Are you facing your initial certification audit soon and getting nervous?
No worries, it’s not that bad. Let us give you a best-practice “sneak peek” at the ISO 27001 certification audit process, where you will learn how to get through your first ISO 27001 audit without stress. (By the way, our tips apply as “best practice” to all management system audits, e.g. ISO 9001, ISO 20000-1, ISO 45001, and independent of the version of the standard.)
Best Practice Step 1: The audit always begins before the audit
Believe it or not, preparing for your certification audit starts with choosing the right certification partner. We recommend that you start 6-12 months before your desired certification date. Certification companies sometimes have busy schedules. You want to anticipate that.
For example, we at JJK Consulting & Auditing in Fairfield, New Jersey can assist you with the quotation process. When selecting the certification body, we recommend that you also have a phone call (or video conference) with the potential certification auditor to ensure you can build good chemistry.
Nothing is uglier than being committed for several years to an auditor with whom you have no real “connection” and who comes from a completely different world.
By the way: Depending on the size of your company, the audit is conducted by a single certification auditor or by a team (of two or more). The team can also be accompanied by observers (mostly auditors in training); however, these observers will not actively participate in the audit. The certification body will also ask you about your scope; if needed, we can assist you with that important task.
Best Practice Step 2: The Stage 1 Audit
The certification audit is divided into two phases:
Phase 1 (usually called “Stage 1”) and Phase 2 (usually called “Stage 2”).
The Stage 1 audit is about the certification auditor looking at what policies and processes you have set up in your company to meet the requirements of ISO 27001.
Since you usually have these process controls written down, it is common practice to simply send everything that is written down to the auditor (via access to a document repository or via email). Therefore, the Stage 1 audit is also sometimes called the “document audit”.
PLEASE NOTE: Prior to the Stage 1 audit, you should already have a so-called “Statement of Applicability” ready, an internal audit completed and a management review conducted as well. The certification auditor expects documents on these. In this stage, the auditor primarily checks whether your regulations really reflect ISO 27001.
Best Practice Step 3: The Stage 2 Audit
In the Stage 2 audit, the certification auditor checks whether you also work according to your own regulations. For this purpose, the certification auditor visits you (and your team) at all sites that you have registered for the audit. (In some cases, the Stage 2 audit also takes place remotely as a video conference.) If an audit team is involved, it can split up.
In the Stage 2 audit, the auditor (or the team) also gains insights, primarily through observations and interviews (and to a lesser extent through reading documents).
Here are a few important tips for the Stage 2 audit:
You will receive an audit plan in advance from your certification auditor. It specifies, to the hour, when each topic is “on”. You are also welcome to ask your auditors about this plan in good time (1-2 weeks before the audit at the latest), because you want to have a competent person from your team available at the start of each scheduled audit slot.
There is an obligatory opening discussion with everyone involved – both on your part and on the part of the auditor (team). This conversation has two functions:
Working relationship: Everyone gets to know each other and builds a first relationship with each other. The auditor explains how the audit works.
Part of the audit: The opening discussion is also an (informal) part of the audit. The auditor observes how you and your company relate to ISO 27001. Is someone from the management with you? Is this just a “running” issue for you? Do you even want that? Is the management really behind this? Is there one sleepy person sitting across from the auditor, or several engaged ones? Do you seem interested or absent?
You can set the course in the right direction in the opening discussion. Take the chance!
Interviews and observations: In the Stage 2 audit, the certification auditor gathers knowledge primarily through interviews and observations.
For you this means: You will have to answer a lot of questions. Admittedly, this sometimes feels like an oral high school exam. But that’s not what it’s meant to be. It’s not about knowing everything off the top of your head. It’s about the auditor wanting to get an idea of whether the policies and procedures that you have set up and implemented for your own company are also working as intended.
This can only be found out by a lot of questioning on the part of the auditor.
Here it helps if the team members sitting across from the auditor know about the topics, or at least know where to look. Nobody needs to know everything by heart. It’s perfectly fine to respond to a question with “Wait, I’m looking, give me a minute.”
How to manage contradictions
There will be times when the certification auditor will not entirely agree with what you are showing them. You will notice this when the auditor expresses doubts that your implementation meets the requirements of ISO 27001.
Typically, audited companies react reflexively with a clear contradiction (“You’re seeing it wrong!”, “That’s not true!”, “You can’t say that like that!”). Contradiction of this kind will usually not get you anywhere. Instead, take it upon yourself to explain why you have arranged things the way you have, and why this is appropriate and effective for you. Explain why any other type of regulation would not suit you and why the prevailing policy does what it should (according to ISO 27001). This clarifies the situation and will take you much, much further in the audit!
Alternatively, it can also help to ask where exactly in ISO 27001 the thing the auditor is missing is specifically required.
And: always remember, the tone makes the music. An “Oh really? Where is that supposed to be? Well?” gets you a lot less than an “Oh, hopefully we didn’t miss anything there, what part are you referring to?”
Final talk: As a rule, at the end of each audit day there is a short end-of-day discussion (of 15 minutes or more) in which the auditor explains what he found today (e.g. “I have not found any arrangements for documented information.”) and what he concludes from this (e.g. “Unfortunately, the requirement from chapter 7.5 is not fulfilled.”).
At the end of the audit there is an overall final discussion in which there is enough time again for the above-mentioned content (30 minutes or more). It helps when management is present here again. This shows the importance of the topic and thus fulfills clause 5.1 of ISO 27001 (and of all other management system standards as well).
In the overall final discussion, you will find out how the audit went overall and whether the auditor will recommend to the certification body that the certificate be issued to you.
Our conclusion: It is worthwhile dealing with the subject of audits at an early stage and preparing for what is to come and when!
Do you still have questions about the certification audit or would you like to “simulate” one? With really “nasty” questions? It’s a pleasure! Just get in touch with us.
JJK Consulting & Auditing offers Gap assessment audits and training on the recently updated ISO 27001:2022 standard requirements for security management system implementations.
Our experts can certainly prepare you for the introduction or the ongoing further development of your ISO 27001 information security management system (ISMS). With our step-by-step implementation methods, you can quickly fill your knowledge gaps on the entire updated range of ISO 27001:2022.
Our experts are all ISO 27001 certified Lead Auditors with many years of implementation experience.
BECOME ISO 27001:2022 CERTIFIED ON TIME & BUDGET
JJK Consulting offers everything you need to implement an ISO 27001:2022 ISMS; you don’t need to go anywhere else. We guarantee ISO certification for your company or organization (provided you follow our advice!). You benefit from real-world practitioner expertise, not just academic knowledge.
We offer ISO 27001:2022 implementation, audit services and training, available in the NY Metro Area and nationwide, onsite or via secure remote/VPN teleconference meetings.
Ready to Explore New Possibilities?
Please contact JJK Consulting at your convenience for an initial consultation on ISO 27001:2022 Accreditation.
We’ll work with you one on one to determine a roadmap to success.
Call Today: 973-402-5889