How to become ISO 27001 Lead Auditor

By Dejan Kosutic on February 27, 2012

Many people think that just by attending the ISO 27001 Lead Auditor Course they have become the ISO 27001 Lead Auditor. Well, this is not entirely true.

This article will show the steps you need to take if you want to work as an auditor for a certification body. If you want to work as an internal auditor, you basically do not need the Lead Auditor Course or anything else mentioned here – you can perform internal audits by simply proving you have enough experience and knowledge. To learn more about internal audits, read the article Dilemmas with ISO 27001 & BS 25999-2 internal auditors.

Steps for becoming the ISO 27001 Lead Auditor

So, if you want to become a lead auditor, here is what ISO 27006 (the standard that defines the requirements for certification bodies) requires:

  1. Prior experience – You need to have at least four years of experience in information technology, of which at least two years on a job related to information security.
  2. Pass the exam – The ISO 27001 Lead Auditor Course lasts 5 days, and on the fifth day you need to pass the written exam. Therefore, you need to invest considerable effort, not only by studying for the exam but also for attending the full 5 days of the course (if you miss a single day you will not be permitted to take the exam).
  3. Find a certification body – You need to find a certification body which needs an ISO 27001 certification auditor – that may prove to be a difficult task, since most of the certification bodies already have their auditors.
  4. Go through training – When you find the certification body which is interested, this doesn’t mean you’ll start auditing tomorrow – ISO 27006 requires you to go through a trainee program (or similar) during which you will attend real certification audits (done by more experienced colleagues) where you will learn how to perform such audits. Usually, this trainee period lasts 20 audit days after which you’ll be entitled to perform ISMS audits as part of the audit team.
  5. Gain audit experience – To become an ISO 27001 Lead Auditor, i.e. to lead a team of auditors performing an ISO 27001 audit, you need to have experience in at least three complete ISMS audits.

After you finish all these steps, you will be able to perform ISMS audits as the team leader. So, the ISO 27001 Lead Auditor Course is just the beginning of your journey…

You can also check out our ISO 27001 Lead Auditor Course preparation training – a webinar which describes the details of the course and helps you prepare for the exam (commercially sold online training).

  • Rahul Chitale

    Hello Sir,

    My name is Rahul Chitale. I have done an M.B.A. in I.T. and passed the ISO 27001 Lead Auditor course and exam. But I am a fresher. Now I am looking for a job in auditing as a trainee. Please guide me on the same.

  • Dejan Kosutic

    Rahul, the best thing would be to contact local certification bodies in your country and ask them if they need a trainee for ISO 27001 auditing.

  • Guyerown

    Hi Dejan,

    I have only recently made my foray into InfoSec, and have been considering taking an LA course+exam; however, the release of the DIS version of ISO 27001:2013 has put me in a dilemma – should I wait till the 2013 version is released or go ahead with it?
    (I have to weigh in the fact that certification is going to be a long-needed shot in the arm for my career, and hence, something I want/need to get ASAP.)

  • Dejan Kosutic

    Guyerown, if you need to get the Lead Auditor certificate as soon as possible, I would advise you not to wait for the new 2013 revision – the problem with this new revision is that it is not 100% certain it will be published this year, and once it is published it will take a couple of months for course organizers to launch courses compliant with the new revision. Further, if you get the certificate according to the existing 2005 revision, it won’t change a thing for you except if you want to work as a certification auditor – in such a case you’ll have to pass a short training which will cover the differences between the 2005 and 2013 revisions.

  • Guyerown

    Thank you. :)

  • lakshmipriya

    Hi Dejan,
    Thanks a lot for the response that you posted on Quora.
    I just have one more query: can you please tell me if the certificate issued by BSI for ISO 27001 LA is recognized internationally and is acknowledged by IRCA?
    What are the things you need to do in order to maintain your LA certificate? Do you have to pay an annual fee to BSI? I am not clear on this; can you please throw light on this.

  • Dejan Kosutic

    BSI is a very well recognized body with a good image; however, you have to ask them directly if their course is accredited by IRCA (I assume it is).

    You don’t need to maintain your certificate or pay any fees; however, if you work as a certification auditor you need to have a minimum number of audit man-days per year in order to maintain your status.

  • teena

    I want to take ISO27001 LA certification training. I have almost four years' experience, but for the last two years I have not been in touch with information security or any ISO standard.
    I am planning to take the ISO27K certification in September 2013, but I don’t know whether I can pass the exam or not.
    Please help me.

  • Dejan Kosutic

    Teena, it doesn’t really matter for passing the exam if you have not been in touch in the last couple of years – what is much more important is to participate in the course as much as possible and to ask for clarifications from the tutor.

  • teena

    Thanks a ton for quick response…..

  • teena

    I am planning to take certification from BSI, but I do not know the exam criteria; they are not even mentioned on the BSI site.
    My second query is: if I fail the exam, or for some reason I cannot continue the training, then what would be the next process?
    Actually, my phobia is the written exam because my English is just OK.
    I am really scared about the exam.

  • Zak

    Where can I find this course?

  • Dejan Kosutic

    Zak, ISO 27001 Lead Auditor Courses are usually provided by certification bodies such as BSI, SGS, DNV, BVQI, etc.

  • Lenart

    Worth reading this. Thanks for putting this down on paper :)

  • Ritesh

    Hi, I want to know what the major differences are between LA and LI certification. Should a fresher go with LA or LI? Thanks.

  • Dejan Kosutic

    The Lead Auditor course is nominally intended for auditors, whereas the Lead Implementer course is for consultants and people working on implementation. However, very often consultants go for the Lead Auditor course because they want to learn about the certification criteria.

    Therefore, you should choose your career path first, and then decide on the course that better suits you.