Unit 3

ISMS Auditing and Certification

Prof. Sonam Sharma
Cyber security trainer
Syllabus

Introduction to ISMS Auditing, Planning and Conducting ISMS Audits, Internal vs.
External Audits, Audit Reporting and Follow-Up, Corrective and Preventive Actions,
Compliance Audits and Certification Process, Challenges and Pitfalls in ISMS
Auditing, Maintaining ISMS Certification, Case Studies and Best Practices in ISMS
Auditing
Introduction to ISMS Auditing
• An ISMS audit enables the review of an organization’s ISMS by an objective and competent
auditor. It tests the components of the ISMS based on standard requirements mandated
by the International Organization for Standardization (ISO).

• You can compare it to an evaluation of a building’s physical security. An ISMS audit, like the
physical security audit, tests how well the system works against all threats.

• An ISMS internal audit should ideally be performed every six months but can be conducted
once a year. External ISMS audits conducted by ISO-certified agencies, meanwhile, should
be performed every three years for certification.
Why Is an ISMS Audit Necessary?
An ISMS audit tests all the elements of an ISMS according to standard requirements. It is
necessary because:
• All organizations need insights to determine how well the ISMS can meet its needs and
business goals.
• It measures how efficient and practical the organization’s policies and procedures are.
• It also enables organizations to take note of positive findings to ensure they are
maintained and further developed for continual improvement.
• The benefits of conducting an ISMS audit include ensuring ISO 27001 standard
compliance, spotting process-related inefficiencies, identifying good practices that can be
replicated, looking for potential areas of improvement, and ensuring adherence to all
applicable regulations apart from the ISO 27001 standard.

• An ISMS audit has five stages—scoping and pre-audit survey, planning and preparation,
fieldwork, analysis, and reporting.
Certification process
Create a project plan: Educating yourself on ISO 27001 standards
and its 114 controls is a key part of this process. A great place to
start is our in-depth guide to ISO 27001.

Define the scope of your ISMS:
Each business is unique and houses different types of data. Before
building your ISMS, you’ll need to determine exactly what kind of
information you need to protect.
For some companies, the scope of their ISMS includes their entire
organization. For others, it includes only a specific department or
system.
Your team will need to discuss what you want to be represented in
the scope statement of your ISO 27001 certificate.
Start by asking yourself:
“What service, product, or platform are our customers most
Conti…
Perform a risk assessment and gap analysis:
• A formal risk assessment is a requirement for ISO 27001
compliance. That means the data, analysis, and results of your
risk assessment must be documented.
• To start, consider your baseline for security. What legal,
regulatory, or contractual obligations is your company being
held to?
• Many startups that don’t have a dedicated compliance team
choose to hire an ISO consultant to help with their gap analysis
and remediation plan. A consultant who has experience working
with companies like yours can provide expert guidance to help
you meet compliance requirements.
• On top of that, they can help you establish best practices that
strengthen your overall security posture.
Conti…..
Design and implement policies and controls:
• Now that you’ve identified risks, you’ll need to decide how your
organization will respond. Which risks are you willing to tolerate,
and which do you need to address?
• Your auditor will want to review the decisions you’ve made
regarding each identified risk during your ISO 27001 certification
audit. You’ll also need to produce a Statement of Applicability
and a Risk Treatment Plan as part of your audit evidence.
• The Statement of Applicability summarizes and explains which
ISO 27001 controls and policies are relevant to your organization.
This document is one of the first things your external auditor will
review during your certification audit.
• The Risk Treatment Plan is another essential document for ISO
27001 certification. It records how your organization will respond
to the threats you identified during your risk assessment.
Conti…
The ISO 27001 standard outlines four actions:
• Modify the risk by establishing controls that reduce the
likelihood it will occur
• Avoid the risk by preventing the circumstances where it could
occur
• Share the risk with a third party (i.e., outsource security efforts
to another company, purchase insurance, etc.)
• Accept the risk because the cost of addressing it is greater
than the potential damage
Next, you’ll implement policies and controls in response to
identified risks. Your policies should establish and reinforce
security best practices like requiring employees to use multi-
factor authentication and lock devices whenever they leave their
Complete employee training:
ISO 27001 requires all employees to be trained about information
security. This ensures that everyone within your organization
understands the importance of data security and their role in both
achieving and maintaining compliance.
Document and collect evidence:
To get ISO 27001 certification, you’ll need to prove to your auditor
that you’ve established effective policies and controls and that
they’re functioning as required by the ISO 27001 standard.
Collecting and organizing all of this evidence can be extremely
time-consuming. Compliance automation software for ISO
27001 can eliminate hundreds of hours of busy work by collecting
this evidence for you.
Conti…
Complete an ISO 27001 certification audit:
• In this phase, an external auditor will evaluate your ISMS to
verify that it meets ISO 27001 requirements and issue your
certification.

