“What is an ISO Audit?” This question arises most often with companies just starting their compliance journey. The ISO/IEC 27001 standard often feels insurmountable for organizations. The sheer size of the standard and its risk-based nature makes preparing for the ISO audit overwhelming in terms of documentation. To help prepare you, our primer below explains what an ISO audit is and how you can best manage the requirements of getting certified.
What Is ISO?
ISO stands for the “International Organization for Standardization.” In 1946, delegates from 25 countries congregated at the London’s Institute of Civil Engineers with a mission to coordinate industrial standards.
Currently, ISO’s members represent 162 countries forming 778 technical committees and subcommittees.
Today, the ISO quality assurance standards cover everything from manufacturing to data storage. They provide organizations with strategic tools that keep businesses competitive and productive.
What ISO Standards Apply to Information Security?
ISO/IEC 27001:2013 standardizes an Information Security Management System (ISMS). Unlike other standards such as PCI DSS, ISO 27001 bases its controls on risks rather than prescriptive measures. This risk-based approach allows a variety of organizations to and industries to apply ISO 27001. For example, commercial, government, and non-profits may all choose to comply with ISO while its flexibility means that markets ranging from banking, defense, healthcare, and education can also leverage it.
This flexibility makes it one of the most utilized information security standards. Moreover, ISO/IEC 27001 lists a series of controls in Annex A that acts more like a menu creating a choose-your-own-adventure style approach to security. These extended control sets offer management the option to avoid, transfer, or accept risks rather than mitigate them through controls.
What Is An ISMS?
A company’s ISMS is its policies and procedures for protecting sensitive data. An organization’s ISMS should address not only data and technology but also employee behavior. For example, employee security awareness and password protection awareness should be part of the overarching data protection corporate culture.
While ISO/IEC 27001 specifies creating an ISMS, it only offers suggestions for actions rather than requiring specific activities. Some of these ideas include internal audits, continual monitoring, and corrective or preventative measures.
What Is ISO Certification?
ISO certification requires meeting compliance as well as audit standards. Being certified means that an external certification body has reviewed your ISMS and determined that it complies with all the needed requirements.
The simple steps hide the complexity of certification. In short, certification requires a gap analysis, formal assessment, implementation, and audit.
Performing a gap analysis means reviewing the controls chosen for different standards and ensuring that you have met the needs for ISO/IEC 27001 in the process. For example, an organization may want to follow both the NIST framework and be PCI DSS compliant. While these overlap in some areas, they diverge in others. Assuming that your organization’s compliance with these meets ISO/IEC 27001 recommendations may leave you with a gap should you not review all the controls needed.
Once you complete the gap analysis, then you can create a formal assessment that incorporates not only the risks previously mitigated but determine whether to accept, mitigate, or transfer additional risks located.
The implementation process requires creating the policies and procedures that put new controls in place. This process can be time-consuming if your gap analysis notes several significant areas to be included and if your risk assessment determines that your company wants to control and mitigate numerous new risks rather than accept or transfer them.
Finally, the ongoing monitoring requirement of ISO/IEC 27001 required audits. Audits mean documentation which implies the time spent gathering the documentation.
How Long Does It Take to Become ISO Certified?
The short answer to this question is the one no one wants to hear, “it depends.”
Your organization’s current compliance stance and current controls dictate the speed at which you become ISO certified. The certification process can take anywhere from five months to twenty-four months. However, this time frame relies on whether you’re planning to get certified quickly, cheaply, or well.
What Is An ISO Audit Checklist?
An ISO audit checklist offers an easy way to get an overview of your current compliance stance. This questionnaire guides auditors and focuses them on the areas needing testing. For organizations trying to begin an ISO certification process, the audit checklist can be one of the most effective tools.
The audit checklist incorporates a review of policies, asset inventories, plans, and implementations of those policies, procedures, and plans. Moreover, the list guides auditors to review management’s responsibility for review and ongoing monitoring of the controls. From there, the checklist will guide the auditor through the process of ensuring that physical and electronic access is appropriate to the ISO standard.
What Is An Internal ISO Audit?
The ISO certification and audit process require that organizations incorporate internal audits as part of the ongoing monitoring requirement.
Internal audits act as good business practice. While the internal auditor should be separate from the process being evaluated, the person may be a corporate employee or an independent contractor. Often done throughout the year, internal auditors identify potential weaknesses and offer suggestions before the external auditor’s review. The internal auditor also tends to understand more intimately the individual company rather than hold the company solely to an external standard.
What is an ISO Certification Audit?
A certification audit determines whether your organization has aggregated the documentation, records, processes, and controls needed for being ISO/IEC 27001 certified. The auditor compares the documents against the daily activities to ensure that your organization is not only compliant with the standard on paper but also in practice.
Certifications last three years, but during that time, the organization wants to ensure that you remain compliant instead of just putting on a good face for a single visit.
What Is An ISO Surveillance Audit?
A surveillance audit is a review in between certifications. These audits occur annually, at a minimum, but may be as regular as twice in a year.
The surveillance audit focuses more on ensuring that organizations maintain a level of care over their ISMS. For example, if the certification auditor noted a weakness or a nonconformity during the initial certification audit, the surveillance auditor will review to ensure that management addressed the concerns.
Unlike the certification auditor who focuses on documentation, the surveillance auditor focuses on implementation. Your organization needs to show compliance in its actions, not just its words.
What Is An ISO Auditor’s Training?
Unlike IT security audits or Sarbanes-Oxley 404 audits where the American Institute of Certified Public Accountants (AICPA) governs auditors, the American Society for Quality (ASQ) controls the audit standard for ISO.
To facilitate ASQ auditing standards, they offer webinars and other resources for members in conjunction with the International Conference on Software Quality (ICSQ). To ensure that your internal and external auditors are appropriately reviewing your controls and policies, you should be reviewing their credentials.
How Can Automation Help You Be ISO Certified and Compliance?
ZenGRC’s pre-loaded content includes ISO 27001. Once our GRC experts onboard your organization, you have access to content that helps you map your controls across multiple standards.
When managing your compliance with shared drives or spreadsheets, seeing the overlaps and gaps in your compliance can leave you cross-eyed. ZenGRC’s SaaS compliance platform allows you to map your controls and then perform a gap analysis so that you can view the remaining work and manage your timeline better.
Finally, our platform provides a single-source-of-truth giving you one-click access to the documents the audit checklist requires for a successful audit.
Although an ISO audit without any ISO audit software to help you may seem overwhelming, with the help of ZenGRC’s automation, you can become compliant faster, more efficiently and with a lot less hassle.
Want to see what the buzz is all about? For more information on how ZenGRC can help your ISO certification process, schedule a demo.