diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 16.17.34.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 16.17.34.png new file mode 100644 index 0000000..dd57cca Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 16.17.34.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 17.28.31.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 17.28.31.png new file mode 100644 index 0000000..4011b89 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-08 at 17.28.31.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 10.49.18.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 10.49.18.png new file mode 100644 index 0000000..3789075 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 10.49.18.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 20.53.01.png b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 20.53.01.png new file mode 100644 index 0000000..ad6c640 Binary files /dev/null and b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/CleanShot 2026-06-09 at 20.53.01.png differ diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.1-Initiation-of-the-audit-process.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.1-Initiation-of-the-audit-process.md index cd66af9..b7c7e54 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.1-Initiation-of-the-audit-process.md 
+++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.1-Initiation-of-the-audit-process.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S10.1 Initiation of the audit process 
@@ -15,6 +15,96 @@ processed: false This session introduces the PECB AMS II audit methodology and its six phases: initiation, stage one audit, preparation for stage two, stage two audit, audit conclusions, and beyond the initial audit. The session focuses on phase one, covering how to accept an audit mandate, what an audit offer contains, and how to appoint an audit team leader. The roles and responsibilities of the audit team leader are described, along with criteria for selecting team members including competence, language, cultural awareness, conflict of interest, and technical expertise. Valid reasons for requesting replacement of an auditor are also discussed. +## PECB audit methodology + +PECB has developed a methodology for auditing a management system, known as the *accepted auditing methodology for management systems and standards*, or AMS II. This methodology has been developed based on best audit practices and on ISO 1911 guidelines, and it also meets the requirements of ISO 17021-1. + +![](CleanShot%202026-06-08%20at%2016.17.34.png) + +The AMS II consists of six phases, similar to a normal audit cycle: + +1. Initiation of the Audit Process +2. Stage 1 Audit +3. Preparations for Stage 2 Audit +4. Stage 2 Audit +5. Audit conclusions +6. Beyond the initial Audit + +Each phase has a couple of steps, which are further divided in separate activities. The methodology has two supporting processes: communication during the audit, and management of audit risks. + +### Initiation of the Audit Process +This section focuses on the first phase, Initiation of the Audit Process, consisting of the following activities: receiving an audit offer and accepting the audit mandate, appointing the audit team leader and other audit team members, determining audit feasibility, accepting the audit, establishing contact with the auditee and defining the audit schedule. + +So an organization has approached the certification body with a request to be certified: + +1. 
The certification body then makes an **audit offer**[^1] to a **qualified auditor** +2. Both the certification body and the certified auditor need to accept the **audit mandate**[^2] +3. The certification body appoints the **audit team leader** +4. The audit leader determines the **audit feasibility** +5. The **audit team members** are selected +6. The certification body and the auditee then sign the **certification agreement** +7. The audit team leader establishes contact with the auditee +8. The audit team leader defines the audit schedule + + +The **feasibility of the audit** is determined to provide reasonable confidence that the objectives can be achieved. Factors to take into account: + +- sufficient and appropriate information for planning and conducting the audit +- adequate cooperation from the auditee +- adequate time and resources for conducting the audit + + +The auditee may **reject an auditor** on the following grounds: + +- conflict of interest (real or potential) +- previous unprofessional conduct +- required security clearance +- negative experiences during previous audits + +When **forming the audit team**, you should take into account: + +- The particular conditions of the audit mission +- The required competences of the audit team +- the considerations specific to each audit member. + +![](CleanShot%202026-06-08%20at%2017.28.31.png) + + +*Note that in this training the terms "audit mandate" and "official audit offer" are used interchangeably to describe the contract between the auditor and the certification body.* + + +--- + ## Transcription -Section 10 aims to provide information on receiving an audit offer, appointing the audit team leader and other audit team members, determining, of course, the audit feasibility, accepting the audit establishing contact with the auditee and defining the audit schedule. So this is really the kickoff of the audit. 
So let's have a look So PECB has developed a methodology developed for auditing a management system. It's known as the accepted auditing methodology for management systems and standards. In short, it's AMS2. This methodology has been developed based on best audit practices and on ISO 1911 guidelines, and it also meets the requirements of ISO 17021-1. So the AMS II consists basically out of six phases. It's very similar to a normal audit cycle. So the six phases are the initiation of the audit process. Then we go to the stage one audit. Step 3 is the preparation for stage 2 audit. Step 4 is stage 2 audit itself. Step 5 are the audit conclusions. And step 6 is beyond the initial audit. So each phase within the AMS II has three to five steps, which are further divided in separate activities. The methodology also consists of two supporting processes which are communication during the audit and management of audit risks. During the training course these steps will be presented and illustrated in a chronological order The activities in each step. So each phase has two to five steps, and in those steps there are a multitude of activities that need to happen. We will not dive deep into the activities because they depend on the specific context of the audit. So the appointment of an audit team leader, for example, will depend on whether the certification auditor has a qualified auditor or not. And these steps involved then a series of activities such as a job interview, signing of the contract, which we will not go deeper into So on the slide, you see the six different phases with the activities included there. And you see, as a supporting process, is of course the communication during the audit and management of the audit risks. So, for this section, we will dive into phase one, which is initiation of the audit process, and we will talk a little bit about the five different steps that need to be taken there. 
So, first of all, you need to accept an audit mandate, and the certification body needs to accept the audit mandate and the certified auditor as well, and you need to appoint an audit team. So prior to accepting that audit mandate, the auditor receives an offer from the certification body. So that's of course a little bit dependent. on how the qualified auditor is appointed. Is it an employee? Is it a full-time employee? The engagement in audit is already part of the employee contract, so there might not be an official offer or an official mandate. The same goes goes when a certification body works with self-employed auditors and they have like a contract which is uh an open-ended contract um then you don't have that specific of offer either. So the process of accepting the audit mandate helps of course in avoiding any misunderstanding that might arise during the audits. And the official audit offer then offers as the yeah as a contract between the auditor and the certification uh body um and it's best that it's formally signed. So if I look at my experience as an external audit I don't get um specific offers per audit. I have an an open-ended contract as being self-employed And we agreed on the number of days that I would do audits. And as long as the days have not been fulfilled, the calendars are checked and there's also of course a check of on the independency. and then the audit company just uh completes um the planning in my calendar so but it will be different from certification body to certification body Now looking at the audit offer, what is usually included in an audit offer? Of course the audit scope um the audit objective and the criteria. 
