Culture ISO27001 ITSM Ops

Delivering ISO27001 — Part 4 of 4 — The Audit

In the last blog post I covered the things you need to spend time on to get yourself into good shape, ahead of your ISO27001 audit. That post was a long boi. This one should take you a little less time to read. 😎

Not read the last post yet? You should do that immediately!

Caught up? Good! Today let’s cover off what to expect during your ISO27001 audit. Including, “it’s OK to be nervous”, “make your life easier” and “don’t be a dick”. Are you sitting comfortably? Then I’ll begin.

The big day

On the first day of the audit, you’re probably going to be nervous. I know I usually am. I normally end up thinking;

Have I missed something?

What if the x process isn’t well documented enough to pass the audit?

What if I get a terrible auditor who is really picky?

I still do this now, after multiple ISO27001 audits. I want you to know that this is normal. This nervousness is rational. By this point, a huge amount of work has gone into being prepared for the audit, so why wouldn’t that raise your blood pressure a bit?

It’s important to remember that you would not be in the position to be audited if the auditors didn’t think you were ready for it. At this point, they’ve conducted the Stage 1 audit and made their decision to press on with the Stage 2 audit, based on the information they’ve seen so far. So listen to your head, not your heart here. You got this, boo.

The Audit Process

The audit involves auditor(s), auditing (shock) the controls you’ve previously committed to in your statement of applicability. If you have office space(s), the auditors will also want to view the physical controls you have in place in those.

🦠 Due to the COVID-19 pandemic, instead of attending your office or datacentre physically, you will be asked to record a video of your physical controls (such as secure media storage and access control systems) for the purpose of the audit.

The audit process could go on for days or even a week. This is entirely dependant on what’s included within your ISMS scope.

Think about the polar bears

I’ve supplied evidence for audits in a few different ways. You might prepare all of your policies in a “pack” and hand that over to your auditor, or you might join us in 2020 and use an evidence management system for this. 😜

The issue with a physical, printed pack of documentation, is that it’s labour-intensive to put together and as soon as you have it, it’s pretty much out of date.

I like using TugBoat Logic for evidence collection. Auditors log in, review uploaded policies, review your evidence, in real-time, and can ask questions. This is especially useful for remote audits (“new normal” buzzword bingo alert). In our last audit, we simply screen shared and reviewed the evidence together. No printing. No additional work.

Another benefit of using an evidence management system is that as soon as you update or publish your polices, they’re there and ready for your auditors to review. The documentation shared with the auditor, is always the latest version. Super nice.

FYI Tugboat Logic doesn’t pay me for this, their system is just really good!

Friends. BE NICE.

Being an auditor must be difficult. They generally have a terrible reputation for being mean or difficult. It’s not a job I think I could do easily. Having to consistently give people feedback that they might not want to hear, must be difficult. I can imagine that it’s a pretty thankless task at times, too!

However, all of the auditors I’ve worked with so far have been great people. They have been helpful, generous with their time, and generous with their advice. They’ve been partners, parents, and people with lives outside of their role. So, please remember that. Your auditors, are people just like you. They don’t want an adversarial or combative engagement with you. They are the experts on this subject and they’re in a position to help you.

It’s completely up to you how your audit and engagement goes. Try not to take anything personally. An auditor’s goal is to assess your ISMS (not you!) and give you the information to make it a better version of the state they found it in. So don’t be defensive, keep an open mind, and you take that help with both hands.

This fox just passed his ISO27001 audit. Mmm mm mmmmm.
This fox just passed his ISO27001 audit.

After the audit

On the last day of your audit, your auditors will arrange a review meeting to discuss how the audit went, and the outcome of your audit.

The outcome will be broken down into major nonconformities, minor nonconformities, and advisory actions.

Major nonconformities — If a policy or control defined within the ISO27001 standard is not implemented, you will not pass your audit. But don’t panic, you get six months to resolve major nonconformities.

Minor nonconformities — If you are practicing a control, but don’t perhaps document every single aspect of this, that could be classed as a minor nonconformity. Or if you back up your data, but for some reason miss a day, that would be classed as a minor nonconformity. Many nonconformities, could add up to be a major nonconformity. These are recorded on your ISO27001 report.

Advisory actions — Advisory actions are things you could do better to meet or exceed the ISO27001 standard.

All being well, you will recieve your ISO27001 certificiation within 2–4 weeks!

And here we end

And here we end the whistle-stop tour of the former mystery known as ISO27001. I’ve enjoyed writing these posts and I hope that you’ve learned a thing or two, too! ISO27001 isn’t difficult, nor is it a dark art. It’s a scientific process and the information you need is readily available to you.