The phase 1 audit of ISO 27001 is a crucial moment in the certification process for information security. This is the moment when the auditor lays the foundation for the continuation of the audit. It can be quite exciting for organizations, especially if they are being assessed for the first time. What exactly happens during this phase? Which documents and processes are examined? And how can you best prepare as an organization? In this article, we discuss the key points of a phase 1 audit and provide practical tips for a smooth experience.
What is a phase 1 audit?
The phase 1 audit, also known as the documentation audit, primarily focuses on assessing the Management System (MS) of an organization. The auditor reviews the documentation and structure of the MS to determine whether it meets the requirements of the ISO standard. This audit is intended to enable the organization to address any non-conformities in the documentation or processes in a timely manner before the phase 2 audit takes place, in which the actual implementation and effectiveness of the MS are assessed.
What does the auditor check during the phase 1 audit?
During the phase 1 audit, the auditor will examine various aspects of the information security management system (ISMS). Here are some key points that are typically checked:
Documentation of the management system: The auditor reviews the policy documents, procedures, work instructions, and other relevant documents that are part of the management system. This includes checking whether the documentation is complete, accurate, and up-to-date.
Scope of the management system: It is important that the organization has clearly defined which systems, processes, and locations fall under the management system. The auditor will verify whether this scope is logical and feasible.
Risk analysis and treatment: An essential part of ISO 27001 is the risk analysis. The auditor checks whether a thorough risk analysis has been conducted and whether the associated measures for risk treatment are documented.
Awareness and training: The auditor will also confirm that employees are aware of the management system and that they have received training, for example on information security as required by ISO 27001. This includes checking any training exercises and communication materials.
Management review: The organization must regularly conduct management reviews to assess the effectiveness of the management system. The auditor will check whether these reviews have been planned, conducted, and documented.
Continuous improvement: ISO standards require organizations to commit to continuous improvement. The auditor will look at procedures and plans for monitoring and improving the management system.
How do you prepare for the phase 1 audit?
Good preparation is essential to successfully navigate the phase 1 audit. Here are some practical steps you can take:
Gather documents: Ensure that all necessary documentation is available and well-organized. This includes policy documents, procedures, risk assessments, and reports of management reviews.
Conduct internal audits: Perform an internal audit prior to the phase 1 audit to identify any non-conformities in the management system. This gives you the opportunity to address these issues before the external auditor arrives.
Communicate with employees: Ensure that all employees are aware of the audit and understand their role in it. This fosters a positive atmosphere and can even contribute to a better assessment.
Utilize technology: Consider using an audit management system, such as auditreporter.io, to streamline the internal audit process. This can help organize documents and schedule audits, saving you time and effort.
Document list
The list below is based on ISO 27001. Wherever the standard states that a document must be present, the auditor can verify this in phase 1. These are the documents you will certainly need.
| Clause | Document |
|---|---|
| 4.1 | Documented list of internal and external issues |
| 4.2 | Documented list of all stakeholders and their requirements |
| 4.3 | Documented scope of the management system |
| 5.2 | Documented information security policy |
| 5.3 | Roles, responsibilities, and authorities within the organization |
| 6.1.2 | Documented risk assessment procedure |
| 6.1.3 | Documented risk treatment procedure |
| 6.1.3d | Documented Statement of Applicability |
| 6.1.3e | Documented risk treatment plan |
| 6.2 | Documented information security objectives and documented plan |
| 7.2 | Documented evidence of competencies |
| 7.5 | Documented information |
| 8.1 | Documented list of outsourced processes |
| 8.2 | Documented information on the results of the risk assessments |
| 8.3 | Documented information on the results of risk treatment |
| 9.1 | Documented information on the results of monitoring and measuring |
| 9.2c | Documented audit programme |
| 9.2g | Documented information on the results of internal audits |
| 9.3 | Documented information as evidence of the results of the management review |
| 10.2f | Documented information as evidence of the nature of the non-conformities and the subsequent actions taken |
| 10.2g | Documented information as evidence of the results of the corrective actions |
| Annex A | Documented policy and other information that the organization can use to demonstrate the implementation and effectiveness of control measures |