How do you prepare for your ISO 27001 phase 1 audit?
Sofie Geurts
Legal Consultant
Published on 4 September, 2024
Do you know how to prepare for the phase 1 audit?
We won’t pretend it’s fun, but it can be made easy. Within your ISO 27001 certification process, the phase 1 audit is your first major milestone where the contents and structure of your ISMS will be tested. This guide will help you understand what to expect and how to prepare effectively for this step.
Understanding the phase 1 audit:
The phase 1 audit, also known as the document review or readiness review, is the initial stage of the ISO 27001 certification process. Its primary purpose is to assess whether your organization is prepared for the more in-depth phase 2 audit. Keep a lookout for our upcoming blog on preparing for your phase 2 audit!
These audits can best be described as a continuous dialogue where the auditor will ask you questions (about ISO 27001 requirements) and you will answer these and provide the auditor with the necessary evidence. Perceived confidence is an often overlooked skill in these kinds of processes. The individual leading the audit for your organization will be the spokesperson for your processes and must act accordingly.
During this audit, the auditor will:
- Review your ISMS documentation
- Evaluate your understanding of the ISO 27001 requirements
- Gather information about your organization’s context and scope
- Assess your readiness for the phase 2 audit
Prepare for ISO 27001 Phase 1 Audit!
To prepare effectively for your phase 1 audit, concentrate on these areas:
- ISMS documentation: You will need to make sure that all required documents are in place, including:
  - Information security policy
  - ISMS scope
  - Risk assessment and treatment methodology
  - Statement of Applicability (SoA)
  - Information security objectives
  - Operational planning documentation for ISMS maintenance
- Context of the organization: Be prepared to discuss:
  - Internal and external issues affecting your ISMS
  - Interested parties and their requirements
  - Scope of your ISMS
- Risk assessment and treatment: Have documentation ready showing:
  - Your risk assessment methodology
  - Identified risks and their owners
  - Risk treatment plans
  - For a deeper understanding of the distinctions between risk assessment and treatment, be sure to check out our blog on phase 2.
- Leadership and commitment: Demonstrate top management’s involvement in:
  - Establishing the information security policy
  - Ensuring ISMS integration into organizational processes
  - Providing necessary resources
- Internal audit and management review: Have evidence of:
  - An internal audit schedule
  - Completed internal audits
  - Management review meetings and outcomes
- Roles within the organization: Provide evidence that your organization has:
  - Defined roles within your organization related to the ISMS
  - Established required competencies for these roles
  - Evidence that personnel meet the required competencies
Here are some best practices to help you prepare:
- Conduct a gap analysis: Perform a thorough review of your ISMS against ISO 27001 requirements to identify and address any gaps. Remember that ISO 27001 consists of a Harmonized Structure (HS) and specific controls (Annex A). During your gap analysis, ensure both are thoroughly examined to confirm your ISMS is compliant. Engaging an external consultant, such as NAALA, can provide an independent perspective and better prepare you for this event.
- Prepare your team: Your team has an important role to play during the audit. It is essential that everyone involved in the ISMS is well-prepared, understands their role, and is familiar with ISO 27001 requirements. In phase 1, the auditor focuses on management and the Information Security Officer. Although the auditor may primarily interact with these roles during phase 1, it’s beneficial for the entire team to be aware of their responsibilities. This level of preparation demonstrates to the auditor that information security is ingrained in your organization’s culture, and showcases a strong, cohesive team ready to uphold ISMS principles.
- Organize your documentation: Have all relevant documents easily accessible and well-organized for the auditor. NAALA’s toolkit can help streamline this process. Our DIY-ISMS toolkit includes all necessary documentation, from essential policies to the required documentation to provide evidence of compliance. Our toolkit is made to easily integrate into your existing workflow, enhancing both efficiency and compliance. The toolkit also provides a phased implementation plan and a maintenance plan to help you adopt ISO 27001 standards systematically and keep your ISMS up-to-date.
