. There are a lot of moving parts, a lot of people that need to be involved, and a lot of time that needs to be dedicated to the process. 

Going to audit for the first time (and during years where all controls must be tested) is more time-consuming than years requiring a surveillance audit, where only a subset of Annex controls are tested. 

For our initial certification audit last year, compliance tasks took up approximately 50-75% of 1-2 resources in the 3 months leading up to the audit — about 480-720 hours in total.  

During this past year, an additional 20 hours were dedicated throughout the year to prepare for our surveillance audit. 

These hours are for a team of compliance experts with decades of experience. Actual hours will likely look different for organizations that aren’t familiar with compliance audits, companies that hire a consultant, or businesses that need more time to get processes and policies in place or address non-conformities. 

Every business is different, which is why it’s so important to partner with experts who take the time to understand your unique systems and compliance needs. 

How we managed the audit preparation process

In our experience, having a single person or team responsible for driving the compliance process and ensuring tasks are completed on time is key. 

From a project management perspective, we also found it was important to identify our most strained resources (for us, that’s our Engineering team) and prioritize getting requests to them first. 

Building in this slack time allowed us to ensure we didn’t miss any internal or external deadlines. Being aware of dependencies, including people and activities, is essential. In our experience, having 80-90% of evidence uploaded before the audit kicks off is a good goal.  

Overall, the most important aspect of our preparation process was communication. Explaining the need for sample selections to the appropriate people ahead of time really helped them anticipate evidence requests and understand timelines. 

Communicating the audit timeline to the overall team ahead of time kept ad-hoc auditor requests from coming as too much of a surprise. Responding to those can be stressful, which is why Secureframe is in the compliance automation business in the first place. 

Our tips for working with an ISO 27001 auditor

We worked with A-LIGN for both our initial certification and our recertification. Developing a strong relationship with your external auditor helps tremendously with continuity. Going into our recertification, our auditor already had a working familiarity with our organization. 

For the recertification, we had a planning call in early November 2021 for an audit starting in late January 2022. Outside of those meetings, communication was primarily through email. 

We gave a high-level overview of our organization and shared screens to walk our auditor through the system. When you work with an auditor for multiple years, they already know what to look for and can use this deeper understanding to offer more tailored recommendations for improvement.  

As a team of experienced compliance experts, it was easier for us to interpret requirements, anticipate evidence requests, and be aware of potential gaps. 

For organizations that don’t have this kind of experience to leverage, we strongly recommend working with compliance experts at the start of your ISO 27001 certification journey. Without that expertise, it all can seem daunting and the time saved can be invaluable. 

How we approach continuous compliance 

While we definitely feel a sense of accomplishment on receiving our ISO 27001 recertification, our work isn’t finished. We plan recurring ISMS activities ahead of time and schedule them throughout the year. This keeps everything from being rushed in the months leading up to the audit.  

It’s important to adjust how you meet Annex controls based on how your organization has grown or changed. For example, if your physical locations have changed or if your organization went fully remote. If there are new or changed business risks or security threats, if processes have matured or changed to meet a larger headcount — all of these scenarios require you to reexamine your policies and internal controls.   

To maintain compliance, you’ll need to update your ISO 27001 documentation every year (i.e. policies, your Statement of Applicability, scope document, corrective actions, etc.). Other annual review and update activities include reviewing vendors, tabletop exercises, and inventory.  

An annual penetration test, employee security awareness training and performance evaluations, an ISO 27001 risk assessment should also be performed. ISMS objectives and KPI tracking, and internal audits are required as well. 

Your ISMS meeting should occur after the annual internal audit and risk assessment are completed to allow a proper review, and meeting minutes should be captured and documented. Access review and vulnerability scanning are recommended at least quarterly. 

Key takeaways

Getting ISO certified is a lot like running a marathon. Crossing the finish line feels great, but you can only get there with a lot of dedicated preparation. 

Condensing our experience into a handful of takeaways feels a bit like oversimplification, but if we had to boil it down, this would be our advice to other high-growth companies preparing for a compliance audit. 

• Prioritize communication — both with your internal team and your auditor. Everyone in your organization should understand why you’re pursuing certification, what their responsibilities are, and when they’re expected to act. 
• Build buffer time into your preparation planning. Compliance tasks take longer than you think, and you’ll need to rely on other teams to generate evidence and answer questions. 
• Spend time upfront familiarizing your auditor with your systems and processes. You’re building a long-term relationship with them, and the better they understand your organization, the smoother the audit process will be. 
• Schedule your maintenance tasks throughout the year so there isn’t a mad rush in the weeks leading up to your recertification audit. 
• Experience and expertise are invaluable assets. If you’re new to ISO 27001, consider hiring a consultant or partnering with a compliance solution to help you through it. Make sure to ask every vendor if they themselves are ISO 27001 and/or SOC 2 certified. 

We hope sharing our experience is helpful for other companies! If you’re interested in ISO 27001 certification, you can schedule a demo to learn more about our platform and team of compliance experts.