ISO 27001 Audit Tips and Tricks

the easy way to maintain an effective, low cost and smart ISO 27001 security management system

ISO27001/ISO27002: A Pocket Guide
Information is one of your organisation’s most important resources…

Even though there is no magic behind auditing a system based on ISO 27001, there are simple tricks which help you handle ISO 27001 or many other similar standards and frameworks, both as and auditor and auditee.

I would point only at one single tip if I wanted to direct you to just one important aspect of ISO 27001, and that is “Links”. The connection between different parts of standard is the key to kingdom! Understanding this key makes you super strong either as an auditor or as an auditee.

There are certain connections between different Clauses or even different Controls. Majority of ISO 27001 standard element are linked together and this simple means, as long as you follow links, you will reach a final destination for sure which is the flawless system with no broken links.

Main links are from relationship between SoA, Risk, Asset and Access

Links are important because if Clauses, Documents, Policies, Controls…are not connected and consistent, you will be noncompliance ultimately. No matter how hard you try to have a comprehensive, beautiful, technical…set of policies, ignoring links is a reg flag for any experienced auditor, they simply see the effect right away and after that all system looks synthetic!

Main links are between SoA, Risk, Asset and Access. These are foundations and without proper linkage, there is no way to maintain a healthy, consistent, auditable ISO 27001 security management system. Start with SoA, that document is not an index or table of contents! Flow from SoA to Risk Assessment, vice versa and multiple times until all controls has justification. Never compile Asset policies without conducting demonstrating and understanding the links with higher SoA and Risk, and then jump into Access as the baby and outcome of first 3 document.

As an auditor you should always look for broken links because also analysing and accepting a subject without finding conceptual link with other topic is nothing more than ignoring the main purpose of standard, which is a solid management system, not a set of individual files and unclear processes.

As an auditee try to find your broken links prior to audit. This does not require internal audit at all. This is more and more reviewing your key documents by someone who understand the links and concepts, not just memorizing Clauses.

Remember after having a system flawless of broken links, you have already started the easy way to maintain an effective, low cost and smart ISO 27001 security management system, something which has the potential to make money for your business rather than a hassle and expense.

Kaveh Mofidi

By Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!