The duration of the audit and will it be ten days, will it be twenty days, will it be only three days Potential audit team members, the responsibilities of the audit team members, what are the limits of the audit engagement And um of course uh almost also very important uh the auditor's payment is also very important, of course. Um so the auditor and the certification body should agree on that uh audit offer and on the terms of the offer mandate. So just to ensure that there is no misconfusion, there's no discussion afterwards. So on the following slide you see um an example of an audit offer where you see Basically, name of the auditor that they state that there is an um an audit that needs to be happening against the ISO 2701. You see there is a line on Your responsibility will be to ensure that the organization has implemented and continually maintains and improves in signing the offer as well as the attached terms and conditions. You agree to those and you will perform the audit in uh name of the certification body. You see the duration it will last 16 days which is already a pretty long audit And the audit scope covers the organization's headquarters, including the data processing centers and seven offices. And the other team members will collectively have the necessary skills and expertise to conduct it. And the payment details will be specified. in an uh a separate document. So it really entails everything that you need to know before engaging in an audit for you as an auditor. Now, um appointing an audit team leader is of course very important. Before each audit, the certification body should appoint only one audit team leader. That person is a is responsible. For conducting the audit until its completion. So the audit team leader is the one who uh drafts up in the end the non-conformities, who comes with the conclusion he's and responsible. 
So um very important here on the terminology and the term audit team leader is not um the same as certified lead auditor. Although uh there might be a lot of team members on the audit team that are also lead auditor, but the team leader is basically the one that leads um the audit who has um the duties and has certain duties and responsibilities And everybody involved in the audit team should also agree, of course, on the authority of that audit team leader. If you have misconception on what the audit leader is supposed to be doing, you get a lot of frustration. So the audit team leader is responsible for a lot of things. He needs to he or she needs to plan the audit. He needs to think about potential audit risks and he needs to think about how he's how he's going to address them. He or she is also responsible for undertaking the communication with the audit team. He needs to manage the audit team. He needs to assign the responsibilities to each team member. Here she also needs to solve any conflicts within the audit team or conflicts with the audit team. Here she is also responsible for drafting and reporting the audit conclusions. And he or she needs to uh prepare the uh audit report as well. So um there are a lot of responsibilities that come with the audit uh team leader. How it usually happens is that the team leader is basically responsible for everything and you have in an audit regular touch basis during the audit to check whatever goes wrong or what non-conformities that you have have encountered during the audit Of course, you also want to select an audit team. Any successful audit will be dependent on the audits, the auditors that you choose, the competence that they have. um the expertise that they have uh with the industry. 
So um when you decide on uh the size and the competences of an audit team um you need to take into consideration a couple of things First of all, you need to have a look at what is the audit mission and what are the audit objectives, what is the scope, what is the location. So you Um you also need to ensure because everything um needs to be paid by the audity, so you have to have a look at okay where is the the audit happening uh Do I have auditors close by? Do we need to fly them over? So that will be uh one part to think about. You also need to think about what are the required competences of the audit team And do we um need any specific expertise um to communicate with the oddity? Um is there technical knowledge necessary? Uh what language is the audit uh in Is there any um social or particular cultural characteristics that we need to take care of? Um for example, I can imagine if you go and audit in Saudi Arabia, it might not be the best thing to send uh a woman or perhaps it is or and the same goes for Israel for example. So you want to think uh about any social and particular cultural characteristics And you want to have a look at each individual team member. Is there a conflict of interest? Are the auditors obviously available? What is the specific expertise as well? So Um if you just pick and choose without taking these things in consideration, that will have an impact on the effectiveness and the efficiency of the audit, of course. 
So it might also be the case that you don't have any specific technical knowledge in the audit team and that it's still required then you can add technical experts um or translators um to uh the audit team just uh to help them um yeah perform the audit and when you use of course translators or interpreters uh they should not um yeah affect the audit as such as so they're just there uh to basically translate whatever needs to be done So when selecting um the audit team, um you there is a difference, of course, um in what you uh should be looking at. So um the individuals that manage the audit program, and the so the the lead auditor. needs to appoint those members. It usually is done together with the certification body, but you need to take into account competences needed to perform in line with the objectives to perform that individual audit. So of course you need to have a look at the overall competence of the audit team. So you need to have a look at okay what is the competence needed as I already explained And you also need to select those other team members so that you have all relevant uh knowledge in there. So you need to have a look, and depending on the size and complexity of the audit, of course, you need to think about okay, what is the overall competence that we need? What is the complexity of the audit? Is it a combined audit? Are you doing multiple management systems? What are the audit methods that you're going to use? Can everybody act in an impartial and objective way? How are people working together? How are they able to communicate with the external parties? What is the complexity of the processes? What is the language? But when looking at the audit competences, uh each auditor mainly needs to be able to communicate in a good way. They need to be able to work together. although usually uh auditors um are used to working in solitude. Uh you don't always have an audit team. Um but if you have an audit team you need to be able to work together well. 
You need to have good communication skills because you also need to communicate of course with your customers. You need to know the risk-based approach to auditing. You also need to of course understand the standards, the audit standards, the procedures In ISO 27001, you of course need to understand what requirements of 27001 are, and you also need to understand organizations main business processes. So you need to have a basic knowledge on whatever the organization is doing. At least one audit team member should have knowledge of the industry in which the Audity operates Knowledge of the Odity's language, of course, expertise in each domain to be audited, and some knowledge about legal and other requirements that the auditee is subject to So it is very important that uh you take that into consideration. Of course, um not everybody uh will have all uh the knowledge and that's not really necessary. You can add as I already s stated. Technical experts. You can also add auditors in training, but they're not supposed to be working alone, so they always need to participate under the direction and guidance of an auditor. So it's very important that everybody knows what their role is in the audit process, and you need to ensure that you have the necessary skills and competence available. Usually, at least that's my experience, this is checked beforehand, also in the initial stage, to understand what is the specific need that the organization has. Now, an audit client or an audit tee has the right to request a replacement of an audit team leader, of course. You need to have valid reasons. So, what usually happens is that the certification body provides with the names of at least the lead auditor but also the team members And an certification body can also present with a resume or some background information to the certification to the auditee. um to give them enough time to do an analysis if that's happened. Now I haven't seen that happening a lot. 
