Skip to main content
All CollectionsComplianceISO 27001
Question to ask a Potential ISO 27001 Certification Body (i.e. Auditor)
Question to ask a Potential ISO 27001 Certification Body (i.e. Auditor)
Ethan Heller avatar
Written by Ethan Heller
Updated over a week ago

When looking for a ISO 27001 Certification Body, here is a list of questions you should consider asking as part of your evaluation process.

  • Who is your Accreditation Body?

  • For a company like mine, what Annex A Controls do you think may be Out of Scope or Not Applicable?

  • What other items will I need to complete besides my Drata dashboard to be audit ready?

  • What percentage of controls will you be able to confirm through Drata and how much evidence will I need to manually gather?

  • From planning to report and certificate delivery, what is the high-level audit process and how long does it typically take to complete?

  • How much communication should I expect during the audit process?

  • How will I know if you identify a Non-Conformity? Will we have an opportunity to discuss results prior to the final report and certificate being issued?

  • What is the typical period of time between the stage 1 and a stage 2 audit?

  • Will you have to come onsite for our audit?

  • Will you have to go to all locations where we have an office?

  • Ask specific questions on how they would audit your tech stack. For instance, what are the most important controls for S3? What controls would I need for Kubernetes?

Did this answer your question?