[fibosearch]
[fibosearch]

Preparing for a Stage 1 Audit for an ISO Standard 

Preparing for a Stage 1 Audit for an ISO Standard - Stage 1 Audit

In this blog, we are going to discuss the audit objectives and steps of the Stage 1 Audit. It also includes information on how to prepare for and conduct on-site activities, together with an introduction into the types of documented information to be reviewed during the stage 1 audit. 

Objectives for a Stage 1 audit for an ISO Standard 

The main objective of State One audit is to verify the design of the ISMS. During Stage 1 audit, the auditor will review the isms documented information. Such documented information will be checked against the requirement of ISO 27001 and the requirements of top management. 

The auditor will also understand the ISMS goals and the legal and regulatory constraints. During stage 1 audit for an ISO Standard, the auditor will also evaluate the organization’s commitment to manage and improve the isms review, and whether internal audits and management reviews are being done regularly. 

The ISO auditor will also review the allocation of resources for Stage Two and the get details of Stage 2 audit with the client to ensure the necessary participants are available. 

Stage 1 audit usually takes 30% of the total audit time. The auditor should plan the stage 1 audit activities in such a way to ensure that the objectives can be met and agreed with the client. For example, although a confidentiality agreement is signed, the client has the right to require that the documented information review takes place on site and that no document is carried off site. 

Having said that current technology allows auditors to perform Stage 1 audit remotely, especially for reviewing the ISMS documented information. If the client agrees to provide limited access to auditors in their controlled environment. Limited access rights can allow, view, and forbid downloading and sharing. At least part of Stage 1 audit should be carried out at the auditees’ premises so that auditors can interact with the audit staff and gain a better understanding of the auditees’ business processes and business context.

The stage 1audit should not be conducted too far apart from the stage 2 audit, so that the management system does not change substantially between the two stages. A period of two to four weeks between Stage 1 and Stage 2 audits is considered acceptable.

Preparing for an onsite Stage 1 Audit for ISO Certification

As stated earlier, Stage 1 audit activity focuses on the design of the ISMS, and the auditor should plan the audit activities in such a way as to ensure that the objectives can be met.

The auditor must schedule a review of all ISMS documented information against the requirement of ISO 27001 and other requirements of top Management and make sure they are current, approved, and consistent.

Isms Documentation includes the following:

  • Policies
  • Processes
  • Procedures
  • Plans
  • forms to be used when performing specific isms processes. 

In addition to planning for onsite Stage 1 activities, the Auditor should also arrange the necessary travel and logistics. While on-site, the auditor should become familiar with the locations to be audited to assess better the risks related to the specific conditions of the audit. Furthermore, the auditor should obtain information on the physical security controls at those locations.

Who to involve in a Stage 1 audit for an ISO Standard?

During an ISO stage 1 audit, the audit team will have to conduct interviews with at least the person responsible for the ISMS. This interview helps the audit team better understand how the auditee operates with the management system. 

The auditor should also meet a representative of the Top management. This interview helps the audit team to validate the top management’s commitment and understanding of the standard requirements and the internal auditor. This interview helps the audit team to validate whether internal audits are performed adequately and regularly.

If state one audit takes place over several days, the audit team will have to conduct interviews with other interested parties who have a function or type directly related to the isms, such as Head of Human resources, Head of IT, the person responsible for physical security, and others. 

The objective of these interviews is to ensure a proper understanding of all applicable compliance requirements and how the ISMS responds to them. 

Preparing for Stage 1 audit for an ISO Standard 

Following Clause 6.3.1 of ISO 19011, the auditor should first have an understanding of the audit’s general Processes to understand how each process being audited is integrated with the general activities of the audit. Next, the auditor should ensure that the processes and controls were designed to comply with the requirements of the respective ISO standards and that internal audits and management reviews have been conducted.

What documentation is Audited in a Stage 1 Audit?

Ensuring that the submitted information is up to the standards’ requirement

As per Annex A of ISO 19011, the auditor should consider whether the documented information is

  • Complete – Content is contained in the documented information
  • Correct – content components to other reliable sources, such as standards and regulations
  • Consistent – the documented information is consistent in itself and with related documents 
  • Current – the content is up to date. 

A check of all these aspects provides sufficient objective evidence to demonstrate that the requirements of ISO standards are met. 