• A certification audit happens in two stages. First, the auditor
will complete a Stage 1 audit, where they review your ISMS
documentation to make sure you have the right policies and
procedures in place.

• Next, a Stage 2 audit will review your business processes and
security controls. Once Stage 1 and Stage 2 audits are
complete, you'll be issued an ISO 27001 certification that's
valid for three years.
Conti…
Maintain continuous compliance:
ISO 27001 is all about continuous improvement. You’ll need to keep
analyzing and reviewing your ISMS to make sure it’s still operating
effectively. And as your business evolves and new risks emerge,
you’ll need to watch for opportunities to improve existing
processes and controls.

The ISO 27001 standard requires periodic internal audits as part of
this ongoing monitoring. Internal auditors examine processes and
policies to look for potential weaknesses and areas of improvement
before an external audit.
Internal vs External Audit:
To achieve ISO 27001 certification, organizations must undergo a thorough audit process.
However, here's where the journey diverges into two distinct paths: internal audits and
external audits. Understanding these differences is essential for anyone embarking on the ISO
27001 compliance journey or seeking to gain insights into how information security is upheld
within an organization.
Purpose for ISO 27001 Audits:
Internal Audit (ISO 27001): Internal ISO 27001 audits aim to assess and improve an
organization's information security management system (ISMS), ensuring compliance with
ISO 27001 requirements and identifying areas for improvement.
External Audit (ISO 27001): External ISO 27001 audits are typically conducted by
certification bodies or registrars to provide an independent assessment of an organization's
ISMS and determine its eligibility for ISO 27001 certification.
Conti…
Auditor Independence for ISO 27001 Audits:
Internal Audit (ISO 27001): Internal ISO 27001 auditors should be independent and impartial
within the organization, but they are still employees or contractors of the organization.
External Audit (ISO 27001): External ISO 27001 auditors are completely independent of the
organization and are hired by certification bodies to assess compliance with ISO 27001.
Scope for ISO 27001 Audits:
Internal Audit (ISO 27001): The scope of internal ISO 27001 audits includes assessing all
relevant aspects of the organization's ISMS, such as policies, procedures, controls, and risk
management practices.
External Audit (ISO 27001): External ISO 27001 audits focus on evaluating the organization's
ISMS in accordance with ISO 27001 requirements and determining whether it meets the
standard's criteria for certification.
ISO 27001 Audit
What is an internal audit?
Internal audits examine the component parts of your ISMS to verify they meet:
• The requirements of the Standard; and
• Your own requirements for your ISMS.
Internal audits are an explicit ISO 27001 requirement under Clause 9.2: “The organization
shall conduct internal audits at planned intervals”.

Clause 9.2.2 also specifies you must “plan, establish, implement and maintain an audit
programme(s), including the frequency, methods, responsibilities, planning requirements
and reporting”.
Conti…
Steps to make your internal audit a success:
1. Scoping and pre-audit survey:
As audits are conducted on a sampling basis, your auditor must take a representative sample
to give a reliable picture of your ISMS. That said, higher-risk processes or controls will be
audited more frequently. When you set the scope for the audit, take the above into account.

