Sitting through the Stage 1 of a ISO 27001 certification audit is pretty daunting; even as a seasoned Information Security Management (ISM) professional.
Although often referred to as a ‘documentation review’ or ‘Desktop audit’, the auditor is there to review your documentation to establish whether your ‘Information Security Management System’ (ISMS) meets the requirements of ISO 27001:2013.
Getting this far is a culmination of hard work by the stakeholders for the best part of the year.
You can consider this a pre-certification ‘dress rehearsal’ audit, an opportunity for your organisation’s staff to be fully prepared for the big day.
Completed on-site, the auditor is seeking to determine whether your ISMS meets the minimum requirements of Clauses 4-10 and the 114 Annex-A controls of the ISO Standard and therefore, ready for a ‘full’ (stage 2) certification audit.
Stage 1 focusses on the operation of your ISMS and not necessarily on the detail of the technical work that support the Annex A controls selected.
Think of this as more of a ‘reconnaissance’ audit, the auditor is going to do a high-level review of the ISMS and establish whether you carry out an internal audit programme, and do management reviews take place, as well various other controls.
Some auditors however want to see at Stage 1 that the internal audits have actually been conducted, with corrective action being taken where identified as being necessary.
In conjunction with a management review this shows the auditor that the ISMS is effective.
Others would like to see a full cycle of audits to have been completed (if the ‘cycle’ is one internal audit every 6 months say, then programme it for early in the 3-month period and get it completed early).
As output from the ‘pre-assessment’ audit, the auditor will point out any areas of nonconformity (Major and Minor), observations and opportunities for improvement of the management system.
Non-conformities are used in 1st Party (Internal), 2nd Party (Suppliers, customers etc) and 3rd Party (external Certification bodies). They are a “tool” by which the auditor will be able to judge up to which level your management system is compliant with a standard.
In other words, the more non-conformities, the less compliant you are – and vice versa.
When preparing for the ISO 27001 certification, major non-conformities are your obvious worry. A major non-conformity (i.e. a failure to meet the requirements set out in the standard) may result in the organisation not being recommended for certification.
Taking into account the work you will have already carried out by this stage I hope this won’t be the case. If it is you should prepare corrective action for each area identified and make sure the remediation is complete in line with the timescale agreed too, but this will of course cost extra time, money and resources.
With the ISO 27001 stage 1 assessment behind you, roll on stage 2.
Alex Loane, Information Security Manager.
15 years experience as a Chartered Accountant working for a big 4 accounting firm, Deloitte and a leading high tech and fast growth semiconductor company in Wales.