Auditors should verify that documented information exists and conforms to the Audit criteria, requirements, and ISMS controls within the scope of the audit and are related to the results of the risk assessment and risk treatment process.

Criteria that auditors use to review documented information in an ISO Audit

While reviewing documented information. Auditors must validate it against three criteria.

  • Content – The auditor must ensure that each document contains, at the minimum, the information required by the respective clause of the standard. The criteria for the auditor are not the best industry practices, but the minimum requirements specified in the standard. 
  • Format – The auditor must ensure that each piece of documented information is confirm and standardized in terms of format, therefore, includes an identification of the author issuing date, version number, approval date, change, log, et cetera. 
  • Procedure – The auditor must ensure that there is a procedure for managing the documented information in compliance with the requirements of the standard. 

The auditor must adopt a systematic and structured approach. To select the documented information to be analyzed, the Auditor will proceed with the examination of documented information in the following order.

  • Level One – Strategic documentation – For example, Declaration of the ISMS Scope, Information Security objectives, and policies, and documentation related to risk management
  • Level Two – documented information that describes processes and controls.
  • Level three – Supporting procedures
  • Level Four – records that provides evidence of conformity with the requirements of the standard. 

ISMS documented information may exist in different formats, such as text diagrams, Microsoft powerpoint presentations, Microsoft excel spreadsheets the vocabulary used to refer to each type of documentation may vary greatly from an organization to the another. 

Disagreements may arise between the auditor and the Audit regarding the mandatory nature of documented information, or its type. In this case, the auditory must provide the audt with the clear interpretation of the standard requirements.

Meaning of critical words in Stage 1 Audit of ISO Standards 

In all ISO Standards, the following interpretation has to be taken for specific critical words, as follows:

  • Requirement – Shall and shall not – indicate the requirements to be strictly followed in order to conform to the standard and from which no deviation is permitted.
  • Recommendation – should and should not – indicate that among several possibilities, one is recommended as particularly suitable. Or in a negative form, a certain possibility or course of action is deprecated, but not prohibited. 
  • Permission – may and may not – indicate a course of action permissible within the limits of the document.
  • Possibility –  Can and cannot – refer to the ability of a user of the document or to a possibility open to them. 

Practical use of the critical words within ISO Standards 

The auditor must ensure that the requirement of the standard expressed with the verbal form shall is considered as mandatory in the documentation of the audit management system. For example, when the standard States that the organization shall implement corrective Actions to eliminate the root cause of nonconformities. But the audit uses the verbal expression, of “Should”, the documented procedure is automatically considered inaccurate. 

Obligations could derive from a legal or contractual requirement. For example, if a procedure of an organization States that all transactions shall be verified every morning, at 10:00 a.m., and the Auditor sees that this is not done. A nonconformity will be issued.

But if the same procedure is documented as should, the auditor will not report it as a nonconformity, since it constitutes a guideline, not a requirement. 

Mandatory Documentation for an ISO Certification 

The Auditor must make sure that all documents indicated in Clauses 4 to 10 of the respective ISO Standard are available and conform to the standard requirements. The absence of any of these items should be documented as a mandatory, nonconformity. 

The mandatory documents related to management system are:

  • Scope of the management system – the Auditor must validate that the scope is viable and clearly defined and that the Organization has accounted for the management system interfaces with the other systems and internal processes.
  • Processes of the organization or other interested parties. 
  • Management System Policy and Objectives – the auditor must validate that the policy has been approved by the top management and distributed to all interested parties. In addition, the auditor must determine that the organization has documented the controls that it wishes to reach through the implementation of the respective ISO Standard.
  • Statement of applicability (only for ISO 27001) – the Auditor must validate that the Organization has specified all controls included in the ISMS. It has stated the source of each control and that the reason for this election or inclusion of each of the 93 controls from Annex A have been documented. The description of the risk assessment, approach and methodology.
  • The auditor must validate that the risk assessment approach, selective methodology, risk evaluation criteria, and acceptable levels of risk are documented to ensure that risk assessments produce comparable and reproducible results. 
  • Monitoring and measurement results
  • Documentation of roles and responsibilities related to isms. Evidence of competence; including Records of Training skills, experience, and qualifications
  • Results of Internal audits.
  • Results of the management review
  • Results of corrective actions
  • Additional documentation to demonstrate conformity to the requirements of the relevant ISO Standard. For example, documentation that shows the effectiveness of the implemented processes and controls of the management system.
  • A plan of communication with interested parties. 
  • Operating budget of the Management system 
  • Continual Improvement plan

Overall the documentation and records must demonstrate the auditees’ management’s commitments to the establishment, implementation, operation, monitoring, review, updating, and continual improvement of the management system. 

