
Company security audit (ISO 27001)
1. Andrii Serhiichuk; XD43462
2. Kostiantyn Abramov; XD44122
3. Illia Shniukov; XD43468
4. Viacheslav Spiridonov; XD43465
5. Ihor Bobukh; XD44131
What is a security audit?

A security audit is a comprehensive assessment of an organization’s security posture and IT infrastructure. Conducting an IT security audit helps organizations find and assess the vulnerabilities existing within their IT networks, connected devices and applications.

It gives organizations the opportunity to fix security vulnerabilities and achieve compliance.
Why Perform a Security Audit?

• Identify security problems, gaps and system weaknesses
• Establish a security baseline to which future audits can be compared
• Comply with internal organization security policies
• Comply with external regulatory requirements
• Determine if security training is adequate
• Identify unnecessary resources
When Is a Security Audit Needed?

Organizations that handle high volumes of sensitive data, such as financial institutions and healthcare providers, require an audit more often.

The determining factors in how often an organization chooses to do security audits depend on the complexity of the systems used and the type and importance of the data in that system.

If the data in a system are deemed essential, then that system may be audited more often, but complicated systems that take time to audit may be audited less frequently. External factors such as regulatory requirements also affect audit frequency.

A comprehensive security audit will assess an organization’s security controls relating to the following:
The two security audit options

• Internal audit
• External audit
Frameworks for Integration

Frameworks and regulations that can be integrated are International Standards Organization (ISO) standard ISO 27001, SOC 2 Type 2, Payment Card Industry (PCI) Report on Compliance (ROC), and the US Health Insurance Portability and Accountability Act (HIPAA).
What does ISO 27001 mean?

ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. Its full name is “ISO/IEC 27001 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements.”

ISO framework and the purpose of ISO 27001

The ISO framework is a combination of various standards for organizations to use. ISO 27001 provides a framework to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
What are the three principles of ISO 27001?

• Confidentiality
• Integrity
• Availability


How does ISO 27001 work?

Two parts of the standard

What are the ISO 27001 controls?

Who conducts an ISO 27001 audit?

All audits against ISO 27001 must be carried out by competent and objective auditors.

This may be through attending an ISO 27001 Lead Auditor course or through having another recognized auditing qualification and then provable knowledge of the standard.

For smaller organizations or those wanting clearer objectivity, it may be more practical to bring in a contracted auditor.
Additional benefits of ISO 27001 certification include:
Finding a certification body and auditor

You can find accredited ISO 27001 certification bodies online on the official ANAB website in the accreditation directory.

ANAB (ANSI National Accreditation Board) is part of ANSI (American National Standards Institute), and as such is responsible for accrediting U.S. vendors.

In Europe and Asia, you may have to research other accreditation bodies’ websites for the same information. These include:

• UKAS: United Kingdom Accreditation Service
• JAB: Japan Accreditation Board
• DAkkS: German Accreditation Body

Audit firms with a lot of experience in your industry will have a deeper understanding of emerging technologies, for example, cloud computing like GCP, AWS, and Azure. That means they’ll better understand industry practices and requirements, speeding up the audit process in its early stages.

But there are other factors to consider — including industry experience, other audit accreditations, and more.
What should companies do before hiring an auditor for an external ISO 27001 audit?

Most audit firms offer precertification and gap analysis services as the first step toward achieving certification.

Unless you have an information security expert in your company, these services are crucial to help you lay the foundation for a successful ISO audit in the future.

After the gap analysis is complete, the next steps you need to take to prepare for your Stage 1 ISO 27001 audit include:
ISO 27001 Audit Timeline

The ISO 27001 audit process

If you’re attempting certification with the assistance of a consultancy firm, the consultant will probably arrange a pre-certification audit closer to your scheduled audit. This helps them see whether your ISMS (information security management system) is likely to meet all the necessary criteria.

Consider this a pre-certification ‘dress rehearsal’ audit. It allows you to identify any potential problems that can be ironed out before the actual audit, and it gives your staff the opportunity to see how the big day will play out.
What does an ISO consultant do?
Stage 1 audit

The Stage 1 audit is often called a ‘documentation review’ audit because the auditor will review your processes and policies to establish whether they’re in line with the requirements of ISO 27001.

Stage 2 audit

The Stage 2 audit is often referred to as the ‘certification audit’. During a Stage 2 audit, the auditor will conduct a thorough on-site assessment to establish whether the organization’s ISMS complies with ISO 27001.
How to Maintain Your Certification?

Measures to Maintain Your Certification

Organizations that have achieved certification to the ISO 27001 standard are advised to adopt the following measures to maintain their certification:

• Inform your certification body of any changes that may affect the scope of your certification as early as possible. Your certification body can be contacted at any point in the cycle.
• Inform UKAS or your certification body in advance of any relocation of premises from which accredited work is performed.
• Implement an appropriate internal audit regime.
• Ensure that your key technical staff maintain their technical competence by attending recognized training courses and relevant sector events.
• Ensure on-going effective document control.
• Retain all quality records and technical records throughout the period between assessments.
• Ensure that you keep up to date with regulatory changes in your sector.
• Ensure that you are subscribed to regular updates from UKAS/ISMS publications and technical bulletins to ensure that you receive the latest certification requirements.
• You can use the PDCA (plan–do–check–act) model for the control and continuous improvement of cyber security processes and activities.
Sources
https://www.techtarget.com/searchcio/definition/security-audit
https://www.isaca.org/resources/news-and-trends/industry-news/2022/an-integrated-approach-to-security-audits
https://advisera.com/27001academy/what-is-iso-27001/
https://secureframe.com/blog/how-to-select-an-iso-27001-auditor
https://secureframe.com/blog/iso-27001-consultant
https://www.bridewell.com/insights/blogs/detail/what-to-expect-from-stage-1-and-stage-2-iso-27001-certification-audits
https://www.vigilantsoftware.co.uk/blog/what-to-expect-from-stage-1-and-stage-2-iso-27001-audits
https://www.barradvisory.com/blog/iso-27001-stage-1-and-stage-2/
https://www.strongdm.com/blog/iso-27001-audit
https://core-compliance.com/iso-27001/