ISO 27001 - The Audit Procedure
Overview
Having implemented an Information Security Management System (ISMS) in accordance
with ISO 27001, the next step towards certification is to complete a questionnaire
and return it to us. We need this information to understand the main elements
of your business and how the security of information may affect it. The questionnaire
also helps us identify the correct knowledge, expertise and time needed for
the audit. Following receipt of your questionnaire we will send you a detailed
quotation.
Quotation
This gives you the cost of the audit and details of what to do next if you would
like us to carry it out. An ISO 27001 audit is carried out in two stages.
Stage 1 Audit
This usually takes place at your premises.
During this stage we review your documentation to see whether you have considered
and covered everything applicable to your business and have addressed all the
requirements of the standard. We evaluate the risk assessment method you have
used and the conclusions drawn from it. We examine the Statement of Applicability
(SoA), the justification for any exclusions and the methods used to monitor the
risks. We also look at how your ISMS addresses continual improvement.
An important function of Stage 1 is therefore to identify any oversights or
omissions in how the requirements of ISO 27001 have been interpreted. A report
of any shortfalls identified is left with you; these should be addressed before
the Stage 2 audit.
The Stage 1 audit also provides a good opportunity to produce a plan and audit
schedule for Stage 2 and to agree a convenient date for it.
Stage 2 Audit
We audit on-site practice and records to confirm that they comply with ISO 27001
and with your own information security management system.
During the audit we:
- Follow audit trails, paying particular attention to the risks identified and
the control objectives determined for them. We aim to establish that there is
evidence that the ISMS is working in practice, not only on paper.
- Look at responsibilities at all levels of the organisation, communications
and controls within and outside the organisation, the monitoring of incidents
and any resulting actions for continual improvement.
We identify opportunities for improvement. Where necessary we raise
non-conformance reports and, where problems are found, agree corrective actions
and timescales with you.
At the close of the audit the Lead Auditor will leave their recommendation with
you.
Certification
Following the audit, the auditor’s report is reviewed by the certification
review team. We also review the corrective actions you have implemented
to resolve any non-conformances raised. On satisfactory completion of these
two activities a certificate will be issued.
Surveillance
ISOQAR's certification is valid for a period of three years and is monitored
at regular surveillance visits by a registered auditor with information security
experience. All visits to your company are by appointment, ensuring that the
relevant personnel are available.
Please note that all audits are performed on the basis of limited sampling. If
no discrepancies are found during an audit, that is not a guarantee that none
exist.
Extension to Scope of Certificate
Amendments or extensions to the initially certified scope can be undertaken if
an organisation wishes to introduce new processes or alter existing ones.
Questionnaires for obtaining a quotation for this are supplied on request.
Logos
Following certification your company can display the ISOQAR
shield of approval. If your company operates within ISOQAR's accredited scope
you can also display the UKAS Accreditation Mark (often referred to as the 'Crown
and Tick').
Rules for Appeal
If an audit results in a recommendation not to approve registration to the
standard (or, at a later stage, if you are notified that a certificate is to be
withdrawn), a written appeal may be sent to the Chief Executive of ISOQAR.
All appeals are heard by an Appeals Panel selected from the Governing Board.
Your company has the right to object to any member of the chosen panel, in which
case the Governing Board will select a different panel. If the appeal is upheld,
the findings of the auditor are overruled. If the auditor is found to have been
correct, your company will be required to pay for a partial or full re-audit and
for the cost of the appeal.
Such appeals are exceptionally rare.
Additional Information
Integrated Management Systems
We are pleased to audit integrated management systems, provided that all the
relevant requirements of ISO 27001 have been covered.
Integration has some clear advantages: it can mean having just one document
control system, one management review and one round of internal audits covering
any number of standards.
There are of course some items that are only included in
one of the standards. For example, communication with interested parties is
currently only a requirement of ISO 14001 (the environmental standard).
Where integration is possible, care must be taken that the combined system or
activity does not favour one standard over another. For example, combined audits
for ISO 9001 and ISO 14001 need to ensure that both the quality and the
environmental areas are audited and reported on.