Background to ISO 27001
ISO 27001 is an information security management system (ISMS) standard which, along with ISO 27002 (code of practice), provides organisations worldwide with a framework for managing their information security. Certification or registration against ISO 27001 entails an external assessment of an organisation's ISMS by an accredited certification body and provides organisations with the best means of independently demonstrating their information security commitment and capabilities to internal and external stakeholders.
When implementing ISO 27001, organisations must follow the Plan-Do-Check-Act (PDCA) process of continual improvement, which requires the completion of a series of activities and the production of a number of specified deliverables that will assist in the establishment of an ISMS. A key activity within the Check phase involves the auditing and review of the management system to ensure it is operating as required. This auditing process is an ongoing activity, with regular audits to be conducted by every organisation which has achieved certification and is looking to maintain it.
URM's ISO 27001 Auditing Services
Having been involved in over thirty certification projects, URM has gained extensive experience in assisting organisations to develop an internal auditing programme. URM can support the development of an internal auditing programme or provide access to one of URM's auditing specialists to conduct the audit. Where URM conducts the audit, it will encourage the organisation to shadow the URM auditor as part of its knowledge transfer philosophy.
Naturally, the audits will be bespoke to the organisation, but they typically cover the operation of the management system (e.g. document management procedures or the preventive and corrective actions process) or the applicable controls. The audit of the controls can be IT related (e.g. user account administration, the change control process or third party service delivery) or more general (e.g. staff recruitment and termination, awareness training or incident management).
URM has considerable experience in conducting audits of third parties on behalf of clients. These audits may be on specific aspects or on more general topics such as their approach to information security. URM manages the full ISO 27001 internal audit process for a number of clients.
