Information Security

Preparing for an external audit: this is how you and your colleagues go into it relaxed

For many organizations, an external audit feels like a tense day. Whether an ISO 27001 audit, a NEN 7510 audit or an ISO 9001 audit is coming up, the core is the same: the auditor wants to see that you have a grip on your processes, understand your risks and that your organization really does what it says on paper. With proper preparation, an external audit need not be a stressful moment. On the contrary, it can become a confirmation that your systems work. It is also a good opportunity for a critical, independent look at your management system, so use it to make improvements. Below you can read how to take your organization towards the audit in a calm and structured way.

This article was last updated on 26/11/2025.

Take the internal audit as a dress rehearsal

An internal audit is not just a mandatory part of ISO 27001 or NEN 7510. It is the ideal moment to check that your system is correct and working. Think of it as the full dress rehearsal for the day the ISO 27001 auditor, or any other auditor, walks through your door.

Have areas for improvement been found? Record and schedule them. You do not have to have everything solved to obtain your ISO certification. What matters is that you show you are consciously working on (continuous) improvement and are "in control". After all, the auditor must be able to trust that points for improvement will be addressed within a reasonable time frame.

Make sure your management review is current

For standards such as ISO 27001, NEN 7510 and ISO 9001, the management review is mandatory. In it you discuss the key risks, objectives, performance and incidents. Changes in internal and external factors and feedback from stakeholders must also be addressed. The auditor expects a report that matches how your organization is actually running.

When you conduct the management review annually and keep good minutes (signed, if necessary), you show that top management is involved. That inspires confidence and avoids awkward questions during the audit.

Make employees audit-ready

Your employees play a big role in an external audit. An auditor usually talks to a number of people from different departments. That is why it helps to conduct mock interviews: not to drill employees, but to make sure they know what to expect.

Also make sure that training and awareness campaigns have actually been carried out. Employees should be aware of your policies, the basic principles of information security and, for example, the principles of ISO 27001. Also consider awareness topics such as the clean desk and clear screen principle. This is not just necessary for an audit; it is vital for a secure organization.

Clearly define your scope and make sure everything is correct

An auditor always looks at the scope. Which processes fall within the management system? Which locations? Which systems? The scope must match one-to-one with what the auditor finds in practice. An unclear or overly broad scope quickly leads to additional questions, for example during an IT audit (ISO 27001).

Check your controls and collect evidence on time

In an information security audit, the auditor wants to see that you have implemented controls and that you can demonstrate they work. Therefore, go through all the controls and check whether you have the corresponding evidence. It is important that you have completed the full PDCA cycle. Are you missing something? Then schedule when you will collect it. Planning ahead obviously works better than a last-minute scramble.

This also applies to nonconformities found in the internal audit. Resolved is nice, but scheduled is also acceptable if you accept the residual risk for a certain period, as long as you show that you have the process under control.

Prepare content for top management

An auditor usually wants to speak with top management as well. Therefore, make sure they receive a short briefing beforehand. In any case, they need to know:

  • what the main risks are
  • how the objectives are progressing
  • which incidents have occurred
  • what responsibilities they bear
  • how the policy was communicated (when, to whom, etc.)

This sounds logical, but in practice it often turns out to be an underestimated part of an external audit (such as ISO 27001 or another standard).

Update your documentation

Make sure everything you present is current: no old version numbers, no outdated templates, no documents that have sat in draft form for a year. This applies to policies, procedures, risk assessments and minutes. An auditor reads outdated documents as a signal that your system is not being fully maintained.

Schedule in a timely manner and coordinate with your certification body

The schedule for the external audit should be clear and achievable. Establish it in advance with the certification body (CB) and the employees involved within your organization. Do not wait too long for confirmation: a direct e-mail to your CB is quite normal if the planning is running late. After all, good preparation begins with clarity.

Good audit preparation is all about structure and peace of mind

An audit does not have to be stressful. By starting early, involving employees, getting your evidence in order and having a clear scope, you give the auditor exactly what is needed: confidence that you are in control.

Would you like help with an audit, such as for ISO 27001 or another standard? Or are you looking for an information security consultant or security officer to guide your organization towards the external audit? Then we would be happy to think it through with you.
