What is an ISO 27001 audit?
An ISO 27001 audit is a systematic, objective assessment of the Information Security Management System (ISMS) within your organization. The audit tests whether you comply with the ISO/IEC 27001 standard and how effectively your control measures function in practice.
If you successfully complete the ISO 27001 audit, you will obtain ISO 27001 certification. With this, you demonstrate that your information security is in order.
Start of the ISO 27001 audit
In advance, you collect data such as the scope, the number of FTEs, outsourced processes and relevant IT factors. Based on this, we draw up a suitable proposal. If you decide to pursue ISO 27001 certification, you will receive an audit plan for the initial audit.
The initial audit is the start of the certification process. It is divided into two parts: stage 1 and stage 2. The results are recorded in an audit report.
| Stage | Focus | Activities |
|---|---|---|
| Stage 1 | Assessment of documentation and ISMS structure | Auditing of policy documents, risk assessment, internal audit report |
| Stage 2 | Assessment of implementation and effectiveness | Interviews, observations, testing of evidence, practical testing |
Did you know...
…that internal audits are mandatory under ISO 27001?
Certification and annual audits
After approval by the certification committee, the ISO 27001 certificate is issued. But it doesn’t stop there. Annual surveillance audits are conducted, during which attention is paid to:
- Internal audits and management reviews
- Handling of complaints and nonconformities
- Objectives and improvement measures
- Changes in the ISMS or the scope
Nonconformities
If nonconformities are found, you will receive a nonconformity form with clear instructions. Nonconformities occur in two forms:
| Type of nonconformity | Meaning | Example |
|---|---|---|
| Major nonconformity | Risk of failure of the ISMS | No internal audit performed |
| Minor nonconformity | Limited impact on effectiveness of the ISMS | Outdated document in circulation |
You are responsible for analyzing the cause and formulating corrective actions. The auditor will assess whether these are sufficient to continue the certification process.
Recertification: extension after 3 years
After three years, the recertification audit follows. This is comparable to stage 2 of the initial audit and focuses on the continuity and structural functioning of your ISMS. Timely preparation prevents your certificate from expiring.
Did you know...
…that the external certification audit may only be carried out by an independent party?
ISO 27001 internal audit vs external audit
| | Internal audit | External audit (certification) |
|---|---|---|
| Objective | Self-assessment and preparation | Independent assessment |
| Executor | Internal or independent expert | External auditor / audit team |
| Result | Internal report with points for improvement | Certificate or report with nonconformities |
| Obligation | Mandatory part of an ISMS | Condition for certification |
A well-executed ISO 27001 internal audit lays the foundation for smooth external certification.
Why have an ISO 27001 audit performed?
An independent audit via Brand Compliance offers:
✅ Demonstrable compliance with international requirements
✅ Trust among clients, partners and supervisors
✅ Insight into risks, opportunities for improvement and effectiveness
✅ Strengthening your market position and reputation
✅ Continuity and assurance of information security