ISO 27001 AUDITS GUIDE
The audits and associated costs needed to gain and maintain ISO 27001 certification
Once certified, an ISO 27001 certified Information Security Management System (ISMS) must be audited annually to maintain certification. Internal Audits must be done each year by a third party, like Pivot Point Security, or by internal personnel with an appropriate level of expertise who have not been instrumental in building or running the ISMS. Objectivity is the key here.
ISO 27001 certified organizations are also required to be on a three-year cycle of Surveillance and Recertification Audits by their certification body (the company that handed you your certificate). As an example, if you were certified in 2018, your audit schedule with your certification body would look something like this:
Audits Schedule
- 2018: Certification Audit
- 2019: Surveillance Audit
- 2020: Surveillance Audit
- 2021: Recertification Audit
- 2022: Surveillance Audit
- 2023: Surveillance Audit
- 2024: Recertification Audit
- 2025: ...and so on
Often companies need help preparing for a Certification Audit (from a company like Pivot Point Security), and costs associated with certification preparation from a third party range from $35,000 to $70,000.
Audit Summaries
CERTIFICATION AUDIT – It’s the first audit performed by the certification body or registrar and is exactly what the name suggests. If passed, you will receive your ISO 27001 certificate.
Performed by: Certification body
Timing: Performed once (the first time you receive your certificate)
Cost range: $15,000 to $30,000

INTERNAL AUDIT – It’s a requirement of the standard for a certified organization to review its ISMS at planned intervals (most often annually). The focus is to ensure each area of the ISMS is reviewed within the three-year period. This audit demonstrates top management’s commitment to ensuring the effectiveness of the ISMS, which positions a certified organization for a successful audit by the certification body.
Performed by: Independent party with sufficient expertise (internal or external resource)
Timing: Performed once every year
Cost range: $9,000 to $20,000 for external resource

SURVEILLANCE AUDIT – It’s held in years one and two after initial certification, and also in years one and two following each recertification. The certification body will focus on clauses 4-10 of ISO 27001 and take a risk-based approach to Annex A controls. However, typically all applicable controls are reviewed during a Surveillance Audit to ensure effectiveness of each control.
Performed by: Certification body
Timing: Performed in years one and two after certification (or recertification) audit
Cost range: 65% to 75% of your Certification Audit cost ($9,750 to $22,500)

RECERTIFICATION AUDIT – It’s held every three years with a significant level of detail, artifacts, and evidence required to be provided by the certified organization. The goal is to continue to demonstrate management’s commitment and improvement of the ISMS to ensure its effectiveness.
Performed by: Certification body
Timing: Performed once every three years
Cost range: $15,000 to $30,000
If you’re going to use an external resource (like Pivot Point Security) to prepare for your Certification Audit and subsequent Internal Audits, here is a year-by-year breakdown of the cost ranges you can expect to achieve and maintain certification:
Overall Costs
2018
- Certification Audit preparation and Internal Audit = $35,000 to $70,000
- Certification Audit performed by certification body = $15,000 to $30,000
- Total = $50,000 to $100,000

2019
- Internal Audit performed by independent third party = $9,000 to $20,000
- Surveillance Audit performed by certification body = $9,750 to $22,500
- Total = $18,750 to $42,500

2020
- Internal Audit performed by independent third party = $9,000 to $20,000
- Surveillance Audit performed by certification body = $9,750 to $22,500
- Total = $18,750 to $42,500

2021
- Internal Audit performed by independent third party = $9,000 to $20,000
- Recertification Audit performed by certification body = $15,000 to $30,000
- Total = $24,000 to $50,000

2022
- Internal Audit performed by independent third party = $9,000 to $20,000
- Surveillance Audit performed by certification body = $9,750 to $22,500
- Total = $18,750 to $42,500

2023
- Internal Audit performed by independent third party = $9,000 to $20,000
- Surveillance Audit performed by certification body = $9,750 to $22,500
- Total = $18,750 to $42,500

2024
- Internal Audit performed by independent third party = $9,000 to $20,000
- Recertification Audit performed by certification body = $15,000 to $30,000
- Total = $24,000 to $50,000