ISO 27001 Audit Facts in 2023

Your ISO 27001 internal audit should meet the requirements set out in clause 9.2. This means selecting auditors who are impartial: people who were not involved in creating your ISMS, and who do not operate or monitor the controls they will audit.

Your organisation must pass both phase 1 and phase 2 audits successfully; this typically takes six months on-site.

Pre-Audit Phase

An internal audit is an integral component of ISO 27001 certification and should take place at least annually. It confirms that your information security management system satisfies the ISO requirements and identifies areas needing improvement, helping you attain and retain certification. A full internal audit reviews documents, policies, procedures, and controls against the standard to make sure they conform. It requires the active participation of department supervisors and employees, so that findings are accurate and any issues requiring follow-up are documented promptly and resolved efficiently.

At this phase of an audit, auditors interview departments, managers, and staff members in your organisation in order to gather information on your processes, systems, and internal control measures. This phase is essential in assessing whether your organisation meets ISO 27001 requirements and is ready for further audit phases. It is typically conducted by members of ISO 27001 audit teams, but some external providers also offer this service.

The second phase of an ISO 27001 audit involves on-site observations and testing to evaluate your organisation’s implementation of the requirements specified in Annex A. In this phase, auditors conduct document reviews, interviews with key stakeholders, and random data sampling to make sure business procedures are working efficiently.

Audits conducted during Stage 1 will also test the implementation of any preventive and corrective actions taken, to make sure they are being carried out as planned. For example, auditors might request backup logs from your organisation in order to check that backups are actually happening; failure to back up data regularly would constitute a nonconformity that could jeopardise your organisation's ISO certification status.

Phase 1

At this stage of an ISO 27001 audit, an extensive review is performed of your ISMS documentation, Statement of Applicability, and any internal audits you’ve conducted. An auditor also interviews key stakeholders and conducts an evidential audit on a sample basis to assess whether your business complies with ISO standards.

An auditor will also scrutinise security policies and procedures, including the examination of details like access levels, protection measures, and roles that comprise security controls. This process may last up to one week in its entirety.

Once completed, an auditor will provide a report to management outlining their findings and any non-conformities, which your organisation must correct to achieve compliance. Be mindful that major non-conformities could result in your certification being revoked if not addressed promptly.

Your organisation must conduct internal audits regularly in order to stay compliant; alongside the external audits required for certification, these internal reviews are what maintain compliance between certification visits. Audits are an integral component of an ISMS, and your internal auditors can identify areas for improvement that would enhance the effectiveness of your overall security measures, for example areas in which training should be strengthened to better protect sensitive information. Audits may be conducted by your own staff, by an outside third party, or as part of the surveillance and recertification processes of an ISO certification body.

Phase 2

After spending hours or days creating ISMS documentation, writing security and privacy policies, completing the Statement of Applicability, and gathering evidence of controls, it’s finally time for your initial certification audit. Here, an auditor will assess how effectively your ISMS has been implemented as well as whether or not it meets both internal requirements and ISO 27001’s.

An auditor may perform multiple walkthroughs during this phase of an audit to observe how your employees carry out processes and inspect relevant documentation. They will also review any areas of concern from the ISMS Design Review (Stage 1) to see if they have been addressed and confirm this in their audit report if needed.

As part of your audit preparations, it’s crucial that all documentation be in order. This includes internal audit reports, management reviews, improvement forms, training records, and supplier lists.

Once your documentation is reviewed and non-conformities addressed, an auditor will make a determination as to how best to continue with their audit. This includes identifying both major and minor nonconformities for inclusion in your report; major non-conformities will require acceptable corrective action plans as evidence prior to being issued a certificate.

ISO 27001 compliance shows customers that your company has a strong cybersecurity culture and is taking active steps against any emerging threats, which in turn increases trust with existing and potential new customers, opening the door for additional sales and revenue streams.

Phase 3

Once the documentation and internal audit phases have been successfully completed, an external ISO 27001 audit is essential to confirm effective implementation. This audit should be conducted by an impartial, accredited third-party company (a Certification Body, or CB) that holds its auditors to standards of ethics and integrity. An effective auditor should possess both the qualifications and the experience to evaluate your information security management system (ISMS) and confirm that it is operating effectively and efficiently.

CBs can conduct ISO 27001 audits both onsite and remotely, reviewing all documents accumulated up to this point as well as reviewing your organisation’s ISMS and controls using your Statement of Applicability to assess whether they meet ISO 27001 requirements. Usually this stage of an audit only needs to take place once, although repeat assessments within every three-year certification cycle are possible if needed to ensure compliance.

CBs also perform in-depth analyses of the information gathered during the document review and evidential sampling phases before producing an audit report. That report must then be shared with management for review and made visible to anyone who needs access to it, an activity required under clause 9.2d of the ISO 27001 standard.

After the CB completes an audit of your organisation, it will issue a report showing that you are ready for the final phase of the certification process. From here, your journey towards ISO 27001 certification begins; once certification is achieved, the CB must carry out ongoing surveillance audits throughout the three-year certification period in order for you to maintain it.

As your company moves towards certification, employees should be reminded to adhere to policies that instill habits such as locking their computers when leaving the office and adhering to a clean desk policy that requires any documents, USBs, or devices containing sensitive information to be stored safely. They should also be encouraged to attend security training courses that equip them with the tools and skills needed to protect the data of their company.

Once the stage 1 audit is complete and any nonconformities or opportunities for improvement (OFIs) are addressed, companies can move on to stage 2: the recertification audit. This involves an extensive examination of the documentation collected during stage 1, as well as checking whether preventive and corrective actions are working as intended.

An ISO 27001 recertification audit will examine whether your ISMS remains suitable and meets all the requirements of the ISO 27001 standard. For optimal results, schedule your recertification audit three to six months in advance to provide yourself with enough time to address any potential problems that may arise during certification renewal.

Selecting an experienced auditor for an ISO 27001 audit is crucial to its success. Most certifying bodies require auditors to demonstrate knowledge of ISO 27001 through formal education or certification programmes; some allow you to select an auditor with no formal background who nevertheless possesses sufficient skills for effective ISO 27001 auditing. Choosing a qualified auditor could save you money, increase your chances of passing your audit, and reduce the work required to keep your certification up to date.