I we usually provide with the names um but an RDT Can say I I don't want to have that person um on the team, I don't want it, but there needs to be a valid reason of course. A valid reason can be a couple of things. It might be that there is a conflict of interest. That might be a real one. For example, the auditor has previously worked for the Odity, or a perceived conflict of interest. For example, the auditor has worked for a competitor and uh the audit doesn't want uh the auditor um to see their internal processes as well. Um the fact that an auditor has previously displayed uh unprofessional conduct might be a good uh reason. It might also be the case case that in certain industries, some sectors like um aviation, um anything that has to do with defense, nucle nuclear power, those kind of things It can be the case that an auditee requests the auditors or members of the audit team to hold a security clearance or a background check because you need to do that from out of legislation sometimes. So it might be the case that that is requested as well. So it is of course very important that you communicate the reasons that a customer or an oddity asks you to remove somebody from the audit team to communicate that as well. So um as I already said uh you don't have if you don't have the clearance you cannot go and audit. Um I know uh um unprofessional conduct um conflict of interest, all good reasons um b by which an um an audit um yeah an auditee can refuse to have you Sometimes you also have like um yeah it doesn't click yeah sometimes you you just don't have the glue that sticks you together. That might also be a reason um for an auditee or even from an auditor um to ask a replacement if you feel that you it's not comfortable, it's not working, if you get frustrated from one another, you should take that into account. \ No newline at end of file +During the training course these steps will be presented and illustrated in a chronological order. 
So each phase has two to five steps, and in those steps there are a multitude of activities that need to happen. We will not dive deep into the activities because they depend on the specific context of the audit. So the appointment of an audit team leader, for example, will depend on whether the certification auditor has a qualified auditor or not. And these steps involved then a series of activities such as a job interview, signing of the contract, which we will not go deeper into. So on the slide, you see the six different phases with the activities included there. And you see, as a supporting process, is of course the communication during the audit and management of the audit risks. + +So, for this section, we will dive into phase one, which is initiation of the audit process, and we will talk a little bit about the five different steps that need to be taken there. + +So, first of all, you need to accept an audit mandate, and the certification body needs to accept the audit mandate, and the certified auditor as well, and you need to appoint an audit team. So prior to accepting that audit mandate, the auditor receives an offer from the certification body. So that's of course a little bit dependent on how the qualified auditor is appointed. Is it an employee of the certification body? Is it a full-time employee? +The engagement in audit is already part of the employee contract, so there might not be an official offer or an official mandate. The same goes goes when a certification body works with self-employed auditors and they have an open-ended contract. So the process of accepting the audit mandate helps of course in avoiding any misunderstanding that might arise during the audits. And the official audit offer then offers as the yeah as a contract between the auditor and the certification uh body um and it's best that it's formally signed. So if I look at my experience as an external audit I don't get um specific offers per audit. 
I have an an open-ended contract as being self-employed And we agreed on the number of days that I would do audits. And as long as the days have not been fulfilled, the calendars are checked and there's also of course a check of on the independency. and then the audit company just completes the planning in my calendar so but it will be different from certification body to certification body + +Now looking at the audit offer, what is usually included in an audit offer? Of course the audit scope um the audit objective and the criteria. The duration of the audit and will it be ten days, will it be twenty days, will it be only three days Potential audit team members, the responsibilities of the audit team members, what are the limits of the audit engagement And um of course uh almost also very important uh the auditor's payment is also very important, of course. Um so the auditor and the certification body should agree on that uh audit offer and on the terms of the offer mandate. So just to ensure that there is no misconfusion, there's no discussion afterwards. + +So on the following slide you see an example of an audit offer where you see basically, name of the auditor that they state that there is an um an audit that needs to be happening against the ISO 2701. You see there is a line on "your responsibility will be to ensure that the organization has implemented and continually maintains and improves in signing the offer as well as the attached terms and conditions. You agree to those and you will perform the audit in name of the certification body". You see the duration it will last 16 days which is already a pretty long audit, and the audit scope covers the organization's headquarters, including the data processing centers and seven offices. And the other team members will collectively have the necessary skills and expertise to conduct it. And the payment details will be specified in a separate document. 
So it really entails everything that you need to know before engaging in an audit for you as an auditor. +Now, appointing an audit team leader is of course very important. Before each audit, the certification body should appoint only one audit team leader. That person is a is responsible for conducting the audit until its completion. So the audit team leader is the one who drafts up in the end the non-conformities, who comes with the conclusion, and he's responsible. So very important here on the terminology and the term audit team leader is not the same as certified lead auditor. Although there might be a lot of team members on the audit team that are also lead auditor, but the team leader is basically the one that leads the audit, who has certain duties and responsibilities. And everybody involved in the audit team should also agree, of course, on the authority of the audit team leader. If you have misconception on what the audit leader is supposed to be doing, you get a lot of frustration. + +So the audit team leader is responsible for a lot of things. He or she needs to plan the audit. He needs to think about potential audit risks and he needs to think about how he's how he's going to address them. He or she is also responsible for undertaking the communication with the audit team. He needs to manage the audit team. He needs to assign the responsibilities to each team member. He or she also needs to solve any conflicts within the audit team or conflicts with the audit team. He or she is also responsible for drafting and reporting the audit conclusions. And he or she needs to prepare the audit report as well. So there are a lot of responsibilities that come with the role of audit team leader. +How it usually happens is that the team leader is basically responsible for everything and you have in an audit regular touch basis during the audit to check whatever goes wrong or what non-conformities that you have have encountered during the audit. 
+ +Of course, you also want to select an audit team. Any successful audit will be dependent on the auditors that you choose, the competence that they have, and the expertise that they have with the industry. + +So when you decide on the size and the competences of an audit team you need to take into consideration a couple of things: first of all, you need to have a look at what is the audit mission and what are the audit objectives, what is the scope, what is the location. So you also need to ensure, because everything needs to be paid by the auditee, so you have to look where the audit is happening. Do I have auditors close by? Do we need to fly them over? So that will be one part to think about. You also need to think about what are the required competences of the audit team. And do we need any specific expertise to communicate with the auditee? Is there necessary technical knowledge? What language is the audit in? Are there any social or particular cultural characteristics that we need to take care of? For example, I can imagine if you go and audit in Saudi Arabia, it might not be the best thing to send a woman, or perhaps it is, and the same goes for Israel for example. So you want to think about any social and particular cultural characteristics. + +And you want to have a look at each individual team member. Is there a conflict of interest? Are the auditors obviously available? What is the specific expertise as well? So if you just pick and choose without taking these things in consideration, that will have an impact on the effectiveness and the efficiency of the audit, of course. 
