What’s an ISO 27001 Surveillance Audit like?
A few weeks ago, we had our first annual ISO 27001 surveillance audit and I’m pleased to say we flew through it with no findings. In this post I share a little about the experience, what it involved, and the single biggest contributor to making future audits easy.
Just as a quick refresher, ISO 27001 is an internationally recognised specification for Information Security Management Systems (ISMS). It is one of the most widely adopted information security standards and one of the few that requires ongoing external audits to keep the certificate. We gained certification back in March 2020, which I wrote about in my blog post here: How hard is it to get ISO27001 and is it worth it?
To remain certified against ISO 27001 an organisation must submit to annual audits. These follow a three-year cycle: it starts with the stage-2 certification audit (four days in our case), followed by shorter surveillance audits in years 2 and 3 (two days each for us), then a recertification audit and the cycle starts again.
The ISO 27001 surveillance audit is designed to determine whether the ISMS is functioning well and is effectively managed, or whether it has become a box-ticking exercise. The external auditor looks for evidence of continual improvement, whether the status of risks is well understood, whether regular internal audits are happening, whether executive management is involved and supportive, and whether any identified issues are properly resolved.
Our audit was carried out by Rod Lawrence, a NZ-based ISO 27001 lead auditor and technical advisor to JAS-ANZ, the accreditation body for ISO 27001 certifiers in the ANZ region. Rod was new to vBridge as our previous auditor no longer works for Best Practice, but this didn’t seem to matter much: Rod had already reviewed the findings from our previous audit in 2020 and was clearly well experienced. We used Microsoft Teams for the entire engagement, which started with a short opening meeting with me and our CEO. This helped Rod assess the level of executive leadership and support.
Day 1 continued with a structured review and assessment of the ‘guts’ of ISO 27001:2013, clauses 4 through 10. Rod asked many questions about how we operate, and requested access to many artefacts as evidence to support those discussions. Topics included:
- Changes to vBridge (e.g., we were acquired by Softsource)
- Our relationships with external organisations
- Performance – Customer Satisfaction, Internal Audits & Management Review of ISMS
- Ongoing improvements to our ISMS
- Leadership and commitment
- Policy review, and document management
- ISMS Roles and Responsibilities
- Risk Management processes
- Allocated resources to the ISMS
- Employee awareness and ongoing training
- ISMS Communication
- Operational planning and control
So, was this hard and arduous? Well, no. It was surprisingly easy because we have all of this well documented, so the answer to any question of this type is easy to find and show. That made life easy for us as well as for the auditor, so if you’re thinking of certifying against this standard, make sure you document everything well and keep it where you can retrieve it quickly. I’d be pleased to discuss how we achieved this using PowerApps and SharePoint if you're interested.
Day 2 moved on to a more hands-on review of a sample of Annex A controls. Annex A is the catalogue of controls that the Statement of Applicability is built from, and the auditor samples a subset each year; few organisations could justify excluding the three chosen for us:
- A.9 Access control
- A.15 Supplier relationships
- A.17 Information security aspects of business continuity management
Our wider team jumped in here, and I’m thankful to Phil Snowdon, who spent time demonstrating our systems to Rod and assuring him of our multi-layered approach to access control and network security.
Again, this went smoothly and having easy access to the relevant information really helped speed things up and make the process straightforward.
Our audit concluded faster than expected, and I’m happy to say there were no findings. I feel fortunate to work for an organisation where everyone takes information security seriously. The security of our customers’ information is critical to our success and it is a great honour to have it entrusted to our care. We feel the gravity.
It takes years to build a reputation and a single cyber incident only minutes to ruin it. That’s why we have certified our ISMS against ISO 27001. We take information security seriously, we resource it appropriately, we’ve baked it into the way we operate, and ISO 27001 is an international endorsement of this.