ISO 27001 - Stage 1 audit tips (Includes free internal buy-in presentation)

Qualsys are in the process of certifying to ISO 27001. 

Following our Stage 1 audit last week, the auditor said he had never seen a better organised, structured and planned information security management system. 

Kate Armitage, Head of Quality Assurance, and Chris Webster, Operation and Infrastructure Manager, who co-ordinated the project, have shared their 15 tips for a successful Stage 1 audit.


1. Get your documentation ready: Stage 1 is a document review. This means that it is unlikely that you'll be audited on your practices, so really focus on your documentation, training, audits and Management Review. The easier you make it for the auditor to check the documentation, the better.


Qualsys use EQMS - it's an integrated management system software solution

2. Read and understand the standard. Have a copy of ISO 27002, which clearly explains the controls.




3. Prepare clear policy documentation and state which controls each policy covers.


4. Integrate with existing standards such as ISO 9001. There is a lot of shared documentation, such as Document Control, the Manual, Leadership, Context, Interested Parties, Risk Approach, the Org Chart etc. You don't need to reinvent the wheel.




5. Consider a Competency Matrix and Roles and Responsibilities document.

Training matrix in Training Records Manager


6. Remember your Legislation Register.


7. Test your audit programme. Carry out some internal audits and have a plan in place for the remaining ones prior to Stage 2. This allows an effective Information Security Management Review.


Example ISO 27001 audit in EQMS Audit Manager by Qualsys


8. Remember to integrate ISO 27001 with your Business Continuity plan.

BCR Policy


9. Spend time on your Risk Assessment. Keep a Risk Register in which confidentiality, integrity and availability (CIA) have been clearly thought through, and align it with the clauses of your Statement of Applicability (SoA).


10. Have a project plan.


11. Have quiet time set aside to work on the documentation, training records, engagement, meetings etc.

Access our ISO 27001: Internal buy-in presentation


12. Build a support network. It's too challenging to approach ISO 27001 as an island. You need everyone to be involved!


13. Remember even what could be considered a small risk, e.g. whiteboards.



14. Training and education for all staff. Remember your training records!


15. Remember your Ps and Qs! Don't challenge the auditor. Instead, engage with the auditor(s): they can provide valuable guidance if you listen, and Stage 1 is a great learning opportunity in preparation for Stage 2.

