You have applied for ISO 27001:2013 Certification and you are about to undergo your Stage 1 audit. The auditor checks that your ISO 27001 documentation is up to the task. For many organizations, the documentation stage is the most time-consuming part of their ISO 27001 project. For some, documenting ISMS (Information Security Management System) can take up to 12 months.

Providing the ISO 27001:2013 Documentation for your information security management system (ISMS) is often the hardest part of achieving ISO 27001 Certification. ISO 27001 Documents can run into thousands of pages for more complex businesses.

To get started, there are three approaches to addressing ISO 27001 documentation:

ISO 27001 documents

1. Trial and error
Designing the ISMS yourself is very risky and the most time-consuming approach. An ISMS needs a huge amount of detail, and trial and error is a difficult way to tackle this task.

2. External expertise
The second approach is bringing external expert from experienced consultants. Though this offers a faster route than trial and error, it is substantially more expensive. ISO 27001 Consultants will need time to learn your systems and processes before they can start documenting them and any new systems or processes. The advantages of external expertise include considerable reduction of the risk of failure and overcoming resource issues.

3. ISO 27001 Documentation toolkits
ISO 27001 Documentation Toolkit can significantly reduce errors and save you a considerable amount of time and money. We highly recommend this approach and have designed a documentation toolkit that exactly meets the requirements of ISO 27001. The ISO 27001 Documentation Toolkit has been developed by ISO 27001 experts and provides all of the mandatory and supporting documentation templates you will require, and is more cost-effective than consultancy fees.

The toolkit includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.
Advertisements

An ISO 27001 audit is a gathering process for obtaining and evaluating evidence to determine the extent to which the audit criteria are fulfilled. The term “internal” means that the audit is performed within organizations’ own boundaries and rules, not involving external parties like customers, suppliers, or certification bodies.

ISO 27001 internal auditor training helps employees from IT industries to learn and develop the abilities that necessary to perform internal ISMS audits. The ISO 27001 training provides delegates with an understanding of ISO 27001 and provides practical training in the techniques of Internal Auditing. ISMS auditor training will guide towards the importance of company’s effective information security management system, most firms develop an inside ISMS to safeguard their system from security threats.

During this ISO 27001 training, candidates can learn the way to initiate, prepare, conduct and settle an audit. Additionally, candidates can study the principles of auditing and learn the main points and principle behind Information security system requirements.

Benefits of ISO 27001 Internal Auditor Training

  • Your company will have an internal resource and process to be able to conduct its own audit of its ISMS to assess and improve conformance with ISO 27001:2013
  • Successful ISO 27001 auditing will improve the protection of your organization’s private data to meet your market assurance and corporate governance needs
  • An appreciation of the importance of controlling Information Security in all types of business activities
  • An appreciation of Risk Analysis process
  • Detailed review and interpretation of the main requirements of ISO 27001:2013
  • An appreciation of documented management systems to control Information Security
  • Evaluating corrective actions for root cause and effectiveness

Global Manager Group offers different Training kit for IT companies to choose from ISO 27001 Training Presentation Kit and ISO 20000 Training Presentation Kit. To get more information about these training presentation kits, Click here

ISO 27001 is increasingly adopted in the global world by both internal and external IT organizations. Since there are many small, mid-size and established IT organizations so the standard has helped to differentiate between different IT companies across world.

ISO 27001 Certification demonstrates to existing and potential customers that your organisation has defined and put in place best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an Information Security Management System (ISMS). Implementing ISO 27001-certified ISMS can help your organisation avoid the penalties and losses associated with data breaches, and comply with legal and regulatory requirements.

The auditors should maintain the knowledge of the state of art and organizational situation. For all issues related to the audit, the ISO 27001 Auditor Training must be given that helps them in being independent in both attitude and appearance. ISO 27001 auditor training helps IT organization to prepare employees to perform ISMS 27001 internal audits on a company ISMS.

Essential Skills/learning in the ISMS – ISO 27001 Auditor training includes the following:

  • Overview of Information security management system.
  • Understanding ISO 27001:2013 system requirements.
  • Understanding Information security related definitions.
  • ISO 27001 documentation – 4 tier document structure.
  • Understanding ISMS internal auditing process.
  • Information Security management techniques.

The ISO 27001 manual is a mandatory document for ISO 27001 Certification, which maintains Information Security Management System in organization. This is a roof document for ISMS, and it usually includes the ISMS scope, role(s) undertaken by the organization, exclusions from the standard, references to relevant documents, and the business process model.

Basically, there are two approaches for ISO 27001 Information Security Management System (ISMS) Manual:

a) The ISO 27001 Manual could be a document explaining how an organization will meet the ISO 27001 requirements and which procedures will be used in the ISMS, or

b) The ISO 27001 Manual could be a set of all the ISO 27001 documents that are produced for the ISMS – in practice, the idea would be to place all the policies, procedures, working instructions, forms, etc. into a single book so that it is easier to read.

The first approach makes no sense because there is a mandatory document in the ISMS that must describe how a company will implement its information security – it is called Statement of Applicability. It must list all the controls, and define if they are applicable and how they will be implemented. Therefore, the Statement of Applicability has a very similar function to that of the Quality Manual, so an ISO 27001 Manual with the same purpose makes no sense.

Having all the ISMS policies and procedures included into a single ISO 27001 manual makes even less sense – first of all, most companies implementing ISO 27001 use intranet for handling documents, so merging documents in electronic form makes them no easier to read; secondly, the longer the documents, the smaller the chance someone will read them because not every ISMS document is intended for everyone in an organization; and thirdly – since individual ISMS documents change rather often, it would be a nightmare to update such manual so frequently.

