Everything You Need to Know About ISO 27001 Certification: Part 1—The Internal Audit

September 19, 2022 | ISO 27001

The ISO 27001 internal audit is a prerequisite to Stage 1 of the certification process, where either your organization or a third-party firm will assess the effectiveness of your information security management system (ISMS) to meet clause 9.2 of the ISO 27001 standards. 

This is the first installment in a two-part series on the ISO 27001 certification process. Through the rest of this series, we’ll outline requirements for stage 1 and stage 2 of the audit as well as what it means to obtain ISO 27001 certification. 

“The internal audit is the biggest lift for organizations when preparing for ISO 27001 certification,” said Whitney Perez, director of quality and compliance at BARR Advisory. This process is beneficial for several reasons, including: 

  • Validating your ISMS before undertaking the ISO audit
  • Demonstrating your organization’s commitment to improvement
  • Encouraging continuous security management 

Let’s take a look at what to expect when you’re first starting your ISO 27001 certification during the internal audit. 

ISO 27001 Clause 9.2 

Clause 9.2 of the ISO 27001 standard is one of the more complex requirements to achieve certification. This is due to the detailed requirements and possible need for outside assistance. 

During the internal audit, it’s required that your ISMS not only conforms to your organization’s own requirements  (9.2a), but that those requirements of this standard are effectively implemented and maintained (9.2b). 

Here are the additional requirements for clause 9.2 of the internal audit according to the ISO 27001/IEC 27001 standards:

  • 9.2c—The organization shall plan, establish, implement, and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting. The audit program shall take into consideration the importance of the processes concerned and the results of the previous audits. 
  • 9.2d—Define the audit criteria and scope for each audit.
  • 9.2e—Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process.
  • 9.2f—Ensure the results of the audit are reported to the relevant management.  
  • 9.2g—Retain and document information as evidence of the audit program and results. 

“While it’s recommended to conduct these internal audits on an annual basis, there’s no requirement to audit against all ISO clauses and Annex A controls at once,” said Perez. “You can make an audit plan that suits your needs. Your organization’s plan may span multiple years, testing controls on a rotational basis.”

Using a Third-Party Auditor 

If this is your first ISO 27001 audit, or your organization might need extra assistance, you can employ an independent third-party firm to help complete your internal audit. Consulting firms like BARR will help you create policies and complete your internal audit while maintaining independence.

Perez said, “While it’s not required, most organizations who use a third-party auditor for their internal audit experience a greater level of success within the certification process.” 

Still not sure where to start? Not to worry. At BARR, we have a list of best-fit experts we can refer you to when it comes to completing your internal audit. 

Looking Ahead: Stage 1, Stage 2, and SOC 2 Reporting 

Once you’ve completed your internal audit and have developed and implemented the other ISO documentation and processes outlined in ISO 27001, you’re now geared up for Stage 1 and Stage 2 of the ISO 27001 certification process:

    • Stage 1 of the audit process tests the design of your ISMS. Your engagement lead will conduct a walkthrough of clauses 4-10, identify any major and minor nonconformities or opportunities for improvement (OFIs), and evaluate the organization’s corrective action plans. 
    • Stage 2 tests the effectiveness of your ISMS. BARR will conduct a walkthrough of Annex A controls, identify nonconformities and opportunities for improvement, and evaluate the organization’s corrective action plans.
    • Certification Decision occurs at the conclusion of Stage 1 and Stage 2 during which BARR will review the results and make a certification decision.

For more information, see our ISO 27001 Engagement Process

Additionally, BARR is one of only nine firms in the nation who can help you obtain both an ISO 27001 certification and SOC 2 report upon project completion. Through our “test once, report many” approach, we save you time and resources to help you meet regulatory requirements and ensure customer trust. 

Interested in connecting with a specialist from our ISO team? Contact us for a free consultation.

Let's Talk