By: Jay Hunter Anson
This article describes the internal and external ISO/IEC 27001 audits the Republic of Palau’s Ministry of Finance must complete to demonstrate that it follows a current, internationally recognized information security management standard.
- Why ISO 27001?
- Overview of ISO 27001 Audits
- Importance of ISO 27001 Audits
- Types of ISO 27001 Audits
- ISO 27001 Audit Stages
- ISO 27001 Auditors
- ISO 27001 Audit Timeline
“Palau’s security strategy is critically dependent on our response to the numerous opportunities and challenges posed by the cyberspace environment in which the international community operates.” (2022 Republic of Palau National Security Strategy)
Why ISO 27001?
ISO/IEC 27001 is one of the most widely recognized and internationally accepted information security standards. It takes a top-down, risk-based approach: rather than prescribing a fixed set of technical measures, it specifies the requirements for an Information Security Management System (ISMS), the governance and risk-management framework through which an organization decides how to manage and protect its information, and it lists in Annex A the reference controls the organization selects from on the basis of its own risk assessment.
Overview of ISO 27001 Audits
An ISO 27001 audit is a review that checks whether the Ministry of Finance’s ISMS conforms to the requirements of the current edition of the standard, ISO/IEC 27001:2022. To obtain and retain ISO 27001 certification, an organization must conduct regular internal audits and undergo periodic external audits by a certification body.
ISO 27001 certification demonstrates that the Ministry of Finance’s ISMS and the controls it has selected are adequate to protect its data, documents, and other information assets. The certificate also gives the Ministry of Finance a recognized way to show partners, donors, and counterpart agencies that its security controls are rigorous and aligned with international standards.
To qualify for certification, the Ministry of Finance must pass an external audit by an accredited, impartial certification body, whose auditors verify that the Ministry’s processes and systems meet the requirements of ISO/IEC 27001:2022.
Regular ISO 27001 audits demonstrate that the Ministry of Finance’s security controls operate effectively and efficiently, and they provide a continuing record of conformance with the standard. They also give the Ministry of Finance a recurring opportunity to review the residual risk that remains after its existing controls are applied.
With the results of each audit, the Ministry of Finance can continue to improve its ISMS and controls until the residual risk falls within the tolerance its management has set.
Importance of ISO 27001 Audits
Fundamentally, a series of ISO 27001 audits are required to complete the ISO 27001 certification process. Without successfully completing these audits, the Ministry of Finance cannot claim to comply with the international standards for information security management.
In some cases, partners, donors, or counterpart organizations may contractually require ISO 27001 certification before entering into or renewing an agreement. This can make ISO 27001 audits essential for the Ministry of Finance to establish and retain such relationships.
After the Ministry of Finance receives its ISO 27001 certification, it must follow a regular auditing schedule to demonstrate ongoing compliance with ISO 27001 standards and maintain certification.
Audits show that the Ministry of Finance’s systems, processes, and controls are working effectively and continuously protecting its information assets.
Regularly scheduled audits assess new risks as the Ministry of Finance’s scope and systems grow, allowing weaknesses in existing systems to be identified early. These audits also reveal opportunities for the Ministry of Finance to strengthen its data management and IT security practices.
Types of ISO 27001 Audits
ISO 27001 compliance requires two types of audit: internal audits and external audits. The standard itself (clause 9.2) requires internal audits at planned intervals but does not fix the interval; certification bodies, for their part, schedule external surveillance audits at least annually. For the Ministry of Finance to remain ISO 27001 certified, both periodic internal audits and periodic external audits are required.
An ISO 27001 internal audit is a review of the Ministry of Finance’s ISMS performed by impartial internal staff trained in the standard, or by an external contractor hired to work alongside an internal team. Even when an internal audit is performed by an external party, it is still an internal (first-party) audit; only an audit performed by the certification body counts as an external (third-party) audit.
A consistent ISO 27001 audit programme is required to maintain compliance. The approved internal audit plan defines how frequently internal audits are conducted, the methods used to complete them, the criteria and scope of each audit, and who is responsible for planning, performing, and reporting the results.
The frequency of internal audits is set by the Ministry of Finance itself in its audit programme, taking into account the importance of each process and the results of previous audits; the certification body sets the schedule for external audits. In practice, the Ministry of Finance should expect to complete a full internal audit cycle at least annually, so that every part of the ISMS is covered before each external surveillance audit.