The auditor must make sure that all documents indicated in clauses four to ten are present and that they contain the minimum requirements specified in the respective ISO Standard.

The abscess of any of these items should be documented as a major nonconformity.

START YOUR JOURNEY TODAY

Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.
ISO Consultant in Malta

SEE HOW LUKE CAN HELP YOU START YOUR JOURNEY TODAY

Luke has a plan for you whether you want ISO certification, internal audits, or results-oriented consulting. Contact him immediately to begin your adventure.

Format for documentation to meet ISO Standards

Documentation to meet the requirements of the various ISO Standards may exist in different formats, such as text, diagram, Microsoft powerpoint presentations, Microsoft excel, spreadsheets, and others.

It is important to note that the vocabulary used to refer to each type of documentation may vary greatly from an organization to the other. This is especially true for documenting the main processes or so called workflows, which can be drawn up using Microsoft visio diagrams, or Microsoft excel spreadsheets.

As for the discrete narrative of each activity in the process, is also called the Procedures or standard operating procedures; these can be created using Microsoft word. There is no mandatory prescription in any iso standard on the way processes and procedures are documented.

Documentation required for an Internal Audit for ISO Standards

Auditorial shall ensure that the auditee has the following documented information

    • Audit Charter – it must specify the roles and responsibilities of the internal auditors and demonstrate their independence concerning the audited processes.

    • Proof of competence of Internal auditors – it must demonstrate the auditors are qualified to conduct a management system internal audit based on the respective ISO Standard

    • Internal Audit Plan – must cover all the activities of the management system and be planned for the duration of the certification (3 years).

    • Internal Audit Procedure – It must describe the audit activities in a structured and methodical way

    • Documentation of follow up activities – If nonconformities were found during the internal audit, the documentation must describe the actions performed after the submission of the internal auditory report. After the organization is certified, the auditor shall validate the documentation of audit. Followup activities for nonconformities found during the last internal and external audit during the state one audit

Sharing information with an ISO External Auditor

In cases where a document management system is used and documents are displayed in a searchable manner, the time required to verify that all requirements have been addressed will be naturally reduced. In cases where a documents management system is not available, the documented information can either be shared by email to the auditor’s address or made available to the auditor on a computer where the documents are stored.

If documented information is received by email, auditors must apply the auditees requirements regarding the secure disposal of documented information. Given how easy it is to change, update and reformat documented information in an electronic document management system, auditors should pay close attention to controls such as Approval date change log, and version control.

WANT  TO LEARN MORE ABOUT ISO AND Stage 1 Auditing?

Here, at lukedesira.com, you have access to a plethora of reading material that will guide you and your organization to success. Read more about how to get ISO certified with Luke Desira here. Otherwise, you can also read about the work of certification bodies and the difference between implementing ISO in a large company versus implementing ISO in a small firm.

If you are searching for information on different types of ISO certification, read more here, and find out about the 10 pitfalls that you may encounter during the implementation process of different types of ISO certification.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.

That is it form my end, let’s keep building processes and uncover the definition of ISO through optimized systems!

Book a Free 15 minute discovery call

Select a date and time to schedule a free 15 minute discovery call with Luke Desira.

Message Luke through an email

hello@lukedesira.com

Give Luke a call

+356 7920 6686

Related Articles

High Level Structure
General

Breakdown of the High Level Structure of ISO Standards

If you take a look at all the ISO standards that have been published after 2015, you may notice a pattern in their structure. You see, ISO 9001, ISO 45001, ISO 14001 and the latest ISO 27001, amongst others, have adopted a high level structure. What this effectively means is that every one of these

Read More »
certification bodies
General

Certification Bodies and What to Look Out for

When getting ISO certified, one of the most important steps is found at the end of the process, that of choosing a certification body. You see, when you implement an ISO standard in an organization, you have to get certified. This has to be done through an accredited certification body. In this blog, you can

Read More »
Scroll to Top