Audits Schedule

Once certified, an ISO 27001 certified Information Security Management System (ISMS) must be audited annually to maintain certification. Internal Audits must be done each year by a third party, like ISO27001 Solutions, or by internal personnel with an appropriate level of expertise who have not been instrumental in building or running the ISMS. Objectivity is the key here.

ISO 27001 certified organizations are also required to be on a three-year cycle of Surveillance and Recertification Audits by their certification body (the company that handed you your certificate). As an example, if you were certified in 2018 your audit schedule with your certification body would look something like this:

Audit Summaries

CERTIFICATION AUDIT

It’s the first audit performed by the certification body or registrar and is exactly what the name suggests. If passed, you will receive your ISO 27001 certificate.

Performed by:

Certification body

Timing:

Performed once (the first time you receive your certificate)

Cost range:

€15,000 to €30,000

Often companies need help preparing for a Certification Audit (from a company like ISO 27001 Solutions) and costs associated with certification preparation from a third party range from €35,000 to €70,000

INTERNAL AUDIT

It’s a requirement of the standard for a certified organization to review its ISMS at planned intervals (most often annually). The focus is to ensure each area of the ISMS is reviewed within the three-year period. This audit demonstrates top management’s commitment to ensuring the effectiveness of the ISMS, which positions a certified organization for a successful audit by the certification body.

Performed by:

Independent party with sufficient expertise (internal or external resource)

Timing:

Performed once every year

Cost range:

€9,000 to €20,000 for external resource

SURVEILLANCE AUDIT

It’s held in years one and two after initial certification, and also in years one and two following each recertification. The certification body will focus on clauses 4-10 of ISO 27001 and take a risk-based approach to Annex A controls. However, typically all applicable controls are reviewed during a Surveillance Audit to ensure the effectiveness of each control.

Performed by:

Certification Body

Timing:

Performed in years one and two after certification (or recertification) audit

Cost range:

65% to 75% of your Certification Audit cost (€9,750 – €22,500)

RECERTIFICATION AUDIT

It’s held every three years with a significant level of detail, artifacts, and evidence required to be provided by the certified organization. The goal is to continue to demonstrate management’s commitment and improvement of the ISMS to ensure its effectiveness.

Performed by:

Certification Body

Timing:

Performed once every three years

Cost range:

€15,000 – €30,000

OVERALL COSTS

If you’re going to use an external resource (like ISO 27001 Solutions) to prepare for your Certification Audit and subsequent Internal Audits, here is a year-by-year breakdown of the cost ranges you can expect to achieve and maintain certification: