Auditor Evaluation Template

Why Auditor Evaluation Matters

Selecting the right certification body and auditor team is one of the most critical decisions in your ISO 27001 journey. The right choice can mean:

Smooth certification process with constructive feedback
Value-added insights that improve your ISMS beyond compliance
Long-term partnership that supports your security maturity
Credible certification recognized by customers and stakeholders
Fair pricing that matches the value delivered

The wrong choice can result in:

Adversarial audit experiences
Superficial reviews that miss real security gaps
Certifications that customers don't recognize
Hidden fees and unexpected costs
Poor communication and support

This lesson provides you with a comprehensive evaluation framework to objectively assess and compare certification bodies.

The Certification Body Evaluation Process

Overview

Use this systematic approach:

Initial Research - Identify 3-5 potential certification bodies
Request Information - Ask for proposals and documentation
Structured Evaluation - Use the forms provided in this lesson
Reference Checks - Speak with current clients
Final Comparison - Use weighted scoring to make your decision
Contract Negotiation - Finalize terms and expectations

Certification Body Evaluation Form

Use this comprehensive form to evaluate each certification body you're considering. Complete one form per certification body.

Basic Information

Certification Body Name: _______________________________________________

Date of Evaluation: _______________________________________________

Primary Contact: _______________________________________________

Contact Email: _______________________________________________

Contact Phone: _______________________________________________

Website: _______________________________________________

Section 1: Accreditation and Recognition

Maximum Points: 100 | Weight: 25%

1.1 Primary Accreditation

Question: Is the certification body accredited by a recognized national accreditation body?

Yes, by: _______________________________________________ (100 points)
No or unclear accreditation (0 points)

Required Evidence:

Copy of accreditation certificate
Accreditation scope covering ISO 27001
Current accreditation status (not expired)

Accreditation Bodies to Look For:

United States: ANAB (ANSI National Accreditation Board)
United Kingdom: UKAS (United Kingdom Accreditation Service)
Europe: National bodies under EA (European Accreditation)
International: IAF MLA (International Accreditation Forum Multilateral Recognition Arrangement) members

Notes:

1.2 International Recognition

Question: Is the accreditation recognized internationally through IAF MLA?

Yes, IAF MLA signatory (50 points)
No or regional only (0 points)

Why This Matters: IAF MLA ensures your certification is recognized globally, which is crucial if you:

Have international customers
Operate in multiple countries
Need to demonstrate compliance to global partners
May expand internationally in the future

Notes:

1.3 Industry-Specific Scope

Question: Is the certification body's accreditation scope relevant to your industry?

Exact match for our industry sector (30 points)
Related sector coverage (15 points)
Generic coverage only (0 points)

Your Industry Sector (ISO/IEC 17021-1 codes): ___________________________

Certification Body's Scope: _____________________________________________

Notes:

SECTION 1 TOTAL: _______ / 180 points WEIGHTED SCORE (Total × 0.25): _______ / 45 points

Section 2: Industry Experience and Expertise

Maximum Points: 100 | Weight: 20%

2.1 Years in ISO 27001 Certification

Question: How long has the certification body been certifying ISO 27001?

10+ years (40 points)
5-10 years (25 points)
2-5 years (10 points)
Less than 2 years (0 points)

Years in Business: _______________

Notes:

2.2 Your Industry Experience

Question: How many organizations like yours have they certified?

20+ similar organizations (40 points)
10-20 similar organizations (25 points)
5-10 similar organizations (15 points)
1-5 similar organizations (5 points)
None or won't disclose (0 points)

Number of Similar Clients: _______________

Examples Provided:

2.3 Size and Complexity Match

Question: Have they certified organizations of similar size and complexity?

Yes, multiple examples of similar size/complexity (30 points)
Some examples, but not exact matches (15 points)
No similar examples (0 points)

Similar Clients: (ask for 2-3 examples)

Client Name	Industry	Size	Complexity Match
1.
2.
3.

Notes:

2.4 Technical Competencies

Question: Do they have expertise in your specific technical environment?

Rate expertise in your key technology areas (0-10 each):

Technology Area	Your Use	Their Expertise (0-10)
Cloud (AWS/Azure/GCP)	[ ] Yes [ ] No	_____
SaaS Applications	[ ] Yes [ ] No	_____
Development/DevOps	[ ] Yes [ ] No	_____
Healthcare (HIPAA)	[ ] Yes [ ] No	_____
Payment Cards (PCI DSS)	[ ] Yes [ ] No	_____
Financial Services	[ ] Yes [ ] No	_____
Government/Defense	[ ] Yes [ ] No	_____
Manufacturing/OT	[ ] Yes [ ] No	_____
Other: _____________	[ ] Yes [ ] No	_____

Average Technical Expertise Score: _____ / 10 (multiply by 3 for section points)

SECTION 2 TOTAL: _______ / 140 points WEIGHTED SCORE (Total × 0.20 × 0.714): _______ / 20 points

Section 3: Auditor Team Quality

Maximum Points: 100 | Weight: 20%

3.1 Lead Auditor Qualifications

Question: What are the qualifications of the proposed lead auditor?

Lead Auditor Name: _______________________________________________

Qualifications: (check all that apply and sum points)

IRCA Certified Lead Auditor (or equivalent) (30 points)
10+ years auditing experience (20 points)
5-10 years auditing experience (10 points)
Industry-specific certifications (CISSP, CISA, CISM, etc.) (15 points)
Experience in our industry (15 points)
Technical background matching our environment (10 points)

Certifications Held: _______________________________________________

Years of Auditing Experience: _______________

Total Points: _______ / 90

3.2 Team Continuity

Question: Will the same lead auditor conduct all audits (Stage 1, Stage 2, surveillance)?

Yes, guaranteed (20 points)
Likely, but not guaranteed (10 points)
Different auditors may be assigned (0 points)

Commitment Level: _______________________________________________

Notes:

3.3 Team Communication Skills

Question: Based on initial interactions, how would you rate communication?

Excellent - Clear, responsive, professional (20 points)
Good - Adequate communication (12 points)
Fair - Some communication issues (5 points)
Poor - Difficult to communicate (0 points)

Response Time to Inquiries: _______________

Communication Quality Notes:

3.4 Audit Team Size

Question: Is the proposed team size appropriate for your organization?

Your Organization Size: _____ employees Proposed Audit Team: _____ auditors Proposed Audit Days: _____ days

Team size matches IAF MD 5 guidelines (10 points)
Team size slightly below recommended (5 points)
Team size significantly under-resourced (0 points)
Team size over-resourced (investigate why) (0 points)

Notes:

SECTION 3 TOTAL: _______ / 140 points WEIGHTED SCORE (Total × 0.20 × 0.714): _______ / 20 points

Section 4: Audit Approach and Methodology

Maximum Points: 100 | Weight: 15%

4.1 Audit Philosophy

Question: What is their stated approach to auditing?

Collaborative, value-added partnership (30 points)
Professional, compliance-focused (20 points)
Rigid, checklist-driven (5 points)
Unclear or concerning (0 points)

Stated Philosophy:

4.2 Finding Classification

Question: How do they classify and handle findings?

Clear distinction between major NCRs, minor NCRs, and observations (20 points)
Somewhat clear classification system (10 points)
Unclear or overly strict classification (0 points)

Classification System:

4.3 Remote Audit Capability

Question: Do they offer remote/hybrid audit options?

Yes, full remote capability with experience (15 points)
Hybrid options available (10 points)
On-site only (5 points)

Remote Audit Policy:

4.4 Audit Planning Process

Question: How thorough is their audit planning process?

Detailed pre-audit questionnaire and planning call (15 points)
Standard planning process (10 points)
Minimal planning (0 points)

Planning Process Description:

4.5 Reporting Quality

Question: Can they provide a sample audit report?

Yes, provided comprehensive sample report (20 points)
Provided basic report template (10 points)
No sample available (0 points)

Report Quality Assessment:

4.6 Feedback and Learning

Question: Do they provide learning opportunities during audits?