+ +So it might also be the case that you don't have any specific technical knowledge in the audit team and that it's still required then you can add technical experts um or translators um to uh the audit team just uh to help them um yeah perform the audit and when you use of course translators or interpreters uh they should not um yeah affect the audit as such as so they're just there uh to basically translate whatever needs to be done So when selecting um the audit team, um you there is a difference, of course, um in what you uh should be looking at. So um the individuals that manage the audit program, and the so the the lead auditor. needs to appoint those members. It usually is done together with the certification body, but you need to take into account competences needed to perform in line with the objectives to perform that individual audit. So of course you need to have a look at the overall competence of the audit team. So you need to have a look at okay what is the competence needed as I already explained And you also need to select those other team members so that you have all relevant uh knowledge in there. So you need to have a look, and depending on the size and complexity of the audit, of course, you need to think about okay, what is the overall competence that we need? What is the complexity of the audit? Is it a combined audit? Are you doing multiple management systems? What are the audit methods that you're going to use? Can everybody act in an impartial and objective way? How are people working together? How are they able to communicate with the external parties? What is the complexity of the processes? What is the language? But when looking at the audit competences, uh each auditor mainly needs to be able to communicate in a good way. They need to be able to work together. although usually uh auditors um are used to working in solitude. Uh you don't always have an audit team. 
Um but if you have an audit team you need to be able to work together well. You need to have good communication skills because you also need to communicate of course with your customers. You need to know the risk-based approach to auditing. You also need to of course understand the standards, the audit standards, the procedures In ISO 27001, you of course need to understand what requirements of 27001 are, and you also need to understand organizations main business processes. So you need to have a basic knowledge on whatever the organization is doing. At least one audit team member should have knowledge of the industry in which the auditee operates Knowledge of the auditee language, of course, expertise in each domain to be audited, and some knowledge about legal and other requirements that the auditee is subject to So it is very important that uh you take that into consideration. Of course, um not everybody uh will have all uh the knowledge and that's not really necessary. You can add as I already stated. Technical experts. You can also add auditors in training, but they're not supposed to be working alone, so they always need to participate under the direction and guidance of an auditor. So it's very important that everybody knows what their role is in the audit process, and you need to ensure that you have the necessary skills and competence available. Usually, at least that's my experience, this is checked beforehand, also in the initial stage, to understand what is the specific need that the organization has. + +Now, an audit client or an audit tee has the right to request a replacement of an audit team leader, of course. You need to have valid reasons. So, what usually happens is that the certification body provides with the names of at least the lead auditor but also the team members And an certification body can also present with a resume or some background information to the certification to the auditee. 
um to give them enough time to do an analysis if that's happened. Now I haven't seen that happening a lot. I we usually provide with the names um but an auditee Can say I I don't want to have that person um on the team, I don't want it, but there needs to be a valid reason of course. A valid reason can be a couple of things. It might be that there is a conflict of interest. That might be a real one. For example, the auditor has previously worked for the auditee, or a perceived conflict of interest. For example, the auditor has worked for a competitor and uh the audit doesn't want uh the auditor um to see their internal processes as well. Um the fact that an auditor has previously displayed uh unprofessional conduct might be a good uh reason. It might also be the case case that in certain industries, some sectors like um aviation, um anything that has to do with defense, nucle nuclear power, those kind of things It can be the case that an auditee requests the auditors or members of the audit team to hold a security clearance or a background check because you need to do that from out of legislation sometimes. So it might be the case that that is requested as well. So it is of course very important that you communicate the reasons that a customer or an oddity asks you to remove somebody from the audit team to communicate that as well. So um as I already said uh you don't have if you don't have the clearance you cannot go and audit. Um I know uh um unprofessional conduct um conflict of interest, all good reasons um b by which an um an audit um yeah an auditee can refuse to have you Sometimes you also have like um yeah it doesn't click yeah sometimes you you just don't have the glue that sticks you together. That might also be a reason um for an auditee or even from an auditor um to ask a replacement if you feel that you it's not comfortable, it's not working, if you get frustrated from one another, you should take that into account. 
+ +--- + +[^1]: The audit offer contains the audit scope, objective and criteria, the duration of the audit, potential audit team members, the responsibilities of the audit team members, the limits of the audit engagement, and the auditor's reimbursement. + +[^2]: Depending on the relationship between the certification body and the auditor – if the auditor is an employee of the certification body this may not be a formal step. + diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.2-Initiation-of-the-audit-process.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.2-Initiation-of-the-audit-process.md index 17e4c7c..5a0e582 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.2-Initiation-of-the-audit-process.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.2-Initiation-of-the-audit-process.md @@ -7,7 +7,7 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S10.2 Initiation of the audit process 
@@ -15,6 +15,78 @@ processed: false This session covers audit feasibility assessment and the determination of audit duration and scope. Feasibility depends on access to information, auditee cooperation, available time, team competence, and cultural factors. The ISO 27006 employee-count table for determining audit days is explained, ranging from five days for small organizations to over 28 days for large ones. Audit objectives per ISO 17021-1 must confirm ISMS conformity, effectiveness, and identification of improvement areas. The distinction between ISMS scope and audit scope is clarified, and the session explains how scope changes during an audit should be documented and communicated to the certification body. +## Determining Audit Feasibility + +This is the first thing you do after being appointed as an Audit Team Leader. + +To determine the feasibility you need: +- sufficient and appropriate information to plan and conduct the audit +- adequate cooperation from the auditee +- adequate time and resources for conducting the audit. + +You will probably need to sign a confidentiality agreement. Possibly the auditee will do a background check or ask for security clearance. + +The Audit Team Leader checks the available time, the competencies and skills of the audit team members, and possible issues with language, culture, or social background. + +ISO 27001 gives a table for **audit days** in relation to the number of employees of the auditee, but there are reasons for shortening that (e.g. combined audits) or expanding that (regulated industries, complex sectors, complex technologies, multiple sites). + +With a minimum of 5 days, of which 3 days need to be spent on site, typical time spent will be: + +- half a day for planning the audit +- one day for Stage 1 Audit (documentation audit) +- three days on-site audit (interviews) +- half a day for drafting the final audit report + +This includes the opening and closing meetings. 
