Qualsys are fully certified to ISO 27001:2013.
Following our Stage 1 and 2 audits, our auditors said they had never seen a better organised, structured and planned information security management system and found zero non-conformances.
Compliance Director Kate Armitage and Operations & Infrastructure Manager Chris Webster co-ordinated our ISO 27001 project.
They shared their 15 tips for a successful Stage 1 audit.
1. Get your documentation ready
Stage 1 is a document review, so it is unlikely that you'll be audited on your practices. Focus instead on your documentation, training, internal audits and management review. The easier you make it for the auditor to check the documentation, the better.
2. Read and understand the standard
Have a copy of ISO 27002 to hand; it clearly explains the controls you can apply to treat your information security risks.
3. Prepare clear policy documentation and state which controls each policy covers.
4. Integrate with existing standards such as ISO 9001
There are lots of commonalities with ISO 9001, including:
- Document control
- Interested parties
- Risk approach
- Organisational chart
You don't need to reinvent the wheel, so use what you already have within your QMS.
5. Consider a competency matrix
A competency matrix and a roles and responsibilities document will prove that you've considered the potential risks arising from how your workforce operates and that you've cascaded responsibility for your IMS throughout your organisation.
6. Remember your legislation register
As much as ISO 27001 gives you flexibility to build an ISMS that suits your business context, legislative requirements should still be a strong guiding factor in how you set up your system.
Prove to your auditor that you've considered the full compliance web around your operation.
7. Test audits
Carry out some practice internal audits and have a schedule in place for the remaining ones before Stage 2. This gives your information security management review something substantive to work from.
8. Remember to integrate ISO 27001 with your business continuity plan
If you've done any ISO 22301 work, you've probably already considered how to keep your information streams preserved and operational during a disruption event.
Feel free to copy over relevant business continuity elements into your risk register and statement of applicability.
9. Dedicate most time to your risk assessment and risk register
Classic risk assessment and treatment is at the heart of ISO 27001. Thinking about what your information risks are and how you can treat them with ISO 27002 controls is the most important piece of the puzzle. Consider how confidentiality, integrity and availability (CIA) of your data could be compromised.
10. Have a project plan
You don't want to be swept up in a manic last-minute rush before your audit. Plan at least 6 months before the big day.
11. Have quiet time set aside to work on your documentation, training records, staff engagement, meetings and so on.
12. Build a support network
It's too challenging to approach ISO 27001 as an island. You need everyone to be involved!
13. Remember that even small things can be a risk
Sensitive information written on whiteboards or memos left in a meeting room will be picked up on by your auditor. Don't leave anything to chance.
14. Training and education for all staff
Your auditor can and will question your colleagues mid-audit, so it's crucial that everyone knows what ISO 27001 is and where their individual responsibilities and competences fit into your ISMS. Remember your training records!
15. Remember your Ps and Qs!
Don't challenge the auditor. Engage with them.
They can provide valuable guidance if you listen, and ultimately Stage 1 is a great learning opportunity in preparation for Stage 2.