Scared of the ISO auditor? Hope this would help
When an organization has implemented information security management system (ISMS) (or for that matter any ISO) as per the ISO 27001 clause requirements, they would engage a certification body (CB) for a formal assessment. The call for a body should only happen when the organisation has completed one cycle of Plan-Do-Check-Act and is confident that key risks are ‘managed’ and controls identified are implemented.
CBs have a panel of lead auditors who would undergo a formal internal certification process before they can take up such roles. Undergoing and passing the lead auditor course is the first step. Thereafter they have to undergo at least 20 audits (this differs based on accreditation/CB requirement). The ideal auditor is someone who has the necessary knowledge and expertise and more importantly can make a ‘judgment’ about the ISO 27001 compliance. The role is akin a judge of a court who is paid for judgment based on evidence, and nothing else. The principle followed is ‘not guilty’ unless proven otherwise.
There are primary three keywords associated with any certification process when an organization gets certified, ‘intent, implementation and effectiveness’. In a simplistic view, documentation (such a security policy) is ‘intent’, records (such as change management) are ‘implementation’ and ‘testing’ (e.g. fire evacuation drill) is effectiveness.
The auditor performs two stages of audit, initial audit stage 1 and initial audit stage 2. Initial audit refers the first year and subsequent year refers to surveillance audits. You get certified for 3 years subject to annual surveillance audits.
Stage 1 audit also known as documentation audit is aimed at documentation readiness. The simple logic is if you have documentary proof of compliance, you have the necessary ‘intent’. Stage 1 is especially aimed at management system requirements especially ISO 27001 clause 4 to 10 compliance evidences. A good auditor would spend substantial amount of time in understanding organisation specific assets, asset valuation methodology, risk assessment methodology and risk assessment records. Subsequently they take a physical round of the premise, and then other issues such as ISMS manual. They also wish to meet top management to understand the business alignment and benefit of ISMS for the specific organisation.
Typically stage 1 ends with a formal report and if there are findings that are not adequate he or she may raise ‘minor non conformity’ or ‘major non conformity’. Non conformity is an auditor lingo of stating ‘I am not satisfied with the evidence to a specific clause’ where the clause reference is made for the client to perform further root cause analysis (RCA) or implementation. Once the auditor is satisfied, stage 2 can begin which can be spaced anywhere upwards 7-10 fays for most certification bodies.
Stage 2 audit is aimed at ‘implementation and effectiveness’. Auditors look at evidence of implementation by looking at applications, network infrastructure, and more importantly security controls that prevent, and/or detect security events. They cover wide variety controls (they have ISO 27001 114 controls to verify on a sampling basis) which covers technical controls, physical security controls, human resources controls and procedural controls. Ideally they should spend more time in technical controls but this can vary depending on an auditors’ own comfort on a subject topic. A lot of time is actually spent on meeting and interacting people, as ‘people’ are the greatest ‘risk’ as most risk assessment will show.
Stage 2 ends with a closing meeting where the auditor would say ‘you are recommended’ a message that everyone is waiting to hear (including consultants like us :-)) that says ‘I did not find any non conformity’ and ‘ I am recommending my CB to issue a certificate’.
Subsequently every year an auditor arrives and checks for the validity of the compliance policies set on year 1. The subsequent year assessments are a combination of documentation and implementation and is generally focused on ‘what is new?’. In the subsequent year they wish to see whether the organisation is improving their ISMS or losing the grip. They are looking at business lifecycle changes and changes in risk values, latter should be seen decreasing from the first year (assuming everything else remaining the same in that organisation). Theoretically if the auditor is not satisfied, he or she can request the certification body to revoke the certification, which rarely happens in the industry.
Hope this helps. Let me know your reaction.