The purpose of an ISO 27001 audit is to verify that your company's information security management system (ISMS) meets the requirements of ISO/IEC 27001:2022, the latest revision of the information security management system standards. To obtain and maintain ISO 27001 certification, companies must pass a series of rigorous internal and external audits.
We'll cover everything you need to know about conducting ISO/IEC 27001 audits to obtain and maintain your ISO 27001 certification. You'll learn about ISO 27001 audit requirements, why an ISO 27001 audit is important, how long it takes conducting audits and who can conduct audits that demonstrate that your company follows current information security management best practices.
What is an ISO 27001 audit?
An ISO 27001 audit is a review process that ensures that your organization's Information Security Management System (ISMS) complies with the latest information security best practices as defined by ISO/IEC 27001:2022 the latest version of the ISO/IEC 27001 standard from 2022. Organizations must conduct a series of regular internal and external audits to obtain and maintain their ISO 27001 certification.
ISO 27001 demonstrates that a company's ISMS controls are sufficient to secure its data, documents and other information assets. ISO 27001 certification also gives companies a competitive advantage by showing that their security controls are more stringent and in line with international standards.
To qualify for certification, companies must undergo an external audit by an accredited, objective audit firm or ISO 27001 approved auditor to demonstrate that their processes and systems meet the expectations of ISO/IEC 27001:2013 or ISO/IEC 27001 :2022, and after October 2025 only on ISO/IEC 27001:2022.
Continuous ISO 27001 audits demonstrate the effectiveness and efficiency of a company's security controls. Plus, these audits measure and demonstrate ongoing compliance with ISO standards. Regular audits allow organizations to review and assess the level of residual risk associated with their existing information security standards.
With the results of an ISO 27001 IT audit, organizations can continue to improve their ISMS controls and standards to make residual risk more bearable.
Importance of IT security audit for ISO 27001 certification
- 1. ISO 27001 certification is primarily dependent on passing a series of audits. A company cannot claim compliance with global best practices for information security management unless it has successfully passed these audits.
- 2. It can be difficult for companies to establish or maintain relationships with customers or partners who require ISO 27001 certification as a condition of doing business. This means that ISO 27001 audits can be critical for businesses to gain or retain customers.
- 3. In order to maintain their ISO 27001 certification, companies must go through periodic audits to prove that they are still in compliance with the requirements set by ISO 27001. As can be seen from the audit results, the company's information assets are reliable protected by its established systems, procedures and controls.
- 4. As a firm grows, it faces additional risks that can be assessed during routine audits to help determine where improvements can be made. Opportunities to improve data management and IT security are also revealed during these assessments.
ISO 27001 Audit types
Compliance with ISO 27001 requires the conduct of two types of audits: internal audits and external audits.
Accreditation bodies around the world have different requirements for how often audits should be carried out to maintain compliance; however, all companies interested in obtaining or maintaining their certification must submit regular ISO 27001 internal audit reports and perform periodic external audits.
Here are the internal and external audit expectations that organizations must follow to stay compliant.
Internal audit
An ISO 27001 internal audit is a review of a company's ISMS performed by objective internal personnel trained to ISO 27001 standards or an external contractor hired to work alongside an internal team. Even when an internal audit is performed by an external party, it is considered internal unless that party is part of an ISO 27001 certification body.
Clause 9.2 of ISO 27001 requires a consistent ISO 27001 audit program to maintain compliance. An approved ISO 27001 audit plan specifies how often internal audits are conducted, the methods used to complete the audit, and who is responsible for planning, completing, and reporting the audit results.
Each company works with the certification body to determine the appropriate ISO 27001 audit frequency for their organization, most companies will be recommended to complete an annual ISO 27001 audit.
