
Preparing for an external audit: this is how you and your colleagues can relax

Take the internal audit as a dress rehearsal
An (ISO) internal audit is not only a mandatory part of ISO 27001 or NEN 7510; it is also the ideal moment to check whether your management system is correct and actually working. Think of it as the full dress rehearsal for the day the ISO 27001 auditor, or any other auditor, walks through your door.
Have any areas for improvement been found? Register them and schedule the follow-up. You do not have to have everything solved to obtain your ISO certification. What matters is that you show that you are consciously working on (continuous) improvement and that you are "in control". The auditor must be able to trust that areas for improvement will be addressed within a reasonable time frame.
Make sure your executive review is up to date
For standards such as ISO 27001, NEN 7510 and ISO 9001, the executive review (management review) is mandatory. In it you discuss the most important risks, objectives, performance and incidents. Changes in internal and external factors and feedback from stakeholders should also be addressed. The auditor expects a report that matches how your organization is actually running.
When you carry out the executive review annually and keep the minutes carefully (and have them signed where appropriate), you show that top management is involved. This creates confidence and prevents difficult questions during the audit.
Make employees audit-proof
Your employees play a major role in an external audit. An auditor usually speaks to a number of people from different departments. That's why it helps to have mock interviews. Not to drill employees, but to make sure they know what to expect.
Also, make sure that training and campaigns have been carried out. Employees must be aware of your policy, basic principles of information security and, for example, the principles of ISO 27001, including awareness issues such as the clean desk and clear screen principles. This is not only necessary for an audit — it is very important for a safe organization.
Define your scope clearly and make sure everything is correct
An auditor always looks at the scope. Which processes fall within the management system? Which locations? Which systems? The scope must match one-to-one with what the auditor finds in practice. An unclear or overly broad scope quickly leads to additional questions, for example during an IT audit (ISO 27001).
Check your controls and collect evidence on time
In an information security audit, the auditor wants to see that you have implemented controls and that you can demonstrate that they work. Therefore, go through all the controls and check whether you have the supporting evidence for each one. It is important that you have completed the PDCA cycle. Are you missing something? Then schedule when you will collect it. Planning this well works far better than a last-minute scramble.
This also applies to the nonconformities found in the internal audit. Solved is nice, but scheduled is also acceptable if you accept the residual risk for a certain period of time, as long as you show that you are in control of the process.
Prepare top management in terms of content
An auditor usually also wants to speak to top management. Therefore, make sure they receive a short briefing beforehand. At a minimum they need to know:
- what the main risks are
- where the objectives stand
- which incidents occurred
- what responsibilities they bear
- how the policy was communicated (when, to whom, etc.)
That sounds obvious, but in practice this often turns out to be an underestimated part of an external audit (ISO 27001 or any other standard).
Update your documentation
Make sure everything you show is up to date. No old version numbers, no outdated formats, no documents that have been in draft for a year. This applies to policies, procedures, risk analyses and minutes. An auditor sees outdated documents as a signal that your system is not fully maintained.
Set the schedule in time and coordinate with your certification institution (CI)
The planning of the external audit must be clear and feasible. Agree on it in advance with the certification institution and with the employees involved in your organization. Don't wait too long for confirmation: a direct email to your CI is perfectly normal when the schedule is delayed. After all, good preparation starts with clarity.
Good audit preparation is about structure and calm
An audit doesn't have to be stressful. By starting on time, involving employees, having your evidence in order and using a clear scope, you give the auditor exactly what is needed: the confidence that you are in control.
Do you want help with an audit, such as ISO 27001 or another standard? Or are you looking for an information security advisor or security officer to guide your organization towards the external audit? Then we would be happy to help you think it through.
Ready to take the next step?
Schedule a free, no-obligation 45-minute consultation. Or check out our news & insights page for more information about audits, ISO 27001 and NIS2.