Part 40 - Getting Certified to ISO 27001 – The Stage 2 Audit
Following your ISO 27001 Stage 1 audit, now is the time to arrange your Stage 2 on-site certification audit with your Certification Body (CB).
You have spent hours and hours creating, establishing and maintaining your information security management system (ISMS).
You may have captured all sorts of records: internal audit reports, management review minutes, training records, improvement forms, supplier lists and many other compliance documents.
All of this builds up to the point where your CB comes to visit and audit your ISMS.
The Stage 2 audit follows a set process.
1. Audit Plan
Prior to the audit (say 2 weeks prior) the CB will send through an audit plan for the time they are onsite. This will typically be structured around the clauses of ISO 27001 and Annex A (ISO 27002).
They will suggest which managers and employees should be available at certain times. Make sure your staff are available for their allotted time slots.
2. Opening Meeting
On the day of the audit the auditors will call for an opening meeting.
The attendees you should invite to this meeting are the heavy hitters in the ISMS: representatives from top management and the Compliance Manager (or someone with a similar title).
This meeting sets the scene for the auditors to ensure everyone understands the objectives of the audit, the ground rules that are in place and the plan for conducting the audit.
3. Conduct Audit
The CB auditors will follow their plan. However, the auditors need to see evidence of your ISMS in action. To do that they need to:
- Interview your staff.
- Listen to your senior managers demonstrating leadership.
- Poke around your organisation and look for evidence based on risk. Those high risk areas will be targeted first.
- Measure a level of commitment and compliance to your system.
Don’t forget auditors are trained to seek the truth. To do that they will ask your staff open questions. They will ask:
- “Show me where you keep the records of that process.”
- “Tell me what happens when an error occurs.”
- “Tell me why it is done that way.”
- “Show me how you were trained to do this job.”
During the audit the auditors will be highlighting issues and discussing whether some are non-conformances or opportunities for improvements (OFIs).
The auditors tread a fine line here because they aren’t permitted to consult. I have previously blogged on this issue here: http://www.mangolive.com/blog-mango/external-compliance-audits-top-tips-for-success
4. Closing Meeting
At the end of the audit the auditors will call for a closing meeting. The attendees at the opening meeting should also attend the closing meeting.
It is best practice for all non-conformances and OFIs to be discussed in this meeting.
5. Audit Report
After the onsite audit the auditors will create an audit report summarising their findings. These will be the non-conformances and the OFIs.
Here at Mango our onsite Stage 2 audit was conducted by two auditors over a 3-day period. There was a Technical Auditor and a Management Systems Auditor.
We are a small company with 12 employees. However, we have 20 resellers that are based all around the world. So the management of them was a focus for the auditors.
To help, we use our online QHSE software Mango to manage our systems. Because of this the auditors viewed much of the ISMS from their office before they had set foot in our office. This saved time for all parties. It allowed more time talking to our staff and less time on the administrative things like internal audit reports and management review reports that sometimes bog audits down. So much time and effort is wasted with things like searching filing cabinets for files, travelling (or walking) long distances to see records or waiting for staff to turn up to see records filed somewhere on their desk. Time wasting like this just sucks, for everyone involved. I want value from my audits. Value that could help my business be more productive or make more money.
- Ensure that your CB gives you an audit plan a couple of weeks before the audit.
- Make sure your key staff are involved in the opening meeting.
- Discuss the non-conformances during the audit. Don’t wait till the audit closing meeting. You don’t want surprises.
- Have the same staff in the closing meeting as in the opening meeting.
- If non-conformances are reported in the audit report that weren’t mentioned in the closing meeting, send the audit report back and complain to the CB management.