+ +The **audit objectives** be stated by the certification body. The standard objectives are: +- check if the ISMS conforms to the requirements of the standard +- check if the ISMS is effective in meeting its intended results – is the ISMS working correctly +- check if the organization can reach their information security objectives, based on their own criteria. + +ISO 17021-1 clause 9.2.1.2 has more on this: + +![](CleanShot%202026-06-09%20at%2010.49.18.png) + +As you can see, an audit needs to determine: + +- conformity of the ISMS with the audit criteria +- if the ISMS ensures compliance with statutory, regulatory, and contractual requirements +- the effectiveness of the ISMS to achieve its objectives +- areas for improvement to the management system. + +The **audit scope** must also be determined. This is not the same as the scope of the management system. The audit scope might for instance not include all sites of the auditee, or all processes (in a surveillance audit). +The audit scope must be validated and agreed upon by both the certification body and the auditee. The scope is formalized in the **certification agreement** between the certification body and the auditee[^1]. + +The **audit scope may be changed** during the audit, because of material changes in the organization, information that was not available to the auditor when determining the audit scope initially, or unexpected physical disruptions like a fire. Those changes need to be documented and shared with the certification body. If the auditee does not agree, the audit may either continue with the original scope, of the auditor may withdraw because it's impossible to complete the audit (i.e. reach the audit objectives). + + +--- + ## Transcription -When you're appointed as a lead auditor, you first of all need to determine the audit feasibility. 
The audit feasibility is very important because it gives you the reasonable assurance or the reasonable confidence that the audit objectives can be achieved. So how do you now come to that determination of feasibility? So you need a couple of things that you need to consider. So first of all, you need to check, okay, what is the information that we need to plan the audit? Do you receive the necessary information to really plan and conduct the information? Do you have everything available? Secondly, you also need to check okay what is a corporation from the audites part. You need to have as an audit team full access to the information related to the ISMS. So for example, if an Audit refuses to give you access to, for example, firewall configurations, claiming that the information is too sensitive, it would be impossible to check the control. So it is recommended, of course, you usually have a confidentiality agreement. It might also be the case that sometimes you can do background checks. I haven't I I ha only have a couple of uh customers where I need to do a full uh security clearance, but that's based on legislation. In all other um areas and some countries it's not even allowed To do a full um criminal records um background checks. Usually the confidentiality agreement is enough. But you can also state that sensitive information can only be accessed on site and when somebody from the audity uh team is uh represented. Um you also want to check um to the proposed length um of the audit. Uh if um sometimes you get into a situation where you think okay I don't have enough time uh to perform the audits. So you need to check that as well. So for example at the ISO 2706 on which certification bodies need to be certified requires a maximum of five-day audit, of which three needs to be held on site. In a research and development company, in the pharmaceutical sector sector, it would not make sense um and it should not be uh accepted. 
So depending on um how big the organization is, the complexity of the processes, you need to check do I have um enough time do I have um enough time to check if everything is implemented accordingly. Of course you also need to have a look at the competence of the audit The audit team leader needs to be sure that everybody is part of the audit team has the right competences, has the right interpersonal skills to feel comfortable to conduct the audit. And then lastly, you also need to have a look at the cultural aspects. Do you have an issue with the language, with the social background? That might also be an issue, of course. Again, I want to reiterate here, resources also include adequate access. As an auditor, you need to have full access to whatever you want to check. Now how long should an audit last? It's not something that certification bodies um can come up uh with um out of the blue in the ISO 27006. There are tables that help you with deciding how long an audit should last. So that also means that if you compare audit firms as certification bodies with each other Um it's um you won't see a difference in audit days. Uh usually the audit days are the same, price will be different. um reputation will be different um but um basically there is a table that is used and a certification body is allowed um to use um a couple of um indicators like complexity of systems, um outsourcing of uh systems Um is it a combination audit that will give them extra parameters to either uh reduce or increase the number of days? But In the in the basis, the table that is shown on the slide gives you an indication on the number of days. So number of employees, if we look at the ISO 27001 column, which is the third one If you're an organization between one or ten FTEs, you will receive a five-day audit, of which three days will usually be on site. From 11 to 15, it goes up to six. If you're 176 to 275, it will be 14 days. 
And it goes up all the way to 10,700 where an auditor comes and lives with you for a month. So what usually happens when you have like uh days like 28 or 10 um you usually um get uh because that it's that is per person. So usually uh the people um get divided so that you don't have four weeks the same person in the company, but you get like two or three or four audit uh auditors that visit your company So um the basic thing here is that certification bodies um need to give uh enough time to auditors to complete the audit. So the time available will depend on a couple of things. So you have the basic table, but then certification bodies also look at what is the scope of the management system, what is the complexity. What is the field? For example, in a ho in a healthcare sector, it might be a different complexity. Are there multiple sites that need to be audited? Um what is uh the complexity of the technology? Are you using one technology stack or are you using multiple uh technology stacks? What are um outsourcing uh services? Um what are any regulations? Um Um or loss that needs to happen. So as I stated, at the minimum time for an audit is five days per person. So that means that usually you have like half a day that you use for uh planning and auditing. You have one day that you do the phase one or the stage one which is the documentation audit. You will have three days to do an on-site audit and then half a day to do the drafting of uh the final process. So um that means that an auditor performing an audit um on their own um must in five days conduct everything so do the opening and the closing meeting, they do need to do the interviews, they need check the documentation. So that becomes uh that's a pretty challenging task. Um so um the auditor must use time wisely and that's why they only uh focus on key processes. So you won't be able to see everything. 
So that's the reason why you need to focus on the key processes and the critical systems that you want to audit. Now looking at the audit objectives, they need to be stated by the certification body So usually a certification body uh creates um um audit objectives for ISO 27001 audits that might be different from a stage one and a stage two, but the audit objectives are there to verify. If the ISMS conforms to the requirements of the standard. Also to check if the ISMS is effective in meeting their intended results. And it's to check if the organization can reach their information security objectives. based on their own criteria. So having those audit objectives in place is your first step of course to start your audit. Now looking at the audit objectives, ISO 17021-1, class nine dot one dot one dot too gives a little bit more information about that. So the audit objectives really need to describe what is accomplished by an audit and needs to include a couple of things. So there are four things that need to be included. So first of all, needs to include that there is a determination of the conformity of the client's management system or parts of it with the audit criteria There needs to be a determination of the ability of the management system to ensure that the client meets all statutory, regulatory, and contractual requirements There needs to be a determination of the effectiveness of the management system to ensure that the client can reasonably expect to achieve the specified objectives. And of course, there needs to be, as applicable, an identification of areas for improvement to the management system. So that's usually what is stated in the audit objectives. If you look at an audit report That's usually stated on the first page. Besides that, the audit scope will need to be determined. Also, ISO 17021 Uh gives there some uh insight. 
