An Introduction To
Information, Network and Internet Security


The audit process

Many organisations that are seeking certification do not understand the audit process well enough to plan and prepare for the audit properly. The Auditor is not out to catch the Auditee out or to fail the organisation at all costs. The Auditor is there to determine that there is appropriate management control of the ISMS, by inspecting and examining objective evidence that supports it.

The typical audit interview (though these may vary slightly from Certification Body to Certification Body or from Auditor to Auditor) has the following format:

· The Auditor is introduced to the Auditee (the person being audited) by the organisation-supplied 'guide'.

· The Auditor will explain what they are doing, why and how.

· The Auditee will be asked to explain their job function and responsibilities.

· The Auditor will then ask the Auditee a number of questions from the Audit Work Program, which is simply a series of questions based on the ISO 17799 / ISO 27001 standards.

· The Auditor will ask for objective evidence that the control is properly managed. For example, when asking about the Business Continuity Plan and whether it is regularly tested, the Auditor will ask to see proof, such as the test results and evidence that any shortfall found in the test has been addressed. It pays to be prepared for these audit interviews and to have available whatever you think the Auditor will want to see; failure to produce evidence in a timely manner (or at all) may prejudice the success of the audit.

· Once the Auditor has asked all of the questions they want to, they will let the Auditee ask any questions. Once these have been addressed, the audit interview will be closed with the Auditor reminding the Auditee of any outstanding documents to be produced.
