Audit ISO 27001

Auditing according to the ISO 27001 information security standard. An audit is a systematic, periodic review carried out by an auditor, called 'auditing' for short. The word audit is derived from the Latin "audire", which means "to hear".
The auditor examines whether reality corresponds to the requirements specified for this area in the ISO 27001 standard. If this is done by your own employees, it is an internal audit. If it is done by (independent) external parties, it is an external audit, usually as part of a certification process. The auditor identifies any (structural) deviations, determines the severity of each deviation, and then reports these findings to the auditee, usually the board of directors or, in larger organizations, management. The results of an audit are recorded in a report.

An ISO 27001 audit is just one of many types of audit: financial, operational, IT, quality, environmental, etc. All of them focus on the design, existence and operation of information, communication and control systems.

First the golden rules ...

When conducting or supervising audits, it is good to remember the following 10 golden rules:

1. Clear goal and scope
   Discuss with the auditor (the lead auditor in the case of an audit team) what the purpose of the audit is. Also discuss the scope: which processes and activities the audit includes and, especially, which it does not.

2. Clear communication
   Have the auditor ask clear, simple questions, one thing at a time, short and to the point. If a question is unclear or too complex, say so. It is part of the auditor's professionalism to ensure clear communication.

3. Make employees aware
   The audit process has a clear aim: testing the organization's compliance and identifying improvements. Prepare the employees for this, and for the course of an audit interview. This avoids uncomfortable situations and makes the audit more efficient.

4. Collaborate
   An audit requires the necessary planning and preparation. In addition, in practice, adjustments will often be needed during the audit, to the agenda or to the employees involved. This requires good cooperation.

5. Guide the auditor(s)
   An auditor is not (well) familiar with the organization. Guidance by someone who has insight into the audit process is therefore necessary, also to comply with your own policy regarding visitors. The auditor must be made aware of the required confidentiality.

6. Take notes and listen
   A lot of information comes up during an audit interview. Some questions may be eye-opening. Listen carefully, also 'between the lines', and take notes.

7. Share the results
   If points of attention or even shortcomings emerge during an audit interview, share them with those involved and with the responsible management. It is advisable to look at them from different points of view in order to arrive at a correct factual observation.

8. Availability of documentation and systems
   A commonly used audit technique is to assess documentation or the information within systems. Therefore, make sure in advance that documentation and systems are available or accessible.

9. Ask relevant and clear questions
   If something is unclear, ask clear, simple questions. An auditor has a lot of knowledge of other, often similar, organizations. Take advantage of that.

10. Don't accept a simple checklist
   In an audit, specific norm items are often tested. Don't accept that these norm items are simply 'ticked off'. Expect more depth, giving a clear picture of the maturity of your own organization and any areas for improvement.