Yes, actively educate and suggest improvements (20 points)
Some guidance provided (10 points)
Strictly compliance checking only (0 points)

Approach to Client Education:

SECTION 4 TOTAL: _______ / 120 points WEIGHTED SCORE (Total × 0.15 × 0.833): _______ / 15 points

Section 5: Cost and Value

Maximum Points: 100 | Weight: 15%

5.1 Pricing Transparency

Question: Is the pricing clear and comprehensive?

Detailed breakdown of all costs provided (25 points)
Basic pricing with some details (15 points)
Vague or incomplete pricing (0 points)

5.2 Three-Year Cost Analysis

Complete this detailed pricing breakdown:

Initial Certification (Year 1)

Item	Description	Cost
Stage 1 Audit	_____ days × $_____ per day	$_______
Stage 2 Audit	_____ days × $_____ per day	$_______
Certification Fee	One-time fee	$_______
Travel Expenses	If applicable	$_______
Other Fees	Specify: _____________	$_______
Year 1 Total		$_______

Surveillance Year 1 (Year 2)

Item	Description	Cost
Surveillance Audit	_____ days × $_____ per day	$_______
Annual Certification Fee	If applicable	$_______
Travel Expenses	If applicable	$_______
Other Fees	Specify: _____________	$_______
Year 2 Total		$_______

Surveillance Year 2 (Year 3)

Item	Description	Cost
Surveillance Audit	_____ days × $_____ per day	$_______
Annual Certification Fee	If applicable	$_______
Travel Expenses	If applicable	$_______
Other Fees	Specify: _____________	$_______
Year 3 Total		$_______

THREE-YEAR TOTAL COST: $______________

Average Annual Cost: $______________ (Total ÷ 3)

5.3 Cost Competitiveness

Question: How does the total three-year cost compare to other proposals?

Lowest cost option (20 points)
Within 10% of lowest (15 points)
10-20% above lowest (10 points)
More than 20% above lowest (5 points)

Cost Comparison:

Certification Body	Three-Year Total	Difference from Lowest
Option 1	$_______	___%
Option 2	$_______	___%
Option 3	$_______	___%
Option 4	$_______	___%

5.4 Hidden Fees and Extras

Question: Are there any concerning hidden fees or extras?

No hidden fees, all-inclusive pricing (20 points)
Some standard extras clearly explained (15 points)
Concerning hidden fees or unclear extras (0 points)

Potential Hidden Fees to Watch For:

Document review fees
Re-audit fees for non-conformities
Certificate issuance fees
Logo usage fees
Extra team members
Extended audit time
Report generation fees
Administrative fees

Notes on Fees:

5.5 Payment Terms

Question: Are payment terms reasonable and flexible?

Flexible payment schedule (15 points)
Standard payment terms (10 points)
Restrictive or unfavorable terms (0 points)

Payment Terms: _______________________________________________

Notes:

5.6 Value-Added Services

Question: What additional value do they provide?

Check all that apply (2 points each, max 20):

Pre-audit readiness assessment
Unlimited email/phone support
Training resources and webinars
Client portal with resources
Gap analysis services
Template libraries
Networking with other certified clients
Regular industry updates
Post-certification support
Dedicated account manager

Value-Added Score: _______ / 20

SECTION 5 TOTAL: _______ / 120 points WEIGHTED SCORE (Total × 0.15 × 0.833): _______ / 15 points

Section 6: Service and Support

Maximum Points: 100 | Weight: 10%

6.1 Responsiveness

Question: How responsive have they been during the evaluation process?

Highly responsive, same-day replies (25 points)
Responsive within 24-48 hours (18 points)
Slow to respond (10 points)
Very poor responsiveness (0 points)

Average Response Time: _______________

Notes:

6.2 Availability and Scheduling

Question: How flexible are they with scheduling?

Very flexible, accommodating our needs (20 points)
Reasonably flexible (12 points)
Rigid scheduling (5 points)

Scheduling Approach:

6.3 Support Between Audits

Question: What support do they provide between audits?

Dedicated support contact with unlimited access (25 points)
Standard support channels (15 points)
Limited support (5 points)

Support Services:

6.4 Geographic Coverage

Question: Can they support all your locations?

Yes, all locations covered (15 points)
Most locations, some limitations (8 points)
Limited geographic coverage (0 points)

Your Locations: _______________________________________________

Their Coverage: _______________________________________________

6.5 Client Portal and Tools

Question: Do they provide online tools and resources?

