You must be an organisation Administrator to carry out these actions.


The first action required to grant an auditor or external consultant is to set them up as a user on your ISMS.online.


Navigating to the 'Create new user' page:

  1. Scroll over your name and image in the navigation bar

  2. Click 'Organisation settings'

  3. Click 'Users'. This will take you to the registered user's page

  4. Click 'Create new user'. This will take you to the create a new user page

Creating a user for your auditor or external consultant


If you are receiving a stage 1 audit, we recommend that a unique email address is created by the auditor. This is because the same auditor may audit multiple ISMS.online customers, but an email address can only be associated with one user in the entirety of our platform.

  • For the purpose of accessing ISMS.online as a user within your organisation
  • For example, the address might be formatted like this: 
    • your-auditor's-ID-for-your-organisation@your-auditor-domain
  • The auditing organisation can grant multiple individuals access to this email address and ISMS.online user. Meaning that if the designated auditor isn't available - e.g. due to sickness, another auditor within the auditing organisation will be able to access ISMS.online using the same user



From the user creation page, you can then enter the auditor's information, including their First name, Last name, Email address, Organisation and Role on the platform.


We then suggest that you Team in your auditor or external consultant to the Work areas that you would like to grant them access to.


To do this, expand the options below the heading 'Add them to some work areas', and click on the radio button relevant to the Work area that you would like to grant the user access to.


By selecting 'Select all work areas that were set up with your organisation's ISMS', you can automatically grant them access to all areas that were provisioned when your platform was created.


Users can also be added to Work areas after they have been created. See here for a guide on how to An Introduction to Teams Team in users.

Work areas that you might want to give that user access to

If you want to grant an auditor access to your Work areas related to ISO 27001:

  • ISMS Cluster
  • ISO 27001:2013 Policies and Controls Project
  • ISMS Board Group
  • ISMS Communications Group 
  • ISMS Corrective Actions & Improvements Track
  • Information Asset Inventory (ISO 27001) Track
  • Security Incident Management Track
  • Policy Packs Administration (if Policy Packs are used)


If you are subscribed to the GDPR module and an external consultant requires access to your Work areas related to GDPR:

  • GDPR Compliance for ICO - With ISO 27001 Project
  • LIA and DPIA Project
  • Personal Data Inventory & Records Processing Track
  • Subject access Requests Track


If you are subscribed to the ISO 22301 BCMS module and an external consultant requires access to your Work areas related to BCMS:

  • BCMS Cluster
  • ISO 22301:2012 Policies and Controls Project
  • BCMS Incident Response Track
  • Business Impact Assessment (BIA)Track



Note: If you use supplier accounts you may also want to grant the Auditor or external Consultant access to your accounts on ISMS.online. You can grant access to all accounts by giving that user the Accounts Overview permission.


Please amend the auditors email address once audit is finished, so it is free to use by others then deactivate the auditor.


If the Auditors Email is already taken


It may be that your auditors email address is already in use on another platform. If this is the case there are several things you can try.


1. Try adding a tag to the auditors email address. This would allow the auditors email address to go through, but all emails to go to the auditors main email. To tag an email address just add a + then the tag. So for example, if the auditors email address is bob@auditor.com then it would be bob+(your organisation name)@auditor.com


2. If the auditors email inbox does not allow tagged emails, then the auditor will have to either provide a new email address or amend their email address on the previous platform they already exist on.


3. You could also set up the auditor internally with a unique email address for the purposes of accessing the platform


If the auditor cannot log in


If the auditor's email isn't in use, but they don't receive the welcome email they should make sure they check their spam/junk folder. If the welcome email is not there, they should email us at support@isms.online