ISO 27001 Audit - Thoropass

A certified ISO 27001 auditor needs to audit ISO 27001 to complete the certification. Here is everything you need to know about an ISO 27001 audit.

Who can perform my ISO 27001 audit?

Only an accredited ISO 27001 certification body can perform the formal audit.

According to the ANSI National Accreditation Board, ANAB, there are only 21 firms in the United States that can provide businesses with an official ISO 27001 certification. ANAB is the largest accreditation body in the western hemisphere that assesses and accredits different auditors against information security standards like ISO 27001.

What is an ISO 27001 audit?

The ISO 27001 audit process is broken down into two phases, an internal readiness assessment and an external formal audit.

Internal Readiness Assessment

First, ISO 27001 requires your company to go through a readiness assessment. This informal, internal review of the ISMS checks that it exists and is complete. Think of it as a mini-audit without recommendations on how to fix any problems found.

The readiness assessment audit should be performed by an independent party or an external team. Businesses commonly hire contractors or a select, uninvolved team execute it independently.

Formal External Audit

An accredited ISO 27001 certified auditor performs the certification process after the internal audit execution. This involves examining the design, implementation, and operations of the ISMS.

The same auditors cannot perform the readiness assessment and the external audit. If you are considering working with consultants that provide both the mini-audit and certification, your ISO 27001 will lack integrity and quality assurance.

How long does an ISO 27001 audit take?

While the schedule of the audit is dependent on your auditing body, the certification process typically takes two weeks for investigation and two weeks to compile the final certification.

How do I best prepare for an ISO audit? What is required?

Finding a certification body and auditor presents one of the biggest challenges organizations face.

To become an accredited body, auditors need at least 4 years of experience in information security, go through 3 full ISMS audits, take a 5-day auditor course, and find a certification body to take a trainee program.

Due to the increased level of experience, we recommend seeking an auditor as soon as you start the ISO 27001 process. This will help you prepare your timeline appropriately and budget accordingly since the process can be costly if you fail the audit.

How much does an ISO 27001 audit cost?

Expect ISO 27001 to be slightly more expensive than a SOC 2 report.

ISO 27001 requires specific auditors to execute and issue the certification, which is a lengthy process. The timing of the audit can get expensive, particularly if you have to hire two independent auditors for the internal audit and the formal certification audit.

Does ISO 27001 require an annual recertification?

ISO 27001 requires a full recertification process every 3 years.

However, auditors can perform random tests, like a pop quiz, for the following 2 years to make sure your organization maintains compliance. If your ISMS doesn’t pass the quality checks, you’ll need to go through the formal certification process sooner.