Comprehensive client portal with tools (15 points)
Basic online resources (8 points)
No online resources (0 points)

Portal Features:

SECTION 6 TOTAL: _______ / 100 points WEIGHTED SCORE (Total × 0.10): _______ / 10 points

Section 7: Reputation and Track Record

Maximum Points: 100 | Weight: 15%

7.1 Market Reputation

Question: What is their reputation in the market?

Excellent reputation, industry leader (30 points)
Good reputation, well-established (20 points)
Average reputation (10 points)
Poor or unknown reputation (0 points)

Research Sources:

Online reviews
Industry forums
Peer recommendations
Professional networks

Notes:

7.2 Reference Check Results

Question: What did their current clients say?

References Contacted: (aim for 3)

Reference 1:

Company: _______________________________________________
Contact: _______________________________________________
Overall Satisfaction: [ ] Very Satisfied [ ] Satisfied [ ] Neutral [ ] Dissatisfied
Would they recommend? [ ] Yes [ ] Maybe [ ] No
Key Feedback: _______________________________________________

Reference 2:

Company: _______________________________________________
Contact: _______________________________________________
Overall Satisfaction: [ ] Very Satisfied [ ] Satisfied [ ] Neutral [ ] Dissatisfied
Would they recommend? [ ] Yes [ ] Maybe [ ] No
Key Feedback: _______________________________________________

Reference 3:

Company: _______________________________________________
Contact: _______________________________________________
Overall Satisfaction: [ ] Very Satisfied [ ] Satisfied [ ] Neutral [ ] Dissatisfied
Would they recommend? [ ] Yes [ ] Maybe [ ] No
Key Feedback: _______________________________________________

Reference Score:

All positive references (40 points)
Mostly positive (25 points)
Mixed reviews (10 points)
Negative reviews (0 points)

Total Points: _______ / 40

7.3 Accreditation Issues

Question: Have they had any accreditation suspensions or issues?

No issues, clean record (20 points)
Minor issues, now resolved (10 points)
Current or serious issues (0 points)

Research Notes:

7.4 Complaints and Disputes

Question: Is there evidence of unresolved complaints or disputes?

No complaints found (10 points)
Minor complaints, well-handled (5 points)
Significant unresolved complaints (0 points)

Notes:

SECTION 7 TOTAL: _______ / 100 points WEIGHTED SCORE (Total × 0.15): _______ / 15 points

Overall Scoring Summary

Section	Weight	Raw Score	Max Possible	Weighted Score
1. Accreditation and Recognition	25%	_____	180	_____ / 45
2. Industry Experience	20%	_____	140	_____ / 20
3. Auditor Team Quality	20%	_____	140	_____ / 20
4. Audit Approach	15%	_____	120	_____ / 15
5. Cost and Value	15%	_____	120	_____ / 15
6. Service and Support	10%	_____	100	_____ / 10
7. Reputation	15%	_____	100	_____ / 15
TOTAL	100%			_____ / 140

Final Percentage Score: _______ %

Score Interpretation

90-100% - Excellent choice, highly recommended
80-89% - Very good option, recommended
70-79% - Good option, acceptable
60-69% - Marginal, proceed with caution
Below 60% - Not recommended, consider alternatives

Final Recommendation Format

After completing evaluations for all certification bodies, use this format to document your decision:

Executive Summary

Date: _______________________________________________

Evaluator: _______________________________________________

Certification Bodies Evaluated: _____ total

Recommended Selection: _______________________________________________

Overall Score: _____ / 140 (_____%)

Comparison Matrix

Total Score	%	Three-Year Cost
_____	___%	$_______
_____	___%	$_______
_____	___%	$_______
_____	___%	$_______

Rationale for Recommendation

Primary Strengths:

Key Differentiators:

Considerations/Concerns:

Risk Assessment:

Risk Factor	Level (H/M/L)	Mitigation
Accreditation validity
Auditor expertise
Cost overruns
Schedule delays
Communication issues
Geographic coverage

Alternative Options

Second Choice: _______________________________________________

Score: _____ / 140 (_____%)