- Be honest about your maturity: If certain aspects of your ISMS are still in development, be upfront about this. The phase 1 audit is about assessing readiness, not perfection. Ensure that the framework for all processes is in place, with relevant policies and work instructions ready and accessible. It can be advantageous to demonstrate some level of monitoring and measurement already in action, as this shows the auditor that your Plan-Do-Check-Act cycle is operational and your ISMS is subject to continuous improvement.
- Use the audit as a learning opportunity: View the auditor’s feedback as valuable input for improving your ISMS. Rather than being defensive, engage constructively with the auditor. They are there to help you refine your ISMS and challenge you to ensure continuous improvement. A constructive attitude will foster a positive relationship and benefit your organization in the long run.
Watch out for these common mistakes:
- Incomplete documentation: Ensure all required documents are not only in place but also fully developed. In phase 1, the auditor will verify that all elements stemming from the High-Level Structure are documented in your ISMS and operational. Documentation required to implement controls from Annex A must be present during phase 1, even though their effectiveness will be assessed in phase 2. For further details about phase 2, please refer to the blog that will be uploaded on 11 September.
- Misunderstanding the scope: Be clear about what is and isn’t included in your ISMS scope. If you’re struggling to define your scope, NAALA’s toolkit offers a practical guide to help you get it right. Our experts are also on hand to assist in refining your scope, tailored to your organization’s specific needs and objectives.
- Neglecting the Statement of Applicability (SoA): Ensure your SoA is comprehensive, detailing which controls apply to your ISMS, why they are relevant, and their current implementation status. The SoA is a central document that is often not reviewed thoroughly enough, despite its importance in indicating which elements are applicable and why. Double-check your SoA for accuracy once it is filled in completely, as any discrepancies could lead to findings. Remember, for phase 1, it’s not necessary for all controls to be fully implemented unless specific documentation is required for a control.
- Lack of management involvement: Demonstrate active engagement from top management in the ISMS. Management needs to articulate the importance of the ISMS to the organization and ensure all team members understand how to handle information security. Make sure your management team is well-versed in the implementation process and aware of their roles within the ISMS. They should be prepared to participate in the opening and closing meetings of the audit. This level of involvement will positively influence the auditor’s assessment of your ISMS readiness and overall commitment.
- Incomplete implementation of processes: An issue that we see often is failing to have all necessary processes in place before the phase 1 audit. The auditor will verify whether all components of the HLS are documented and implemented in your ISMS. It’s not sufficient to merely have a policy or a plan in place; you must demonstrate evidence of implementation. For example, your ISMS needs a process for conducting internal audits, so you need to make sure an internal audit has been carried out, the report is available, and any findings have been addressed or are scheduled for follow-up. The same applies to the management review process. Make sure these processes are completed, documented, and any necessary follow-ups are planned. The auditor wants to see evidence that your ISMS is operational and that key processes have been implemented and are functioning.
What happens after the phase 1 audit:
- The auditor will provide a report outlining their findings, including any areas of concern.
- You’ll have the opportunity to address any identified issues before the phase 2 audit.
- The auditor will confirm whether you’re ready to proceed to phase 2 or if additional preparation is needed.
A few additional tips regarding the auditor’s findings: it’s a good idea to document any areas of concern as non-conformities or opportunities for improvement within your ISMS. Plan follow-up actions in line with your established procedures for handling non-conformities. It’s also beneficial to record any observations as potential improvements in your improvement plan and make sure these have been at least considered before advancing to phase 2.
Remember, the phase 1 audit is not just a hurdle to overcome, but an opportunity to validate your ISMS documentation and preparation. The auditor’s feedback is there to strengthen your system before moving on to phase 2.
For more information on what comes next, look out for our upcoming guide on Preparing for Your ISO 27001 phase 2 Audit!
Questions? We are happy to discuss your specific case.
For further insights on audit-related questions, or if you seek expert consultation on practical solutions, we invite you to get in touch. Our team is here to get you through the audit process and obtain the ISO certificate!