At CERCOMS, we believe in transparency. We are happy to explain our approach so that you know exactly what the planning is based on.
When organizations start an external audit for ISO/IEC 27001:2022, we are often asked: ‘How do you actually determine the number of audit days?’
A reasonable question, since audit days involve time, effort, and cost.
Determining the audit duration is neither a rough estimate nor the outcome of a negotiation driven by the organization's preparation or expectations. It is a structured process derived from international standards and accreditation requirements.
This applies to all accredited certification bodies: the calculation of audit days is based on established methodologies that align with the standard and the regulations.
When determining the audit duration for ISO/IEC 27001:2022, we follow the general requirements for certification bodies in ISO/IEC 17021-1, supplemented by the specific audit time calculation and competence requirements in ISO/IEC 27006-1:2024:
ISO/IEC 17021-1:2015
The general standard for management system certification, which defines how audits should be conducted, including risk-based planning and auditor competencies.
ISO/IEC 27006-1:2024
The ISMS-specific requirements for bodies that audit and certify information security management systems (ISMS), which set out how factors such as processes, IT complexity, and outsourcing increase or reduce the audit duration.
Factors that determine the audit duration
Before the audit, we review the information the organization provides in advance. Depending on the responses, the audit time may be reduced or extended. CERCOMS uses six assessment categories for this purpose, each rated on three levels (1 = low, 2 = medium, 3 = high) that influence the audit duration:
Type of business activities and regulations
- 1: Non-critical sectors, no specific regulations
- 2: Organization serves clients in critical sectors
- 3: Organization operates in critical sectors
Processes and tasks
- 1: Standard processes, few products/services
- 2: Standard but non-repetitive processes, many products/services
- 3: Complex processes, many products/services, multiple business units
Level of the management system
- 1: ISMS well established or other management systems in place
- 2: Some elements of other systems in place
- 3: ISMS new or not implemented
Complexity of IT infrastructure
- 1: Minimal or highly standardized IT platforms, servers, networks
- 2: Multiple different IT platforms and systems
- 3: Numerous different IT platforms, servers, databases, networks
Information systems development
- 1: No or very limited in-house development
- 2: Some in-house or outsourced development for critical purposes
- 3: Extensive in-house or outsourced development for critical purposes
Dependence on outsourcing and suppliers, including cloud services
- 1: Little or no dependence
- 2: Some dependence for critical processes
- 3: High dependence with significant impact on critical activities
Scope versus total number of FTEs
CERCOMS asks for both the total number of employees (FTE) and the number of FTEs within the scope of the management system. The audit duration is calculated from the FTEs within the scope of the ISO/IEC 27001:2022 management system, not from the total headcount, so that the audit days match the processes that actually fall under the certificate.
What does that mean in practice?
- Total FTEs: all employees in the organization, regardless of whether they are involved in processes covered by the ISMS.
- Scope FTEs: only the people involved in the processes, systems, or departments covered by the certificate. This figure should include everyone doing work under the organization's control within that scope, including contractors and temporary staff, converted to full-time equivalents; the audit becomes harder to defend if the certificate covers work performed by people who were left out of the count.
For example: a company has 500 employees, but the ISMS only applies to the IT department and a few core processes, totaling 120 FTEs. For calculating the audit days, CERCOMS uses 120 FTEs, not 500.
Number of locations and sampling
In addition to FTEs and assessment categories, the number of locations also plays a major role in calculating the audit duration. Not every site needs to be audited in full and separately; in many cases sampling is used, where a selection of locations representative of the entire scope is assessed.
The choice of which locations are included depends on several factors:
- The complexity and risks of processes at those locations
- Number of employees per location
- Any specific regulations or sector requirements per location
By sampling locations, the audit can be conducted efficiently while still ensuring that every relevant process within the scope is assessed. Sampling presupposes that the sites operate under one centrally managed ISMS; a site whose activities or risks differ substantially from the others is normally audited individually rather than sampled.