Search in ISMS Guides


Tuesday, September 25, 2007

How does the BS7799 / ISO 27001 certification audit process actually work?

Before the audit:
The greatest mistake that organizations ever make is that they are not properly prepared for an audit. Many organizations who want to undergo a certification audit fail at the first stage because they have not properly prepared for it.

Some examples I have encountered are below:
A classic case of this was the organization that desk dropped their approved information security policy on all staff desks on the weekend before our audit started on the Monday. Somehow the words ‘published and communicated, as appropriate, to all employees’ (A.3.1.1.) did not spring to mind.

Likewise failure to perform a risk assessment would not give the auditor a warm and comforting feeling of a risk assessment being carried out on the ‘assets within the scope’ (4.2.1).

Any organization that cannot demonstrate that the ISMS works by undertaking internal ISMS audits (6.4) will not be looked upon favourably for passing a certification audit.

Another major failure at the outset of the certification or implementation project is the failure to have demonstrable management commitment. This means something more than saying ‘yes –go do it’ by the CEO or MD. There needs to be management commitment to the process as well as ring fencing resources. (5.1 and 5.2).

What is a CB Audit
What Documents can I read to help me prepare for BS7799?
The CB Audit process

Source :

1 comment:

Anonymous said...

Dear colleagues,

I would like to inform you that on September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements.

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of you business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from our site:

PTA fully supports the ISO 27001 and other popular standards. Download a free copy of PTA for ISO 27001 security library from the following url:

Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
R&D - PTA Technologies