
Navigating ISO Audits: What My First Experience Taught Me

Author:
Jack White

Completing my first audit as a security consultant was a real step into the unknown after changing careers to work for Periculo. It was a four and a half day remote audit that packed in an ISO 9001 recertification and a combined surveillance and transition audit for ISO 27001, moving the client from the 2013 to the 2022 edition of the standard. It wasn't simple: each day ran from 09:30 to 15:30 and was filled with rigorous testing of controls, documentation reviews and real-time evidence requests, all while I tried to keep up with my normal day job for other clients.

While every audit is going to be unique, the challenges faced and the lessons learned during this first experience will undoubtedly shape how I approach future engagements.

The Structure of the Audit

The audit began with an opening meeting, which set the tone for the days ahead and gave us clarity on what the auditor expected and how we would proceed. Top management joined this meeting to show their commitment to and interest in compliance with the standards, which the auditor noted favourably.

For ISO 9001, the focus was on the company’s quality management processes, ensuring they aligned with certification requirements. The ISO 27001 audit, being both a surveillance and transition review, delved deeper into controls and their alignment with the updated 2022 standard.

Every aspect of the audit required thorough evidence backed by policy or procedure. The auditor left no stone unturned, reviewing examples of real-world and sometimes real-time implementations. A key challenge was ensuring that the evidence not only met the standards but was presented in a clear, logical manner.

It culminated in a closing meeting where the positives and negatives from the week were laid out to us as consultants and to the members of top management who attended. It allowed us to see the path to continued certification in a year's time, and what obstacles lay ahead of us.

Harpe: Our ISMS/QMS Tool

As an ISMS/QMS tool, Harpe was invaluable. It allowed us to logically organise and present evidence, attach relevant files, and comment on specific items, linking everything back to the relevant policies stored in the Docs tab. What stood out was Harpe’s bespoke auditor role, which gave the auditor independent access to explore documentation and evidence.

This setup meant that the time spent on calls could be focused on discussing critical findings, while the auditor could independently dig deeper into areas of interest. Harpe not only streamlined the process but also showcased the value of having a robust system in place for audits.

Key Lessons Learned
  1. Understanding the Statement of Applicability (SoA):
    One of my main takeaways was the importance of mastering the SoA, especially for ISO 27001. This document lists every Annex A control, states whether it is applicable and why, and records how each applicable control is implemented. For instance, parts of Annex A's Section 7 on physical controls may be less relevant for a fully remote workforce, but any control marked not applicable must still be justified in the SoA, and some physical controls (such as securing equipment used off-premises) still apply to remote workers.
  2. Proactive Evidence Collection:
    The auditor’s emphasis on real-world examples reinforced the need to continuously document processes throughout the year. Waiting until the audit to gather evidence would have led to unnecessary stress and potential oversights.
  3. Tailored Policies and Procedures:
    It became evident that generic policies are insufficient and really justified our policy and procedure reviews throughout the year. Documentation needs to reflect the specific context and operations of the company being audited.
  4. Debriefing is Crucial:
    After the audit, a comprehensive debrief with the client is essential. It helps align everyone’s understanding of the findings, establish corrective actions, and set a roadmap for the next certification cycle.

Remote Audits: A Unique Challenge

Conducting the entire audit remotely was an experience in itself. While it offered convenience, it also required meticulous preparation to ensure that all evidence was easily accessible and that technology worked seamlessly. The remote format demanded heightened attention to detail and communication, as any hiccup could delay the process.

Looking Ahead

This first audit was a whirlwind, but it was also immensely rewarding. It reinforced my passion for this field and gave me the confidence to tackle future audits with greater skill and efficiency. I’m eager to apply these lessons to other clients, refining my approach to ensure smoother, more professional engagements.

Ultimately, this experience has fuelled my ambition to become the lead for audits here at Periculo. With each engagement, I hope to further solidify our reputation for excellence in navigating the complexities of ISO standards.

Ready to Ace Your Next Audit with Confidence?

Imagine walking into your next ISO audit knowing you’re fully prepared—your evidence is airtight, your policies are tailored, and your processes reflect your organisation’s unique needs. At Periculo, we don’t just guide you through compliance; we help you build a system that secures your future certifications with ease.

👉 Let’s Start Today: Book a strategy call to see how we can simplify your audit preparation and safeguard your organisation’s compliance journey.

Your next success story begins here. Schedule Your Call or Contact Us Now
