ISO 17799 and ISO 27001 Newsletter

The David L Watson Interview

The following questions were presented:

How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:

The greatest mistake that organisations ever make is that they are not properly prepared for an audit. Many organisations who want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:

A classic case of this was the organisation that desk dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.

Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).

Any organisation that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes – go do it’ by the CEO or MD. There needs to be management commitment to the process as well as ring fencing resources (5.1 and 5.2).

What is a CB Audit, and why should I undergo one?

Auditing by a third party (an Accredited CB) is an assurance of an acceptable and risk based level of information security being implemented that is regularly reviewed.

There are a number of reasons to obtain certification, these include:

·        Organisational assurance;

·        Service provider assurance;

·        Business trading partner assurance;

·        Demonstrable and effective way of showing appropriate information security in place;

·        Competitive advantage;

·        Reduce trade barriers – international acceptance;

·        Reduce costs of regulation, corporate governance etc.

So who can do this Certification?

The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).

This ensures that CBs meet national and international standards for services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at

This harmonises use of Guide 62 for ISMSs and was approved by the European Co-operation for Accreditation (EA) in Nov 1999.

Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.

A CB uses auditors who are totally independent of the organisation being audited.

The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows ‘mutual recognition’ between the National Accreditation Services.

So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)?

Certification is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).

BS 7799 Part 2 (2002) is a Specification.

ISO 17799 is a Code of Practice.

What Documents can I read to help me prepare for BS7799?

There are a number of documents that are available, in addition to the BS 7799 and ISO17799 standards themselves, and these include:

From BSI

·        Information Security Management: An Introduction (PD 3000);

·        Preparing for BS 7799 Certification (PD 3001);

·        Guide to BS 7799 Risk Assessment and Risk Management (PD 3002);

·        Are you ready for a BS 7799 Audit? (PD 3003);

·        Guide to BS7799 Auditing (PD 3004);

·        Guide on the Selection of BS 7799 Controls (PD 3005).

Other publishers

·        ISO Guide 62 – General Requirements for Bodies Operating Assessment / Registration of Quality Systems (to merge with ISO Guide 66 to become ISO 17021);

·        EA-7/03 – Guidelines for the Accreditation of Bodies Operating Certification/ Registration of Information Security Management Systems;

·        ISO 19011 – Guidelines for Quality and / or Environmental Management Systems Auditing.

A number of books have been published on the BS 7799 process, a check of the local IT Bookshop or Amazon should provide numerous titles from which to choose.

The types of Audit that may be undertaken in an organization

There are a number of audits that may be undertaken in an organisation, and these include:

·        First Party (Internal Audit) – Within an organisation, internal review etc;

·        Second Party (Supplier Audit) – Of a supplier or contractor;

·        Third Party Audit – By a CB.

The CB Audit process

In order to become a certified organisation, you need to start off correctly at the beginning and determine which CB you are going to engage to provide BS 7799 Certification services.

If you have any other certifications in the organisation, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). This is called integrated auditing and allows the number of days to be spent by the CB on site to be reduced as they use the same auditor to audit more than one standard.

In my case, I have the same auditor do ISO 9001 and BS 7799 as he is dual qualified and it saves me at least an audit day per year. Additionally I have only one visit so my routine is not disturbed twice.

If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them and get some idea of costs and services, and then ask them to send you the relevant forms to fill in.

The actual Certification process is a six step one:

Note: Not all CBs follow this process exactly – when investigating them determine the discrepancies from this generic approach and ensure that you are happy with them.

Step 1 - Questionnaire

Typically the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete a questionnaire giving details of your requirements. This provides the CB with the information needed to send you a quotation.

Step 2 - Application for Assessment

If you decide to proceed with certification with the chosen CB, then an application form must be filled in. Once this has been done it is returned to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.

An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (otherwise called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)

This is an optional stage, but if you can afford it, I always recommend it.

You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA) and may have some controls in place and documented and may have some records available.

If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly and that your management can have confidence in that.

It can also show management where they fail, as non-conformances are written up as part of the audit.

Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.

If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle or indicate the need to get a different consultancy!

Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organisation to warrant this.

This step provides a sanity check.

Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)

This is the first part of the audit proper.

This stage looks to see if the SoA has been implemented by selection of controls and documenting all the policies and procedures that surround their use. The auditor will also look to see that there is evidence of records being collected for implemented controls, though the full audit for this is the Stage 2 Audit. At this time also the auditor will plan the Stage 2 audit.

Typically, the auditor reviews the documented ISMS – looking at:

·        Policy;

·        Scope;

·        Asset Registers;

·        Roles and Responsibilities;

·        Risk process/treatment and acceptance;

·        SoA;

·        Documented processes and procedures supporting the ISMS;

·        Compliance, contractual and other regulatory issues.

If there are any audit failures, i.e. non-conformances, then they will be written up on the Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address these and return it to the CB for agreement.

Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.

Failure to either respond or carry out the agreed work in the time limit can prejudice the granting (retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed to ensure that they have been suitably addressed.

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)

During the Stage 2 Audit, an objective assessment of the organisational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).

The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.

On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.

Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organisation is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.

Step 6 – Ongoing audits

A program of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met and again CAPs will be raised if appropriate.

There are two types of ongoing audits, each is covered in turn below:

Surveillance Audit

A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and ongoing monitoring and management that you perform internally (4.2., 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2 to name just some of the requirements you must meet on an ongoing basis).

The actual frequency of these will vary with the CB, but typically the following will occur:

·        Surveillance audits are carried out regularly (either annually, 9 monthly or 6 monthly);

·        The first one is usually 3 months after the Stage 2 Audit to check for any CAPs outstanding since that audit;

·        At every audit any outstanding CAPs are audited for completeness;

·        Audit all mandatory requirements;

·        Audit a representative sample of all other controls (so that all controls in the ISMS are reviewed in the surveillance cycle).

Triennial Audits

The Triennial audit, as the name suggests, is carried out every three years.

This audit is similar to the original Stage 2 or Certification Audit, but it should take less time as the CB Auditor now knows your systems, unless a scope or other change has occurred.

All controls are evaluated to ensure that the ISMS is operating properly and assuming it is, your certificate is renewed for another 3 years.

If not, CAPs are raised and you have to address them.

The three year surveillance audit process starts all over again.

© Copyright 2005/2006.