As the most well-recognized security certification around the world, ISO 27001 is a very popular – and fairly stringent – framework to adhere to.
If you’re a business operating anywhere in the world, and you want to achieve security levels that build confidence and open doors with customers and clients who value trust, ISO 27001 is a great option. It won’t let you work with the US Federal Government – you need a different framework for that – but it does let you work with thousands of other customers, agencies and entities around the world.
So, how can you go through the certification process? What do you need to do to achieve ISO 27001 certification? Let’s go through the process together.
Internal and External ISO 27001 Audits
First, let’s talk for a moment about the two types of audits: internal and external.
In order to achieve certification for ISO 27001 security, you need to pass an external audit. An external audit is conducted by a third party that is certified to conduct those audits, similar to a 3PAO in FedRAMP terminology. External audits must be passed to achieve certification.
External audits go through phases, as well. You have your initial audit for certification. Then, you have two surveillance audits, which are less stringent and meant to review your continued compliance with ISO 27001 standards on an ongoing basis. After the second year, you then have to go through a recertification audit, which is more stringent and similar to the initial certification audit.
In broad strokes, all of these audits are looking at the same things. Some, like the initial certification and recertification audits, simply dig deeper, require more proof and paperwork, and have higher standards for success.
Before you can even get to the external audit phase, however, you have to make sure your business is prepared. No third-party assessor wants to waste their time on a business that is nowhere near certification, so you are required to conduct and pass a thorough internal audit first.
An internal audit is very similar to an external audit in that it evaluates your overall security posture in terms of the various controls and security areas that ISO 27001 specifies. However, unlike an external audit, an internal audit is just that: internal. Your own company performs the audit (or hires a contractor on your own dime to do so, which is also common).
You are also free to complete routine internal audits however frequently you like as a form of internal verification, validation, and continuous monitoring to help smooth the process for annual surveillance and recertification audits.
What are the benefits of completing internal ISO 27001 audits?
There are several very good reasons to conduct internal audits.
The first, of course, is that it’s required as part of ISO 27001 clause 9.2. Clause 9.2 stipulates that:
- You must conduct internal audits at regular, planned intervals to monitor ISMS (information security management system) compliance.
- Your internal audits need to conform with ISO 27001 standards.
- Your internal audits must be planned, including how often they happen, what procedures take place, who conducts them, and how they are reported.
- Your internal audits must be well-documented.
- Your auditing team must be impartial.
- Your audit results need to be reported to relevant management.
- Auditing documentation must be retained.
If “you have to” isn’t a good enough reason, though, there are other benefits to performing routine internal audits.
- Internal audits promote strong security by identifying variance and noncompliance ahead of external audits or incidents.
- Internal audits allow you to evaluate your security posture in light of any new security risks that have developed since your last audit.
- Internal audits help ensure that your staff are all aware of their roles and responsibilities when it comes to security and what company policies are important to follow in the same regard.
- Internal audits help you identify weaknesses and areas where you can work on improvements to your overall security posture.
You are generally required to conduct an internal audit at least once per year, but you are free to choose exactly when you need to conduct it, and can conduct them more frequently if you wish. Some organizations conduct them every six months, some quarterly, and some even conduct them monthly, though this is rare due to how long they can take and how little tends to change in such a span of time.
How to Conduct an Internal ISO 27001 Audit
The process for conducting an internal audit for ISO 27001 compliance is, on the surface, simple. As with any security framework, however, the devil is very much in the details.
Step 1: Define your objectives
The first step is the least formalized of all of them: it is simply defining what you are trying to achieve with ISO 27001 certification. Specifically, you need to define which services, products, platforms, or other elements of your business you want certified.
This is important because you don’t need your entire business to be certified. You might, for example, have a consumer-grade version of your service and a commercial version and only seek certification for the commercial version. That said, you’re already doing most of the work; unless there’s a significant division behind the scenes, it’s often easier to certify all of your services.
It’s also helpful to obtain a copy of the ISO 27001 documentation (which costs about $150 USD) and potentially retain the services of an ISO 27001 consultant to help you through the process.
Step 2: Define the scope of the internal audit
ISO 27001 has 14 domains, which are similar to the control families that NIST defines for FedRAMP and other compliance efforts you may be more familiar with if you’ve worked as a federal contractor in the past.
The 14 domains include:
- Information security policies
- Human resource security
- Access control
- Physical and environmental security
- Operations security
- Supplier relationships
- Information security aspects of business continuity management
- Organization of information security
- Asset management
- Cryptography
- Communications security
- System acquisition, development, and maintenance
- Information security incident management
- Compliance
The first task in scoping the audit is to go through all of these domains and all of the individual controls within them and define which apply to you. You will need to create a statement of applicability (SOA) to record which apply and which do not. This prevents you, your consultants, and your future auditors from spending time evaluating security controls that aren’t relevant or applicable to your business.
