Mathieu Briol is a qualified ISO 27001 auditor and subcontractor for several certification bodies (Certi-Trust, SGS, and Vinçotte).
After starting his career in networks and technical security, Mathieu began conducting security audits at Devoteam and then Deloitte. Since 2019, he has been working as an independent auditor and conducting ISO 27001 certification audits. He also provides consulting, training, and auditing services (outside of certification audits).
Good to know: each certification body has its own auditor qualification process. For each one, the expert must follow a procedure lasting around six months, comprising several training courses and practical cases: observing an audit and conducting an audit while being accompanied by a Lead Auditor.
The initial ISO 27001 audit
The initial audit is the first audit in a three-year certification cycle, consisting of the initial audit (year 1) and two surveillance audits (years 2 and 3).
Stage 1
This first stage usually takes place over one day. The auditor's task is to get to know the client, but also to carry out an initial assessment of the ISMS design and its associated documentation.
"Stage 1 will aim to ensure that the organization's management system has been properly designed. This means that it complies with the requirements of the standard, particularly in terms of documentation."
The main points of attention are as follows:
- ensure that the overall workload of the audit has been correctly assessed;
- verify the relevance and consistency of the scope of the management system to be certified;
- verify that the essentials of the standard are covered, in other words that the documented information the standard makes mandatory is present.
At the end of the day, the auditor indicates whether the client is ready (or not) to move on to Stage 2.
"If we identify significant gaps in the client's knowledge, there is no point in moving them on to the next stage: we explain that they are not ready, and it is then up to them to do what is necessary to come back later."
But even if the client seems ready, the auditor always provides them with a list of "areas of concern": elements that could potentially give rise to a non-conformity in Stage 2. The company then has 4 to 8 weeks to correct these points before the "real" certification audit.
Good to know: certification auditors are not allowed to give advice to auditees! All points of attention are formulated as observations; it is up to the company to find ways to correct them.
Stage 2
This stage can take between 2 and 25 days, depending on the size of the company and the scope. An audit can take up to 25 days for companies with more than 10,000 employees!
#1 The opening meeting
It all starts with the kick-off meeting: usually held by the audit team leader, its purpose is to provide a brief explanation of how the audit activities will be conducted. We review the audit organization, schedule, confidentiality management, overall logistics, etc. Everything must be clear to everyone before we begin.
#2 The heart of the audit
To conduct their audit, auditors use a variety of techniques: interviews, document reviews, system tests, visual inspections, etc., all with the assistance of the auditees.
"During the review, we will detail the mandatory and non-mandatory documents that are established within the framework of the ISMS. But we will also conduct interviews and system reviews with the auditees. In any case, everything is planned in advance: we know what will happen on a given day, at a given time... No surprises!"
Essentially, this involves ensuring that all the requirements of the standard (i.e., what is written in the text of the standard) are met. There are two distinct parts:
- Clauses 4 to 10, which set out the requirements for establishing, implementing, maintaining and improving the ISMS;
- Annex A, which contains a (non-exhaustive) reference list of security controls that can be implemented.
Good to know: the company is not obliged to implement every control in Annex A. Based on its risk assessment, it may decide to implement additional controls specific to its own situation. However, it must compare the controls it deems necessary (in relation to its security risks) against those in Annex A to ensure that nothing has been overlooked.
"As an auditor, you must also ensure that the security measures that the client said they would implement are actually implemented as specified in their statement of applicability—a mandatory document for the audit."
In order to implement the security measures it deems necessary, each organization may formalize a set of specific policies and procedures that describe its own requirements on a particular subject. For example, for logical access management, the organization may decide to formalize a logical access management procedure that describes precisely how an access request is handled. These requirements, specific to each organization and established to comply with the standard, also constitute audit criteria whose application must be verified.
"An example I often give to clients is: you have a procedure that says all your doors must be painted yellow. So I'll walk down the hallways and check to see if your doors are indeed painted yellow. And if I see that they're not, I'll note that as a non-compliance, because you're the one who decided to impose that requirement."
Based on the audit criteria, the auditor makes findings:
- major non-conformities (failure to comply with a requirement that poses a significant risk to the functioning of the ISMS);
- minor non-conformities (non-compliance with a requirement of lesser severity);
- strengths;
- opportunities for improvement.
"Obviously, everything is done on the principle of sampling: in 10 days, it's impossible to comprehensively audit an entire scope!"
At the end of each day, the auditor takes a few minutes with the auditee to review their findings for the day.
#3 The closing meeting
During this meeting, the auditor reviews all of their findings from the week. Based on what they have identified, they announce their decision to recommend (or not) certification.
Because yes: the auditor is not the one who directly awards the certification! They make a recommendation to the certification body, which reviews the report and then makes the final decision.
"In an initial audit, if the auditee has major non-conformities, they will not receive certification. If they have minor non-conformities, it will depend on the number and severity of these."
If the auditor identifies major non-conformities or too many minor non-conformities, all is not lost: the auditee then has approximately 90 days (the duration may vary depending on the certification body, but never exceeds 6 months) to resolve them, using action plans validated by the auditor. When the auditor returns, he or she will only recheck the non-conformities identified previously.
If the result is positive, the auditor changes their recommendation: the company can then be certified!
"In my experience, about 2 out of 4 companies obtain their certification on the first try."
The years following ISO 27001 certification
In the two years following certification, a "surveillance" audit is conducted each year. It represents approximately one-third of the workload required for the initial audit. As part of this audit, the auditor reviews the non-conformities identified the previous year and verifies that the approved action plans have been effectively implemented.
Once again, everything is very predictable: at the beginning of the cycle, the auditor identifies what will be audited in the following years.
In the fourth year, the "renewal" (recertification) audit takes place. It is largely the same as the initial audit, except that it does not include Stage 1, since we already know that the ISMS is in place.
Let's conclude with a few points raised by Mathieu.
"It is important to be aware that once the auditee has written something down, they must do it. Clients are often surprised by the level of detail that the auditor goes into: they imagine that we will simply read the documents, but in fact, the objective is still to look at the system in concrete terms.
We carry out IT checks, but also non-IT checks: since we examine all of the organization's activities that fall within the scope of the audit, we may meet with the human resources director or the marketing department. Everyone needs to be ready!
Sometimes it's better to be a little more modest and say to yourself, "It would be great to implement this requirement, but maybe we're not ready to reach that level yet." In the meantime, we'll define an intermediate level."
Thank you to him for his time and expertise!