In this blog, we are going to discuss the audit objectives and steps of the Stage 1 audit. It also includes information on how to prepare for and conduct on-site activities, together with an introduction to the types of documented information to be reviewed during the Stage 1 audit.
Objectives for a Stage 1 audit for an ISO Standard
The main objective of the Stage 1 audit is to verify the design of the ISMS. During the Stage 1 audit, the auditor will review the ISMS documented information. Such documented information will be checked against the requirements of ISO 27001 and the requirements of top management.
The auditor will also seek to understand the ISMS goals and the legal and regulatory constraints. During a Stage 1 audit for an ISO standard, the auditor will also evaluate the organization’s commitment to manage and improve the ISMS, and review whether internal audits and management reviews are being done regularly.
The ISO auditor will also review the allocation of resources for Stage 2 and agree the details of the Stage 2 audit with the client to ensure the necessary participants are available.
The Stage 1 audit usually takes 30% of the total audit time. The auditor should plan the Stage 1 audit activities in such a way as to ensure that the objectives can be met and agreed with the client. For example, although a confidentiality agreement is signed, the client has the right to require that the documented information review takes place on site and that no document is carried off site.
Having said that, current technology allows auditors to perform the Stage 1 audit remotely, especially the review of the ISMS documented information, if the client agrees to give auditors limited access within its controlled environment. Such limited access rights can allow viewing while forbidding downloading and sharing. At least part of the Stage 1 audit should be carried out at the auditee’s premises so that auditors can interact with the auditee’s staff and gain a better understanding of the auditee’s business processes and business context.
The Stage 1 audit should not be conducted too far apart from the Stage 2 audit, so that the management system does not change substantially between the two stages. A period of two to four weeks between the Stage 1 and Stage 2 audits is considered acceptable.
Preparing for an onsite Stage 1 Audit for ISO Certification
As stated earlier, the Stage 1 audit activity focuses on the design of the ISMS, and the auditor should plan the audit activities in such a way as to ensure that the objectives can be met.
The auditor must schedule a review of all ISMS documented information against the requirements of ISO 27001 and other requirements of top management, and make sure they are current, approved, and consistent.
ISMS documentation includes the following:
- Policies
- Processes
- Procedures
- Plans
- Forms to be used when performing specific ISMS processes
In addition to planning for on-site Stage 1 activities, the auditor should also arrange the necessary travel and logistics. While on site, the auditor should become familiar with the locations to be audited in order to better assess the risks related to the specific conditions of the audit. Furthermore, the auditor should obtain information on the physical security controls at those locations.
Who to involve in a Stage 1 audit for an ISO Standard?
During an ISO Stage 1 audit, the audit team will have to conduct interviews with at least the person responsible for the ISMS. This interview helps the audit team better understand how the auditee operates the management system.
The auditor should also meet a representative of top management. This interview helps the audit team validate top management’s commitment and understanding of the standard’s requirements. The auditor should also meet the internal auditor; this interview helps the audit team validate whether internal audits are performed adequately and regularly.
If the Stage 1 audit takes place over several days, the audit team will have to conduct interviews with other interested parties who have a function or role directly related to the ISMS, such as the Head of Human Resources, the Head of IT, the person responsible for physical security, and others.
The objective of these interviews is to ensure a proper understanding of all applicable compliance requirements and how the ISMS responds to them.
Preparing for Stage 1 audit for an ISO Standard
Following Clause 6.3.1 of ISO 19011, the auditor should first gain an understanding of the auditee’s general processes, so as to see how each process being audited is integrated with the auditee’s overall activities. Next, the auditor should ensure that the processes and controls were designed to comply with the requirements of the respective ISO standard and that internal audits and management reviews have been conducted.
What documentation is Audited in a Stage 1 Audit?
Ensuring that the submitted information meets the standard’s requirements
As per Annex A of ISO 19011, the auditor should consider whether the documented information is:
- Complete – all required content is contained in the documented information
- Correct – the content corresponds to other reliable sources, such as standards and regulations
- Consistent – the documented information is consistent in itself and with related documents
- Current – the content is up to date
A check of all these aspects provides sufficient objective evidence to demonstrate that the requirements of ISO standards are met.
Auditors should verify that documented information exists, conforms to the audit criteria, requirements, and ISMS controls within the scope of the audit, and is related to the results of the risk assessment and risk treatment process.
Criteria that auditors use to review documented information in an ISO Audit
While reviewing documented information, auditors must validate it against three criteria.