Typically, an ISO 27001 internal audit involves:
- Reviewing and maintaining internal documentation for policies and procedures
- Sampling evidence from the ISMS as part of a field review, demonstrating that the policies and procedures are followed consistently
- Analyzing the findings from the document review and the field review to determine whether the ISMS meets ISO 27001 requirements, and recording any nonconformities
- Implementing improvements, as needed, based on audit findings
The path to certification begins with an internal audit, in which the Ministry of Finance reviews its current IT processes and documents the scope of its ISMS for later external review.
Next, the Ministry of Finance completes a risk assessment and gap analysis, and presents the results alongside its other ISMS documentation to the auditors of the certification body.
Finally, once certified, the Ministry of Finance must conduct regularly planned internal audits to maintain certification.
External audits are conducted by accredited certification bodies to confirm conformance with ISO 27001. The Ministry of Finance must participate in four kinds of external audit (the first two together make up the initial certification audit):
- ISMS Design Review (stage 1). The Ministry of Finance defines the ISMS scope and requests that the certification body perform the ISMS Design Review. During this external audit, the auditor reviews the Ministry of Finance’s documentation, processes, and procedures to confirm that the design of the ISMS and its selected controls aligns with ISO 27001. If the Ministry of Finance meets the stage 1 requirements, the auditor confirms its readiness to proceed to the Certification Audit.
- Certification Audit (stage 2). During the Certification Audit, an auditor reviews the Ministry of Finance’s business processes and controls through a field review to confirm that the ISMS operates as documented and that the Annex A controls the Ministry has declared applicable in its Statement of Applicability are implemented and effective. The 2022 edition of Annex A lists 93 reference controls in four themes (organizational, people, physical, and technological); any control the Ministry excludes must be justified in the Statement of Applicability. Meeting these requirements makes the Ministry of Finance eligible for full ISO 27001 certification.
- Surveillance Audits. To confirm continued conformance after certification, the certification body conducts Surveillance Audits, normally once a year in each year that is not a recertification year. Samples of records and evidence are evaluated to confirm that procedures and processes are being followed as defined in the Ministry of Finance’s documentation. Surveillance audits usually focus on selected ISMS areas rather than the whole system.
- Recertification Audits. Finally, the Ministry of Finance will undergo an extensive Recertification Audit every three years to renew its ISO 27001 certificate. This review covers all areas of the ISMS and mirrors the initial Certification Audit, confirming that the Ministry of Finance continues to meet the standard and is improving its ISMS as new risks arise.
ISO 27001 Audit Stages
As the Ministry of Finance prepares for ISO 27001 certification, it is important to understand the two stages that make up the initial certification audit. Certification is contingent on passing both stages, and both are performed by the certification body. As a best practice, organizations often engage a separate consultant or auditor for a readiness assessment before stage 1; this party must be independent of the certification body, since a certification body cannot both advise on an ISMS and certify it.
Stage 1 of the ISO 27001 audit is the ISMS Design Review. Before the Ministry of Finance requests the stage 1 audit, it is critical to prepare properly for what the Design Review entails. An ISO 27001 audit checklist can help with stage 1 preparation.
- First, the ISSS team will determine the Ministry of Finance’s risk tolerance and security baselines based on stakeholder expectations, including legal and contractual requirements. These elements define the ISMS scope, the security objectives, and the Statement of Applicability (SoA) that the certification audit will assess.
- Next, the Ministry of Finance must thoroughly document all ISMS processes, procedures, policies, guidelines, and controls, using the requirements in ISO/IEC 27001 and the implementation guidance in ISO/IEC 27002. The Ministry of Finance will complete a risk assessment, a risk treatment plan, and a gap analysis for submission with the rest of the documentation.
- Once the Ministry of Finance has implemented and documented the ISMS controls, the auditor conducts the ISMS Design Review. All documentation is evaluated against the ISO 27001 requirements. On completion, the auditor provides the Ministry of Finance with a stage 1 audit report.
- The audit report includes findings and recommendations to improve the Ministry of Finance’s processes or controls before stage 2. The Ministry of Finance’s employees may also need to complete additional security awareness training to close stage 1 findings before moving on to stage 2 of the certification process.
- If the auditor confirms after stage 1 that the Ministry of Finance is ready, it is eligible to proceed to stage 2 and pursue certification.
In the ISO 27001 stage 2 audit, an auditor from the certification body performs an evidential field review to confirm that the Ministry of Finance’s business processes and controls within the ISMS align with the documented procedures reviewed in stage 1.
