ISO 27001 - Stage 1 audit tips (Includes free internal buy-in presentation)

Qualsys are fully certified to ISO 27001:2013.

Following our Stage 1 and 2 audits, our auditors said they had never seen a better organised, structured and planned information security management system and found zero non-conformances.

Compliance Director Kate Armitage and Operations & Infrastructure Manager Chris Webster co-ordinated our ISO 27001 project.

They shared their 15 tips for a successful Stage 1 audit. 


1. Get your documentation ready

Stage 1 is a document review. This means it's unlikely that you’ll be audited for your practices - so really focus on your documentation, training, audits and management review. The easier you make it for the auditor to check the documentation, the better.


Unified ToDo List Workflow & KPI Reporting

Qualsys use EQMS - it's an integrated management system software solution


2. Read and understand the standard

Have a copy of 27002 which clearly explains the controls you can apply to treat your information security risks.


3. Prepare clear policy documentation and advise which controls the policies cover.


4. Integrate with existing standards such as ISO 9001

There are lots of commonalities with ISO 9001, including:

  • Document control
  • Manual
  • Leadership
  • Context
  • Interested parties
  • Risk approach
  • Organisational chart


You don't need to reinvent the wheel, so use what you already have within your QMS.


GDPR workshop


5. Consider a competency matrix

A matrix and a roles and responsibilities document will prove you've considered potential risks from your workforce operation and cascaded responsibility for your IMS throughout your organisation.


EQMS 6.7 training records manager

Training matrix in Training Records Manager


6. Remember your legislation register

As much as ISO 27001 gives you flexibility to build an ISMS that suits your business context, legislative requirements should still be a strong guiding factor in how you set up your system.

Prove to your auditor that you've considered the full compliance web around your operation.


7. Test audits

Carry out some practice audits and have a plan in place for the others prior to Stage 2. This allows an effective information security management review.


ISO 27001 - Audit

Example ISO 27001 audit in EQMS Audit Manager by Qualsys 


8. Remember to integrate ISO 27001 with your business continuity plan

If you've done any ISO 22301 work, you've probably already considered how to keep your information streams preserved and operational during a disruption event.

Feel free to copy over relevant business continuity elements into your risk register and statement of applicability.


ISO 22301 webinar recording

Access our ISO 22301 webinar here


9. Dedicate most time to your risk assessment and risk register

Classic risk assessment and treatment is at the heart of ISO 27001. Thinking about what your information risks are and how you can treat them with ISO 27002 controls is the most important piece of the puzzle. Consider how confidentiality, integrity and availability (CIA) of your data could be compromised.


10. Have a project plan

You don't want to be swept up in a manic last-minute rush before your audit. Plan at least 6 months before the big day.


11. Have quiet time set aside to work on your documentation, training records, staff engagement, meetings and so on. 


Access our ISO 27001: Internal buy-in presentation



12. Build a support network

It's too challenging to approach ISO 27001 as an island. You need everyone to be involved! 


13. Remember what could be considered even a small risk

Sensitive information written on whiteboards or memos left in a meeting room will be picked up on by your auditor. Don't leave anything to chance. 


Rawson Mobile Auditing iPad 2


14. Training and education for all staff

Your auditor can and will pick on your colleagues mid-audit, so it's crucial everyone knows what ISO 27001 is, and where their individual responsibilities and competences fit into your ISMS. Remember your training records!


15. Remember your Ps and Qs!

Don't challenge the auditor. Engage with them.

They can provide valuable guidance if you listen, and ultimately Stage 1 is a great learning opportunity in preparation for Stage 2.


New Call-to-action


Topics: ISO 27001

Share your thoughts on this article