How to become an auditor at a certification body

At IT Governance, we have extensive experience working with various certification bodies. Indeed, many of our consultants used to work as ISO 27001 auditors at certification bodies. We, therefore, thought it would be useful to draw on this collective experience and share it with you, along with an abstract of the requirements needed to become an auditor at a certification body.

Each certification body decides whether to use employees as auditors, external contractors, or a combination. While some bodies may use only employees, others, especially the smaller ones, use only contractors.

The best approach for those looking to pursue this as a career option is to check, and then demonstrate to the certification body, that you satisfy the general competence criteria. Each body will have its own set of requirements for ISO 27001 certification auditors or lead auditors. The minimum requirements are based on the guidelines for all management system auditors as stated in Annex A of ISO/IEC 17021:2011:

  • Knowledge of business management practices
  • Knowledge of audit principles, practices, and techniques
  • Knowledge of specific management system standards or normative documents
  • Knowledge of the certification body’s processes
  • Knowledge of the client’s organizational sector
  • Knowledge of the client’s products, processes, and organization
  • Language skills appropriate to all levels within the client organization
  • Note-taking and report-writing skills
  • Presentation skills
  • Interviewing skills
  • Audit management skills

Requirements mandated by ISO/IEC 27006:2015 for information security auditors

  • Knowledge of the ISMS standard – ISO 27001 – and other relevant normative documents
  • An understanding of information security
  • An understanding of risk assessment and risk management from a business perspective
  • Technical knowledge of the activity to be audited (across an audit team)
  • General knowledge of regulatory requirements relevant to ISMS
  • Knowledge of management systems
  • An understanding of the principles of auditing based on ISO 19011
  • Knowledge of ISMS effectiveness review and the measurement of control effectiveness

Individuals wishing to apply for roles as auditors at certification bodies should prepare a CV and cover letter that explains how their skills and experience align with the requirements above. From our consulting team’s experience, salaries/day rates and working arrangements will vary per body. If you are looking to go down the self-employed/contracting route, there is nothing to prevent you from working with two or more bodies simultaneously. IT Governance has noticed quite a few individuals who work this way and appear to make a reasonable living doing so.

Start your career as an ISO 27001 lead auditor

We have many course dates available for our ISO 27001 Certified ISMS Lead Auditor Online Masterclass. Book your place today.