Of what use is an ISO Audit to companies? This is probably one of the most confounding questions that you will encounter once you embark on your compliance journey. Needless to say, the ISO/IEC 27001 standard often looks like a far-fetched dream for many organizations.
The size of the task and all the risks involved often make ISO audits to appear overwhelming. For you to successfully navigate your way through the processes involved, you need to have an in-depth understanding of what ISO audits are, and the basic requirements of getting this certification.
ISO is the abbreviation for the “International Organization for Standardization.” It is the brainchild of a 1946 conference that brought together delegates from 25 countries. The conference was held at the London Institute of Civil Engineers, and sought to establish a set of globally recognized industrial standards.
ISO currently comprises 162 member countries. It similarly has 778 committees and sub-committees. The body’s quality assurance standards apply to various industries ranging from data storage to manufacturing. It provides organizations with strategic tools to ensure that businesses remain productive and competitive.
Application of ISO Standards to Information Security
ISO/IEC 27001:2013 is a global standard that governs Information Security Management Systems (ISMS). Contrary to traditional standards like the PCI DSS, ISO/IEC 27001 largely bases its main controls on risks instead of prescriptive measures.
The risk-based approach allows a wider variety of organizations and industries to apply for ISO certification. Non-profit, commercial, and government agencies that wish to get ISO-certified can easily apply for this standard. The flexible nature of ISO 27001 means that players in the banking, retail, defense, education, and healthcare markets also qualify for it.
Due to its flexibility, ISO 27001 has become one of the most recognized information security standards. It similarly lists a series of Annex A controls, which act as a guide. These controls allow you to formulate your own unique information security strategy. The extended control sets also offer information security managers the option of avoiding, accepting or transferring risks rather than mitigating them through controls.
ISMS and Data Protection
Your company’s Information Security Management System is the procedures and policies that you put in place to ensure that sensitive data is protected. These procedures should go beyond protecting data to also govern employees’ behavior. For instance, employees’ password protection and security awareness also need to form part of your company’s data protection culture.
Whereas ISO/IEC 27001 is specific about the creation of an ISMS, it only recommends appropriate actions to take. Some of these suggestions may include how to undertake internal audits, preventive and corrective measures, and continual monitoring.
The ISO Auditing Process
To get ISO-certified, there are certain compliance and audit standards that you must meet. Certification can only be granted after an independent body has assessed your company’s ISMS to establish whether or not you have complied with all the requirements. The main steps involved during certification are gap analysis, formal appraisal, implementation, and auditing.
Gap analysis involves the evaluation of controls selected for different standards to ensure that your company has met all the necessary ISO/IEC 27001 requirements. For instance, you may want to follow the NIST framework and still strive to be PCI DSS-compliant. In as much as the requirements for both may overlap, they are also similar in some way. A gap analysis is often done to eliminate any discrepancies.
A formal assessment is often done to ensure that all risks are accepted, mitigated, or controlled. It incorporates risks that were previously mitigated. The implementation process entails the creation of policies and procedures that ensure your new controls are working effectively. On the other hand, the implementation stage involves the control and mitigation of new risks that you do not want to accept or control.
How Long Does ISO Certification Take?
The duration that it will take for your company to get ISO certified varies. Your current controls and compliance standpoint are the main determinants of the time you will take to become certified. Nonetheless, this process can take between five months to two years. This timeframe is also determined by how urgent you need the certification.
The ISO Audit Checklist
To monitor your current compliance position, you need an ISO audit checklist. This is basically a questionnaire, which guides auditors towards pertinent areas that require evaluation. If you are beginning the certification process, this checklist is an important tool that can guide you till the end.
The audit checklist usually incorporates in-depth policy reviews, asset inventories, and the formulation and implementation of policies. This list similarly guides auditors in their review of the management’s responsibilities. Furthermore, it ensures that electronic and physical access meets ISO standards.
Internal ISO Audits
The ISO certification requires your company to undertake internal audits as part of the far-reaching monitoring process. Internal audits are proof that you are adhering to ethical practices. Although the internal auditor needs to be independent of the process, you can still use a corporate employee who has a good understanding of your organization.
Internal audits ought to be conducted throughout the year. This enables you to identify any weaknesses for review before an external audit is conducted. An audit helps to establish whether or not your company has aggregated necessary ISO processes, documentation, and records. The auditor will compare these records with your organization’s daily routines to ensure that you not only meet compliance standards on paper but also in practice.
ISO Surveillance Audits
A review may be undertaken in between certifications. This is typically done on a yearly basis, but can also be conducted twice a year. The aim of surveillance audits is to ensure that your organization is properly monitoring its ISMS.
Concerns raised during such audits are often raised with the management, which must address them accordingly. To ensure that your company quickly gets ISO-certified; it is advisable to partner with certification experts. Automation also guarantees a quick and effective certification.
About the Author
Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.