In the process of securing a business and achieving a full certification with ISO 27001, there are many different tasks that need to be accomplished, and many different people who need to be working towards achieving those tasks.
In fact, a key part of a successful certification and a passing audit is accountability. Different people will need to take on different roles and responsibilities, some of which are for the purposes of the audit, and others for ongoing security.
Two of the most important roles in the ISO 27001 process are the Lead Implementer and the Lead Auditor. What are the responsibilities of these roles, how do they differ, which do you need, and what do you need to know? Read on to find out.
BLUF - Bottom Line Up Front
In the ISO 27001 certification process, key roles include the Lead Implementer, who designs and implements the Information Security Management System (ISMS), and the Lead Auditor, who evaluates compliance. Auditors handle internal, third-party, and rare second-party audits. Implementers focus on policies, risk management, and continuous improvement. Both roles have distinct responsibilities but are crucial for achieving and maintaining certification. Choosing between them depends on goals; implementers focus on implementation, while auditors focus on evaluation.
What is a Lead Auditor?
As you might expect from the name, a lead auditor is the person in charge of conducting an audit to ensure compliance and a valid security posture as defined by the goals and controls outlined in ISO 27001.
A lead auditor steps in at different phases of the certification process, depending on your goals and needs. They may conduct partial audits or “casual” audits, effectively providing a baseline for a gap analysis to identify what work still remains to achieve ISO 27001 certification. Or, they may be the person in charge of leading the final certification audit or a recertification audit every three years to maintain your certification.
There are two primary kinds of ISO 27001 audits, as well as a third that may crop up, all of which will involve a lead auditor at the helm.
The first is a First Party Audit, also known as an Internal Audit. These are audits performed by your own company’s employees. In order to effectively perform these audits, you will need someone on staff who is trained in ISO 27001 auditing procedures. There are certification courses to achieve this, so you can have a lead security officer or chief security director achieve this certification; alternatively, you can hire someone who is already certified or even retain the services of a consulting firm to perform an internal audit on your behalf.
The second is the Third Party Audit, which is the external audit. This is what is generally referred to as the final certification audit, and it is quite expensive, time-consuming, and thorough. It cannot be done by someone on your staff; it must be performed by an impartial, unbiased, independent auditing firm. Unlike an internal audit, the external audit is authorized to issue the final certification. Audits performed by an external firm will be led by a lead auditor, just like internal audits, though they may be more detail-oriented and less inclined to let details slip in the process.
The third kind of audit is less common but can still happen. It’s the Second Party Audit, and it’s a sort of hybrid between internal and external audits. It’s performed by an external firm, but that firm is usually part of your supply chain, or a customer or contractor who would be working with you. Sometimes, potential partners want their own independent verification of your security posture. Other times, they may have additional requirements on top of ISO 27001, and their audit looks for these.
Second party audits are relatively rare when you’re just talking about ISO 27001, since a big part of the point of ISO 27001 is to provide an independent, trustworthy validation of a business’s security posture, so other people don’t have to perform their own analysis.
All three kinds of audits are, regardless of purpose or source, led by a lead auditor. In fact, any kind of audit for any purpose – financial, security, compliance, operational, forensic – will be directed by a lead auditor. It’s a high-responsibility role, especially for external auditing processes.
What Are the Responsibilities of the Lead Auditor?
The lead auditor is in charge of leading the audit. Simple, right?
To itemize the duties, a lead auditor will generally:
- Plan the organization and process for an audit according to the best practices and processes outlined in ISO 27001.
- Conduct the actual audit by guiding an auditing team to gather information and review documentation.
- Assess the level of compliance of your organization’s ISMS according to each of the security controls and required level of security, often as a checklist.
- Lead a team of auditors to ensure a coordinated and thorough auditing process of the whole business ISMS.
- Create a report for stakeholders, internal and external, to report the findings of the audit.
- Help the organization with an analysis of the gap between the audit results and an appropriate security posture, if necessary.
- In some cases, help the organization establish processes for continuous monitoring and ongoing improvement to ensure compliance not just now but as time passes and the world changes.
Training courses and a certification course are available to become a certified lead auditor in ISO 27001. It’s generally a very high-proficiency role and requires previous achievements and courses in ISO 31000 risk analysis and previous ISO 27001 certifications. In fact, one of the prerequisites for becoming an ISO 27001 lead auditor is passing the course for being an ISO 27001 lead implementer. So, what is the lead implementer, and what is their role?
What is a Lead Implementer?
If you think of ISO 27001 as being “homework”, the auditor is the teacher checking over the finished product to make sure it’s accurate, while the implementer is the person actually doing the task assigned to them.
The lead implementer is one of the most important internal roles in the ISO 27001 process. They are the individual responsible for leading the design and implementation of an organization’s ISMS from the ground up. That means they need to have a deep and detailed knowledge of the ISO 27001 security controls and the framework they fit into, as well as practical knowledge of how they are implemented in the real world.
