With the ‘dress rehearsal’ stage 1 ISO 27001:2013 audit behind you, stage 2 is upon you all too quickly.
Following the stage 1 audit, you may still have further work to do. If the auditor found any major or minor non-conformances, observations or opportunities for improvement, you must, as a minimum, have put a corrective action plan in place. It’s unlikely that any auditor or auditing body would recommend you for certification with a major non-conformance still outstanding, so this ‘showstopper’ is where you should start.
A major non-conformance indicates an absence of, or a complete breakdown in, your Information Security Management System (ISMS) that prevents you from meeting the ISO 27001 requirements. It can also be raised when several minor non-conformances relate to the same process, or when a minor non-conformance hasn’t been resolved within the deadline specified on the corrective action plan mentioned above.
A further note of caution.
If you state that your ‘product’ is ISO 27001 certified but, in fact, your self-declared scope only covers the process or internal infrastructure, this could also be a major non-conformance.
If the major non-conformance was raised because there was no internal audit programme, or because no audit had taken place yet, the auditor will need you to put a corrective action plan in place. On the non-conformance report, you must show that internal audits (note the plural) have been carried out before the next audit. ISO 27001 clause 9.2 states that internal audits should be conducted at planned intervals, that the audit criteria and scope must be defined, and that the results must be reported to the relevant management.
The more evidence you can show, the more confidence the auditor will have in the program of work being demonstrated and showcased.
With this in mind, it is also prudent to review the internal audits at any planned senior management reviews.
After the work on non-conformances is underway, observations and opportunities for improvement (OFIs) should be tackled next. An observation or OFI could be a non-conformance waiting to happen, so doing some work now will prevent that from happening and save the auditor from investigating it further.
When all these observations or OFIs have been mitigated then the next step – in my opinion – is to go back through the ISO 27001 standard and check that clauses 4 – 10 have been sufficiently addressed by your Information Security Management System (ISMS) and also – more importantly – that you also have evidence to support this.
This documentation will take the form of internal audits, management review minutes, ISMS objectives, and the all-important information security policy. Showing evidence that supports clauses 4-10 is essential, as these are mandatory requirements.
Checking the list of Annex A controls is next.
You don’t have to apply all 114 controls if you can justify each exclusion, but remember that you should also record a justification for inclusion on each control you do apply.
In order to help you with the audit, I have a few hints and tips that I found useful:
- List all 114 Annex A controls in a spreadsheet with the control heading and the section e.g. A5.1.1 Policies for information security
- Add a column for the justification for inclusion or exclusion, and write a synopsis of your reasoning.
- Add another column listing the risk identifier of each risk for which you use that control. This helps to justify the inclusion of the control and links the documents together, so you can easily show the auditor the connection.
- Adding links to the policy will also help. The auditor will ask what policies and procedures you have associated with each section so by adding in the links this will help you find them, but again also give the auditor confidence that your ISMS is working.
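The spreadsheet described in the tips above is only useful at audit time if every row is complete and every cross-reference resolves. The following is an added example, not part of the original post, of a small checker that reads such a sheet exported as CSV and reports the gaps an auditor would spot: missing justifications, included controls with no linked risk or policy, risk identifiers that don’t exist in the risk register, and risks that no included control addresses. The column names, the CSV rows, the risk identifiers and the policy paths are all constructed for illustration; only the Annex A control numbers and titles follow ISO 27001:2013.

```python
import csv
import io

# Constructed sample: an export of the Annex A tracking spreadsheet.
# Columns are assumed names, not an ISO-defined format. Multiple risk ids
# or policy links in one cell are separated by ';'.
SAMPLE_CSV = """control_id,title,applicable,justification,risk_ids,policy_links
A.5.1.1,Policies for information security,yes,Required for every ISMS scope,R-001,docs/infosec-policy.md
A.6.2.1,Mobile device policy,yes,,R-002,docs/mobile-policy.md
A.11.1.5,Working in secure areas,no,No secure areas in scope: cloud-hosted service only,,
A.12.6.1,Management of technical vulnerabilities,yes,Patching of production hosts,R-009,
A.14.2.8,System security testing,yes,Pre-release testing,,docs/sdlc.md
"""

# Constructed sample risk register identifiers (hypothetical values).
RISK_REGISTER = {"R-001", "R-002", "R-003"}


def _split_cell(cell):
    """Split a ';'-separated cell into a list, dropping blanks."""
    return [item.strip() for item in cell.split(";") if item.strip()]


def load_rows(csv_text):
    """Parse the spreadsheet export into a list of dicts with typed fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "control_id": raw["control_id"].strip(),
            "title": raw["title"].strip(),
            "applicable": raw["applicable"].strip().lower() in ("yes", "y", "true", "included"),
            "justification": raw["justification"].strip(),
            "risk_ids": _split_cell(raw["risk_ids"]),
            "policy_links": _split_cell(raw["policy_links"]),
        })
    return rows


def check_rows(rows, risk_register):
    """Return (control_id, message) findings for rows an auditor would query."""
    findings = []
    for r in rows:
        # Every control needs a written reason, whether included or excluded.
        if not r["justification"]:
            findings.append((r["control_id"], "missing justification"))
        if r["applicable"]:
            # An included control should be traceable to at least one risk
            # and to the policy or procedure that implements it.
            if not r["risk_ids"]:
                findings.append((r["control_id"], "included control not linked to any risk"))
            for rid in r["risk_ids"]:
                if rid not in risk_register:
                    findings.append((r["control_id"], f"unknown risk id {rid}"))
            if not r["policy_links"]:
                findings.append((r["control_id"], "no policy or procedure linked"))
        elif r["risk_ids"]:
            # An excluded control that still cites risks is inconsistent.
            findings.append((r["control_id"], "excluded control still cites risks"))
    return findings


def uncovered_risks(rows, risk_register):
    """Risks in the register that no included control references."""
    covered = {rid for r in rows if r["applicable"] for rid in r["risk_ids"]}
    return sorted(risk_register - covered)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for control_id, message in check_rows(rows, RISK_REGISTER):
        print(f"{control_id}: {message}")
    print("risks with no included control:", uncovered_risks(rows, RISK_REGISTER))
```

Run against the constructed sheet, the checker flags the empty justification on A.6.2.1, the unknown risk and missing policy on A.12.6.1, the missing risk link on A.14.2.8, and reports R-003 as a risk that no included control addresses. Pointing it at a real export before the stage 2 audit gives you the same list of questions the auditor would otherwise ask.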
Although every organisation is different and therefore every ISMS is unique, the fundamental aspects of ISO 27001 are the same for everyone. Every ISMS is a working system with continuous improvement at its core, so if you prepare as much as you can before your stage 2 audit, that certificate should be hanging on your office wall very soon.