COVID complicates ISO 27001 audits, creating risk for some UK companies

COVID has made in-person ISO audits more difficult, so companies need to be aware of new rules around remote audits to continue to meet security standards.


ISO management system certifications earned by UK companies could be at risk of lapsing because certification bodies' auditors have not been able to conduct in-person re-certification audits during the coronavirus pandemic, according to InfoSaaS.

The ISO 27001 standard aims to help organisations create a management system to control information security risks. With around 114 controls in 14 groups and 35 control categories, achieving certification can be a significant undertaking, taking many months and thousands of pounds to implement. Furthermore, the loss of ISO certification could put companies in breach of contract with partners.

ISO certifications also require regular audits to ensure continual adherence to their requirements. These are often done through in-person audits and assessments, but the COVID-19 pandemic has meant many missed audits. Under normal conditions, UKAS guidelines allow a maximum six-month overrun for recertification audits; if a recertification assessment cannot be performed within that time, the certificate should be suspended.

COVID makes ISO audits more difficult

InfoSaaS predicts an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities, potentially leaving companies and their clients at risk. “ISO standards are living certifications,” says Peter Rossi, co-founder of InfoSaaS, “you have to be re-audited to prove that you're still adhering to it and that's typically a very face-to-face process. Now people are coming back to work but delivering these audits face to face is still proving challenging, so they're having to look at ways of moving to remote audits.”

