Organisations looking to achieve compliance with ISO 27001 often view the internal audit as a perplexing prospect.
That’s mainly because it’s not always easy to be fully objective about how well you’ve implemented and documented your processes and controls, especially when you’ve been directly involved in the ISMS implementation project.
Endless checking and cross-checking
Having to check and cross-check your own work means you run the risk of missing important red flags that an experienced and independent auditor might spot easily.
But the internal audit is also the last checkpoint for determining whether the company is indeed ready to pass the final certification audit (the stage 1 and stage 2 audits). If the organisation is not properly prepared, failing at the certification audit stage could result in additional expenses that no company would want to incur a second time.
That’s why many companies choose to use an independent certified auditor before the stage 1 audit to help them identify the various gaps between the security measures that have been implemented and the specific demands of ISO 27001.
It is the auditor’s job to highlight any nonconformities that need to be fixed in order to satisfy the certification audit. In this respect, the company may even find that the internal auditor is a little less forgiving than one would expect from the certification audit itself.
ISO 27001 is very specific
“In some ways, it seems harsh that companies get challenged during the internal audit, even if they had many of the right measures engrained in the business,” says Steve Watkins, Director of IT Governance and UKAS assessor. “However, ISO 27001 is very specific in its requirements and, to compound matters, its language is generic, so it can be hard for the uninitiated to understand precisely how it applies to them.”
This rigid approach to the audit helps the company to be fully prepared and proceed to the certification audit with fewer jitters.
“We benefited hugely”
As one of our clients put it: “We benefited hugely from IT Governance’s advice, and they effectively mapped out the route we needed to follow. If I were faced with doing the project all over again, the first thing I would do is get an expert consultant in to make sure we were tackling things in the right way. IT Governance really know their stuff and immediately impressed us with their calm and reassuring approach.”
Remove the guesswork from your ISO 27001 audits with an experienced auditor on your side