Audit = Worry
For many people the very word audit is enough to send them into cold sweats, however if your house is in order, so to speak, there is no reason for this to be the case. An external audit is a mandatory part of becoming certified at ISO 27001 standard. Part of attaining an ISO 27001 accreditation also obliges you to carry out your own, internal audits in order to ensure that the relevant standards of compliant are continuously met in your business.
What does an information security audit look like, in particular in regards to ISO 27001 certification?
ISO 27001 follows a three-step auditing process, which is the norm for information security standards, as well as other processes throughout the information technology sector. These steps are clearly broken down and defined so that any issues with non-compliance can be addressed prior to the next stage in the process of ISO 27001 certification.
Stage One: Your Documents
The first stage of ISO 27001 accreditation is an auditing of your documents. This will usually entail a rather informal visit from an external assessor to go through your existing paperwork, and assist you in adding any documents you need to in order to achieve the required level of compliance.
ISO 27001 contains a mixture of mandatory and optional measures. Obviously, the mandatory ones should be fully completed. Only the optional measures which are relevant to your business need be completed, however be prepared to write up more should the external auditor feel that you have not completed a certain one which would benefit your business.
Once all of your documents are in order and up to date, the auditor will leave and return for stage two.
Stage Two: The Audit Itself
This is a formal auditing of your business’ compliance to all of the mandatory guidelines, as well as your chosen optional ones, in ISO 27001. The audit will look to pick holes in your information security management system, and explore flaws which fraudsters and cyber criminals could potentially capitalise on. Take this stage for what it is, and appreciate any learning’s that come from it – you will get the opportunity to address any non-compliance.
Stage Three: Putting It Right And Certification
Stage three entails you carrying out any recommendations made by the external auditor, and providing evidence that these will be an on-going part of your information security processes.
Once these have been completed to satisfaction, you will be awarded the ISO 27001 certification.
Embrace the opportunities afforded by audits, and recognise how carrying out the necessary best practice to a high standard will leave you with nothing at all to worry about.
Iso27001standard provide resources, pdfs and video tutorials to help with implementing ISO 27001.