Part 39 - Getting Certified to ISO 27001 – The Stage 1 Audit
After you have selected your Certification Body and signed up with them, it is time to book your Stage 1 audit.
Stage 1 is where the Certification Body (CB) confirms that you are ready for the full audit. The CB checks that all the required systems, processes and procedures are in place, and that your resources are ready.
Most CBs will recommend that the Stage 1 audit is conducted on your site. However, if the CB already has experience of you and your industry, then this audit could be done offsite.
At Mango we had the Stage 1 both offsite and onsite.
During the Audit:
During the audit, the auditor will review your scope of the information security management system.
Their job is to obtain information on your systems, processes and operations. They will look at the equipment and some of the levels of control that you have established.
The auditor will check your internal audits and management reviews to ensure they are being planned and performed. They will also use the audits and reviews to pick up weaknesses you have already identified yourself.
They will then review the allocation of your resources: people, buildings, equipment, software etc.
After the Audit:
After the audit the CB will give you a Stage 1 report to outline the state of your readiness for the next stage - Stage 2.
They will identify any areas of concern that could be classified as potential non-conformance during the Stage 2 Audit.
The Stage 1 audit is much shorter in duration than Stage 2.
The audit will usually be carried out in one day. If you have more than one location, the audit would normally be conducted at your Head Office.
Typically there are a few weeks between a Stage 1 and a Stage 2 audit. This is to allow you to address any observations prior to the full (Stage 2) audit.
In addition, the CB needs to determine the size of the audit team for the Stage 2 audit. They also need to determine whether technical experts are required to help with complex technicalities during the audit.
So the objective of a Stage 1 audit is to determine your readiness for the CB's Stage 2 audit of your QMS.
Here at Mango, because we use our product Mango to manage our ISMS, the auditor could do some of the Stage 1 offsite. We gave the auditor a username login (and a password) to Mango. The benefits of this approach were:
- The auditor could do this in their own time.
- The audit didn’t hold up any of our personnel in a visit.
- Communication was all online.
- Questions were emailed through and easily answered.
- The auditor was not under pressure to rush through the audit.
Tips:
- To save time and money, ask the auditor to do the Stage 1 audit remotely.
- Make sure everything is ready:
  - Internal audits are done
  - Management Review is done
  - QMS documentation is ready
  - Capture evidence that the systems are in place
- Learn from the findings in the CB audit report.
View previous blogs in this series "ISO 27001 Information Security Management Standard":