How to effectively audit any ISO 27001 process?

First of all, auditor needs to be a SME, not only to the security management system, but also specifically in regards to ISO 27001. The reason is related to the fact that “terminology” or “particular definition” of terms is important. 

Then there are three simple aspects of any process or policy document which should have been adequately addressed by piece of documentation, so we need to focus on those aspect to have an effective audit: 

  • Purpose 

Everything starts with statements regarding purpose of a policy, guideline, work instruction or procedure. There has to be clear definition of the purpose of any given process and as an auditor, one need to fully understand and even criticize it. 

  • Scope 

That is where the context comes in which is usually in deliberately overlooked by auditors! Focus on the scope but never criticize it. Always have the scope in your mind when trying to define the border of a process. 

  • Records 

Evidence is the main result of a process and must be addresses during audit. A survey without evidence does not have any values and it is not effective to the whole process evaluation, measurement or critic. 

By focusing on above 3 simple aspects of any ISO 27001 documentation, you will have an effective ISMS audit, whether internal or external. 

Kaveh Mofidi

By Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!