Typically, an ISO 27001 internal audit includes:
- Review and maintain internal documentation of policies and procedures
- Sampling ISMS evidence as part of a field review demonstrating that policies and procedures are consistently followed
- Analyzing document review and site review findings to ensure compliance with ISO 27001 requirements
- Implement improvements as needed based on audit findings
The ISO 27001 certification audit process begins with an internal audit where your organization reviews its current IT processes and documents the scope of its ISMS audit for further external review.
The organization then performs a risk assessment and gap analysis, submitting these audits along with other documentation to external auditors or a certification body.
Finally, if a company chooses to move toward certification, organizations must conduct regularly scheduled internal audits to maintain compliance.
External audit
When IT professionals ask, "how to prepare for an ISO 27001 audit," they usually mean an external ISO 27001 audit. External audits are conducted by accredited certification bodies to confirm compliance with ISO 27001 standards.
Organizations interested in ISO 27001 certification must participate in four external audits:
- ISMS Design Review
- Certification audit
- Surveillance audits
- Recertification audits
Once your organization has determined the scope of your ISMS audit, you will request an auditor from your country's accredited certification body to complete the ISMS design review. During this external ISO 27001 audit, the auditor reviews your organization's documentation, processes and procedures to ensure that your ISMS controls and design conform to ISO 27001 standards.
If your organization meets the requirements of the ISMS Design Review, the auditor recommends your organization for certification and moves on to a certification audit.
During the certification audit, the auditor will review your organization's business processes and controls through a field review to ensure they meet the requirements of ISO 27001 and the 93 primary controls listed in Annex A. Compliance with these requirements makes your organization eligible for full ISO 27001 certification.
To maintain compliance after certification, certification bodies conduct periodic audits—known as surveillance audits—in which they take a random sample of data to ensure they're following the procedures and processes defined by your documentation. These audits often focus on specific areas of the ISMS and occur prior to recertification.
Finally, organizations are subject to an extensive recertification audit every three years to maintain their eligibility for ISO 27001 certification. This review covers all areas of the ISMS and mimics the initial certification audit, ensuring that the organization is continuously following ISO 27001 standards and improving your ISMS as new risks arise.
ISO 27001 audit stages
As your organization prepares for ISO 27001 certification, it is important to understand the two stages that make up the initial certification audit. The audit criteria for ISO 27001 are determined by these two stages, and your company's eligibility for certification depends on passing both audit stages.
Companies should note that organizations will typically hire a separate external auditor to assist them in completing Stage 1 compliance requirements before requesting an external audit from the Certification Body for Stage 2.
Stage 1
Stage 1 of the ISO 27001 audit is called the ISMS design review. Before a company requests an ISMS design audit, it is extremely important that the company properly prepares for what the ISMS design review entails.
First, work with your compliance team to determine your company's baseline levels of risk tolerance and security based on the expectations of your customers or partners. You may also need to consider legal or contractual requirements. These elements will define the scope, security objectives, and statement of applicability for your certification audit.
Then document in detail all processes, procedures, policies, guidelines and controls for your ISMS based on the requirements detailed in ISO 27001 and ISO 27002. You will also need to complete a risk assessment, risk treatment and gap analysis to to send with your documentation.
Once you have implemented and documented the controls in your ISMS, an auditor will review your documentation during the ISMS design review to ensure it meets the requirements of ISO 27001. Once complete, the auditor will provide your organization with an audit report according to ISO 27001.
The audit report includes their findings and recommendations for improving your processes or controls before moving on to stage 2. Your organization's employees may also need to undergo additional security training to meet ISO 27001 stage audit standards 1 before moving forward to stage 2 of the certification process.
Stage 2
If an auditor recommends your organization for certification after Stage 1, your organization may choose to move forward with Stage 2 to continue certification. In an ISO 27001 Stage 2 audit, an auditor from a certification body will conduct an evidentiary field review to confirm that the business processes and controls in your ISMS are in accordance with the documented and approved Stage 1 procedures.
