When you pursue an ISO 27001 certification, best practice is to hire one firm to perform the audit and a separate firm for the certification process. This process may seem tedious, but it instills independence so that conflict of interest is never a concern.

KirkpatrickPrice only offers ISO 27001 audits and consulting. Our firm is not a certifying body, so any quotes on our ISO 27001 services will never include certification. If you are considering working with a firm that offers both auditing and certification services or has a partnership with another organization in order to offer both, this is a red flag. It indicates a lack of integrity and a conflict of interest, which could have negative implications on your audit and certification.

Many organizations opt to undergo the ISO 27001 audit and not pursue certification. Certification is a possibility, not a requirement. In this scenario, you will have an ISO 27001 report to offer clients and stakeholders who need assurance of your ISMS’ effectiveness, and you only need to work with one firm for your ISO 27001 needs.

An ISO 27001 audit culminates in a report, written by our in-house Professional Writing team. The report will provide stakeholders with independent third-party verification regarding the fairness and suitability of information security management, controls, and practices.

Pricing for an ISO 27001 audit depends on scoping factors, including business applications, technology platforms, physical locations, third parties, and audit frequency. Pricing will also vary based on the inclusion of a gap analysis, or inclusion of additional remediation time.

The average ISO 27001 audit can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the requirements for an ISO engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

ISO 27001 reports represent your controls from a period of time in the past. Typically, your clients will not accept a report issued more than 12 months ago because they want your testing to be relevant for their own audit period.

The industry-standard is to schedule an ISO 27001 audit to be performed annually or when significant changes are made that will impact the control environment. Any frequency less than every three years typically indicates that the organization has not been properly maintaining compliance.

Maintaining an audit process that covers each fiscal year will demonstrate a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.

Since 2013 when the last ISO 27001 revisions were released, there have been significant changes in technology, frameworks, and vulnerabilities. The 2022 update will help eliminate some of the previous complexities with the framework and allow users to focus on the implementation of controls instead of spending time trying to decipher what the framework requires.

Organizations can transition their existing ISO 27001:2013 certification to ISO 27001:2022 during their next audit, but no later than October 31, 2025. Keep in mind that certifications based on the 2013 framework will no longer be issued after May 31, 2024, and certificates based on the 2013 framework will expire on October 31, 2025.

Learn more here.