How to effectively audit any ISO 27001 process?

First of all, auditor needs to be a SME, not only to the security management system, but also specifically in regards to ISO 27001. The reason is related to the fact that “terminology” or “particular definition” of terms is important. 

Then there are three simple aspects of any process or policy document which should have been adequately addressed by piece of documentation, so we need to focus on those aspect to have an effective audit: 

  • Purpose 

Everything starts with statements regarding purpose of a policy, guideline, work instruction or procedure. There has to be clear definition of the purpose of any given process and as an auditor, one need to fully understand and even criticize it. 

  • Scope 

That is where the context comes in which is usually in deliberately overlooked by auditors! Focus on the scope but never criticize it. Always have the scope in your mind when trying to define the border of a process. 

  • Records 

Evidence is the main result of a process and must be addresses during audit. A survey without evidence does not have any values and it is not effective to the whole process evaluation, measurement or critic. 

By focusing on above 3 simple aspects of any ISO 27001 documentation, you will have an effective ISMS audit, whether internal or external. 

Published by Kaveh Mofidi

Still waking up every morning with so much passion just to do one thing: find simple solutions for big complicated issues! and seriously information security and computers are so fun to play with, but those are not a big deal, we need to find solution for unlimited energy, drinkable water, food, shelter, jobs, war, injustice... those are our real problems on the Earth!