- Content – The auditor must ensure that each document contains, at a minimum, the information required by the respective clause of the standard. The criteria for the auditor are not best industry practices, but the minimum requirements specified in the standard.
- Format – The auditor must ensure that each piece of documented information conforms to a standardized format and therefore includes identification of the author, issue date, version number, approval date, change log, etc.
- Procedure – The auditor must ensure that there is a procedure for managing the documented information in compliance with the requirements of the standard.
The auditor must adopt a systematic and structured approach. To select the documented information to be analyzed, the auditor will proceed with the examination of documented information in the following order:
- Level One – Strategic documentation, for example the declaration of the ISMS scope, information security objectives and policies, and documentation related to risk management.
- Level Two – Documented information that describes processes and controls.
- Level Three – Supporting procedures.
- Level Four – Records that provide evidence of conformity with the requirements of the standard.
ISMS documented information may exist in different formats, such as text, diagrams, Microsoft PowerPoint presentations, or Microsoft Excel spreadsheets, and the vocabulary used to refer to each type of documentation may vary greatly from one organization to another.
Disagreements may arise between the auditor and the auditee regarding the mandatory nature of documented information, or its type. In this case, the auditor must provide the auditee with a clear interpretation of the standard’s requirements.
Meaning of critical words in Stage 1 Audit of ISO Standards
In all ISO standards, the following interpretation has to be taken for specific critical words:
- Requirement – “shall” and “shall not” – indicate requirements to be strictly followed in order to conform to the standard and from which no deviation is permitted.
- Recommendation – “should” and “should not” – indicate that among several possibilities, one is recommended as particularly suitable, or, in the negative form, that a certain possibility or course of action is deprecated but not prohibited.
- Permission – “may” and “may not” – indicate a course of action permissible within the limits of the document.
- Possibility – “can” and “cannot” – refer to the ability of a user of the document or to a possibility open to them.
Practical use of the critical words within ISO Standards
The auditor must ensure that a requirement of the standard expressed with the verbal form “shall” is treated as mandatory in the documentation of the auditee’s management system. For example, when the standard states that the organization shall implement corrective actions to eliminate the root cause of nonconformities, but the auditee uses the verbal form “should”, the documented procedure is automatically considered inaccurate.
Obligations could also derive from a legal or contractual requirement. For example, if a procedure of an organization states that all transactions shall be verified every morning at 10:00 a.m., and the auditor sees that this is not done, a nonconformity will be issued.
But if the same procedure is documented with “should”, the auditor will not report it as a nonconformity, since it constitutes a guideline, not a requirement.
Mandatory Documentation for an ISO Certification
The auditor must make sure that all documents indicated in Clauses 4 to 10 of the respective ISO standard are available and conform to the standard’s requirements. The absence of any of these items should be documented as a major nonconformity.
The mandatory documents related to the management system are:
- Scope of the management system – the auditor must validate that the scope is viable and clearly defined and that the organization has accounted for the management system’s interfaces with other systems and internal processes.
- Processes of the organization or other interested parties.
- Management system policy and objectives – the auditor must validate that the policy has been approved by top management and distributed to all interested parties. In addition, the auditor must determine that the organization has documented the objectives that it wishes to reach through the implementation of the respective ISO standard.
- Statement of Applicability (only for ISO 27001) – the auditor must validate that the organization has specified all controls included in the ISMS, has stated the source of each control, and has documented the reason for the inclusion or exclusion of each of the 93 controls from Annex A.
- Description of the risk assessment approach and methodology – the auditor must validate that the risk assessment approach, the selected methodology, the risk evaluation criteria, and the acceptable levels of risk are documented, to ensure that risk assessments produce comparable and reproducible results.
- Monitoring and measurement results.
- Documentation of roles and responsibilities related to the ISMS, and evidence of competence, including records of training, skills, experience, and qualifications.
- Results of internal audits.
- Results of the management review.
- Results of corrective actions.
- Additional documentation to demonstrate conformity to the requirements of the relevant ISO standard, for example documentation that shows the effectiveness of the implemented processes and controls of the management system.
- A plan of communication with interested parties.
- Operating budget of the management system.
- Continual improvement plan.
Overall, the documentation and records must demonstrate the auditee’s management commitment to the establishment, implementation, operation, monitoring, review, updating, and continual improvement of the management system.
The auditor must make sure that all documents indicated in Clauses 4 to 10 are present and that they contain the minimum requirements specified in the respective ISO standard.
The absence of any of these items should be documented as a major nonconformity.