Scared of the ISO auditor? After reading this blog, hopefully you will be less scared.
When any organisation implements ISO 27001 information security management system (ISMS) (or for that matter any ISO) they would engage a certification body (CB) for a formal assessment. The call for a body should only happen when the organisation has completed one cycle of Plan-Do-Check-Act and is confident that key risks are ‘managed’ and controls identified in the risk assessment are implemented.
CBs have a panel of lead auditors who would undergo a formal internal certification process before they can take up such roles. Undergoing and passing the lead auditor course is the first step. Thereafter they have to undergo at least 20 audits (this differs based on accreditation/CB requirement). The ideal auditor is someone who has the necessary knowledge and expertise and more importantly can make a ‘judgment’ about the ISO 27001 compliance. The role is akin a judge of a court who is paid for judgment based on evidence, and nothing else. The auditor makes a judgment based on the principle of ‘not guilty’ unless proven otherwise, where prove equates to evidence of ISO 27001 clause wise implementation.
There are primary three keywords associated with any certification process when an organization gets certified, ‘intent, implementation and effectiveness’. In a simplistic view, documentation (such a security policy) is ‘intent’, records (such as change management) are ‘implementation’ and ‘testing’ (e.g. fire evacuation drill) is effectiveness.
The auditor performs two stages of audit, initial audit stage 1 and initial audit stage 2. Initial audit refers the first year and subsequent year refers to surveillance audits. You get certified for 3 years subject to annual surveillance audits.
Stage 1 audit also known as documentation audit is aimed at documentation readiness. The simple logic is if you have documentary proof of compliance, you have the necessary ‘intent’. Stage 1 is especially aimed at management system requirements especially ISO 27001 clause 4 to 10 compliance evidences. A good auditor would spend substantial amount of time in understanding organisation specific enterprise context, key information, assets, asset valuation methodology, risk assessment methodology and risk assessment records. Subsequently they take a physical round of the premise, and then start their audit journey. They also wish to meet top management to understand the business alignment and benefit of ISMS for the specific organisation.
Typically stage 1 ends with a formal report and if there are findings that are not adequate he or she may raise ‘minor non conformity’ or ‘major non conformity’. Non conformity is an auditor lingo of stating ‘I am not satisfied with the evidence to a specific clause’ where the clause reference is made for the client to perform further root cause analysis (RCA) or implementation. Once the auditor is satisfied, stage 2 can begin which can be spaced anywhere upwards 7-10 days for most certification bodies.
Stage 2 audit is aimed at ‘implementation and effectiveness’. Auditors look at evidence of implementation by looking at gap closures from stage 1. In this the focus is assets and controlling processes. They cover applications, network infrastructure, and more importantly security controls that prevent, and/or detect security events. They cover wide variety controls (they have ISO 27001 114 controls to verify on a sampling basis) which covers technical controls, physical security controls, human resources controls and procedural controls. Ideally they should spend more time in technical controls but this can vary depending on an auditors’ own comfort on a subject topic. A lot of time is actually spent on meeting and interacting people, as ‘people’ are the greatest ‘risk’ as most risk assessment will show.
Stage 2 ends with a closing meeting where the auditor would say ‘you are recommended’ a message that everyone is waiting to hear (including consultants like us :-)) that says ‘I did not find any non conformity’ and ‘ I am recommending my CB to issue a certificate’.
Subsequently every year an auditor arrives and checks for the validity of the compliance policies set on year 1. The subsequent year assessments are a combination of documentation and implementation and is generally focused on ‘what is new?’. In the subsequent year they wish to see whether the organisation is improving their ISMS or losing the grip. They are looking at business lifecycle changes and changes in risk values, latter should be seen decreasing from the first year (assuming everything else remaining the same in that organisation). Theoretically if the auditor is not satisfied, he or she can request the certification body to revoke the certification, which rarely happens in the industry.
Hope this helps. Let me know your reaction.