In today’s business landscape, remote audits have become an essential part of the certification process, especially for standards like ISO/IEC 27001:2022, which focuses on Information Security Management Systems (ISMS). The COVID-19 pandemic accelerated the use of remote audits, but the shift to digital has proven to be not just a necessity but also an efficient, cost-effective, and flexible approach to ensuring compliance. This benefits both the client and us, as the certification service provider. However, remote audits must adhere to specific guidelines set forth in both the ISO/IEC 27001:2022 and the ISO 17021 standards.

What is a Remote Audit for ISO/IEC 27001:2022?
A remote audit refers to an audit process conducted through digital tools, such as video conferencing, screen sharing, and file sharing platforms, rather than in-person visits. For ISO/IEC 27001:2022, this audit ensures that an organisation’s ISMS complies with the standard, covering the following areas:
- Risk Assessment: Evaluating the organisation’s ability to assess and treat information security risks.
- Security Controls: Assessing the implementation and effectiveness of the information security controls across the organisational, people, physical and technological control categories.
- Compliance: Ensuring that the organisation is complying with relevant legal, regulatory, and contractual obligations.
- Continuous Improvement: Reviewing the effectiveness of ongoing efforts to improve the ISMS.
A remote audit for ISO/IEC 27001:2022 allows auditors to assess these areas using digital tools without being physically present on-site.
Key Benefits of Remote Audits for ISO/IEC 27001:2022
- Cost-Effective: Reduces travel and accommodation costs, making audits more affordable for organisations.
- Efficiency: Remote audits allow for faster scheduling, and audits can be conducted with less disruption to the organisation’s operations.
- Flexibility: Auditors and organisations can choose convenient times for audits, reducing the time and effort involved in planning.
- Effective data sharing: Clients can give the auditor access to their document portals, so all documents can be assessed remotely without waiting for the client to present them.
Where Remote Audits are Conducted in the ISO/IEC 27001:2022 Process
Remote audits can be applied during both Stage 1 and Stage 2 audits, though there are nuances in how they are carried out.
- Stage 1 Audit: The purpose of the Stage 1 audit is to review the organisation’s preparedness for the Stage 2 audit, focusing on the ISMS framework, policies, and procedures. This phase is more document-driven, meaning much of it can be effectively conducted remotely through digital means such as document sharing, interviews via video calls, and virtual meetings. Auditors will assess the organisation’s readiness to move forward to the Stage 2 audit, and this process can typically be done entirely remotely.
- Stage 2 Audit: The Stage 2 audit is more in-depth and involves evaluating the implementation and effectiveness of the ISMS. While some elements, such as reviewing documentation, conducting interviews, and evaluating records, can be performed remotely, physical aspects of the audit might still require an on-site visit. For example, assessing physical security controls, checking the implementation of technical measures, or inspecting infrastructure cannot be fully substituted with remote methods. However, these on-site visits are much shorter than they would be in a traditional audit, as the auditor can perform most of the verification remotely in advance. The physical visit focuses on specific aspects that require direct observation or inspection.
Requirements for Remote Audits Under ISO/IEC 17021:2015
ISO/IEC 17021:2015 is the standard that specifies requirements for certification bodies conducting audits and certifications, and it outlines essential criteria for performing remote audits. According to ISO/IEC 17021:2015, a remote audit must meet several critical conditions to maintain its validity:
- Audit Plan and Scope: The audit scope must be clearly defined in advance, outlining which processes and areas will be reviewed. The audit plan should take into account that it is a remote audit and may need to adapt, especially for the evaluation of certain types of evidence or physical inspection.
- Technological Competence: The organisation and the auditors must ensure that the necessary technologies (e.g., video conferencing tools, secure file sharing) are available and functional. The systems must be capable of supporting effective communication and data exchange.
- Confidentiality and Security: ISO/IEC 17021:2015 emphasises the importance of confidentiality and data security during remote audits. Secure communication channels and data sharing protocols must be used to protect sensitive information during the audit process. This is particularly crucial for ISO/IEC 27001:2022, which deals with information security.
- Competence of Auditors: Auditors conducting remote audits must be competent not only in the technical requirements of ISO/IEC 27001:2022 but also in the use of remote audit tools and techniques. They must be trained to handle virtual audit processes effectively and securely.
- Verification of Evidence: The certification body must ensure that the evidence presented during the remote audit is sufficient and credible. For ISO/IEC 27001:2022, this could include reviewing electronic records, security logs, and interviews with personnel through video calls. Physical evidence may need to be documented through photographs or videos to substantiate the audit findings.
- Adaptation of Audit Procedures: While the fundamental audit processes remain the same, some adaptations may be necessary for remote audits. For instance, instead of physically inspecting facilities, auditors may request additional documents, screenshots, or recordings to verify controls and procedures.
- Final Audit Report: As with any ISO audit, the final report should document the audit’s findings, including any non-conformities, observations, and recommendations for improvement. The report should also reflect the remote nature of the audit, ensuring that no crucial areas were overlooked due to the digital format.
Conclusion
Remote audits for ISO/IEC 27001:2022, as defined by ISO/IEC 17021:2015, offer a practical and flexible way to ensure ongoing compliance with information security standards. While much of the Stage 1 audit can be performed remotely, physical assessments (such as infrastructure and physical security controls) still require on-site visits during Stage 2. Remote audits are efficient, cost-effective, and secure, but they require careful planning, appropriate technology, and highly competent auditors to ensure that all audit objectives are met.
At Sancert, we employ an effective remote audit process and have been continually refining our approach to ensure the highest level of efficiency and security.
If you’re interested in learning more about how remote audits can benefit your organisation, contact us today at info@sancert.global or visit www.sancert.global. We’re here to help you achieve your certification goals with minimal disruption to your operations.