Since ISO 27001 is not prescriptive – that is, it sets goals, not steps to follow – this role necessarily requires a high amount of critical thinking and analytical abilities. It’s also a leadership position, and requires being able to direct a team of implementers, as well as working with stakeholders and other teams who are responsible for different parts of an organization’s overall security.
Unlike auditors, there are not really variations on the lead implementer role. You don’t have internal and external implementations – though you could hire a consultant to lead your compliance. You would still need to have an internal stakeholder designated as your implementation lead, who can continue to maintain your ISMS once the consultancy is over.
What Are the Responsibilities of the Lead Implementer?
The lead implementer is a leader, a manager, and an architect. They need to have a deep knowledge of ISO 27001 in practical terms so they can apply it to your organization.
Their specific duties can include:
- Developing an organization’s ISMS from the ground up by evaluating the business and its processes, determining what elements of ISO 27001 apply, and building out a process for implementing them.
- Establishing and codifying the specific security policies and procedures for the organization, including employee training and behavior requirements, mandatory reporting rules, risk management and mitigation processes, overall security policies, threat mitigation, and disaster response and recovery procedures.
- Assessing risks, identifying risks that apply to the organization, and identifying how they can be dealt with or managed.
- Establishing a process of continuous monitoring and improvement to make sure that the ISMS never falters or is left to lapse and that changes in overall cybersecurity, the threat environment, the technologies, or the techniques involved in attacks are well-addressed.
- Building out employee training requirements and programs or obtaining third-party training systems that are effective at addressing the needs of the organization’s staff and security needs.
Of course, the lead implementer is not doing all of this on their own. They will generally be tasked with guiding and directing all of these tasks, but the actual ground-level work will be done by the staff and teams built for the implementation. The lead implementer is the manager of the whole process.
Often, the lead implementer is also the person tasked with interfacing with the organization’s stakeholders to report on the progress of building the ISMS and obtaining certification. They order internal audits, analyze the results, and make iterative changes until they believe the organization stands a good chance of passing the certification. They also work closely with the lead auditor to gather and process paperwork and other details necessary to achieve certification.
Like the lead auditor, the lead implementer is also a defined role that has its own training program and certification process. It’s considered a little less advanced than the lead auditor role – and is in fact a prerequisite for becoming a lead auditor – but it’s not an entry-level role itself. To become a lead implementer, an individual will need to take courses about risk management, particularly with ISO 31000.
Which is More Important: Lead Auditor or Lead Implementer?
The lead auditor and the lead implementer are two sides of the same coin. One creates and implements the ISMS; the other evaluates and approves it. The ISO 27001 certification process cannot function without both of them.
In terms of focus, the auditor verifies compliance, but the implementer is responsible for identifying what compliance means for the organization.
In responsibilities, the auditor assesses the ISMS and its function, and develops a report on it, while the implementer is tasked with designing it and implementing it in the first place.
Both roles require an analytical mind, a detail-oriented mindset, the technical and managerial knowledge to perform their tasks, and a deep understanding of what is contained in ISO 27001.
In a majority of cases, the lead implementer is an employee of the organization seeking ISO 27001 certification. An external implementer may not have the required knowledge of the organization’s business processes; an internal perspective is generally better. Conversely, the lead auditor is generally an external party and is usually tasked with performing the certification audits. While internal audits are important, they don’t actually require a certified lead auditor, since the requirements and stakes are a bit lower than for the external audits.
In many ways, the two roles are equivalent. The only way they aren’t equal is in the fact that the auditor requires lead implementer experience or training to take on their role, whereas the lead implementer does not need auditing experience for theirs.
Which Should You Have: A Lead Implementer or a Lead Auditor?
If your business is seeking to achieve full ISO 27001 certification, you will eventually need to engage both of these roles.
However, you generally won’t need to hire an auditor; in fact, your final audit cannot be performed by an internal staff member. It needs to be performed by an impartial third party to be valid.
As such, the lead implementer role is the one you will need to fill within your business. Other audits can be done more casually, or by contracting with an auditing firm temporarily for a lower-stakes internal audit.
If you’re an individual deciding which role you would like to take on, a lot depends on your goals and your professional interests.
- If you have a detail-oriented mind and prefer to analyze various unique situations, the lead auditor role is ideal for you. The auditor generally travels the country (or the world) and evaluates different business ISMSs every few months, so the challenges are always unique and varied.
- If you like designing systems and implementing security procedures, and you want to be very hands-on with a specific business – and if you want a more stable location and employment – the lead implementer is more likely to be the role for you.
Both roles require their own certifications, and both require starting by familiarizing yourself with ISO 27001 in general, as well as accessory documentation like the ISO 27002 best practices and the ISO 31000 risk management framework. If either role is your goal, these are a good place to start.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.