Qualsys are in the process of certifying to ISO 27001.
Following our stage one audit last week, the auditor said he had never seen a better organised, structured and planned information security management system.
Kate Armitage, Head of Quality Assurance, and Chris Webster, Operation and Infrastructure Manager, who co-ordinated the project, have shared their 15 tips for a successful Stage 1 audit.
1. Get your documentation ready. Stage 1 is a document review, so it is unlikely that you'll be audited on your practices. Focus on your documentation, training, audits and Management Review. The easier you make it for the auditor to check the documentation, the better.
2. Read and understand the Standard. Have a copy of ISO 27002, which explains the controls very clearly.
3. Prepare clear policy documentation and advise which controls the policies cover.
4. Integrate with existing standards such as ISO 9001. There is a lot of shared documentation, such as Document Control, Manual, Leadership, Context, Interested Parties, Risk Approach and Org Chart. You don't need to reinvent the wheel.
5. Consider a Competency Matrix and Roles and Responsibilities document.
6. Remember your Legislation Register.
7. Test audits. Carry out some audits and have a plan in place for the others prior to Stage 2. This allows an effective Information Security Management Review.
8. Remember to integrate ISO 27001 with your Business Continuity plan.
9. Spend time on your Risk Assessment. Keep a Risk Register in which confidentiality, integrity and availability (CIA) have been clearly thought through, and align it with the clauses of your Statement of Applicability (SoA).
10. Have a project plan.
11. Set quiet time aside to work on the documentation, training records, engagement, meetings and so on.
12. Build a support network. It's too challenging to approach ISO 27001 as an island. You need everyone to be involved!
13. Remember the things that might be considered only a small risk, e.g. whiteboards.
14. Training and education for all staff. Remember your training records!
15. Remember your Ps and Qs! Don't challenge the auditor; instead, engage with the auditor(s). They can provide valuable guidance if you listen, and Stage 1 is a great learning opportunity in preparation for Stage 2.