What are the audit categories for ISO 27001?

There are generally four main audit categories for ISO 27001: Certification audit, Internal audit, Surveillance audit, and Recertification audit.

Each of these audits is important in its own way, and each one needs to be performed correctly for your organisation to achieve and maintain certification. Here’s everything you need to know about ISO 27001 audits.

Certification audit

The Certification audit is the first and most important type of audit for ISO 27001. This audit is usually conducted by an external assessor and is generally split into Stage 1 and Stage 2 Audit.

Stage 1 Audit is the preliminary audit and is typically conducted to determine whether your organisation is ready for a full certification audit. Stage 2 Audit is the actual certification audit, which examines your ISMS’s compliance with the standard in more detail. If you pass this audit, you will be awarded certification.

It’s worth noting that the Certification audit doesn’t have to be split into two stages and can be performed as a single-stage audit. In the single-stage format, the assessor conducts a full audit right away and makes a decision on certification based on the results. This option is typically used for smaller organisations or those with a limited scope.

Internal audit

The Internal Audit is conducted by your employees or external consultants and is used to assess your organisation’s compliance with ISO 27001. The Internal audit should be conducted at least once per year, and it should cover all the requirements of ISO 27001. The goal of the Internal audit is to identify any areas where your organisation needs improvement and develop an action plan to address any non-conformities.

Generally, three internal auditing methods can be used to determine compliance: System Audits, Process Audits, and Product Audits. System audits are the most comprehensive type of audit, and they cover the entire system of your organisation. Process audits are used to assess specific processes within your organisation, and product audits examine products or services that your organisation produces.

It is important to remember that internal audits are not a substitute for the Certification audit; they are simply a way to check your progress and ensure that you are meeting the standard’s requirements.

Surveillance audit

The Surveillance audit is conducted by a certification body and generally focuses on clauses 4-10 of ISO 27001. The Surveillance audit should be scheduled in years one and two after certification, and recertification audits should cover the entire scope of ISO 27001.

When conducting this type of audit, the certification body will review your management system and may ask to see some of your documentation.

Recertification audit

The Recertification audit is conducted by your certification body and is used to ensure that your organisation is still compliant with ISO 27001. The Recertification audit will be performed once every three years.

Tip: Although there are no specific requirements for how an organisation conducts its audits, it’s advisable to follow the ISO 19011 guideline so that your audits are effective and efficient.

Contact Citation Certification

Are you struggling to keep up with the requirements of ISO 27001? Citation Certification offers a range of services that can help your organisation achieve and maintain compliance with the ISO 27001 standard. Contact us today to learn more about how we can help you get ISO certification.