Scheme Requirements: ISMS ISO 27001:2022

Purpose
This article describes the additional requirements Assurco applies when auditing and certifying ISO/IEC 27001:2022 Information Security Management Systems (ISMS) under ISO/IEC 27006‑1:2024, in addition to the baseline management system certification requirements already defined in our ISO/IEC 17021‑1 framework.

Scope
These requirements apply to all ISMS certification activities (initial certification, surveillance, recertification, special audits), including where remote auditing and multi‑site arrangements are used.


1) Impartiality – ISMS

Assurco recognises that it may “add value” during audits by identifying opportunities for improvement without recommending specific solutions; this is not treated as consultancy.

ISMS‑specific prohibition: Assurco shall not provide internal information security reviews of a client’s ISMS that is subject to certification, and Assurco must be independent of any body/individuals providing the internal ISMS audit.

See main Impartiality Article.

2) Competence – ISMS

Assurco maintains ISMS competence criteria that build on ISO 17021‑1 and include ISO 27006‑1 Annex requirements, supported by our competence scheme, competence matrix, and associated records.

See main Competence Article.

2.1 Audit team competence for ISMS audits

Assurco defines competence criteria to verify audit team members have skills to apply knowledge of:

  • information security;
  • technical aspects of the activity to be audited (may be distributed across the team);
  • management systems;
  • auditing principles (including ISO 19011 principles via Assurco training);
  • ISMS monitoring, measurement, analysis and evaluation.

Additionally, the audit team (collectively) must be able to trace indications of information security incidents back to relevant ISMS elements.

ISMS knowledge expectations include:

  • ISMS documentation structures and relationships;
  • risk assessment and risk management;
  • ISMS processes;
  • information security tools/methods/techniques;
  • relevant/current technology where information security is applicable;
  • ISO/IEC 27001 requirements and (collectively) the controls in Annex A and their implementation.

2.2 Competence for application review and audit programme decisions

Personnel conducting the application review (to identify required competence, select the team, and determine audit time) must understand:

  • business sector terminology, processes, technologies and risks; and
  • how client organisation type/size/governance/structure/outsourcing impacts the ISMS and certification activities.

2.3 Competence for report review and certification decisions

Those reviewing audit reports and making certification decisions must be able to verify scope appropriateness (including interfaces/dependencies and associated risks), and must have knowledge of management systems and audit processes.

They must also have ISMS‑relevant knowledge (risk/ISMS topics, and legal/regulatory requirements relevant to information security), plus sector and organisational context knowledge.

2.4 Demonstrating ISMS auditor knowledge & experience (selection criteria)

Assurco demonstrates auditor competence through items such as qualifications, registration (where applicable), ISMS training, CPD records, and witnessed ISMS audits.

When selecting ISMS auditors, the scheme requires that each auditor has:

  • education/training equivalent to university level;
  • practical workplace experience in IT and information security sufficient for ISMS auditing;
  • ISMS audit training and demonstrated skills auditing to ISO/IEC 27001;
  • monitored auditor‑in‑training experience that includes at least one initial certification (stage 1 & 2) or recertification and at least one surveillance audit, gained across at least 10 ISMS on‑site audit days within the last five years (including document review, review of risk assessment implementation, and audit reporting); and
  • current knowledge/skills maintained via CPD.

Technical experts must similarly meet education/experience expectations and maintain current knowledge/skills.

Audit team leaders must have actively participated in all stages of at least three ISMS audits, including scoping/planning, document review, review of risk assessment implementation, and formal reporting.


3) Certification documents – ISMS

3.1 ISMS certificates must include the SoA version

ISMS certification documents must include the version of the Statement of Applicability (SoA).
A change to the SoA that does not change control coverage within the scope does not necessarily require a certificate update (as noted in the manual).

3.2 Remote‑only organisations must be declared

Where the certified organisation undertakes no activity at a defined physical location, the certificate must state that all activities are conducted remotely.

