THE PERSONAL SIDE OF AN ISMS AUDIT
ISMS Audit from the Auditee View
Every member of an organization shall be aware of his/her importance in the ISMS, which is more than their daily routine. But otherwise the main part of the audit is about their daily tasks and responsibilities. As a consultant I used to say to company representatives who were nervous about being audited that they should not worry: they definitely know far more about their own job than the auditor. In other words, the auditee is working in a room that the consultant is looking into from the hallway and the auditor through the keyhole of the main door.
ISMS Audit from the Auditor View
An ISO 27001 audit is stressful. For both parties. Yes, for the auditor as well. He/she is in a position to make decisions but has to be ready to defend them. Auditor trainings are long and exhaustive, with a difficult exam at the end. That is enough for an auditor certificate, but to work as an auditor, you still need practical experience: witnessing other auditors and working under supervision.
The purpose of all this is that audits provide objective and repeatable results. Unfortunately, the raw material of an auditor is a human being with all his/her characteristics. And this cannot be basically changed. Not every personality is fit for the job.
Giving a presentation is not easy and requires concentration, but at least you are following your own logic. My 10 years of certification body auditing experience says that one of the most difficult things in an audit is that you must follow and understand somebody else’s approach and continually evaluate and compare to the requirements. And in an ISMS, they are quite many.
No auditor can be an expert in every control domain of the ISO 27001 standard, but they have a well-founded view of the management system framework. And in most cases, they are happy to help organizations with explanations and suggestions in this. Just because it is personally a good feeling to support things to get better. People are constructed like this, and auditors are no exceptions.
Auditors are not maniac. They are not happy to document a nonconformity, confront it with the auditee, and review the corrective action for the next time. They simply have to do this if they find a nonconformity. But auditors are also trained to decide in favor of the auditee if in doubt.
How to Deal with Disagreement Between the Parties
Sometimes the auditee doesn’t agree with the auditor. In most cases a short discussion of what has been seen and what that means in the light of the standard requirement is sufficient to form a common position.
Auditors make mistakes, like anybody else. If the auditee detects this or is simply asking for a reason for a finding, the most human reaction of an auditor is to defend his/her position. But auditors must be ready to review, apologize, and correct themselves if they were wrong. Auditors of accredited certification bodies work under multilevel control: they are sometimes supervised by another auditor even after many years of experience, and each audit report is independently reviewed before approval. Clients may make a complaint against the conduct or findings of the auditor at the certification body, and these complaints are taken seriously. Subsequently the client has the right to turn to the accreditation body as well.
Unfortunately, audits bring up not always just management system nonconformities. One of the most general mistakes that an auditor can make is when he/she doesn’t just want to evaluate the management system that he/she is auditing but wants to see a management system that exists in his/her head only. In a couple of years auditors see several implementations of standard requirements. It is easy for them to spot which are more and which are less efficient.
Auditors are always welcome to suggest a more efficient solution to cover a requirement, but they should never consider a less efficient solution a nonconformity. Simply because the word efficiency is not in any ISO management system standard. The objective is to be effective, fit for the purpose. If, for example, a nonconformity is not properly followed up, the finding is that there is a case when a nonconformity is not properly managed, and not that the approach or tool that is used for this is wrong.
It is always the task of the organization to evaluate the root cause of the finding and decide whether they are facing a unique situation or a systematic change is required. If an auditor is repeatedly faced with the question, where is this or that in the standard, he/she must look into himself/herself before the auditee forces this. That would be a deadlock, which nobody wants.
Pictures: Microsoft 365 Library28/07/2022