The audit scope will describe what are the boundaries of the audit and what is the extent, what is the the boundary like what are the number of sites, what are the organizational units What are activities and processes to be audit? So the audit scope is something different than the scope of the management system. So the ISMS scope is probably more broader Then the audit scope. It of course the audit scope needs to be consistent with the audit program and also with the audit objectives But it doesn't necessarily include all of the organizations processes and products which may be covered by the ISMS. So if we look at an example, it might be that in a bank, for example, that for auditing the overall activities of a bank that has like a head office, four processing centers um a couple of regional offices and uh a multitude of branches um that for the audit scope we would all only um visit the head office One data processing center and only five regional office and twenty-five branches, for example So that would mean that you will not would not need to visit all the sites and all the branches because that would be become very expensive And that would also mean that it would take a lot of time to do that. So the audit scope is not necessarily the same as the ISMS scope It's usually a little bit um uh smaller than the ISMS scope, but it needs to be in line with the audit program and the audit objectives We'll have a look at the audit scope. So it might also be so you he will he or she will look with the audit tee at the audit scope and to see if there need to be any changes made when they're on site. So it might be that you determine an audit scope and you come on site, you d conduct a couple of interviews and you come to the conclusion that basically the audit scope is not completely correct And then the other team leader needs to have a discussion with the client. So what might that, for example, be? 
For example, the ISMS scope wasn't really clear at the beginning of the process and while doing the interviews it becomes more clear. There are recent changes in technology that have not been communicated. There have been an acquisition that has not been communicated. Or there might be something happening, for example, like a fire that yeah. And forces you to change the audit scope. Whenever that happens, those changes need to be documented in a clear way. And of course, the certification body also needs to be informed So there are a couple of things that then can happen if you uh if uh the auditor and the auditee don't agree on the change of the audit scope, there are two possibilities. Either continue with the audit as in the initial scope or state that you stop the audit and that you withdraw with the audit because it's impossible to complete the audit. So there are two things that you can do uh in that instance. \ No newline at end of file +When you're appointed as a lead auditor, you first of all need to determine the audit feasibility. The audit feasibility is very important because it gives you the reasonable assurance or the reasonable confidence that the audit objectives can be achieved. So how do you now come to that determination of feasibility? So you need a couple of things that you need to consider. + +So first of all, you need to check, okay, what is the information that we need to plan the audit? Do you receive the necessary information to really plan and conduct the information? Do you have everything available? Secondly, you also need to check okay what is a corporation from the audites part. You need to have as an audit team full access to the information related to the ISMS. So for example, if an Audit refuses to give you access to, for example, firewall configurations, claiming that the information is too sensitive, it would be impossible to check the control. So it is recommended, of course, you usually have a confidentiality agreement. 
It might also be the case that sometimes you can do background checks. I haven't I I ha only have a couple of uh customers where I need to do a full uh security clearance, but that's based on legislation. In all other um areas and some countries it's not even allowed To do a full um criminal records um background checks. Usually the confidentiality agreement is enough. But you can also state that sensitive information can only be accessed on site and when somebody from the auditee team is uh represented. + +You also want to check um to the proposed length of the audit. Uh if um sometimes you get into a situation where you think okay I don't have enough time uh to perform the audits. So you need to check that as well. So for example at the ISO 27006 on which certification bodies need to be certified requires a maximum of five-day audit, of which three needs to be held on site. In a research and development company, in the pharmaceutical sector sector, it would not make sense um and it should not be uh accepted. So depending on um how big the organization is, the complexity of the processes, you need to check do I have um enough time do I have um enough time to check if everything is implemented accordingly. + +Of course you also need to have a look at the competence of the audit The audit team leader needs to be sure that everybody is part of the audit team has the right competences, has the right interpersonal skills to feel comfortable to conduct the audit. + +And then lastly, you also need to have a look at the cultural aspects. Do you have an issue with the language, with the social background? That might also be an issue, of course. Again, I want to reiterate here, resources also include adequate access. As an auditor, you need to have full access to whatever you want to check. + +Now how long should an audit last? It's not something that certification bodies um can come up uh with um out of the blue in the ISO 27006. 
There are tables that help you with deciding how long an audit should last. So that also means that if you compare audit firms as certification bodies with each other Um it's um you won't see a difference in audit days. Uh usually the audit days are the same, price will be different. um reputation will be different um but um basically there is a table that is used and a certification body is allowed um to use um a couple of um indicators like complexity of systems, um outsourcing of uh systems Um is it a combination audit that will give them extra parameters to either uh reduce or increase the number of days? But In the in the basis, the table that is shown on the slide gives you an indication on the number of days. So number of employees, if we look at the ISO 27001 column, which is the third one If you're an organization between one or ten FTEs, you will receive a five-day audit, of which three days will usually be on site. From 11 to 15, it goes up to six. If you're 176 to 275, it will be 14 days. And it goes up all the way to 10700 where an auditor comes and lives with you for a month. So what usually happens when you have like uh days like 28 or 10 um you usually um get uh because that it's that is per person. So usually uh the people um get divided so that you don't have four weeks the same person in the company, but you get like two or three or four audit uh auditors that visit your company So um the basic thing here is that certification bodies um need to give uh enough time to auditors to complete the audit. So the time available will depend on a couple of things. + +So you have the basic table, but then certification bodies also look at what is the scope of the management system, what is the complexity. What is the field? For example, in a ho in a healthcare sector, it might be a different complexity. Are there multiple sites that need to be audited? Um what is uh the complexity of the technology? 
