ISO Auditors and Compliance: The View from the Other Side
As a former Compliance Manager for two large American corporations pursuing ISO 27001 certification, I often wondered why my third-party ISO auditors were always so thankful and complimentary of the audit experience, year after year. Now that I’m working on the other side of the table, performing internal audits for clients pursuing ISO 27001 certification, I understand why.
There seems to be a general consensus that ISO auditors are “the bad guys.” While that may play well on TV or film, it’s not usually the case in real life. I always tell my clients that audits are like mirrors. Third-party audits should serve to show clients where their areas of strength and weakness are, with the goal of helping them focus on areas that need attention prior to an external audit firm coming in to perform an assessment.
Top 10 Tips for Dealing With an ISO Auditor
So, in the spirit of New Year’s Top 10 lists, I’ve compiled my own Top 10 list of “Do’s” that will support a positive, beneficial outcome when you’re dealing with ISO auditors.
- Ensure that documentation is clear. The clearer your documentation, the fewer follow-up questions your auditor is likely to need to ask.
- Provide only the evidence the ISO auditor has asked you to provide. Now is not the time to play mind reader. Only give auditors what they ask for. That saves everybody time.
- Keep it professional, but casual. The auditor is here to do a job, same as you. Maintain professionalism while still being casual.
- Listen. Listen to what you’re being asked. Oftentimes, you can pick up on what direction the auditor is going with his or her questions, and thus respond more clearly and comprehensively.
- Be clear. Ensure that the evidence presented is clear. If you don’t understand it, chances are your auditor won’t, either.
- Absolutely no concealing!! Under no circumstances should you try to conceal what you may see as a deficiency. You’re better off taking a nonconformity, as the alternative can be much worse.
- Train your staff. Ensure that your staff are properly trained in how to respond to ISO audit requests and how to handle being questioned by auditors.
- No “Nervous Nellies!” It’s understandable to be nervous about an impending audit. But keep in mind that there is really nothing to be nervous about, particularly if you have one of Pivot Point Security’s highly-skilled consultants by your side.
- Labeling. Ensure that your ISO audit evidence is labeled clearly. This makes it easier for your auditor to refer back to evidence when preparing the final audit report, and is much appreciated.
- Organization, organization, organization. Want to set the right tone with your audit? Ensure that your evidence is clearly labeled and clearly organized for your auditor. A little bit of leg work on the front end can save a lot of headaches in the long run.
One last thing… a smile and a dash of humor never hurts. 🙂