What are the most important considerations for selecting an ISMS auditor?

Some tips while shortlisting ISMS auditor : 1. IRCA - Certified ISO/IED 27001 Lead Auditor or IS auditor certified CISA from ISACA. 2. Have minimum industry experience of 15Yrs who can correlate the policy and procedures. 3. LA is the one who has corporate leadership quality, agile and industry well versed person 4. One who can exhibit thorough professionalism and honesty to be a neutral and fair practices 5. One who is passionate of his role to ensure his observations are detailed and makes strong feedback mechanism.

Certificates are important but experinece trumps it all. Find auditors that have engaged in projects similar to yours and are able to go beyond a xhecklist to help you improve your organization's security posture.

When selecting an ISMS auditor, key considerations include their relevant certifications (such as ISO 27001 Lead Auditor), experience in information security, a thorough understanding of industry-specific compliance requirements, and effective communication skills to facilitate a comprehensive audit process. Additionally, assessing their track record and reputation within the cybersecurity community is crucial for ensuring a reliable and competent ISMS auditor.

In my experience, the best ISMS auditors are the ones that know the material well, have enough similar clients to help with benchmarks and bring a fresh perspective to the table with each client. While there are many companies to choose from that have career auditors, the best to work with can help you to adapt your compliance capabilities to help you achieve more without it becoming a checklist exercise.

Certification and reputation are important but also take a look at previous clients and experience. If you are a very technical service provider you need an auditor who understands their technology. If you are a business service provider with limited technology, you need someone who understand the risks from people and process. One size does not fit all - and understanding and experience are important if you want to get some value out of your audit in addition to a simple certificate

There are a variety of outcomes for audits. If the audit is for certification, then the work should be bounded to achieve what is required for certification. If the audit is to help with risk assessment, then the scope and methodology should align to a risk-control matrix. Focusing on outcome and scope alignment really does matter.

The scope and methodology are crucial to ensure a comprehensive assessment for an ISMS audit. It's imperative to engage an auditor capable of addressing all pertinent facets, encompassing context, scope, policies, objectives, processes, controls, performance, and improvement initiatives. The chosen auditor should be able to apply a systematic and consistent methodology, like the PDCA cycle, to assess effectiveness. Their ability to develop a well-defined audit plan, generate a detailed report, and facilitate a structured follow-up process is equally essential. This approach ensures a thorough evaluation to identify strengths, weaknesses, and areas for improvement, ultimately enhancing its overall resilience and effectiveness.

Internally the scope of an ISMS should cover anything you do, but when looking at certification it's a different matter. Whenever looking at the actual certification, rather than the internal audit, it's about what your clients care about.

Si bien es importante que el auditor siga las pautas ya establecidas en la norma, más que seguir el método cada vez más al auditor se le va a pedir un plus de agregado de valor.

This is severely under estimated but communicating the findings and walking the stakeholders through the conformity and non-conformity issues is very critical. Most people view ISMS audit as black and white, while expecting an overall pass or fail. While certain elements in the ISMS are binary, the entire ISMS is a balance between controls in place, compensating controls and areas where the business has to deliberately invest to continuously close the outstanding issues. This has to be communicated clearly to the stakeholders and the auditor needs to have the emotional EQ to work with cross-functional teams to deliver a successful audit.

Having been on both sides of the audit process communication is absolutely key. While some auditors are always standoffish and perhaps hard to deal with, they're all still people. Being easy to work with, providing responses in a timely basis, not being overly protective of ALL information and treating the auditor like someone there to help can go a long way into making your audit go better. Additionally, auditors that are patient and recognize that organizations may be at different levels and some information harder or easier to gather can add a dose of patience. We can do a great job and be easy to work with (except for those times when it isn't). Think DISC profiles and work together to be thorough, timely and accurate.

Communication as always is key as many findings you might get during an audit need context and conversation. Having a good and frequent reporting is essential.

Good communication with an auditor is incredibly important. Always remember that ultimately a certification auditor wants you to pass an audit, and while they may look for flaws or gaps in your processes that's only to highlight them for you to improve.

Aquí la comunicación es clave, pero hay un factor que me parece más importante aún y que noto que escasea aún más... la intención de ayudar a las empresas a mejorar. Ya he visto varios auditores pocos flexibles y 100% adheridos al manual sin intentar empatizar con la organización. Deberían buscar conformidades, pero estamos en el momento donde muchos buscan no conformidades y nada más.

Engaging an auditor who maintains complete autonomy from your organization, competitors, suppliers, and any other stakeholders with a vested interest in the audit's outcome is imperative. An auditor must exhibit unwavering objectivity and fairness in their assessment, devoid of personal biases or predispositions. Upholding the highest standards of integrity and professionalism is paramount, ensuring a credible and reliable audit process. The ability to maintain independence and impartiality is fundamental to the success and trustworthiness of the audit.

Passing an ISMS audit is attesting that you have a running ISMS in place. Independency is key as there might be cases where e.g. your company gets hacked (even if you have an ISMS). Proving that you had a really independent auditor engaged during the process might help keeping customer reputation as well as the CISOs job.

You should never engage an auditor who helped you implement, and vice versa. If someone offers to both help you implement and provide the certification audit then alarm bells should ring - you should never have the same party doing both.

Be wary of cost, which is way different than value. Automated tools can do assessments, scans, testing and audits, but they lack the skills, intuition and experiences of a great auditor. I am not one to suggest scrimping when considering important investments and services. But, know your specific situation and exactly what you need and why. It may be possible you could do either acceptably, in some situations.

There are tools available that can produce compliance reports on technical controls continuously. This can help already getting a good overview. But it does not replace the human element as context might be missing in tools. Balancing manual efforts with automated assessments is key.

- Seek an auditor who offers a clear and reasonable fee structure, taking into account ISMS complexity, audit duration, and auditor qualifications. - Ensure the chosen auditor meets your budget constraints while delivering quality service. - Look for an auditor who identifies weaknesses and provides valuable insights into your ISMS and Actionable recommendations for improvements. - Sharing industry best practices to enhance your ISMS. - Striking a balance between cost-effectiveness and the value added to your organization

Buyer beware. If cost is the most important factor when choosing an ISO 27001 auditor then you will get what you pay for. If you want to do the minimum to get ISO 27001 certified and you jut view and ISO 27001 certification as the cost of doing business without providing any value, then you can certainly find ISO 27001 auditors that will do that for you. As you mature and scale your company, you will require an ISO 27001 auditor that has the requisite skills to audit complex environments and security controls.

Always remember that an ISMS should be built to fit your organisation, and the implementer should help you achieve that aim. You define your ISMS, you are not defined by it.

Everyone likes audits...NOT. The focus needs to be on transparency, insights and actions for remediation. Your success depends on establishing a good working relationship with your ISMS auditor. I would add that the ISMS auditor should be very familiar with the industry segment that your business operates within.

Mas allá de tener en cuenta todos los criterios de selección de auditor, internamente (para con la empresa) es importante educarlos sobre cómo pueden llegar a ser auditados y que sepan las bases y conceptos del manejo de un auditor.

Consider scope definition, audit objectives alignment with goals, auditor competence, risk assessment integration, legal compliance focus, thorough documentation review, effective incident response testing, continuous improvement emphasis, stakeholder feedback, robust follow-up process, resource allocation, appropriate audit frequency, clear communication plan, prudent third-party involvement, and ongoing training for a comprehensive and effective ISMS audit.