After completing an ISO 27001 audit, there may be some critical responses you must undertake based on the recommendation in your audit report. This step-by-step guide will ensure you don’t miss any of the outstanding follow-up tasks that need to be addressed after the audit process is over.
Step 1 - Review Your Recommendation Status
Your certification auditor will summarize the outcome of their findings through one of three statuses:
- Recommended - No nonconformities were discovered in the audit, so an ISO 27001 certification is recommended.
- Recommended upon action plan development - Some minor nonconformities were identified, but compliance gaps can be overcome.
- Not recommended - Nonconformities are too significant to overcome without a complete overhaul of security controls and security practices.
If you’re lucky enough to receive that coveted “recommended” status, skip to step six of this list. Suggested responses for the other statuses are outlined in the subsequent steps.
To streamline your remediation efforts, download this free ISO 27001 risk assessment template.
Step 2 - Review Your Nonconformities
The first thing you’ll need to do is determine the severity of your nonconformities. There are three primary severity categories:
- Major Nonconformity - This is the bucket you don’t want to fall in. You’ll get slapped with a major nonconformity if your auditor cannot identify risk mitigation procedures mapping to ISO 27001 standards. In other words, your auditor concludes that you have not met the security objectives and risk mitigation requirements of ISO 27001.
A major nonconformity doesn't need to be the end of your ISO certification journey. There are actions you can take to change this outcome.
- Minor Nonconformity - This means your auditor has confirmed that an ISO 27001-specific risk mitigation procedure is in place, but it either isn’t effective or is improperly executed. However, this discrepancy doesn’t impact your overall ISO 27001 certification potential.
Multiple minor nonconformities could lead to a major nonconformity.
- Opportunity for Improvement (OFI) - This is when your auditor identifies processes that, once improved, will increase the efficiency of ISO 27001 risk control(s). OFIs are recommended improvement actions and are not mandatory.
Though OFIs are not mandatory, their timely implementation will increase your chances of passing your next ISO 27001 certification renewal audit in three years.
Your auditor should also supply you with a nonconformity report detailing the key findings of each discovered nonconformity and suggested corrective actions. Some auditors will happily discuss their final report in a closing meeting. This is a great opportunity for you to ask questions about specific audit findings, ISO 27001 requirements, and your certification process.
When a nonconformity has the potential to be rectified, your auditor will set its status to Open. An open status indicates that steps taken to address the nonconformity are yet to be reviewed.
A Closed status is assigned when the assessor accepts the response actions taken to amend each nonconformity, as outlined in your submitted Corrective Action Plan and Evidence of Correction report (see details below).
Step 3 - Provide a Corrective Action Plan
Failing an ISO 27001 certification doesn’t mean you need to redesign your audit plans and Information Security Management System (ISMS). As mentioned earlier, your external auditor will provide accreditation guidance for your recertification audit. A high-level risk treatment plan will be outlined in a section of the audit report titled “Terms and Conditions for Certification” or something to that effect.
For each non-conformity, you must provide your assessor with an action plan detailing how it will be addressed. This Corrective Action Plan must be submitted within 14 days of receiving your nonconformity report. Proof that your Corrective Action Plan has been implemented must be provided through an Evidence of Correction report within 30 days.
In short, there are two critical steps you need to follow when responding to ISO 27001 non-conformities:
- Provide a Corrective Action Plan to your certification body within 14 days. This plan should outline your organization’s approach to fixing each identified nonconformity, who is responsible for each action, and how each action will be implemented.
- Provide Evidence of Correction to your certification body within 30 days - Proof that the actions outlined in your Corrective Action Plan have been implemented.
- Provide Evidence of Remediation for all nonconformities - For minor nonconformities, this is due upon subsequent review. For major nonconformities, this is due within 60 days from the close of the review.
What’s the Difference Between Evidence of Correction and Evidence of Remediation?
Evidence of Correction is proof of an immediate fix to an identified non-conformity to ensure immediate ISO 27001 compliance. For example, if a required document is missing, the EoC would involve creating and implementing this document. Evidence of Remediation looks beyond immediate corrective actions to the root cause of the nonconformity to ensure it doesn’t happen again. A root cause analysis is performed to identify this underlying issue.
Some examples of remediation efforts addressing root causes include:
- Changes to information security policies.
- Management reviews (as per clause 9.3).
- Addressing internal and third-party vendor vulnerabilities.
- Reviewing alignment with regulatory standards, such as the GDPR and other data security regulations.
These documents need to be provided to your certification body before they can issue an ISO 27001 certification and related report.
Your corrective action plan (or corrective action procedure) should be based on ISO 27001 Clause 10.1, which is a helpful framework for organizations to follow when responding to non-conformities.
Here’s an example of a corrective action process flow:
- Identify the nonconformity.
- Add action items to the corrective action log.
- Take corrective action.
- Perform a root cause analysis to detect the root cause of the nonconformity and its link to other sections of the ISMS.
- Evaluate the potential impact of corrective actions (through risk assessments, internal reviews, etc.).
