When it comes to ISO27001 and the certification process, there is often some anxiety about what happens during the Stage 1 and Stage 2 audits, so we thought we’d help by breaking this down and letting you know what happens during each of them.
This post will focus on the first stage, so that you can be better prepared and remove as much anxiety as possible.
Purpose of the Stage 1 audit
Some auditors are now saying that the Stage 1 audit isn’t an audit at all. They are referring to it as a ‘gap analysis’ and there is no way to fail this audit. They are there to look at what you’ve done, and ensure you’re ready for stage 2.
Personally, we don’t like this claim and we’re not sure it’s true. Surely, if you haven’t done what you need to do (i.e. built an ISMS with all mandatory documentation and records), then they will not recommend you move to stage 2. Isn’t that a ‘fail’?
Irrespective of what the auditor may say on this, they are auditing your ISMS to ensure you have met the requirements of the standard. They are checking that all mandatory policies, procedures and records are in place. Note that at this stage they are largely looking for evidence that these things exist, not for how they have been implemented.
For example, they may ask to see your awareness, education and training plans. But on Stage 1, they only want to see a plan exists. When it comes to Stage 2, they will want to see how you’ve followed your plan, and speak to people who have received awareness, education or training.
We often say that information security is a journey. So one way to look at the Stage 1 audit is to think of it as someone checking your backpack to ensure you have the essential equipment (documentation) and records (health, travel insurance etc.) before you set off on the journey up a mountain.
Preparing for stage 1
In this post, we have to assume that you have done all the hard work and developed your information security management system (ISMS) with all the mandatory documentation and records you need to evidence compliance with the standard. If you haven’t, then you’re not ready for stage 1. Go read our ‘Real Easy Guide to ISO27001’ or engage with Consultants Like Us to develop your ISMS for you.
Auditors’ access to the ISMS before the audit
Even though all UKAS certification bodies are expected to operate the same, they don’t!
Some auditors will be in contact with you and ask for access to your ISMS, or will ask to see a whole list of documentation. Some don’t.
IMPORTANT: You are NOT required to provide the information before the day of the audit. We cannot stress this enough – the date of the audit is the day of the audit. You should respond to the auditor’s request politely and tell them that they will be given access to your ISMS either the evening prior to your audit or on the morning of the audit.
It is totally up to you if you wish to give them access earlier, but we would advise against it. They don’t need it, and giving people access to your ISMS for longer than is required could be a breach of your own Access Control policy(!)
Any pressure from the auditor can be ignored. They are asking because they might have some free time prior to the audit, and reviewing documentation before the start date will make the audit day go faster.
The important point to note is that it is up to YOU to decide when you give them access.
The Senior Leadership Team
During the opening meeting the auditor will want to speak to the senior leadership team (aka ‘Top Management’). It’s up to you how many people you invite, but you should ensure you have senior management support in this meeting so they can convey the importance of the topic to the auditor.
The auditor doesn’t have a script (as such), but the kind of questions you’ll be asked include:
Why are you doing ISO27001?
What are your biggest risks?
How will this improve security?
The auditor will also want to understand the context of your business, what your background is, who your clients are, and what services and products you provide.
The auditor will also explain the kinds of findings they can make during the audit, which are as follows:
OFI – Opportunity for Improvement.
Mi-NC - Minor Non-Conformity.
Ma-NC - Major Non-Conformity.
An OFI is where you have everything in place, but there could be a better way of doing it, or it could be a minor change to improve security. An OFI might be noted, for example, if there is a security policy in place, but someone in top management hasn't signed it. Signing a policy isn’t a standard requirement, but it’s good evidence of leadership and shows support for the ISMS and security. Therefore, it’s an opportunity to improve the ISMS.
A Mi-NC is where you are broadly meeting the needs of the standard, but one core component is missing. Continuing our example above, if the Security Policy is in place but hasn’t been communicated to the business or signed off, it might raise a Mi-NC.
A Ma-NC is the most severe finding and means that a core requirement of the standard is missing. In our example, this could mean the Security Policy isn’t in place at all or, at the very least, isn’t written down.
If you have more than three Mi-NCs in one area, this can be elevated to become one Ma-NC because something is clearly going wrong or missing from the ISMS.
If you have any Mi-NCs, these will need to be addressed, and you will need to evidence that they have been closed, by the time you reach your Stage 2 audit.
If you have one Ma-NC, it could affect your ability to move towards formal certification, and indeed, if there is more than this, then we wouldn’t recommend moving forward to stage 2 anyway.
Finally, about the OFIs: the auditor could raise three, four, ten, or even twenty(!) Each should be carefully considered, and you can decide whether to embrace the OFI or ignore it. However, it is important to document this decision. We see OFIs as ‘opinions’, bordering on consultancy (although the auditor will tell you otherwise). If an auditor tells you, ‘Hey, here’s a better way of doing what you’re doing’ (i.e., improving the ISMS), that feels a lot like consulting to us!
During the Audit
So what can you expect from the rest of the audit?
The auditor will go through all of your ISMS, including records and documentation that you have produced and will assess it against the points noted above.
They will typically only want to speak to the person who has put the ISMS together, as interviews with key stakeholders are normally held off until Stage 2.
The Stage 1 audit is pretty simple in that it is a review to ensure you have everything you need to progress to Stage 2 (which is where evidence of implementation is required).
If you have followed good advice and guidance in the development of your ISMS then your stage 1 audit should be a relatively easy task.
At the end of the audit, the auditor will hold a closing meeting where they give you their verdict, which should be that they recommend you move to Stage 2. The Stage 2 audit is a little more intensive and needs more support from the business, but that’s the topic for another blog.
For now, bask in the glory that you have passed this stage and are now ready to implement and evidence implementation of your ISO27001 information security management system.
Remember that William Shakespeare once wrote, “All the world’s a stage, and all the men and women merely players”. This is just another milestone (aka stage) for you to go through, which will ultimately lead you to achieving ISO27001.
This stage is not to be feared. If you’ve prepared and followed good advice from Consultants Like Us, read our book, or bought our templates then you’ll be in good shape.
More questions?
If you need help preparing for your Stage 1 (or Stage 2) audit, then book in with us for a FREE 1hr consultation where we’ll assess your readiness for your Stage 1 audit.