The following questions were presented:
How does the BS7799 / ISO 27001 certification audit process actually work?
Before the audit:
mistake that organisations ever make is that they are not properly prepared for an audit. Many organisations who want to undergo a certification audit fail at the first stage because they have not properly prepared for it.
I have encountered are below:
case of this was the organisation that desk-dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1) did not spring to mind.
failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).
organisation that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification
failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes – go do it’ by the CEO or MD. There needs to be management commitment to the process as well as ring-fencing of resources (5.1 and 5.2).
What is a CB Audit, and why should I undergo one?
Auditing by a third party (an Accredited CB) is an assurance of an acceptable and risk-based level of information security being implemented that is regularly reviewed.
There are a number of reasons to obtain certification; these include:
Service provider assurance;
Business trading partner assurance;
Demonstrable and effective way of showing appropriate information security in place;
Reduce trade barriers – international
Reduce costs of regulation, corporate
So who can do this Certification?
The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).
that CBs meet national and international standards for the services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at http://www.european-accreditation.org/Docs/0002_Application/0005_Application%20documents%20for%20Certification%20of%20Management%20System/00300_EA-7-03.pdf
harmonises use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.
Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.
A CB uses auditors who are totally independent of the organisation being audited.
The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.
So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?
is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act, or Deming Cycle) and the old Annex A (updated) from BS 7799 Part 1 (1995).
BS 7799 Part 2 (2002) is a Specification.
ISO 17799 is a Code of Practice.
What Documents can I read to help me prepare for
There are a number of documents that are available, in addition to the BS 7799 and ISO 17799 standards themselves, and these include:
Information Security Management: An Introduction (PD 3000);
Preparing for BS 7799 Certification (PD 3001);
Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);
Are you ready for a BS 7799 Audit? (PD 3003);
Guide to BS 7799 Auditing (PD 3004);
Guide on the Selection of BS 7799 Controls (PD
ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);
EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification / Registration of Information Security Management
ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.
A number of books have been published on the BS 7799 process; a check of the local IT bookshop or Amazon should provide numerous titles from which to choose.
The types of Audit that may be undertaken in an
There are a number of audits that may be undertaken in an organisation, and these include:
First Party (Internal Audit) – Within an organisation, internal review etc;
Second Party (Supplier Audit) – Of a supplier
Third Party Audit – By a CB
In order to become a certified organisation, you need to start off correctly at the beginning and determine which CB you are going to engage to provide BS 7799 Certification services.
If you have any other certifications in the organisation, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). This is called integrated auditing and allows the number of days to be spent by the CB on site to be reduced, as they use the same auditor to audit more than one standard.
In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified and it saves me at least an audit day per year. Additionally I have only one visit so my routine is not disturbed.
If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them and get some idea of costs and services, and then ask them to send you the relevant forms to fill
The actual Certification process is a six step
Note: Not all CBs follow this process exactly – when investigating them, determine the discrepancies from this generic approach and ensure that you are happy with
Step 1 -
chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a
Step 2 - Application for Assessment
If you decide to proceed with certification with the chosen CB, then an application form must be filled in. Once this has been done it is returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged. This visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.
Step 3 - Stage 0 Audit, or could be called a ‘Pre-assessment Visit’ or a ‘Gap
This is an optional stage, but if you can afford it, I always recommend it.
You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA), and may have some controls in place and documented and may have some records available.
If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly, and that your management can have confidence in that.
It also can show management where they fail as well, as non-conformances are written up as part of the audit.
Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.
If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle or indicate the need to get a different consultancy!
Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organisation to warrant this.
provides a sanity check.
Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper.
looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time also the auditor will plan the Stage 2 audit.
the auditor reviews the documented ISMS – looking at:
Roles and Responsibilities;
Risk process/treatment and acceptance;
Documented processes and procedures supporting the ISMS;
Compliance, contractual and other regulatory
If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return to the CB for
you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.
either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.
Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
Stage 2 Audit, an objective assessment of the organisational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage
will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.
of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.
successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organisation is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.
Step 6 –
A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met, and again CAPs will be raised if
There are two types of ongoing audits; each is covered in turn below:
of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis).
frequency of these will vary with the CB, but typically the following will occur:
Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);
The first one is usually 3 months after the Stage 2 Audit to check for any CAPs outstanding since that audit;
At every audit any outstanding CAPs are audited
Audit all mandatory requirements;
Audit a representative sample of all other controls (so that all controls in the ISMS are reviewed in the surveillance
The Triennial audit, as the name suggests, is carried out every three years.
This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.
All controls are evaluated to ensure that the ISMS is operating properly and, assuming it is, your certificate is renewed for another 3 years.
If not, CAPs are raised and you have to
year surveillance audit process starts all over again.