You will also need to define and develop your team for internal auditing. This might include an audit consultant, a third-party auditing organization that is different from the organization you use for your external audits, or a dedicated internal team that is empowered to gather information and make impartial judgments.
Step 3: Collect evidence and develop documentation
The third step of the process is to gather all of the information, evidence, and documentation that will be necessary for the audit. There are a lot of possible pieces of evidence and documents you will need, including:
- Your statement of applicability and definition of scope.
- Your high-level organizational information security policy.
- Management review meeting minutes.
- Gap analysis results and corrective action reports.
- Your business continuity policy.
The most important document you will need, though, is your risk assessment and treatment plan. This is an internal analysis of your assets and systems aimed at identifying the risks to each element of your security and the likelihood of a fault there, as well as what the impact of that fault would be in an incident.
From there, you identify what the ideal security posture would be and perform a gap analysis across the board to figure out how far from “ideal” security you are. The results of this gap analysis are part of your overall evidence and are also part of the roadmap to achieving full compliance.
Finally, you need to identify the route you need to take – what policies and changes need to be implemented – in order to close that gap.
Step 4: Perform and report on your internal audit results
Next up, you need to perform your full internal audit with all of the above in mind and document it every step of the way. You will create a report on the results of the audit, which will identify where your current security lies and how to achieve full compliance from the state you’re currently in.
An internal audit report should generally include an introduction that summarizes the overall scope, timeline, and objectives of the audit. It should have an executive summary with key findings and guidance on who should review the report. Depending on your business, you may also need to specify some or all of the results as classified information. Finally, it should also include the detailed findings of the audit, along with recommendations on corrective actions to take to fix any issues uncovered in the audit.
Step 5: Audit reporting and management review
A critical step is to present the audit reports to the management in charge of security and compliance.
It is their job to read the report and evaluate what changes need to be made, develop policies and implement strategies to achieve compliance, and put it all into action.
Step 6: Improve and repeat the process
At the end of the audit, you have the opportunity to implement changes and fix gaps in your security posture. If you fail the internal audit, you certainly won’t pass an external audit or achieve certification, so it’s not worth trying.
Instead, focus on making changes and improvements, including employee awareness, training, process hardening, better encryption, and anything else that needs to be adjusted. Depending on the scope of your business, of your service or product, and of your security as it stands, this might be a relatively small change, or an immense overhaul.
This is also a good time to set up continuous monitoring if you don’t already have it. Continuous monitoring using a platform like the Ignyte Platform to aggregate documentation will make it easier to collaborate and make improvements by removing the need to use siloed software. It can also make future audits easier by maintaining your documentation in one secure location.
Finally, if you think you have closed the gap, you can repeat the audit process and generate a passing report. Once this happens, you can proceed with the process to an external audit.
External Audits and ISO 27001 Compliance
The external audit process is very similar to the internal audit process but is framed differently.
It begins with an overview of your ISMS design and the scope, scale, and objectives of your security. Rather than developing these, however, the external auditor is evaluating them for relevance, comprehensiveness, and accuracy. If gaps are found, they are evaluated in terms of critical or non-critical issues. You are generally given an opportunity to fix any of these before proceeding to stage two.
Once this process is complete – and assuming you pass – you proceed to stage two. Stage two is the full audit process, where your security controls and processes are evaluated. Variance and problems are categorized as observations, opportunities for improvement, minor nonconformities, or major nonconformities. This is the most detail-oriented phase of the audit and analyzes your security inside and out.
If you pass this phase of the audit, you can then proceed to certification. The certification process begins with a closing meeting presenting the results of the audit. If you’re close but not quite ready for certification, you may be able to address an immediate corrective action plan and proceed; if you’re too far from success, though, you will need to start over.
Finally, if you are declared certifiable by the auditor, your results are sent to the certification body, which will perform a final overview and either grant or deny certification.
Certification lasts for three years. During this time, you will have surveillance audits reviewing around 50% of the security controls each year. In the third year, you will have another full audit to recertify. Internal audits are also required along the way and help you ensure that you’re primed for recertification without issues.
Then, when you’re done, your ISO 27001 certification will be complete, and you can proceed with any business partnerships, governmental contracts, and other relationships that are now open to you. Alternatively, you can use this strong security basis to roll into additional certifications using other frameworks.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.