If your organization wishes to become certified to any of the ISO/IEC 27001, ISO/IEC 20000 or ISO 22301 standards, it will need to undergo a two-stage process performed by a suitable external auditing body. Before this, you will need to select your auditing body, and in most countries there are a variety of options. If you are already certified to a different international standard such as ISO 9001 then it usually makes sense to use the same auditing company, as long as they can provide that service. Increasingly, multi-standard audits will become commonplace as the effects of the Annex SL revisions are felt.
Having agreed a price, the external auditor will contact you to arrange the Stage One review. This is essentially a documentation review and a “getting to know you” discussion where the exact scope of potential certification is decided. Based on the Stage One, the external auditor will make a recommendation about your readiness for the Stage Two – the certification audit itself. It used to be common for there to be at least a three-month gap between the Stage One and the Stage Two visits, but this is less often the case nowadays and the two can be quite close together if desired.
Deciding when to ask the external auditor in for the Stage One visit is a matter of judgement on your part. If you invite them in too early they will simply tell you you’re not ready and this can have a detrimental effect on team morale (and possibly cost you more money for further visits). If you leave it longer the danger is that you’re extending the timescale to certification unnecessarily. We suggest you use the Gap Assessment and Conformity Action Plan within the Toolkit as a guide to your readiness, but don’t expect to be 100% compliant before going for Stage One. A more appropriate figure is probably 90% or so but it does depend on which areas are not yet complete.
Not having the key documentation available would probably mean that the Stage One visit is inconclusive in terms of judging your readiness for the Stage Two, i.e. the auditor would tell you that you just weren’t ready yet.
Once you feel you’re ready to be visited by the auditor for either the Stage One or Stage Two, there are a number of sensible preparations to take to make the best impression from the start. Firstly, make sure that the visit is confirmed, provide directions and check the time of arrival of the auditor(s). If appropriate, inform reception that he/she will be coming, get an identity badge prepared and reserve a parking space. Book a room for the auditor’s use (more if there is a team) and ensure that refreshments will be available, including lunch if possible. You will need to show documents and discuss them, so some form of large screen or projector will be useful.
Once the basic arrangements are in place you need to ensure that whoever is going to act as the auditor’s guide around the management system is ready. This means knowing where all of the relevant documents are and how each of the requirements is met within the documents. Supporting information such as HR and training records should also be available if required. Anyone who might be able to help the auditor should be on standby and everyone who is planned to talk to the auditor should be prepared.
There is no substitute for practice so conduct a mock audit beforehand if you can and identify any improvements needed before the day. Having obvious signs of relevant activity on display at your location does no harm; this could be performance charts or posters for raising awareness on the walls.
It’s all about showing the auditor that you are a professional organization that is in control; you may be surprised how little the auditor feels he needs to look at if the overall impression he’s getting is very positive.
The auditor should have provided an audit plan which will set out the structure of the audit, including areas to be reviewed, people to be met and timings (this often doesn’t happen so don’t worry if you don’t get one). Despite the appearance of power, auditing is actually quite strictly regulated so the auditor will have specific things he needs to do, in a specific format, starting with an opening meeting and ending with a closing meeting. Do what you can to make it easy for him by providing access to the relevant documents and resources as quickly and smoothly as possible.
Basically all the auditor is doing is the same exercise as you did yourself when you performed (and repeated) the gap assessment. It’s purely a matter of going through the requirements of the ISO standard and asking to be shown how you meet them. The auditor will need to record the evidence he has been shown, including any relevant references such as document titles and versions. He may also want to see the relevant procedures etc. in action which may mean reviewing the records you keep and possibly talking to the people who perform the procedures.
If the auditor finds something that doesn’t conform to the requirements of the standard, he will raise a “non-conformity”. These can be major or minor and, as the names suggest, these vary in importance.
A major non-conformity may be raised if there is a significant deviation from the standard. This is often due to a complete section not really having been addressed, or something important that has been documented but there is no evidence that it has been done. Examples might be if no internal auditing has been carried out, no risk assessment done or no management reviews held.
A minor non-conformity is a lower level issue that doesn’t affect the operation of the management system as a whole, but means that one or more requirements have not been met. Examples could be that an improvement has not been evaluated properly, a test has not been carried out as planned or a risk assessment doesn’t follow the documented process.
Some auditors take note of a third level of item often called an “observation”. These are not non-conformities and so don’t affect the result of the audit but may be useful for improvement purposes.
Once the audit has been completed the auditor will write up the report, often whilst still on site. He will then tell you the result of the audit and go through any non-conformities that have been raised. Certification to the standard is conditional upon any non-conformities being addressed and upon the higher-level body that regulates the auditors agreeing with his recommendations. This can take a while to process so, even if you have no non-conformities, officially your organization is not certified yet.
You will need to produce an action plan to address the non-conformities and if this is accepted and they are closed off, you will then become certified and the certificate will be issued for a period of three years. During this time, there will be annual surveillance visits followed at the three-year mark by a recertification audit.
There is usually a huge amount of pressure built up before the audit and once it’s over the relief can be enormous. It’s very easy to regard the implementation of a management system as a one-off project that is now over. But the auditor will be back within the next twelve months to check that you have carried on running the system as required, so you can’t afford to relax too much.
Certification is really a starting point rather than an end result and hopefully as time goes by your management system will mature and improve and start to provide more and more value to the organization. However, you may find that the resources that were made available for the implementation now start to disappear and you need to ensure that the essential processes of the system are maintained. Plans can get out of date very quickly so the performance evaluation side in particular will become very important; make sure you continue with the management reviews, exercising and testing programme and internal audits and this should drive the rest of the management system to stay up to date.