Preparing for an Audit
Preparing for an audit is a very important step for your organization. The external audit by a third-party certification body is the final step before your organization receives certification to ISO/IEC 27001.
The auditors have several objectives:
- Verify that your documentation meets all of the requirements of the standard.
- Ensure your employees know their role in the ISMS and are familiar with the ISO/IEC 27001 requirements that pertain to their role in the organization.
- Confirm that the procedures and processes are correctly followed.
The results will either grant you certification or require corrective actions your organization must meet before becoming certified.
When the day of the certification audit arrives, it is time to showcase your ISMS and how you have addressed the requirements. Being audited is time-consuming and costly, so you want to make sure that you are well prepared. Here are some tips from 27001Store.com to help your organization make sure it is ready for a successful audit.
Give the company ample time to prepare
Preparing your organization for an audit takes time and effort. When you have decided that receiving certification is necessary for the organization, you should set goals and give an appropriate amount of time to meet the requirements of the standard.
Prepare the employees
Your employees are the ones that will demonstrate that your organization is complying with the requirements of ISO/IEC 27001. Before the audit, you will want to make sure that all employees know when the audit will be taking place and what the scope of the audit is. Each employee should have a clear idea of the organization’s competence objectives, and how their role contributes to them. Each employee should have proper training on the tasks that they perform.
When you are preparing your employees to answer questions, remember that this is not a test. Auditors are not looking for an exact answer; rather, they want to know how employees go about finding information and answers. Do the procedures provide the information? If the information is not in a procedure, where does the employee go next? Do they ask a supervisor?
Documented Information
Documented information is another important aspect of preparing for your audit. When you are preparing for your audit, you need to ensure that documents and record lists have been updated. Additionally, all documents need to have been reviewed, approved, communicated and followed by everyone involved in the process or activity. You should also ensure that no one is using outdated documents.
Processes and Procedures
Processes and procedures need to be carefully followed. Your organization needs to make sure that all processes are meeting the planned arrangements you set out to achieve, and that they are being followed and performed in the same, correct way by all employees.
Prepare the facility
When you are preparing for the audit, your facility needs to be well organized and clean. If your facility is a mess, it is easy to miss nonconformances. You want to make sure that you are aware of every area of the facility so that you do not encounter any hidden issues during the audit. When getting organized and ready for the audit, check bulletin boards, counters, drawers, etc. for uncontrolled documents.
Conduct an Internal Audit
The organization must conduct an internal audit. Not only is this a requirement of the ISO standard, but it is also the best way to catch any major nonconformances. Internal audits should be taken seriously. They are also a great way to prepare staff for the interview process. Remember that the purpose of an internal audit is to identify weaknesses and areas that need improvement in order to increase the effectiveness of the management system and prepare for external audits.
Management Review
The management review should take place following the internal audit. This step should consist of reviewing past internal audit findings and taking corrective actions where necessary.
Review past Internal Audit Findings
After your organization undergoes an internal audit, the findings should be reviewed in a closing meeting with everyone involved. The meeting should be detailed enough to give the organization an understanding of where it is falling short and how it can improve. This information should be given in an objective and friendly manner, and suggestions should be offered constructively.
The organization needs to determine who is responsible for monitoring the actions necessary to make corrections. The results of the audit need to be recorded along with any corrective action taken. Documentation is necessary to ensure that nonconformities are taken care of and that improvements are made.
Review Corrective Action Process
Reviewing past audits and taking corrective action on any nonconformances is key to certification. We recommend taking corrective actions immediately to avoid compromising your ability to achieve certification. A major problem found by the auditor could delay your certification and leave you scrambling to establish a process to fix the issue. Performing internal audits in preparation for your third-party auditor is ideal.
Have a professional audit
When the auditor arrives, your goal should be to make a good first impression and to act professionally. Auditors are there to help the organization uncover any nonconformances and weaknesses so that it can take action, improve and become certified. Remember that they want your organization to succeed as well.