Following your ISO 27001 Stage 1 Audit now is the time for you to arrange your Stage 2 on-site certification audit by your Certification Body (CB).
You have spent hours and hours creating, establishing and maintaining your information security management system (ISMS).
You may captured all sorts of records like internal audit reports, management review minutes, training records, improvement forms, supplier lists and all sorts of other compliance documents or records.
All this builds for your CB to come and visit and audit your ISMS.
The Stage 2 audit follows a set process.
Prior to the audit (say 2 weeks prior) the CB will send through an audit plan for the time they are onsite. This will typically be structured around the clauses of ISO 27001 and Annex A (ISO 27002).
They will suggest Managers and Employees to be available at certain times. Make sure your staff are available in their time allotment.
On the day of the audit the auditors will call for an opening meeting.
The attendees you should invite to this meeting will be the heavy hitters in the ISMS. This will be representatives from Top Management and the Compliance Manager (or someone of a similar title).
This meeting sets the scene for the auditors to ensure everyone understands the objectives of the audit, the ground rules that are in place and the plan for conducting the audit.
The CB auditors will follow their plan. However, the auditors need to see evidence of your ISMS in action. To do that they need to:
Don’t forget auditors are trained to seek the truth. To do that they will ask your staff open questions. They will ask:
During the audit the auditors will be highlighting issues and discussing whether some are non-conformances or opportunities for improvements (OFIs).
The auditors tread a fine line here because they aren’t permitted to consult. I have previously blogged on this issue here: http://www.mangolive.com/blog-mango/external-compliance-audits-top-tips-for-success
At the end of the audit the auditors will call for a closing meeting. The attendees at the opening meeting should also attend the closing meeting.
It is best practise that all non-conformances and OFIs are discussed in the meeting.
After the onsite audit the auditors will create an audit report summarising their findings. These will be the non-conformances and the OFIs.
Here at Mango our onsite Stage 2 audit was conducted by two auditor over a 3- day period. There was a Technical Auditor and a Management Systems Auditor.
We are a small company with 12 employees. However, we have 20 resellers that are based all around the world. So the management of them was a focus for the auditors.
To help we use our online QHSE software Mango to manage our systems. Because of this the auditors viewed much of the ISMS from their office before he had set foot in our office. This had saved time for all parties. This allowed was more time talking to our staff and less time on the administrative things like internal audit reports and management review reports that sometimes bogs audits down. So much time and effort is wasted with things like searching filing cabinets for files, travelling (or walking) long distances to see records or waiting for staff to turn up to see records filed somewhere on their desk. Time wasting like this just sucks, for everyone involved. I want value from my audits. Value that could help my business be more productive or make more money.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11
Part 31 - ISO 27001 Information Security Management Standard: Clause A12
Part 32 - ISO 27001 Information Security Management Standard: Clause A13
Part 33 - ISO 27001 Information Security Management Standard: Clause A14
Part 34 - ISO 27001 Information Security Management Standard: Clause A15
Part 35 - ISO 27001 Information Security Management Standard: Clause A16
Part 36 - ISO 27001 Information Security Management Standard: Clause A17
Part 37 - ISO 27001 Information Security Management Standard: Clause A18
Part 38 - ISO 27001 Information Security Management Standard: Getting Certified to ISO 27001