Why considered: _______________________________________________________________________________

Third Choice: _______________________________________________

Score: _____ / 140 (_____%)

Why considered: _______________________________________________________________________________

Next Steps

Schedule: Selection decision meeting by: _______________
Negotiation: Key terms to negotiate: _______________________________________________________________________________
Contract Review: Legal review needed? [ ] Yes [ ] No
Kick-off: Target audit kick-off date: _______________
Communication: Inform other vendors by: _______________

Approval

Recommended by: _______________________________________________ Date: ___________

Approved by: _______________________________________________ Date: ___________

Budget Approved by: _______________________________________________ Date: ___________

Reference Check Template

Use this script when calling references:

Introduction

"Hi, I'm [Your Name] from [Your Company]. We're evaluating [Certification Body Name] for our ISO 27001 certification. They provided your name as a reference. Do you have 10-15 minutes to answer some questions about your experience with them?"

Reference Check Questions

General Experience

How long have you been working with [Certification Body]?
- Response: _______________________________________________________________________________
What is your organization's size and industry?
- Response: _______________________________________________________________________________
On a scale of 1-10, how satisfied are you overall with their services?
- Response: _______________________________________________________________________________

Auditor Quality

How would you describe the quality and expertise of their audit team?
- Response: _______________________________________________________________________________
Have you had the same lead auditor throughout your certification cycle?
- Response: _______________________________________________________________________________
Did the auditors understand your industry and technical environment?
- Response: _______________________________________________________________________________

Audit Process

How would you describe their audit approach - collaborative or adversarial?
- Response: _______________________________________________________________________________
Did you find the audits valuable beyond just compliance checking?
- Response: _______________________________________________________________________________
Were there any surprises or issues during the audit process?
- Response: _______________________________________________________________________________

Service and Support

How responsive are they to questions between audits?
- Response: _______________________________________________________________________________
How easy is it to schedule audits and get the support you need?
- Response: _______________________________________________________________________________

Value and Cost

Do you feel the value justified the cost?
- Response: _______________________________________________________________________________
Were there any unexpected fees or cost overruns?
- Response: _______________________________________________________________________________

Critical Questions

If you were choosing a certification body today, would you choose them again?
- Response: _______________________________________________________________________________
What's one thing you wish you had known before working with them?
- Response: _______________________________________________________________________________
Is there anything else you think we should know?
- Response: _______________________________________________________________________________

Reference Check Summary

Overall Impression: [ ] Very Positive [ ] Positive [ ] Neutral [ ] Negative

Recommendation Confidence: [ ] Highly Recommend [ ] Recommend [ ] Neutral [ ] Do Not Recommend

Red Flags Identified:

Key Insights:

Common Evaluation Mistakes to Avoid

1. Choosing Based on Price Alone

The Mistake: Selecting the cheapest option without considering value, quality, and total cost of ownership.

Why It's Dangerous:

Low-quality audits that miss real security gaps
Hidden fees that emerge later
Non-credible certifications that customers don't accept
Having to re-certify with a better body

Better Approach:

Consider cost as one factor among many
Calculate three-year total cost, not just initial certification
Weight cost at 15% in your evaluation, not 100%
Remember: certification is a strategic investment, not a commodity purchase

2. Not Checking Accreditation Status

The Mistake: Assuming a certification body is properly accredited without verification.

Why It's Dangerous:

Worthless certificates that aren't recognized
Having to re-certify completely
Losing customer trust and sales opportunities

Better Approach:

Verify accreditation directly with the accreditation body
Check the scope covers ISO 27001 and your industry
Ensure accreditation is current and not suspended
Verify IAF MLA membership for international recognition

3. Skipping Reference Checks

The Mistake: Not calling current clients to hear about their real experiences.

Why It's Dangerous:

Missing red flags about auditor quality
Not learning about hidden fees or problems
Overlooking cultural fit issues

Better Approach:

Call at least 3 references
Ask specific, probing questions
Listen for hesitation or qualified recommendations
Ask what they wish they had known beforehand

4. Ignoring Industry Experience

The Mistake: Selecting a certification body with no experience in your industry or technology stack.

