How do you prepare for your ISO 27001 phase 2 audit?
Sofie Geurts
Legal Consultant
Published on 18 September, 2024
Following your phase 1 audit, which we discussed in-depth last week, it’s time to focus on ISO 27001 Phase 2 Audit Preparation—the real deal in your certification journey. This blog post will walk you through what to expect and how to ensure you’re ready for the most important step in your certification journey.
Understanding the ISO 27001 Phase 2 Audit
The phase 2 audit is the main event in your ISO 27001 certification process. Unlike the phase 1 audit, which focuses on your documentation and overall readiness, the phase 2 audit assesses the actual implementation and efficacy of your Information Security Management System (ISMS).
During this audit, the auditor will:
- Assess how well you’ve implemented the ISO 27001 requirements
- Evaluate the effectiveness of your ISMS
- Verify that you’re following your policies and procedures
- Ensure your staff understands their roles in maintaining information security
What to Expect During Your Phase 2 Audit
The Phase 2 audit is typically more time-consuming than Phase 1. Here’s what you can anticipate:
- On-site presence: The auditor will spend several days at your organisation. If you have an office, expect the auditor to be physically present for several days. However, if your organisation doesn’t have a physical location, the audit can be conducted remotely via platforms like Teams.
- Interviews: Expect the auditor to speak with staff from various departments to verify that your ISMS is being followed in practice. Don’t worry—they won’t be talking to random employees. You’ll be asked beforehand to identify which staff members the auditor can approach.
- Process observations: The auditor will observe your processes and activities to ensure they align with your documented procedures. This will involve discussions with the identified staff members, during which the auditor will ask for evidence and clarification on how the processes operate within your ISMS. Keep in mind that the auditor will likely ask follow-up questions to ensure that what’s documented is being carried out in practice. It’s not just about what’s written down but about proving that your procedures are actively followed and effective.
- Document review: Expect a thorough review of your records, policies, and systems. The auditor will examine all relevant processes to check whether the policies and procedures you’ve put in place are working correctly.
- Findings: It’s almost certain that the auditor will identify some findings (i.e., nonconformities or observations). This is no cause for stress! The goal is not to be perfect but to show that your ISMS operates effectively and that Annex A controls are effectively implemented. Findings will likely highlight areas that need improvement, which is a natural part of the audit process and an opportunity to make your ISMS stronger.
To prepare effectively, concentrate on these critical areas:
ISMS design and implementation: In phase 1, the auditor looked at whether you had the right documentation in place, such as risk registers and treatment plans. In phase 2, they’ll go into the actual operations of your ISMS. You’ll need to explain why you identified specific risks, why you chose certain treatment plans, and how well these match your organisation’s risk profile. For example, if you have a backup policy, you may need to show it’s not just a document but an active process. The auditor will assess whether your documented processes are effective in practice. In other words, your Plan-Do-Check-Act (PDCA) cycle should be fully operational. For more information about the PDCA cycle, check out our blog International Information Security – ISO 27001.
Implementation of Annex A controls: Be ready to demonstrate how you’ve practically applied and implemented the relevant controls from Annex A of ISO 27001. It’s not enough to just list them—you will need to demonstrate that they’ve been implemented in a way that fits your business. This is where NAALA’s toolkit can help. It includes an implementation plan that walks you through each control, helping you track your progress and ensuring you’re hitting all the necessary points.
Reminder: by phase 2 you’ll want to be ready to show that the controls aren’t just ideas but are operational and adding value.
Continual improvement: The phase 2 audit isn’t just about showing what you’ve done so far; it’s about proving that you’re continuously improving. One of the best ways to do this is by having your Monitoring & Measurement (M&M) activities in place and performed, ensuring you have the outcomes of such activities readily available. These activities show that you’re actively tracking the effectiveness of your ISMS. Also, make sure you’ve addressed any feedback or issues raised during the phase 1 audit—auditors love to see that you’re learning and improving. NAALA’s toolkit can help here too, offering a set of standard M&M tasks to ensure you’re on track and continuously improving your ISMS.