Are you using one technology stack or are you using multiple uh technology stacks? What are um outsourcing uh services? Um what are any regulations? Um Um or loss that needs to happen. + +So as I stated, at the minimum time for an audit is five days per person. So that means that usually you have like half a day that you use for uh planning and auditing. You have one day that you do the phase one or the stage one which is the documentation audit. You will have three days to do an on-site audit and then half a day to do the drafting of uh the final process. So um that means that an auditor performing an audit um on their own um must in five days conduct everything so do the opening and the closing meeting, they do need to do the interviews, they need check the documentation. So that becomes uh that's a pretty challenging task. Um so um the auditor must use time wisely and that's why they only uh focus on key processes. So you won't be able to see everything. So that's the reason why you need to focus on the key processes and the critical systems that you want to audit. + +Now looking at the audit objectives, they need to be stated by the certification body. So usually a certification body uh creates um um audit objectives for ISO 27001 audits that might be different from a stage one and a stage two, but the audit objectives are there to verify. If the ISMS conforms to the requirements of the standard. Also to check if the ISMS is effective in meeting their intended results. And it's to check if the organization can reach their information security objectives. based on their own criteria. So having those audit objectives in place is your first step of course to start your audit. + +Now looking at the audit objectives, ISO 17021-1 clause 9.1.1.1.2 gives a little bit more information about that. So the audit objectives really need to describe what is accomplished by an audit and needs to include a couple of things. So there are four things that need to be included. 
So first of all, needs to include that there is a determination of the conformity of the client's management system or parts of it with the audit criteria There needs to be a determination of the ability of the management system to ensure that the client meets all statutory, regulatory, and contractual requirements There needs to be a determination of the effectiveness of the management system to ensure that the client can reasonably expect to achieve the specified objectives. And of course, there needs to be, as applicable, an identification of areas for improvement to the management system. So that's usually what is stated in the audit objectives. If you look at an audit report that's usually stated on the first page. + +Besides that, the audit scope will need to be determined. Also, ISO 17021 Uh gives there some uh insight. The audit scope will describe what are the boundaries of the audit and what is the extent, what is the the boundary like what are the number of sites, what are the organizational units What are activities and processes to be audit? So the audit scope is something different than the scope of the management system. So the ISMS scope is probably more broader Then the audit scope. It of course the audit scope needs to be consistent with the audit program and also with the audit objectives But it doesn't necessarily include all of the organizations processes and products which may be covered by the ISMS. 
So if we look at an example, it might be that in a bank, for example, that for auditing the overall activities of a bank that has like a head office, four processing centers um a couple of regional offices and uh a multitude of branches um that for the audit scope we would all only um visit the head office One data processing center and only five regional office and twenty-five branches, for example So that would mean that you will not would not need to visit all the sites and all the branches because that would be become very expensive And that would also mean that it would take a lot of time to do that. So the audit scope is not necessarily the same as the ISMS scope It's usually a little bit um uh smaller than the ISMS scope, but it needs to be in line with the audit program and the audit objectives. + +We'll have a look at the audit scope. So it might also be so you he will he or she will look with the auditee at the audit scope and to see if there need to be any changes made when they're on site. So it might be that you determine an audit scope and you come on site, you d conduct a couple of interviews and you come to the conclusion that basically the audit scope is not completely correct. And then the Audit team leader needs to have a discussion with the client. So what might that, for example, be? For example, the ISMS scope wasn't really clear at the beginning of the process and while doing the interviews it becomes more clear. There are recent changes in technology that have not been communicated. There have been an acquisition that has not been communicated. Or there might be something happening, for example, like a fire that forces you to change the audit scope. Whenever that happens, those changes need to be documented in a clear way. And of course, the certification body also needs to be informed So there are a couple of things that then can happen if the auditor and the auditee don't agree on the change of the audit scope, there are two possibilities. 
Either continue with the audit as in the initial scope or state that you stop the audit and that you withdraw with the audit because it's impossible to complete the audit. So there are two things that you can do in that instance. + +[^1]: This agreement formally documents and confirms the acceptance of the audit's terms and conditions, including the audit objectives, scope, criteria, and the responsibilities of the auditee's top management diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.3-Initiation-of-the-audit-process.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.3-Initiation-of-the-audit-process.md index 0b29e0f..44b9ff1 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.3-Initiation-of-the-audit-process.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S10.3-Initiation-of-the-audit-process.md 
@@ -7,14 +7,86 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S10.3 Initiation of the audit process ## Abstract -This session covers defining audit criteria, establishing the certification agreement, and the initial contact with the auditee. Audit criteria in an ISMS audit consist of ISO 27001 clauses 4-10 and the organization's own ISMS requirements, including policies, procedures, and controls. The session discusses challenges when auditing small organizations, where segregation of duties and documentation sophistication may be limited. The certification agreement formalizes audit dates, objectives, scope, criteria, and responsibilities. The session also explains the content of the engagement letter, initial contact with the auditee, and how the audit schedule should be structured and shared in advance. +This session covers defining audit criteria, establishing the certification agreement, and the initial contact with the auditee. Audit criteria in an ISMS audit consist of ISO 27001 clauses 4-10 and the organization's own ISMS requirements, including policies, procedures, and controls. The session discusses challenges when auditing small organizations, where segregation of duties and documentation sophistication may be limited. +The certification agreement formalizes audit dates, objectives, scope, criteria, and responsibilities. The session also explains the content of the engagement letter, initial contact with the auditee, and how the audit schedule should be structured and shared in advance. +## Accepting the Audit Mandate + +Both the certification body and the certified auditor need to accept the Audit Mandate. + +A couple of things need to be done: +1. review previous annual reports of the auditee: will they be able to pay all fees? +2. assess the integrity of the auditee +3. check with previous auditors for inconsistencies in audit procedures +4. 
check if accepting the audit would violate any regulatory requirements + +## Certification agreement + +The certification agreement is an agreement between the auditee and the certification body. + +The certification agreement generally includes the following: +- Audit objectives +- Audit scope +- Audit criteria +- Responsibilities of the auditee's top management +- Unrestricted access to information and other resources +- An agreement concerning the planning and the conduct of the audit +- The basis on which fees and invoicing are calculated. + +The **audit criteria** for an ISMS conformity assessment audit are: +- the requirements of ISO 27001, clauses 4 to 10 +- any relevant ISMS requirements that the organization has set for itself + +These requirements can be expressed in processes, procedures, controls, relevant policies, codes of conduct, documentation, etc. + +## Establish Contact with the Auditee + +The audit team leader prepares an engagement letter and sends it to the auditee. It usually contains various audit details, including the intention to schedule the initial contact. + +The objectives of the initial contact are to: + +- gain a better understanding of the auditee +- establish communication channels +- review the audit objectives +- introduce the audit team members +- *confirm* the audit schedule set in the certification agreement +- request access to documented information +- make logistical arrangements +- agree on the presence of guides (of the auditee) and observers (of the auditor) + + + +--- ## Transcription -When looking at an audit, you need to define the audit criteria. So in management systems, the audit criteria are really the requirements of the standard against which the auditee wishes to obtain certification. coupled with other requirements that the audit T has determined. So in an ISMS conformity assessment audit, the following audit criteria are used as a reference against which conformity is determined. 