Why It's Dangerous:

Auditors who don't understand your environment
Generic findings that aren't relevant
Missing industry-specific risks
Longer, more painful audits

Better Approach:

Prioritize bodies with proven experience in your industry
Ask for specific examples of similar clients
Verify technical expertise in your tech stack
Weight industry experience heavily (20% in our model)

5. Not Meeting the Auditor

The Mistake: Contracting with a certification body without meeting the actual auditor who will conduct your audit.

Why It's Dangerous:

The salesperson and the auditor may be very different
Personality and cultural fit issues
Different expertise than promised

Better Approach:

Request to meet or speak with the proposed lead auditor
Ask about auditor continuity guarantees
Assess communication style and approach
Ensure auditor assignment is in the contract

6. Overlooking Geographic Limitations

The Mistake: Not confirming the certification body can support all your locations.

Why It's Dangerous:

Need to use multiple certification bodies
Increased complexity and cost
Inconsistent audit quality across locations

Better Approach:

Map all your locations early
Confirm coverage for each location
Understand how multi-site audits work
Consider future expansion plans

7. Failing to Read Reviews and Research

The Mistake: Not doing basic internet research on the certification body's reputation.

Why It's Dangerous:

Missing serious red flags
Not learning from others' experiences
Overlooking accreditation issues

Better Approach:

Search for reviews and complaints
Check industry forums and LinkedIn groups
Research the accreditation body's public database
Look for patterns in feedback

8. Not Understanding the Contract

The Mistake: Signing a contract without fully understanding terms, fees, and commitments.

Why It's Dangerous:

Locked into unfavorable terms
Unexpected fees and costs
Difficulty changing certification bodies

Better Approach:

Read the entire contract carefully
Have legal review if needed
Negotiate unfavorable terms
Understand cancellation and transfer policies

Tips for Successful Evaluation

Start Early

Begin your evaluation process 4-6 months before your target certification date. This allows time for:

Thorough research and evaluation
Multiple reference calls
Proposal comparisons
Contract negotiations
Scheduling with your chosen body

Be Specific in Your RFP

When requesting proposals, provide:

Detailed organization information (size, locations, industry)
Your technical environment
Your timeline and target dates
Specific questions you need answered
Your evaluation criteria

Ask Hard Questions

Don't be afraid to ask challenging questions:

"What happens if we fail Stage 1 or Stage 2?"
"What are your re-audit fees?"
"Can you guarantee auditor continuity?"
"Have you ever had your accreditation suspended?"
"What's your policy on observations vs. minor NCRs?"

Trust Your Gut

While this evaluation form provides objective scoring, also consider:

How you feel about the people
Cultural fit with your organization
Ease of communication
Professionalism of interactions
Whether they seem genuinely interested in your success

Document Everything

Keep a folder with:

All proposals and correspondence
Completed evaluation forms
Reference check notes
Contract drafts and negotiations
Meeting notes and recordings

Using This Template Effectively

Step-by-Step Process

Week 1: Identify Candidates
- Research 5-7 potential certification bodies
- Create initial shortlist of 3-4
Week 2: Request Proposals
- Send detailed RFP to shortlisted bodies
- Request specific information needed for evaluation
- Schedule initial discovery calls
Week 3: Initial Evaluation
- Complete Sections 1-4 for each candidate
- This covers accreditation, experience, team, and approach
Week 4: Deep Dive
- Complete Sections 5-7 (cost, service, reputation)
- Conduct reference checks
- Request any missing information
Week 5: Decision
- Calculate final scores
- Present recommendation to stakeholders
- Begin contract negotiations
Week 6: Finalize
- Complete contract
- Schedule kick-off
- Inform unsuccessful candidates

Customizing the Template

Feel free to adjust:

Section weights based on your priorities
Questions to match your specific needs
Scoring criteria to reflect your environment
Additional sections for unique requirements

Working with Stakeholders

Share this evaluation with:

Executive leadership (for budget approval)
IT security team (for technical assessment)
Compliance team (for accreditation verification)
Finance (for cost analysis)
Legal (for contract review)

Next Lesson: In Lesson 8.3, we'll prepare for Stage 1 - the first actual test of your ISMS, covering what to expect, how to prepare, and how to ensure success.