Here are some best practices to help you prepare:
- Address phase 1 findings: Ensure you’ve addressed any issues identified during the Phase 1 audit. It’s a good idea to document these as deviations in your non-conformities register and treat them as such. Even if the auditor made observations or comments that weren’t formally noted as concerns, consider logging these as opportunities for improvement in your improvement register. This proactive approach shows that you’re serious about continuous enhancement.
- Gather evidence: Collect documentation that proves your ISMS is operational and effective. This might include risk assessment reports, internal audit records, incident logs, awareness training records, and operational & monitoring activities. The key is having a solid audit trail—document every step so that someone else can replicate the process and achieve the same results. This not only ensures consistency but also provides the evidence the auditor needs.
- Prepare your team: Brief your staff on what to expect during the audit. Make sure that key people—such as your Information Security Officer (ISO), technical ISO, management, a member of the development team, HR, and the office manager—are familiar with their roles in the ISMS and have read the relevant policies. These are the roles the auditor will likely want to speak with, so it’s important they understand their responsibilities and can explain them clearly. By preparing these individuals, you demonstrate that your ISMS is ingrained in the organisation and that everyone is aligned. Furthermore, these employees should be able to prove that the ISMS has actually been implemented and is working effectively. For example, if you have created an onboarding policy for new hires, the auditor may want to check whether that policy was actually followed in the onboarding of a recent hire.
- Conduct an internal audit or mock audit: Perform a thorough internal audit. As mentioned in our blog on the phase 1 audit, an internal audit should be carried out by an independent person. This can be done internally, or you can engage an external party – for example, NAALA – to conduct an internal audit. This will give your team a chance to experience an external audit environment and feel comfortable answering questions. Moreover, as an internal auditor, an external party can take a fresh, critical look at your ISMS and identify any gaps or areas for improvement before the actual audit takes place. Think of it as training and an extra layer of assurance.
- Be honest and transparent: If the auditor identifies issues, acknowledge them and discuss your improvement plans. This also means that it doesn’t have to be perfect! Is there any part of your policy documentation that you have not (yet) fully mastered or cannot (yet) fully implement before the external audit? Identify the deviation, record it as such, and don’t be afraid to discuss it. The auditor will want to see that the processes in your ISMS are effective, and part of that is recognising, acknowledging and resolving deviations.
Once the phase 2 audit is complete, the auditor will provide a detailed report outlining their findings. The outcome of the audit may vary depending on the type of findings. Here is what to expect (please note that external auditor organisations may use different terminology or approaches themselves, but broadly the following applies):
- Minor non-conformities: If minor non-conformities are found, you will need to submit a plan of action (PoA) to address them within a certain timeframe. The auditor must approve this plan before your ISO 27001 certificate is issued. The effectiveness of your corrective actions will be verified during the next surveillance audit.
- Major non-conformities: For major non-conformities, you’ll need to submit a PoA along with evidence that the corrective actions have been fully implemented. The certificate will only be issued once these issues are resolved. This may involve additional contact with the auditor, either through a follow-up call or another visit to verify the resolution.
- Observations/recommendations: These are opportunities for improvement that don’t require immediate action. However, you must demonstrate that you have considered them and made decisions on how to address them. Be sure to include these in your improvement plan and document your actions or decisions.
Once all non-conformities are addressed and the auditor is satisfied with the resolutions, the external auditor will make a final decision on awarding your ISO 27001 certificate.
Remember, the phase 2 audit is not just a hurdle to overcome, but an opportunity to validate and improve your information security practices. With thorough preparation and a commitment to continuous improvement, you’ll be well-positioned for a successful audit and a more robust ISMS.
Questions? We are happy to discuss your specific case.
Need Help?
Starting your ISO 27001 journey and preparing for external audits can feel overwhelming. Need guidance or unsure where to begin? NAALA can help you achieve compliance and certification with ISO 27001.
NAALA’s toolkit is designed to help you set up your ISMS. It includes all the necessary documentation—from essential policies to compliance evidence. The toolkit is easy to integrate into your existing workflow, making the process smoother and ensuring efficiency. It also comes with a phased implementation plan and a maintenance plan to keep your ISMS up to date.
Additionally, NAALA offers continuous support through our Officer-as-a-Service, where a Security Officer manages your compliance, conducts audits, and ensures your ISMS stays aligned with the latest regulations. This keeps your ISO 27001 implementation effective and up-to-date across your organisation.