The auditor examines an in-depth, random sample of data and information assets as evidence to confirm that your ISMS is working effectively and meets the requirements dictated by ISO 27001 and the mandatory controls in Annex A. This evidence should ensure that your business procedures are working , as documented.
To complete their audit, auditors will often interview key stakeholders responsible for managing the ISMS system, as well as members of the internal audit and compliance teams. They will also require evidence of previous audit reports and any corrections made based on the results of Stage 1. These audit reports inform them of discrepancies presented by the previous auditor, while management audits confirm that post-audit improvements have been made.
Stage 2 is also the time to define the processes that will move forward after certification. This includes security awareness training procedures and the internal audit process that must be documented to achieve certification and maintain ongoing compliance.
Once your organization passes stage 2 of the ISO 27001 audit process, your company will be ISO 27001 certified for three years. However, companies are still required to perform and submit annual surveillance audits to follow the required internal audit schedule submitted to the certification body and to demonstrate that their controls are continuously operating as intended.
Annual ISO 27001 supervisory audits
One of the main objectives of the ISO 27001 information security management system is to ensure continuous improvement. The Plan-Do-Check-Act principle, supported by audits and reviews, will help achieve this goal.
Annual surveillance audits are a major component of this. This is a mandatory requirement for maintaining accredited ISO 27001 certification.
When does the annual supervisory audit take place?
In most cases, your organization will undergo an annual surveillance audit at the end of year 1 and year 2. The first of these will actually be carried out shortly before the end of year one. The goal is to have the three-year cycle set up so that your recertification audit takes place before the end of year 3. This is important because if any discrepancies are found at the end of year three, there may be a gap in your certification while you take corrective action.
Some larger organizations like their annual surveillance audits to occur more frequently, spread across the calendar. The schedule can be agreed with the auditor.
How long does the annual supervisory audit take?
An ISO 27001 audit can take anywhere from a few days to a few weeks, depending on factors such as the size and complexity of the organization, the scope of the audit, the number of auditors involved, and the readiness of the organization. For a smaller organization, the audit may take only a few days, while for larger and more complex organizations, the audit may take up to several weeks or even months.
Where does the annual supervisory audit take place?
The annual supervisory audit is usually conducted on-site. However, audits may be conducted remotely in exceptional circumstances such as COVID-19. If you have multiple sites, your head office will always be audited plus branches other than those selected for the initial ISO 27001 certification audit. Again, different sites will be selected for the second annual surveillance audit and recertification audit, although the head office will be included in each audit.
What happens at the annual supervisory audit?
In an annual surveillance audit, the auditor will take a similar approach to the ISO 27001 Stage 2 audit. However, less time will be spent on some areas of your management system and possibly only parts of your organization will be audited.
Much of what happens will be guided by what the auditor has discovered in previous audits, such as examining areas of weakness. The following will be covered as a minimum:
- Review of discrepancies and corrective actions from previous audits
- Maintenance and operation of the Management System
- The effectiveness of your internal audits
- View your reviews from the guide
- Preventive and corrective actions
- Documentation updates
What happens after the annual supervisory audit?
As with other audits, the auditor will summarize the findings at the end of the visit. A written report detailing any discrepancies will also be submitted.
If there are major discrepancies, you will have up to three months to take corrective action and provide evidence that you have done so. Failure to do so may result in your ISO 27001 certification being withdrawn.
For minor discrepancies, the auditor will agree a plan with you. Depending on the risk and severity, the Auditor will use his discretion to determine how the non-conformance can be "closed". It could potentially be closed at the next audit either by sending evidence to the auditor or maybe even another audit.
Final words
An ISO 27001 audit is a vital part of maintaining your organization's ISMS compliance. Since its primary purpose is to ensure that an organization's ISMS is adequately implemented and managed, ISO 27001 accreditation will enable your organization to retain confident customers and stakeholders.
If you need help navigating the world of information security or preparing for an internal or certification audit? We're happy to help — Contact one of our experts today using the contact form.