Achieving ISO 27001 certification is an important and stressful process for organizations wishing to demonstrate their commitment to information security.

The certification process for ISO 27001 comprises two key stages: the Stage 1 audit and the Stage 2 audit.


Stage 1: Preliminary audit

The Stage 1 audit, often referred to as the “document audit” or “preparation review”, is designed to assess the company’s readiness for the certification audit.

This involves reviewing Information Security Management System (ISMS) documentation to ensure that it complies with ISO 27001 requirements.

It is at this stage that the auditor validates that the minimum is in place, so as not to waste time – both his own and the customer’s – by finding major non-conformities and ending the audit with a large bill for the customer.

Main activities

  • Documentation review: Verification of the security policies, the scope of the ISMS, whether a risk analysis has been carried out, and the procedures in place.
  • Assessment of understanding: Discussions with staff to ensure they understand the requirements of the standard and their role in the ISMS.
  • Gap identification: Discover any gaps or areas for improvement before moving on to Stage 2.

Example for an SME

Let’s imagine an SME specializing in software development. During the Stage 1 audit, the auditor examines its documentation.

If he finds that the risk assessment is not sufficiently detailed, or that certain procedures are not documented, he will flag this up as an area for improvement before the Stage 2 audit.

The organization still has a few weeks to put things right.

How to prepare for Stage 1

  • Complete documentation: Ensure that all policies, procedures and risk assessments are well documented and up to date.
  • Staff awareness: Train employees in ISO 27001 requirements and their role in the ISMS.
  • Internal audit: Carry out an internal audit to identify and correct any shortcomings before the external audit.

Please note – This stage only takes place in the first year of certification. Years 2 and 3 are surveillance years.

Year 4 starts another three-year cycle and is called the “Recertification” year. Only a Stage 2 audit is carried out, as in year 1.


Stage 2: Certification audit

The Stage 2 audit is an in-depth assessment of the implementation and effectiveness of the ISMS.

The aim is to confirm that the company’s practices comply with documented policies and procedures, and meet the requirements of ISO 27001.

Main activities

  • On-site verification: Direct observation of operations to ensure that security controls are in place and operating as intended.
  • Staff interviews: Discussions with employees to assess their understanding of security procedures and their day-to-day application.
  • Record review: Analysis of documented evidence, such as incident reports, internal audit results and management reviews.

Example for an SME

Let’s take the example of our software development SME.

During the Stage 2 audit, the auditor may check that access controls to development servers are effectively applied, that employees follow incident reporting procedures, and that regular security reviews are carried out.

If non-conformities are identified, they must be corrected before certification is granted.

How to prepare for Stage 2

  • Effective implementation: Ensure that all policies and procedures are not only documented, but also consistently put into practice.
  • Evidence gathering: Keep detailed records of information security activities, such as incident reports and management review meeting minutes.
  • Continuous improvement: Be ready to demonstrate how you monitor, measure and continuously improve the effectiveness of your ISMS.

In this other article I discuss why companies fail their audits.
