INITIAL 27001 CERTIFICATION AUDIT
This is the ISO 27001 audit you are subjected to in order to determine whether you should be awarded your certificate for the first time. It’s also known as an external audit, a third party audit or a registration audit and is conducted by a Certification Body. The Certification Body (CB) will appoint an Auditor or possibly a team of auditors, depending on the size of your organisation, the number of sites and the scope of your Management System.
Ideally you should ensure that the Certification Body from which the Auditor comes is UKAS accredited.
An ISO 27001 Information Security Management System Initial Audit is split into two stages, with an optional pre-assessment.
OPTIONAL PRE-ASSESSMENT
The pre-assessment is an optional stage that some certification bodies, such as ISOQAR, offer. A qualified Auditor carries out this informal pre-assessment as a dummy run of the real audit. It helps you identify your strengths and weaknesses in preparation for the real thing.
STAGE 1 ISO 27001 AUDIT
The Stage 1 Audit is also referred to as the Document Review (or Document Audit) or sometimes as the Readiness Review. The basic objective of the Stage 1 Audit is to determine if you’re ready for the Stage 2 ISO 27001 Audit.
When is the Stage 1 Audit performed?
The Stage 1 ISO 27001 Audit should be performed when you’ve developed and implemented your Management System. This is so that you’ve had time to generate some evidence about the effectiveness of your system, such as having conducted Internal Audits and Management Reviews, and produced records for the Auditor to examine.
How long does the Stage 1 Audit take?
The length of the audit is determined by a formula set by UKAS. Factors such as the size of your organisation, risk and complexity are taken into account, and the result is measured in whole days. Because the formula is set by UKAS rather than by the individual certification body, whichever UKAS accredited certification body you choose will make no difference to how long the audit is. For most small or medium businesses, the Stage 1 Audit will be completed on-site within one day. The Stage 2 ISO 27001 Audit is usually longer.
Where does the Stage 1 Audit take place?
If you have more than one site, it will normally be conducted at your head office. Being on-site allows the auditor to get an impression of the organisation and the site, but it can also be done remotely depending on the complexity of the Management System (as well as other considerations such as COVID-19).
What happens in the Stage 1 Audit?
The audit will typically focus on written words. You could describe it as a reconnaissance exercise, where the Auditor gets a flavour of what your organisation and Management System are all about. It may involve discussions with employees.
Your Certification Body should contact you in advance to let you know what will happen on the day so that you can gather the people and materials needed.
The main objectives of the Stage 1 ISO 27001 Audit are:
An audit of your ISO 27001 Information Security Management System documentation including the scope of the system, objectives and any relevant policies and documentation that support the operation of the system
A walk of the site to help planning for Stage 2
To obtain information about all company site(s) from which the organisation operates
To obtain information about key processes, procedures and any equipment used
To confirm that all statutory and regulatory requirements applicable to the organisation are documented
To establish whether all relevant personnel are prepared for the Stage 2 Audit
To establish the status of Internal Audits and Management Reviews
To plan for the Stage 2 Audit, including which sites to audit
If possible and if sufficient records are available, the following will also be audited:
All of the above will help the Auditor plan for the Stage 2 Audit. If you haven’t already booked the dates for the ISO 27001 Stage 2 Audit, it’s now time to have a discussion with the auditor to agree when it will take place.
What happens after the Stage 1 Audit?
You will receive verbal feedback from the Auditor at the end of the Stage 1 ISO 27001 Audit. You will also receive a written Audit Report normally within 5 days after the audit. Technically speaking, the Stage 1 Audit will not end in nonconformities, because you’re not yet at a stage where you’re claiming to conform to the requirements of the standard. Nevertheless, if there are any issues identified during the audit, the Auditor will issue Improvement Requests in the Audit Report. These need to be addressed before moving to the ISO 27001 Stage 2 Audit or they will be considered to be nonconformities at the Stage 2 Audit and could harm your chances of being awarded certification.
The report will include:
Assessment of your ISO 27001 Information Security Management System and determination of your readiness for a Stage 2 Audit
Assessment of your understanding of the requirements of the standard
Agreement of the scope of your ISO 27001 Information Security Management System and Scope of Certification
Plan for the Stage 2 Audit and agreement on the date(s) and sites
Improvement Requests and areas for potential improvement of the Management System
Top Tip for the Stage 1 Audit
This might be the first meeting with your Auditor, and you should use this time wisely. Be open and honest and don’t try to hide issues, because they will just pop up during the Stage 2 Audit and create problems for your certification. Although the Auditor isn’t allowed to help you develop your ISO 27001 Information Security Management System, you can use the opportunity to air your ideas and hear whether they conform to the requirements of the ISO standard. Your Auditor will also have visited many other organisations in a similar situation and can tell you how they managed.