During the pre-audit survey, the auditor should also identify and contact the person(s)
responsible to request copies of documentation they’ll review during the audit.
Conti…
2. Planning and preparation: This involves generating an ISMS audit workplan, which settles
the timing and resourcing of the audit (agreed with management). Conventional project
planning charts, such as Gantt, may prove helpful.

Audit plans identify and put boundaries around the remaining phases of the audit, and often
include ‘checkpoints’ that detail specific opportunities for auditors to provide informal
interim updates to managers. Such updates allow:
• Auditors to raise concerns about access to information or people; and
• Management to raise concerns regarding the audit process.
Specify the timing of important audit work so you can prioritise aspects you believe pose the
greatest risk, should a nonconformity be raised.

3. Fieldwork:
• Reviewing ISMS documentation (policies, procedures, etc.), printouts and data;
• Interviewing staff operating or responsible for the ISMS; and
• Observing ISMS processes in action.
Conti…
4. Analysis
The audit evidence should be sorted, filed and reviewed in relation to the risks and control
objectives.

Occasionally, analysis may:
• Identify gaps within the evidence; or
• Indicate the need for more audit tests.
5. Reporting
This essential component of the audit process typically consists of:

• An introduction clarifying the scope, objectives, timing and extent of the work
performed;
• An executive summary providing the key findings, a brief analysis and a conclusion;
• The intended report recipients and, where appropriate, guidelines on classification and
circulation;
• Detailed findings and analysis;
• Conclusions and recommendations; and
• A statement from the auditor detailing recommendations for scope limitations.
The draft audit report should be presented to and discussed with management.

Further review and revision may be necessary, because the final report generally
involves management committing to an action plan.
Corrective and Preventive Action
What is preventive action?
Preventive action is taken to fix the cause of a process problem before it
can happen. A preventive action (PA) definition in a management system
could be: “the activities taken by the organization to eliminate the cause of
a potential process nonconformity.” If you are identifying potential problems
that could happen in a process, assessing what could cause these
problems, and taking action to prevent the problem from occurring before it
happens, then you are taking preventive action.
What is corrective action?
Corrective action (CA) is the activities taken to eliminate the cause of a
process nonconformity. Corrective action is the activity of reacting to a
process problem, getting it under control through containment actions, and
then taking the action needed to stop it from happening again. Earlier
versions of ISO 9001 made the distinction that CA will prevent the
recurrence of a problem, but PA will prevent the occurrence of the problem.
Corrective and Preventive Action Conti…
Difference Between Corrective and Preventive Action:
The difference between corrective and preventive action is that corrective aims to stop current
issues such as nonconformance from recurring while preventive aims to prevent potential
issues from occurring entirely by eliminating the root cause.
Challenges and Pitfalls in ISMS
Not Performing a Robust Risk Assessment and Analysis:
A robust risk assessment process is key to any successful ISMS deployment. This critical step
helps you uncover any security weaknesses that may be present in your current system, as well
as prioritize which risks are most important and need to be addressed first.
Lacking Top Management Support and Commitment:
Management must understand and accept responsibility for leading the
development and implementation of an ISMS, as well as commit to
sustaining its full lifecycle. Their role in promoting a culture of security
throughout the organization is also important. That means ensuring
employees understand the objectives and goals of your ISMS and have
buy-in, too.
Poorly Defining ISMS Scope and Exclusions: No two
organizations have exactly the same system; every system is unique, so it's
important to establish clear boundaries of which systems, processes and
personnel are covered by the ISMS. Clearly defining these criteria will help
Challenges and Pitfalls in ISMS Conti…
• Not Monitoring, Measuring and Reviewing ISMS Performance
It’s all too easy to set and forget an information security management system, but that’s a
surefire recipe for failure. Without regular monitoring, measuring and reviewing of your ISMS
performance, your security measures won’t be as effective as they could be.
• Choosing the right tool
• Adapting standards to reality
• Disregarding Vulnerability Management and Patching
• Inadequate Resource Allocation: People, Technology and Budget