MSECB


Ten tips for a successful ISO/IEC 27001 audit

Good preparation is essential to ensuring that an audit runs smoothly. But what exactly does good preparation mean? 

To shed some light on this question: the purpose of an ISO/IEC 27001 audit is to determine whether your organization is, as it claims, running a management system that conforms to the ISO/IEC 27001 requirements, and whether the technical and organizational measures in place are adequate to manage risk. The auditor’s task is to collect and evaluate objective evidence to determine whether your management system is effective.

That’s it.

However, understanding ISO requirements can be challenging. The reason might be that ISO/IEC 27001 has been written primarily for auditors rather than implementers. ISO/IEC 27001 has a Flesch readability score of 26, which means it can take up to 26 years of schooling to understand it easily.

Here are some tips to help you prepare for an audit:

1. Learn ISO terminology

The words used in ISO/IEC 27001 might sound like everyday language but frequently have their own ISO definition (e.g., “documented information” means more than just having a document). It is crucial to become familiar with ISO’s definitions of these terms. ISO 27000 and ISO 27003 are both excellent resources for this purpose.

2. Treat ISO 27001 as what it is: a catalog of requirements

ISO 27001 is not a cookbook with a step-by-step guide. Instead, it outlines what must be observed to manage information security effectively, but not the recipe for how to get there.

3. Limit documentation to what is necessary

Producing more documentation than necessary for running the ISMS can work against you in an audit:

  • The more you write, the more effort it takes to write and maintain it.
  • The more you write, the higher the chance that staff members will not read it.
  • The more you write, the higher the chance of inconsistencies.

To prevent possible problems, keep the documentation concise and include only the essential details.

4. Write intelligible policies that match top management intentions

Do not include anything in a policy or procedure you do not intend to follow – just because it sounds nice and you want to impress the auditor. The auditor will quickly identify any discrepancies, leading to negative consequences. Exceptions are allowed but they must align with the top management’s intentions.

5. Be explicit about what you want to achieve with the ISMS

You cannot eliminate all information security risks. You have a limited budget and priorities. Do not pretend you want to save the world (“Information security is of utmost importance, and we strive to eliminate all information security risk as far as possible”). Focus on achieving realistic security goals that will provide benefits worth the cost.

6. Processes first, documentation second

If you think that ISMS implementation mainly involves creating documentation, you might have a skewed view of what an ISMS entails. Think about which processes you need to manage security controls and how to get them running. Documents are meant for communication: to give the same information to a potentially unlimited number of people in parallel. A process and a documented description of a process are two different things. The document is a necessary artifact, not the target of implementation.

7. If it seems that ISO/IEC 27001 requires you to do something meaningless, consider that you have not understood it.

ISO/IEC 27001 is a logical framework that requires careful consideration of each requirement. The Statement of Applicability (SoA) is perceived as a tedious exercise. Many organizations create Excel sheets with the now 93 rows enumerating all ISO Annex A controls, stating that they are applicable and giving some generic justification like “best practice”, because that is their understanding of the requirement in clause 6.1.3. If you have produced the SoA like this, it is a meaningless exercise. But that is not the requirement. It is only a flawed implementation based on your current understanding.

8. Don’t ask the auditor to give advice

Certification auditors must not give consultancy to you while auditing. While this might sound like a customer-unfriendly rule, it is the opposite. As auditors are human, they are limited in what they know. What is gained if the auditor proposes a sub-optimal or even wrong solution, you implement it, and then the auditor checks whether you have done what they advised? If you want to be audited, hire an auditor. If you require consultancy, hire a consultant.

9. Don't leave spotting nonconformities mainly to the certification auditor

Eliminate all nonconformities before you present the ISMS to a certification auditor. It is mandatory to perform a proper internal audit and have top management review the ISMS. If you spot nonconformities, correct them – before the certification audit.

10. The name of the game is continuous improvement

Information security is messy because the world is messy. There is no discipline where you can achieve perfection. Perfection in information security is not only unaffordable, it is even theoretically unachievable. You do not need a perfect ISMS to pass the audit, but you need to have resilient ISMS processes in place that enable you to see where there is room for improvement – which will lead to new plans.

About Author

Friedhelm Düsterhöft, MSECB auditor for ISO 9001; ISO/IEC 20000-1; ISO/IEC 27001

Friedhelm Düsterhöft is a Managing Director at msdd.neT GmbH. He is an esteemed auditor with over 30 years of professional experience, specializing in governance, risk, and compliance (GRC). With a background spanning various industries, including critical infrastructure sectors like energy, telecommunications, and finance, Friedhelm has become a trusted advisor known for his ability to navigate complex regulatory frameworks and deliver comprehensive solutions.

Throughout his career, Friedhelm has held positions of increasing responsibility, offering valuable insights to organizations, and fostering long-term relationships built on trust and integrity. His expertise in conducting thorough assessments and communicating complex regulatory requirements has empowered organizations to establish robust governance structures and enhance operational efficiency.

Friedhelm aspires to mentor the next generation of auditors and contribute to the advancement of the profession. His commitment to staying updated with industry regulations and emerging compliance areas, such as data privacy and cybersecurity, reflects his proactive approach to addressing evolving challenges in today’s digital landscape.

Since joining MSECB’s auditors’ network in 2017, Friedhelm Düsterhöft has led numerous audits, including ISO/IEC 27001, ISO/IEC 20000-1, and ISO 9001 standards. His attention to detail and unwavering commitment to accuracy have earned him admiration from both MSECB and its clients.