Background to ISO 27001
ISO 27001 is an information security management system (ISMS) Standard which, along with ISO 27002 (Code of Practice), provides the best means of identifying and implementing appropriate and effective controls to protect an organisation’s important information assets and demonstrating to your internal and external stakeholders and other interested parties your commitment to information security.
When implementing ISO 27001, organisations must follow a process of continual improvement and assure themselves that the controls they have implemented are working as intended. A key activity is performance evaluation, which includes the auditing and review of the management system and the implemented controls. The auditing process is an ongoing activity for every organisation which has achieved and is looking to maintain certification and in fact, should be adopted irrespective of certification.
Challenges Associated with ISO 27001 Auditing
One of the biggest challenges faced by organisations when it comes to auditing, is ensuring that you have sufficient and suitable resources. Auditors need to have sufficient skills and knowledge to conduct effective audits. This very often means that they need to be able to audit a number of specialist areas (e.g. IT, legal, HR, production areas) or may need to visit geographically diverse locations. The auditors need to, not only be available to travel, but also be able to demonstrate a level of independence from the area being audited. The people most likely to have sufficient knowledge, and therefore, assuming they also have audit skills, be the most appropriate auditors, often have a conflict of interest and may not be able to conduct the audit. There is also the additional burden of conducting audits of third parties who form part of the supply chain.
URM’s ISO 27001 Auditing Services
Having been involved in over 150 certification projects, we have gained extensive experience in assisting organisations develop effective and reliable internal audit processes. We can support you in the development of a complete internal audit programme as well as conduct specific audits on your behalf. If one of your barriers is simply a lack of knowledge of auditing techniques or how to audit specialist areas then we encourage, if desired, your staff to shadow our auditor as part of our knowledge transfer philosophy. For more detailed training and insights, you can also attend our Practitioner Certificate in Information Security Auditing course.
Naturally, any audits will be bespoke to your organisation but typically will focus on the operation of the ISMS (e.g. document management procedures or the preventive and corrective actions process) and the applicable controls.
The audit of the controls can be IT related (e.g. user account administration, change control process or third party service delivery) or non-IT related (e.g. staff recruitment and termination, awareness training or incident management).
We have considerable experience in conducting audits of third parties on behalf of our clients. These audits may be on specific aspects or more general topics such as your suppliers’ approach to information security.