- Make amendments to the organization’s ISMS if necessary.
Step 4 - Provide Evidence of Correction
The remediation details of each nonconformity should be outlined in “Nonconformities statements,” breaking down your efforts across three main sections.
- An overview of the specific ISO 27001 requirement being impacted.
- Evidence of Correction (EoC) proving that risk management teams have taken immediate action to rectify the information security policy gaps and information security risks causing each non-conformity.
- A brief statement of nonconformity linking the ISO 27001 requirement to your evidence document.
Before committing to any individual corrective action, it helps to first project its potential impact on your security posture and your degree of alignment with ISO 27001. This will identify which response actions to prioritize to achieve the fastest alignment with ISO 27001 standards.
With a risk management tool like UpGuard, this is very easy.
UpGuard allows you to determine the potential impact of any remediation action on your security rating (an objective and unbiased quantification of your security posture). With this capability, you can maximize your chances of submitting your corrective action plan within the narrow 14-day window.
The ability to predict which corrective actions will have the highest degree of positive impact will help you develop the most concise and efficient corrective action plan.
Step 5 - Provide Evidence of Remediation
Based on the results of your root cause analysis, provide evidence of the remediation actions taken to address each identified root cause. Not only will this report prove to auditors that you're capable of continuously meeting the requirements of the ISO 27001 standard, but it will also streamline the audit procedure in your next audit period.
Your remediation tasks will likely be complex assignments with multiple dependencies. Navigating these complexities within the narrow 60-day window requires an effective remediation management process suited to this complex risk management environment. An ideal remediation process needs to track the complete lifecycle of each response task and streamline conversations between involved parties to prioritize stakeholder visibility and operational efficiency.
UpGuard’s Remediation Planner and In-Line Questionnaire Correspondence features are examples of solutions that meet these requirements to create an efficient remediation process.
The efficacy of all of your remediation efforts (and corrective action efforts) should be confirmed by internal auditors before submitting them to your auditing body.
An internal audit program will confirm whether all nonconformities and their underlying causes have been fixed. Any issues found in the internal audit report should be regarded as opportunities to increase your chances of passing a certification audit and not reasons to discourage your ISO 27001 certification objective.
Step 6 - Share Your ISO 27001 Certification
Whether you’ve instantly passed an ISO 27001 certification or battled to close nonconformities through vigorous documentation reviews, your hard work has finally paid off. You finally have your ISO 27001 certification!
So, now what?
Now it’s time to put your certification to good use. Being ISO 27001 certified demonstrates your exemplary cybersecurity standards to prospective partners and existing clients. Evidence of your certificate should, therefore, be readily accessible to these parties.
One of the most efficient methods of doing this is by hosting all ISO 27001 certification supporting documents in a shareable profile. An example of such a capability is UpGuard’s Trust Page feature (formerly Shared Profile).
UpGuard’s Trust Page allows you to upload any cybersecurity documents and certifications likely to be requested by prospective or existing business partners on a public profile. Trust Pages can conveniently be shared with any relevant parties, either through an email invite or a direct link.
Because an ISO 27001 certification provides a marketing edge against your competitors, certification sharing should be incorporated into your sales cycle during the nurture phase, when prospect doubts and reservations are addressed.
A Trust Page feature simplifies this process, and with the added functionality of direct link sharing, such a feature supports lead prospecting on LinkedIn, commonly the primary grounds of today’s sales lifecycles.
Step 7 - Start Preparing for Your Recertification
Your recertification isn’t due for another three years, but you should start preparing the grounds for a streamlined process now.
Follow these best practices to improve your chances of a successful recertification:
- Develop a continual improvement culture - Use an Attack Surface Monitoring solution to continuously track emerging risks.
- Implement Regular ISO 27001 Internal Audits - Regularly complete ISO 27001 questionnaires and address alignment discrepancies based on a gap analysis. For internal audit processes to be efficient, it’s best to use a security questionnaire solution that automates the discovery of alignment gaps, such as UpGuard’s security questionnaire tool.
- Create an Audit Checklist - An audit checklist prevents you from overlooking any aspects of your ISMS that will be evaluated in an external audit. For more recertification preparation guidance, refer to this ISO 27001 implementation checklist for ideas.
How UpGuard Can Help
UpGuard offers a range of features for streamlining vendor alignment with ISO 27001 standards, including:
- Security Rating Projection - Evaluate the impact of corrective actions on internal and vendor security postures to develop the most efficient corrective action plan.
- ISO 27001 Security Questionnaire - Simplify self-audits with an ISO 27001-specific questionnaire that automates the discovery of alignment gaps based on questionnaire responses.
- Risk Assessment Management - With a library of questionnaire templates mapping to popular cybersecurity standards, including ISO 27001, UpGuard can help you query potential nonconformity root causes stemming from other security control deficiencies.
- Remediation Planner - Easily manage the complete lifecycle of remediation efforts to ensure each vulnerability is addressed as quickly and efficiently as possible.