If you are planning your ISO 27001 internal audit for the first time, you are probably puzzled by the complexity of the standard and what you should check out during the audit. So, you are looking for some kind of ISO 27001 Audit Checklist to help you with this task.

ISO 27001 Audit Checklist

Although they are helpful to an extent, there is no universal checklist that can fit your company needs perfectly, because every company is very different. However, you can create your own basic ISO 27001 audit checklist, customised to your organisation, without too much trouble.

Some Basics Steps in the ISO 27001 Internal Audit

1. Document review
In this step, you have to read ISO 27001 Documentation. You will need to understand processes in the ISMS, and find out if there are non-conformities in the documentation with regard to ISO 27001

2. Create the checklist
You make a checklist based on document review. i.e., read about the specific requirements of the policies, procedures and plans written in the ISO 27001 documentation and write them down so that you can check them during the main audit

3. Planning the main audit
Since there will be many things you need to check out, you should plan which departments and/or locations to visit and when – and your checklist will give you an idea on where to focus the most.

4. Performing the main audit
The main audit is very practical. You have to walk around the company and talk to employees, check the computers and other equipment, observe physical security, etc. Your previously prepared ISO 27001 audit checklist now proves it’s worth – if this is vague, shallow, and incomplete, it is probable that you will forget to check many key things. And you will need to take detailed notes.

5. Reporting
Once you finish your main audit, Summarize all the non-conformities and write the internal audit report. With the checklist and the detailed notes, a precise report should not be too difficult to write. From this report, corrective actions should be easy to record according to the documented corrective action procedure.

6. Follow up
It’s the internal auditor’s job to check whether all the corrective actions identified during the internal audit are addressed. Your checklist and notes can be very useful here to remind you of the reasons why you raised nonconformity in the first place. The internal auditor’s job is only finished when these are rectified and closed

What to include in your ISO 27001 Audit Checklist

Normally, the checklist for internal audit would contain 4 columns:

Reference – e.g. the clause number, section number of a policy, within the standard.

What to look for – what to examine, monitor, etc., during the main audit – whom to speak to, which questions to ask, records to look for, facilities to visit, equipment to check, etc.

Compliance – Simply, has the company has complied with the requirement?

Findings – Details of what you have found during the main audit – names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.

So, the internal audit of ISO 27001, based on an ISO 27001 audit checklist, is not that difficult – it is rather straightforward: you need to follow what is required in the standard and what is required in the documentation, finding out whether staff are complying with the procedures.

With a good ISO 27001 audit checklist, your task will certainly be a lot easier.

To implement an ISO 27001 Certification Standard, you will need to implement a series of activities that were described in your document. Once that has been done, you will need to implement another series of steps during the final phase of the project.

The ISO 27001 Certification Audit Process

The ISO 27001 certification audit process is divided into 2 stages.

In Stage 1, the auditor verifies whether your ISO 27001 documentation complies with the standard.

In Stage 2, the auditor verifies that your Information Security Management System (ISMS) operates effectively, as documented and in compliance with ISO 27001.

This underlines the importance of how much you need to be perfect when writing the document according to the clauses of the ISO 27001 Standard. It also stresses the importance of implementing the information security system in your company.

Steps That Should Taken

After all, the proper documentation has been prepared and the implementation of the new business processes has been implemented, then you will need to perform these mandatory tasks before you can perform the actual audit.

  • Internal Audit
  • Management Review
  • Corrective and Preventive Actions

The purpose of an ISO 27001 internal audit is to get an independent auditor to come around and do the auditing and check whether the Information Security System is working properly.

The Management review is a process where the management takes into account all the relevant facts about an information security and make the appropriate decisions.

The company then takes into all the faults and problems that were found out during the internal audit and the management review and take steps to resolve. These are called corrective actions, and these should be taken so that when the time for an audit comes, you won’t have any failures occurring.

Once all of this has been done, you would want to go over everything again, double check it, so that you know that everything is in order before the actual ISO 27001 audit happens. This double check will ensure that every employee will know their task and specialities when the actual audit happens.

ISO 27001 is an international specification or standard for the development and implementation of an information security system, which is often referred to as ISO 27001-compliant ISMS. The ISMS, in turn, as explained in detail by ISO 27001 Consultant, is a framework of policies and procedures of the company for the managing information risks. It includes the physical and technical, as well as legal, controls that must exist for optimal information risks management.

Information Security Management System

Companies that want ISO 27001:2013 Certification will do well to seek advice from experienced ISO 27001 consultants regarding implementation of the ISO 27001 standard. It follows a top-down approach to information risk management and is not specific to any type of technology. Essentially, the standard provides for a comprehensive planning process, which consists of six parts. The first entails defining the security policy, followed by setting the scope of the ISMS. This is followed by a risk assessment and then the management of the risks that were identified. The next phase entails choosing the control objectives and selecting which controls to implement. The final phase in the planning process entails the preparation of a statement of applicability.

The ISO 27001 standard and ISMS provides a framework for information security management best practice that helps organisations to:

  • Protect client and employee information
  • Manage risks to information security effectively
  • Achieve compliance with regulations
  • Protect the company’s brand image

What industries implement ISO 27001:2013?

ISO 27001 Certification is suitable for any organisation, large or small, in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also applicable to organisations which manage high volumes of data, or information on behalf of other organisations such as data centres and IT outsourcing companies.