Compared with surveillance audits, which are done six-monthly or annually and tend to focus on specific areas, a re-certification audit gives the entire ISMS a thorough once-over. Since your ISMS has been in operation for some time (at least 3 years), the auditor will expect to see a mature ISMS that is nevertheless moving forward, proactively responding to the inevitable changes using the PDCA/continuous improvement processes embedded in the ISMS. This is a formal audit and can be tough for organizations that have let their ISMS drift or decay after the elation of their initial certification. The audit's prime focus will, of course, be to confirm strict compliance with the current version of ISO 27001:2013. The key issue is that you still have an effective and compliant management system to manage your information security.

Use this simplified 8-point checklist as a basis for planning the main things you need to get done before the auditor turns up (you will probably need a more elaborate and comprehensive plan):
1. Check that your ISMS internal and external audits are fully up to date, with plans in place for future audits. Are all audit findings/observations, recommendations and agreed actions either completed and closed off, or currently in progress? Use the results of recent audits to drive forward any necessary changes and to reinforce the concept that the audits are all about making justified improvements.

2. Collate evidence of continuing management commitment to the ISMS, such as minutes of management committee meetings, decisions and actions taken, preventive and corrective action plans and the results of follow-up or close-out actions, and budgets.

3. Complete a full management review of the ISMS, including your Statement of Applicability and Risk Treatment Plan. Document all findings and recommendations as preventive or corrective actions and ensure all actions are suitably initiated, allocated and managed. Try to get all significant issues closed off, or at least well under way, before the audit.

4. Review your information risks. If there have been significant changes in the external business environment or the internal situation, redo your information risk assessment from scratch using the documented methods, and update your RTP. All risks should be treated, in other words avoided, controlled, transferred or explicitly accepted by whoever is accountable, and, for significant risks, there should also be contingency plans in place in case the mitigating controls fail.

5. Review all the ISMS documentation (policies, standards, guidelines, procedures etc.) to ensure it is up to date, complete, formally approved/mandated/signed off, version controlled and made available to those who need it. Ruthlessly seek out and destroy old or outdated ISMS documentation.

6. Get your information security awareness and training activities right up to date and ensure a plan is in place for future activities. Ensure everyone knows where to find the ISMS policies and related materials and is aware of the content (a useful tip is to give everyone a shortcut to the information security documentation on their desktops). Ensure everyone is familiar with, and in fact actively complies with, their responsibilities towards information security, for example any obligations arising from privacy legislation and relevant information security procedures.

7. Check the documentation relating to any recent information security incidents, for instance to confirm that corrective/preventive actions were documented and duly completed. Step back from the detail to confirm that the process is operating smoothly.

8. Review your information security metrics. Given that your ISMS has matured, are they still relevant and useful or do they need adjusting? Have you in fact been reporting and measuring against them, and have any necessary actions been taken?