What is an ISO Audit? (Everything on ISO Audits, ISMS, ISO Certifications)

A lot of companies that are just getting started with their compliance journey tend to wonder what an ISO audit is. The ISO/IEC 27001 standard can get quite overwhelming for organizations. The risk-based nature and vast size of the standard make it extremely tough to prepare for the ISO audit when it comes to documentation.

If you have been facing trouble in this regard, don’t worry - you are in the right place. In this article, I will help you understand what an ISO audit is and how you can ably manage getting certified.

What exactly is ISO?

iso audit

ISO stands for the International Organization for Standardization, which was developed in 1946 by a congregation of delegates from 25 countries for coordinating industrial standards.

Today ISO’s members represent 162 different countries and have formed 778 technical committees and subcommittees.

Modern ISO quality assurance standards cover everything from data storage to manufacturing. With their help, organizations gain strategic tools to keep businesses productive and competitive.

Checkout the pick of ISO tools →

What are the ISO standards applicable to information security?

ISO/IEC 27001:2013 standardizes an Information Security Management System (ISMS) and, unlike many other standards like the PCI DSS, its controls are based on risks instead of prescriptive measures. By virtue of this unique approach, various industries and organizations are able to apply ISO 27001.

For example, various non-profit, commercial, and government organizations can opt to comply with ISO. Since it is so flexible, a wide range of markets, including education, defense, healthcare, and banking, can leverage it as well.

Thanks to its flexibility, ISO/IEC 27001 is one of the most utilized information security standards today. It also lists a number of controls in Annex A, which serves more like a menu with a flexible approach to security, allowing one to choose their own style.

With these extended control sets, management has the option of accepting, avoiding or transferring risks instead of mitigating them through controls.

What exactly is an ISMS?

Basically, a company’s ISMS refers to its procedures and policies for protecting crucial information or data. Apart from technology and data, an organization’s ISMS should address the behavior of its employees as well. A good example is to make password protection awareness and employee security awareness a part of the overarching data protection culture.

ISO/IEC 27001 does specify the creation of an ISMS, but it only provides suggestions for actions instead of needing particular activities. Ideas mentioned in this regard include continual monitoring, internal audits, and preventive or corrective measures.

What is meant by ISO certification?

For receiving ISO certification, you will have to meet compliance and audit standards. Basically, being certified means that your ISMS has been reviewed by an external certification body and has been found to comply with all the necessary requirements. The main steps involved in certification are gap analysis, formal assessment, implementation, and audit. These steps seem to be simple, but the process of certification itself can actually be quite complicated.

Carrying out a gap analysis refers to reviewing the controls selected for various standards and making sure that the requirements for ISO/IEC 27001 have been met in the process. After the gap analysis has been completed, you will have to create a formal assessment that incorporates the risks previously alleviated and also determines whether to mitigate, transfer, or accept additional risks detected.

After the formal assessment comes the implementation process, in which you will have to create the procedures and policies involved in putting new controls in place. If your risk assessment determines that your company wishes to mitigate and control several new tasks instead of accepting or transferring them or your gap analysis detects numerous prominent areas to be included, then the implementation process can get quite lengthy.

The final step of the ongoing monitoring requirement of ISO/IEC 27001 requires audits, which refer to the documentation that implies the time dedicated to gathering the documentation.

How much time does it typically take to become ISO certified?

The time taken for the certification process to be completed can be quite variable. It is largely influenced by your organization’s present controls and compliance stance. Depending on those factors, it can take anywhere from 5 months to 24 months. Keep in mind that this time frame also depends on whether you intend to get certified cheaply, speedily, or properly.

What is an ISO audit checklist?

You can conveniently get an overview of your present compliance stance with the help of an ISO audit checklist. It is basically a questionnaire that guides auditors and directs their attention towards areas that require testing. It is a particularly useful tool for organizations that are planning to start an ISO certification process.

What is an internal ISO audit?

Modern ISO certification and audit processes mandate organizations to include internal audits as part of the ongoing monitoring requirement. This type of audit serves as a good business practice. The internal auditor should be separate from the process which is being evaluated, but he or she can be an independent contractor or a corporate employee.

Internal ISO auditors are mainly supposed to look for possible weaknesses and put forward suggestions before the external auditor’s review. The internal auditor’s opinions are valuable because he or she knows the individual company more closely than holding the company to an external standard alone. 

What is an ISO certification audit?

A certification audit is used for determining whether your organization has gathered the controls, documentation, processes, and records required for being ISO/IEC 27001 certified. To make sure that your organization complies with the standard not merely on paper but in practice as well, the auditor compares the documents against the daily activities. Certifications last for a period of three years, during which the organization wishes to make sure that you constantly remain compliant.

Also see: COSO vs Cobit

What is an ISO surveillance audit?

This is a review in between certifications that focuses primarily on making sure that organizations maintain a certain level of care over their ISMS. Such audits usually take place on a yearly basis at a minimum, though they could be as regular as twice a year as well. Unlike the certification auditor, who is concerned with documentation, the surveillance auditor mainly concentrates on implementation. Your organization must demonstrate compliance in its actions and not merely in theory.

What is an ISO auditor’s training?

The audit standards for ISO are controlled by the American Society for Quality (ASQ), applicable all over the world. For facilitating ASQ auditing standards, they host webinars and various other resources for members together with the International Conference on Software Quality (ICSQ). You should review your external and internal auditors' credentials to make sure that they are reviewing your policies and controls appropriately.

I hope this article helps you properly understand all the important details regarding ISO audits. To convince an auditor that your organization deserves to be certified, you must prove that you comply with all the standard clauses and demonstrate that you and your team understand the ethos behind the standard. As long as you prepare with these points in mind, you will certainly  succeed in getting your company certified.