3.3 Referencing other control frameworks/standards on ISMS certificates

Certification documents may reference other national/international standards only if:

  • the client has compared its necessary controls with the referenced control source(s) to ensure none are inadvertently omitted (aligned to ISO/IEC 27001:2022 control determination expectations); and
  • excluded reference controls are justified in the SoA.

Where a referenced control set is used, certification documents must make clear that it is referenced only to indicate which controls are relevant for inclusion or exclusion, and is not used as criteria for conformity assessment.


4) Confidentiality – pre‑audit access to sensitive ISMS information

Before certification audits, Assurco asks the client to identify any ISMS‑related information that cannot be made available to the audit team due to confidentiality/sensitivity (e.g., ISMS records or evidence of control design/effectiveness).

Assurco then determines whether the ISMS can be adequately audited without that information. If not, we inform the client that the audit cannot proceed until appropriate access arrangements are granted.


5) Pre‑certification and audit programme – ISMS

5.1 No “prescribed” ISMS implementation style

Assurco’s certification procedures do not assume a particular ISMS implementation method or documentation format; audits confirm conformity to ISO/IEC 27001 and the client’s policies/objectives.
The manual notes that organisations may design controls or select from other sources, and certification remains possible even if none of the “necessary controls” come from ISO/IEC 27001 Annex A (as long as ISO/IEC 27001 requirements are met).

5.2 Audit programme must consider the client’s control set

The ISMS audit programme must take into account the information security controls determined by the client (whether ISO/IEC 27001 Annex A, other standards, or self‑designed).

5.3 Remote audits – mandatory risk analysis and documentation

Assurco defines remote audit procedures to determine the acceptable level of remote auditing. A risk analysis is performed prior to any remote audit and considers factors including infrastructure, client sector, audit type in the cycle, competence of involved personnel, previous remote audit performance, and certification scope.

The analysis and justification for remote audit use must be documented, and audit plans/reports must clearly indicate remote activities. Remote audits are not used where unacceptable risks to audit effectiveness are identified; the risk assessment is reviewed through the certification cycle.

5.4 Readiness expectations: internal audit & management review evidence

Assurco will not certify an ISMS unless there is sufficient evidence that management reviews and internal ISMS audits have been implemented, are effective, and will be maintained for the scope of certification.

5.5 Scope of ISMS certification – boundaries, interfaces, and SoA

ISMS audits must cover the defined scope against applicable requirements, and Assurco confirms that:

  • the scope addresses ISO/IEC 27001 context/scope determination requirements;
  • the risk assessment and risk treatment reflect the organisation’s activities and boundaries;
  • there is an SoA for the scope; and
  • interfaces with out‑of‑scope services/activities are addressed within the ISMS and included in the risk assessment (e.g., shared facilities, outsourcing).

5.6 Audit time determination – ISMS

Audit time is determined using ISO 27006‑1 Annex C (as implemented in Assurco’s audit time calculation approach).

See main Audit Time Article.

5.7 Multi‑site sampling – additional ISMS conditions

Where a client has multiple sites, Assurco may apply a sample‑based approach only where the sites meet criteria such as operating under the same centrally administered ISMS, being included in the internal audit programme, and being included in the management review programme.

Sampling decisions consider factors including prior internal audit results, management review results, site size/purpose, complexity of information systems, variations in practices/activities, control design/operation, interaction with critical/sensitive systems, legal requirements, geographical/cultural aspects, site risk situation, and incident history. The sample selection includes judgemental factors plus a random element, and sites subject to significant risks are audited prior to certification.

See main Multiple Site Auditing Article.

5.8 Integrated audits / multiple standards

Assurco may accept combined management system documentation provided the ISMS remains clearly identifiable with interfaces to other systems. Combined audits may be performed where all ISMS certification requirements are satisfied and ISMS elements are clearly identifiable in audit reports.


