Welcome to the Wiki of Compleye Online

External Audit ISO 27001


Certificates for companies are issued by organisations called certification bodies, which are entities licensed by accreditation bodies to perform certification audits and assess whether a company's Information Security Management System is compliant with ISO/IEC 27001. Compleye is not a certification body (let's call them Audit Companies). We support companies with our Platform and Services, and therefore we cannot certify customers.

You will need to select and contract an Audit Company. When signing up you will enter a 3-year contract, as the certification is a 3-year process as well.

External Audit Process

Every ISO 27001 audit will be organised as follows:

Year 1 is divided into 2 stages:

– stage 1: The Audit Company will decide if you are eligible for certification. You will need to introduce your business and talk about scope and ambitions. They will check how you have organised your ISMS, whether all the mandatory topics are documented, and whether you have implemented them. So, the focus is on Chapters 4-10. To support this process the Mandatory Topics Ch4-10 is important, as is giving the auditor access to the Compleye Online environment as an observer, so he/she can browse around and check the documented evidence. By the end of stage 1, the auditor will confirm whether you are prepared for stage 2 and whether the audit will be continued.

– stage 2: The auditor will set up an agenda for the in-depth audit. Every topic will be on the agenda and you will select the (ISMS) team members per topic who will be present during the audit. The auditor will ask for samples and check whether what you have documented in your policies & procedures is also implemented in that same way. By the end of each audit day there will be a small summary of non-conformities and/or suggestions for improvement. At the end of stage 2, the auditor will tell you the end results and start filing a report.

The actual report will first need to be reviewed internally at the audit company, and you will receive the final report approx. 2-8 weeks after the audit (depending on the audit company). Only once the internal review is completed will you receive the report and certification documents.

Year 2 and 3: The auditor will return for control audits. These are less extensive than year 1, and an agenda will already be in the final report of the previous year, although there is always a chance that the auditor will touch base on other topics.

Selecting an Audit Company

Depending on your budget, business and country you will select an Audit company. Considerations:

  • your customers are perhaps working with certain companies and it might be an advantage to use the same Audit company.
  • if you make use of an office building, the Auditor will need to visit you to check facilities and a local, regional Audit company might be handy and cost efficient, as you will need to pay travel expenses as well.
  • if you are a 100% online company, you can choose an Audit company that is used to online audits and works globally.
  • there are new-style Audit companies that perform Risk Based audits, meaning that they are more focussed on your business risks and act more as a partner in a friendly, supporting way.
  • always ask for a minimum of 2 quotes to compare Audit companies.
  • a lot of Audit companies work with individual contractors (auditors). It is good to ask what kind of auditors they work with: whether they have experience in your industry or with your size of company, whether they are document focused or more technically focused, etc.
  • an auditor can only work with you for a max of 3 years, after that you will get a new auditor. Some Audit companies change auditor every year, which is mostly not beneficial. You can check what the approach of the Audit company is.

Compleye is working with DNV – https://www.dnv.nl/ – we chose this audit company because they have a risk-based approach and work with individual contractors. We were able to select an auditor who has experience with small sized companies and understands that agility is important for our business. 3angles https://3angles.nl/en/

Some International Audit companies you can check out: BSI, TUV, DNV, KPMG, Veritas, A-lign, Alcumus. We advise you to google for a top 10 list in your own country and get a list of national Audit companies.

More Audit company tips

  • Every Audit Company has their own onboarding process – it always starts with an intake form, that can sometimes be extensive and is needed to define the scope of the audit. Based on the intake form they will define the pricing and proposal.
  • Audit Companies work with a fixed number of days that are needed, depending on the size of your organisation (fte team members) and the complexity of your IT Infrastructure.
  • If you are a 100% online company, please make sure you mention that during application; it will reduce costs (no visit on location).
  • Indication of pricing, depending on # locations and complexity of IT Structure:
    <25 fte = 10-15K Euro for 3 years
    25-50 fte = 12-20K Euro for 3 years
    >50 fte = 15-25K Euro for 3 years

  • Start asking for quotes 3-5 months before you want to be certified, as it can be busy in certain periods.
  • In Compleye Online, in the templates section, you can find a document 'Audit Tips' that will give you some guidelines on what to do (and not to do) during external audits.
