Audit Angst: why you should be prepared.

The process of getting ISO Certification can be a daunting experience.

The size and complexity of the task can be tricky, sometimes even for the best of us, but you can deal with the task by being prepared. Get to know the process and it will not seem so intimidating.

Using a consultant will help: they will arrange your internal audit close to the pre-certification audit. This will help them see whether your ISMS (information security management system) will meet the necessary criteria.

This pre-certification audit is like a ‘dress rehearsal’. It helps you identify potential problems that can be corrected before the actual audit, and it gives you and anyone in your organisation the opportunity to see how the big day will play out.

The certification audit is conducted by an independent certification body (selected by you), and consists of ‘Stage 1’ and ‘Stage 2’ audits.

Stage 1 Audit

The Stage 1 audit is often called a ‘documentation review’ audit, because the auditor will review your processes and policies to establish whether they’re in line with the requirements of ISO 27001.

This stage is a pre-assessment, where the auditor does a high-level review of your ISMS and establishes whether the internal audit programme is in place.

Stage 1 can be completed either on-site or, more likely in today’s climate, remotely, to determine whether your ISMS has met the minimum requirements of the Standard and is ready for a certification audit. You will be made aware of areas of nonconformity and potential improvements to the management system.

Stage 2 audit

The Stage 2 audit is often referred to as the ‘certification audit’. During a Stage 2 audit, the auditor will conduct a thorough assessment, normally on-site (though this will depend on the certification body’s policy), to establish whether the organisation’s ISMS complies with ISO 27001.

The audit will look for evidence that the organisation is actually following the documentation the auditor previously reviewed. This is a major difference between the first audit and a gap analysis, and it is why it is important that members of your organisation are well trained and follow the policies.

The auditor will review their audit checklists and provide feedback to the client regarding any nonconformities.

If everything is in order, the auditor will issue a certificate stating that your organisation’s ISMS complies with ISO 27001, and recommend you for ISO 27001 certification.

Audits are expensive, and preparing for them uses a lot of resources. It is therefore important that your organisation is ready for them, and worth talking to someone with experience who can guide you through them.