- The auditor examines a sample of records, systems, and information assets as evidence that the Ministry of Finance’s ISMS operates effectively and meets the requirements of ISO 27001 and the Annex A controls declared applicable in the Statement of Applicability. This evidence should demonstrate that the Ministry of Finance’s procedures work as documented.
- To complete the audit, auditors interview the key stakeholders responsible for managing the ISMS as well as members of the internal audit and compliance functions. They also request prior audit reports and evidence of any remediation completed in response to stage 1 findings. These reports tell them which nonconformities the previous auditor raised, and the management review records confirm that the improvements were implemented.
- Before stage 2, the Ministry of Finance must already have defined, documented, and exercised the processes it will rely on after certification, in particular the security awareness training procedure and the internal audit process. Certification bodies expect evidence that at least one internal audit cycle and one management review have been completed before stage 2 takes place, so these cannot be left to be defined during the audit.
Once the stage 2 audit is passed, the Ministry of Finance will hold an ISO 27001 certificate valid for three years. During that period the certification body will perform annual surveillance audits, and the Ministry of Finance must keep to the internal audit schedule it has declared and be able to show at each surveillance audit that its controls continue to operate as intended.
ISO 27001 Auditors
Valid internal and external ISO 27001 audits must be conducted by impartial, competent, and experienced auditors with demonstrable knowledge of the ISO 27001 standard. Demonstrable knowledge is commonly shown by formal training or certification, although competence may also be demonstrated through relevant ISO 27001 audit experience.
For internal audits, auditors must be independent of the people who maintain the ISMS, so that they are not reviewing their own work and no conflict of interest arises. Since the Ministry of Finance does not have a separate compliance division or audit team, the practical option is to hire a formally trained contractor or auditing firm to support the internal audit plan. Such firms can also help the Ministry of Finance avoid common ISO 27001 audit mistakes.
Certification bodies employ approved auditors who perform the external certification, surveillance, and recertification audits. These auditors have typically completed an ISO/IEC 27001 Lead Auditor course or a similar formal training and certification programme.
ISO 27001 Audit Timeline
Auditing the Ministry of Finance’s ISMS for certification can be a lengthy process. For most small to mid-sized organizations, the initial certification process takes between 6 and 12 months from start to finish. Larger organizations with a more comprehensive ISMS or a more extensive scope can expect the process to take up to 18 months.
The Ministry of Finance should expect extensive documentation work even before requesting the stage 1 ISMS Design Review. This preparation alone often takes 6 to 10 months, and the Ministry of Finance may need to complete several internal audits and rounds of remediation before the ISMS is ready to enter the certification process.
Once the certification process begins, an auditor will work with the Ministry of Finance to create an ISO 27001 audit schedule. This schedule determines the timeline for an auditor to review thoroughly the documentation in stage 1 and collect enough evidence to prove compliance in stage 2.
While document review during stage 1 typically takes about a week to complete, stage 2 often takes longer because auditors interview stakeholders and spend more time examining the Ministry of Finance’s ISMS.
During either stage, the auditor may raise nonconformities that must be remediated before the Ministry of Finance can proceed. Depending on what remediation is needed to meet ISO 27001, completing those improvements can further extend the certification timeline.
About the Author
Jay Hunter Anson is a retired US Army Signal Officer (LTC/O5) with humanitarian assistance/disaster relief, peacekeeping and operational experience throughout Central America, South America, the Caribbean, and Europe, including the Balkan Wars (Bosnia, Croatia, and Kosovo). He is a combat veteran with multiple year-long tours in Iraq and Afghanistan. In 2019, Jay completed his 29-year military career while assigned to US Southern Command. A native of the Republic of Palau, Jay serves on the Ministry of Finance’s Board of Directors and is the Cybersecurity Advisor to the Republic of Palau’s President and National Security Coordinator. He is a Senior Security Analyst for Lennar Technology Services and a Service-Disabled Veteran Small Business Owner of Guardian Cyber, LLC (www.guardiancyber.us). Jay holds several academic degrees and industry certifications including the ISACA Certified Information Security Manager, US Department of Defense Strategist, US Cyber Command Cyber Operations Planners Course, and a Masters in Military Arts and Science from the US Army Command and General Staff College, Fort Leavenworth, Kansas U.S.A. In addition to his volunteer work with AFCEA International, Jay is a Cyber Florida Ambassador for Region 8, and a STEM Advisory Board Member for Miami-Dade County Public Schools. He Tweets at @JHX_1138. The views expressed are personal.