6) Planning and conducting ISMS audits – ISMS

6.1 Audit objectives must include ISMS effectiveness and control determination

ISMS audit objectives include:

  • determining management system effectiveness;
  • ensuring the client has identified necessary controls based on risk assessment; and
  • determining that information security objectives have been achieved.

Audit criteria must include ISO/IEC 27001.

6.2 Audit plan and remote audit tools

Where remote techniques are used, the audit plan references the tools used to support remote auditing, with the stated intent of enhancing effectiveness/efficiency while protecting audit integrity.

6.3 Stage 1 – ISMS design and readiness

During Stage 1, Assurco obtains ISMS design documentation (as required by ISO/IEC 27001) and at least:

  • general information about the ISMS and covered activities;
  • a copy of required ISMS documentation and associated documentation where applicable.

Stage 1 develops understanding of ISMS design in context (risk assessment/treatment, controls, policy/objectives, readiness), documents results in a report, and informs Stage 2 planning.

6.4 Stage 2 – implementation and effectiveness focus areas

Stage 2 confirms effective implementation and adherence to client policies/objectives/procedures, focusing on:

  • leadership and commitment to information security objectives;
  • information security risk assessment (including consistency/validity if repeated);
  • control determination aligned to risk assessment/treatment;
  • information security performance and ISMS effectiveness vs objectives;
  • alignment between controls, SoA, risk assessment, risk treatment, policy/objectives;
  • implementation and effectiveness of controls (and how monitoring/measurement/analysis supports effectiveness);
  • traceability from programmes/processes/procedures/records/internal audits/reviews back to top management decisions and policy/objectives.

6.5 Conducting the audit – mandatory risk assessment evaluation

The audit team requires the client to demonstrate that its information security risk assessment is relevant and adequate for the certification scope, and evaluates whether the procedures for identifying, examining and evaluating risks, and their results, are sound, are implemented, and align with the information security policy, objectives and targets.

6.6 ISMS audit reporting – additional reporting content

ISMS audit reports must include or reference:

  • an account of auditing the client’s information security risk analysis;
  • any information security control sets used for comparison purposes (where applicable).

Reports must be sufficiently detailed for certification decisions and include:

  • significant audit trails and methodologies used;
  • reference to the SoA version and, where applicable, comparison with previous audits;
  • sample information (either in the report or associated certification documentation);
  • extent/effectiveness of remote methods used;
  • statement that all activities are remote where applicable;
  • commentary on the adequacy of internal organisation/procedures that provide confidence in the ISMS;
  • a summary of the most important positive and negative observations about implementation/effectiveness of ISMS requirements and controls.

7) Certification decision, surveillance and recertification – ISMS

7.1 Certification decision must rely on audit team recommendation and readiness evidence

The certification decision is based on the audit team’s recommendation in the audit report. Certification is not granted until there is sufficient evidence that management reviews and internal ISMS audits are implemented, effective and will be maintained.

7.2 Surveillance requirements – minimum content expectations

Surveillance procedures are a subset of certification audit procedures and verify continued implementation, consider changes to the ISMS, and confirm continued compliance. Surveillance programmes cover at least:

  • maintenance elements such as risk assessment/control maintenance, internal ISMS audit, management review, corrective action;
  • communications from external parties required by ISO/IEC 27001 and other certification documents.

Each surveillance audit, as a minimum, reviews:

  • ISMS effectiveness against information security policy objectives;
  • evaluation/review of compliance with information security legislation/regulation;
  • changes to controls and resulting SoA changes;
  • implementation and effectiveness of controls in the audit programme.

Surveillance reports must include clearance of prior nonconformities, SoA version, and important changes since the prior audit; the series of surveillance audits should cumulatively cover the required surveillance scope.

7.3 Recertification – subset approach and corrective action timing aligned to risk

Recertification audit procedures are a subset of initial certification procedures. The time allowed for corrective action must be consistent with the severity of nonconformity and associated information security risk.

7.4 Complaints – treated as incident indicator

The manual notes that complaints represent a potential incident and an indication of possible nonconformity.