.jpg?width=1448&height=726&name=Screen%20Shot%202023-02-09%20at%202.57.5-min%20(1).jpg)
February 9, 2023
The ISO 27001 and ISO 27701 certification processes can seem long and confusing. That’s because the standards are complex. Both require extensive documentation of policies, procedures, and risk assessments. And — because the regulatory environment is constantly evolving — it’s not a one-time effort, but an ongoing commitment to continuous improvement.
So, what do you need to know to feel more comfortable and confident as you prep for your ISO 27001 and/or ISO 27701 audit?
Here's a quick run-down of what you can expect during each stage of your audit.
The primary purpose of stage 1 is to assess the current state of your organization's information security management system (ISMS) and/or privacy information management system (PIMS) against the requirements of the ISO 27001 and ISO 27701 standards. Here's what typically happens during this stage:
Preparation includes selecting an audit team, reviewing existing documentation related to information security and privacy management, establishing audit objectives, outlining which areas and processes will be assessed, setting the date for the stage 1 audit, and deciding if it will be on-site or remote.
After the audit team assesses the organization's current information security and privacy management practices, they’ll identify strengths and weaknesses, compliance gaps, and areas where improvements are needed to meet the ISO 27001 and ISO 27701 requirements. If any significant non-conformities (aka non-compliance with standard requirements) are discovered during the gap analysis, they’re flagged and documented for further action.
During this part of stage 1, the audit team reviews the organization's ISMS/PIMS documentation to evaluate its completeness and alignment with ISO 27001 and ISO 27701 requirements. This documentation review includes policies, procedures, risk assessments, and records of incidents and controls. Any gaps or deficiencies in the documentation are identified, and recommendations for improvements are made.
The audit team prepares a report summarizing its findings, which typically includes an overview of the organization's readiness for stage 2 certification, a list of non-conformities (if any), and recommendations for corrective actions and improvements.
The organization receives the stage 1 audit report and reviews its findings and recommendations. If non-conformities or deficiencies are identified, the organization should develop and implement corrective actions to address these issues and improve its ISMS/PIMS in order to prepare for the stage 2 audit, which is the final step leading to certification.
Stage 2 of the ISO 27001 and ISO 27701 audit involves a detailed assessment of the implementation and effectiveness of your ISMS and/or PIMS based on the ISO 27001 and ISO 27701 standards. Here are the typical steps of the stage 2 audit:
The audit team conducts additional planning and preparation based on the findings from the stage 1 audit as well as the organization's readiness. As a result, a detailed audit plan is developed, specifying the audit scope, objectives, criteria, and methods.
The stage 2 audit can be conducted on-site at the organization's premises or remotely, depending on the circumstances and agreements made during stage 1.
The audit team thoroughly examines documentation and records related to information security and privacy management, including incident reports, risk assessments, and evidence of control implementation.
The audit team conducts interviews and discussions with relevant personnel across the organization to assess the implementation of ISMS/PIMS controls, policies, and procedures. In addition, the team may observe processes and practices in action to verify their compliance with the standards, using sampling to assess a representative portion of the organization's operations and activities.
The audit team compiles a detailed stage 2 audit report summarizing their findings during the audit and provides a recommendation on whether the organization should be granted ISO 27001 and/or ISO 27701 certification.
While ISO 27001 and ISO 27701 don’t have a formal "stage 3" in their certification processes — as corrective actions and the certification decision are typically part of the Stage 2 audit and post-audit process — it's essential to understand how these issues are handled within the context of the audit process.
If non-conformities are identified, the audit team documents these findings in their audit report. As a result, the organization is required to develop, implement, and provide evidence of corrective action plans, outlining how they intend to address and rectify the identified non-conformities, and then take them to the audit team for verification.
After the organization has completed the corrective actions, the audit team or certification body may perform a verification or follow-up audit to ensure that the issues have been effectively resolved.
The certification decision is made by the certification body or registrar after reviewing the stage 2 audit findings and any evidence of corrective action implementation during the post-audit phase. If the organization demonstrates compliance with the standards and successfully addresses the non-conformities, it may be awarded ISO 27001 and/or ISO 27701 certification.
If the certification decision is favorable, the organization receives an ISO 27001 and/or ISO 27701 certificate, signifying that it complies with the respective standards.
Strike Graph’s all-in-one compliance platform can help your organization streamline your ISO 27001 and/or ISO 27701 certification process and help ensure you’re audit-ready. And, you’ll be able to leverage the work you’ve already done for your ISO 27001 and/or ISO 27701 certifications to easily achieve SOC 2, GDPR, PCI DSS, CCPA, or HIPAA compliance. After all, why should you do more work when you don’t have to?
Copy URL
.png?width=300&height=180&name=get-certified-01_201%20(1).png)
