3 Things I Learnt From Our Recent Audit

Posted on September 30th, 2025 | Written by Ken Holmes.

OK, so we've just had our ISO 27001 surveillance audit. This was the first such audit with PJR, having transferred our certification from BSI earlier in the year, mainly in an effort to get better value for money from our certification. I thought this was a good time to share some thoughts about the audit process and some of the things I learned, or remembered, to be good ideas when going through it. I should say that we passed with no nonconformities, so we must be doing something right, even if it didn’t always feel that way during the audit! So here goes…

Agree how the audit will be done

The pandemic changed the way many audits are carried out, and the default format has shifted from a friendly on-site visit with coffee and a nice lunch to a Microsoft Teams call (other conferencing applications are available). But this often means that one of two approaches is now taken, and you need to find out which is going to happen before the audit begins.

Option one is what you might call a “remote documentation review” where you supply the auditor with as many documents as you can think of and, after a scene-setting opening meeting, they spend most of the audit day reviewing them offline with occasional online sessions to ask clarification questions. We’ve done quite a few of these, and it does take a lot of the pressure off, but you can’t help feeling like it’s a bit of an easy ride for the auditor who doesn’t even need to change out of their pyjamas.

Option two is the more traditional “show and tell” where the auditor asks you a question and you respond in real time with the appropriate evidence to show that you meet the requirements and that everything is in hand. This involves a lot of screen sharing and filling in while you wait for the right app or evidence to load. With this approach you tend to feel that you have a chance to provide some context to the evidence, although it does mean that you need to be on the ball with where everything is.

For our recent audit we started with an understanding (on my part anyway) that it would be a remote documentation review, because that’s how BSI did it. So I created a shared folder, uploaded a lot of documents and gave the PJR auditor access to it a week or so before the audit. When the audit began, however, it soon became clear that we were very much in a show and tell scenario, so I had to gather my wits and try to remember where I had put all the evidence.

Treat it as a learning exercise but be prepared to argue with the auditor (nicely)

It’s usually fair to say that your auditor will have been around the block a few times and has been exposed to as many different ways to meet the requirements as audits they have completed. So they can be a goldmine of ideas for how to improve your management system and this represents a fantastic learning opportunity. Don’t be afraid to ask your auditor about how other organizations have approached particular areas, especially those that you are finding tricky. Some auditing bodies will document these for you as “opportunities for improvement” which you are also free to ignore if you choose to, but not, as it turns out, PJR. They take the approach that it’s either a nonconformity or it isn’t, but our friendly auditor did offer to include some ideas informally within the report, so that was nice. Be aware that the auditor is not allowed to offer consultancy, so keep it light.

If you’ve taken the time to read it, you’ll know that the ISO 27001 standard is written in a semi-cryptic language akin to Esperanto which allows for endless interpretations of its core meaning. This has the result that everyone has a slightly different view on what each requirement means and of course everyone is totally convinced that their interpretation is the only correct one. When you get to thorny subjects like risk assessment and the statement of applicability then things get especially interesting, and debates about the applicability of Annex A controls could easily get out of hand. Good job no one is in the same room any more. Our PJR auditor and I managed to keep it professional whilst both giving our points of view, and I think I’m right in saying that the result was still a draw even after extra time and penalties. Be prepared to question the auditor’s views and put forward your own interpretation if you feel you’re right, but keep smiling while you do it.

Patience is a virtue

Let’s be honest – auditing can be a tedious process for both parties. Our auditor had to breathe deeply whilst watching me fumble around to find the evidence that I was sure I had looked at just the other day, and I had to resist the urge to start playing Royal Match on my phone (other time-wasting apps are available) while he tried to navigate the intricacies of the forms and reports he was required to complete, along with document titles, version numbers and dates. Take heart from the fact that for you it’s an annual event but the auditor will be doing the same somewhere else tomorrow. Yep, they earn their crust.

One last point is to be patient when it’s not going well. I’ve lost count of the number of times over the years when I’ve been sure we’re heading for a minor nonconformity, only to find that the auditor has talked themselves out of it without me doing anything. I imagine it’s the fear of paperwork that keeps the nonconformities down. So keep your nerve when it’s looking bleak.

Final thoughts

Well we passed and I survived, even if I did have to go and lie down afterwards. These audits are a necessary part of certification, but they can be made easier by having an effective internal audit schedule too. Find the issues at the internal audits and the surveillance ones will go by a lot more smoothly.

Thanks to PJR for a comprehensive audit. I’m looking forward to next year already!

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).