ISO 27001 Audit

Our ISO 27001 Audit provides an independent evaluation of your organization’s Information Security Management System (ISMS) against the requirements of ISO/IEC 27001:2022, including the clause 4 to 10 management-system requirements and the Annex A controls selected in your Statement of Applicability. The audit is conducted in two stages, following the ISMS auditing guidance in ISO/IEC 27007.

Stage 1: ISMS Audit Scoping

This stage establishes the audit scope and criteria and reviews the documented structure of the ISMS (scope statement, policy, risk assessment and Statement of Applicability) to confirm that the ISMS is sufficiently defined for Stage 2 to proceed.

  • Organizational Structure Review: Examination of the organization’s structure, responsibilities, and governance relevant to the ISMS.
  • Management Interviews: Discussions with responsible management to understand ISMS oversight and accountability.
  • Process and Asset Identification: Identification of key business processes and information assets relevant to the audit scope.
  • Audit Scope Definition: Determination of organizational units, systems, and processes included in the audit.

Deliverable: An approved ISMS Audit Plan defining the audit scope, criteria, and audit activities.

Stage 2: ISMS Audit Assessment

This stage evaluates whether the ISMS is implemented as documented and is effective against ISO/IEC 27001:2022 requirements, through document review, interviews, and verification of evidence such as records, system configurations, and samples of control operation.

  • Policy and Control Review: Examination of information security policies, procedures, and implemented controls.
  • Stakeholder Interviews: Interviews with relevant personnel to verify ISMS implementation across organizational functions.
  • Control Verification: Assessment of controls related to:
    • Information security governance and policies
    • Asset management and data classification
    • Access control and identity management
    • Third-party and supplier security
    • Business continuity and compliance monitoring
    • IT operations and physical security
    • Endpoint protection and malware controls
    • Configuration management and data protection
    • Network security and cryptography
    • Secure development and system lifecycle controls

Deliverable: The ISMS Audit Report, including:

  • Audit findings against ISO/IEC 27001:2022 requirements
  • Identification of nonconformities and observations
  • Assessment of ISMS implementation and effectiveness
  • Presentation of audit results and key findings to senior management

Basis of Work

The audit is conducted in accordance with the following standards:

  • ISO/IEC 27001:2022: Information Security Management Systems.
  • ISO/IEC 27002:2022: Information security controls.
  • ISO/IEC 27003:2017: Guidance for ISMS implementation.
  • ISO/IEC 27005:2022: Information security risk management.
  • ISO/IEC 27007:2020: Guidelines for auditing information security management systems.

Frequently Asked Questions

Need help? Here are the questions most often asked by our subscribers.

  • What is ISO 27001?

ISO/IEC 27001 is the international standard that specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its Annex A lists the reference controls (93 controls in the 2022 edition) from which an organization selects and justifies those applicable to its risks.

  • How long does an ISO 27001 audit take?

The timeline depends on the size and complexity of the organization, the number of sites and systems in scope, and how mature the ISMS already is. For most engagements, the process takes 3 to 6 months from scoping to delivery of the audit report.

  • What is an ISMS?

An Information Security Management System (ISMS) is the set of policies, processes, roles and controls an organization uses to identify, assess and treat its information security risks in a systematic, repeatable way. ISO/IEC 27001 defines the requirements such a system must meet.

  • What is the purpose of a Gap Assessment?

    A Gap Assessment compares the current state of the ISMS with the requirements of ISO/IEC 27001 and documents where it does not yet conform, so that the gaps can be prioritized and closed before a formal audit.

  • What happens after the Gap Assessment?

    Based on the findings of the Gap Assessment, we provide remediation recommendations, which may involve policy updates, implementation of missing controls, or process improvements, typically prioritized by the risk each gap represents.

  • Can I implement ISO 27001 on my own?

It is possible to implement ISO 27001 internally. Working with experienced consultants helps you meet the requirements more efficiently and avoid common pitfalls, such as an ill-defined scope, a risk assessment that is not tied to the selected controls, or missing evidence of control operation.

  • What happens if nonconformities are found during the audit?

    Identified nonconformities are documented in the audit report, classified by severity, and communicated to the organization for root-cause analysis and corrective action. Nonconformities must be closed, or an accepted corrective action plan must be in place, before a certificate can be issued.

  • How often do I need to be re-audited for ISO 27001?

After initial certification, an organization undergoes annual surveillance audits to confirm that the ISMS continues to conform and operate effectively. A full recertification audit is required every three years, before the certificate expires.

Get Started Today!
Contact us today to schedule a consultation or a security assessment.