How to effectively audit any ISO 27001 process?

First of all, auditor needs to be a SME, not only to the security management system, but also specifically in regards to ISO 27001. The reason is related to the fact that “terminology” or “particular definition” of terms is important. 

Then there are three simple aspects of any process or policy document which should have been adequately addressed by piece of documentation, so we need to focus on those aspect to have an effective audit: 

  • Purpose 

Everything starts with statements regarding purpose of a policy, guideline, work instruction or procedure. There has to be clear definition of the purpose of any given process and as an auditor, one need to fully understand and even criticize it. 

  • Scope 

That is where the context comes in which is usually in deliberately overlooked by auditors! Focus on the scope but never criticize it. Always have the scope in your mind when trying to define the border of a process. 

  • Records 

Evidence is the main result of a process and must be addresses during audit. A survey without evidence does not have any values and it is not effective to the whole process evaluation, measurement or critic. 

By focusing on above 3 simple aspects of any ISO 27001 documentation, you will have an effective ISMS audit, whether internal or external. 

By Kaveh Mofidi

I find simple solutions for huge and complicated problems. I believe information security and computers in general are fun to deal with, but our problems are way bigger than securing information. The real deal is to find solution for unlimited clean energy, drinkable water, mitigate root cause of hunger, war, and injustice...We need to keep our planet livable, that is our real problem on the Earth! Contact me with any question or comment: