How to effectively audit any ISO 27001 process?

First of all, auditor needs to be a SME, not only to the security management system, but also specifically in regards to ISO 27001. The reason is related to the fact that “terminology” or “particular definition” of terms is important. 

Then there are three simple aspects of any process or policy document which should have been adequately addressed by piece of documentation, so we need to focus on those aspect to have an effective audit: 

  • Purpose 

Everything starts with statements regarding purpose of a policy, guideline, work instruction or procedure. There has to be clear definition of the purpose of any given process and as an auditor, one need to fully understand and even criticize it. 

  • Scope 

That is where the context comes in which is usually in deliberately overlooked by auditors! Focus on the scope but never criticize it. Always have the scope in your mind when trying to define the border of a process. 

  • Records 

Evidence is the main result of a process and must be addresses during audit. A survey without evidence does not have any values and it is not effective to the whole process evaluation, measurement or critic. 

By focusing on above 3 simple aspects of any ISO 27001 documentation, you will have an effective ISMS audit, whether internal or external. 

Published by Kaveh Mofidi

He starts and finishes a day for only one reason which he is so passionate about: find simple solutions for huge and complicated issues! He believes information security and computers are so fun to deal with, but the real deal is to find solution for unlimited clean energy, drinkable water, hunger, war, injustice... those are our real problems on the Earth!