So, first of all the requirements of ISO 27000 as defined in clauses 4 until 10 And then on top of that, the relevant ISMS requirements that the organization has set for itself. So that can be expressed in processes, procedures, controls, relevant policies, and so forth. So that will be used of course with whatever is being audited. So the audit criteria is really an essential part of the auditor because that is the checkbox or the reference check that the auditor will do to determine the conformity. If a non-conformity is being declared, it is always based on specific audit criteria So sp all any other additional criteria, audit criteria may come out of internal policies that you put, any laws of regulations, contracts that you've put. But mainly clauses 4 and 10 and then every other control that the organization has deemed part of the ISMS. Now when you perform audits in small organizations that sometimes poses a challenge. Um so That also means that um sometimes uh auditors um are used to auditing big organizations, so uh we tend to be used to very sophisticated management system or um very sophisticated record management systems. While in small organizations that is often not the case and it's not even preferable or desirable because it will overc um uh complicate uh things So in small organizations it's also d often the case that one person at the segregation of duties is a little bit more difficult in those small organizations. So it might be that um owners or managers uh control all the decision making processes but also intervene personally from time of time So what we also see happen a lot is that all the or that at least in small organizations the owners or the managers are not fully aware of their responsibilities and those of auditors. So it it it's very important to have that clearly state. 
Stated before the audit, the only thing that you also need to consider there is that if you're working with an audit team that might pose a challenge because you cannot um yeah you're you're talking to the same people and people cannot duplicate um so you need to take into consideration that um yeah you have a limited set of people you can talk to Documentation can be less sophisticated and of course the manager takes a very uh prominent uh role in that. The certification body will agree in the end on the terms and conditions of the audit. It will be agreed upon in a formalized certification agreement. It's in best interest that both parties sign this to understand or to avoid possible misunderstandings And the certification agreement documents and confirms the acceptance of the audit, also the audit dates, audit objectives, criteria, and scope. So it's a very important um document because it really has that objective uh of the certification agreement that is the clear communication of responsibilities also to the top management How is that usually done? It's usually just a contract like everything else, which states very clearly what will be done. Sometimes I see it also for the three-year cycle, so it's dependent from certification body to certification So, what is included in the certification agreement? The certification agreement generally includes the audit objectives, the audit scope, the audit criteria, but also the responsibilities of the audit stop management, ensuring that they are present when the audit happens. It also stipulates the unrestricted access to information and other resources. It also has usually an agreement concerning the planning and the conduct of the audit and of course the basis of the fees and other types of invoicing, how it is calculated, what is included in audit time, what is not included in audit time. 
So a certification body should only accept the audit, of course, um if they've also done a check um to the auditee um to check if um the audit has is uh the check of the integrity, the reputation, and those kind of things. You might also think about including Um for example, uh if you have any technical experts that need to attend um the audit, you might also uh think About that, you can also think about reference to other agreements. But usually the certification body has like a template for that where everything is included Now looking at the audit mandate, so there are a couple of steps that need to be undertaken in accepting an audit mandate So first of all, the certification body looks at all information regarding previous annual reports. Of course, you're going to check as a certification body Is the Odity able to pay all their fees? Will it be uh is it a financial strong organization? Secondly, you will ask information about the integrity of the potential Auditee You, if possible, want to check with previous auditors if there are any inconsistencies in audit procedures and you would also check if there would be any violation of um applicable regulatory uh requirements if you would accept uh the audit. So those are uh the things that you uh need to do Now the audite usually contacts the certification body uh themselves because they're looking uh for an auditor. But prior to the initial contact with the Audite, the audit team leader will prepare an engagement letter and send it to the Auditee. So the engagement letter um is basically um a a letter that states hey I'm your uh lead auditor I'll be coming uh to visit you um these are the dates um perhaps he can he or she can ask to have uh um a call to just get acquainted before you um end up on their doorstep on the day of the audit. So that might be uh the thing. 
So uh the really that initial contact is really to get a better understanding about um the oddity about the customer to understand how um do they want to communicate You want to introduce the team members as well. You want to check that the audit schedule is still okay, that they don't have any wrong dates in their calendar. Potentially you can also ask access to the documented information. Um you also want to check depending how the organization is set up, uh where do you need to park your car, how do I need to access the building, those kind of things. And if there are any observers or any other, for example, auditors in training, if you bring them along You might introduce that as well. So it's really a first contact with the auditee to get acquainted and to inform them about everything that will happen in that audit The audit schedule is of course important both for the audit team as for the audit tee because there need to be people available. So the audit schedule is basically the list of actions that will be done during the audit and link to that uh when it will be happening. So what usually happens I usually uh make an Excel spreadsheet, I divide it in the hours and I tell them um Yeah, what process or what team that I want to talk and which controls or uh clauses I will be discussing about. So um the audit schedule needs to reflect basically the importance of the activities. It's crucial uh to prepare that time uh that schedule based on the time that you have available while of course optimizing the effectiveness and efficiency um of the audit. So to be to have an efficient audit you need to provide the audit schedule uh before you start with uh the audit and before you arrive on the um audit. 
Usually certification bodies have like internal processes as well that uh state that you need to provide the internal audit schedule or the audit scheduled to the customer six weeks in advance, for example, in order to give the auditee enough time to indicate which resources should be available if people are on holiday that they can be uh backed up by somebody else, but also indicate if something wouldn't be possible so that you still have enough time to change the audit schedule. So again, a pretty um long section. Um so before let me summarize a little bit um before accepting the audit mandate, the auditor receives an offer from the certification body The process of accepting the audit mandate helps in avoiding any misunderstanding that may arise during the audit. An audit offer generally includes the audit objective, the scope, the criteria and the duration of the audit, but also the team members if they're already known and the responsibility of each team member, but also the limits of the audit engagement and the auditors' payment. For each audit, and also in the case of joint audits, the certification body appoints one audit team leader. There can only be one audit team leader who is responsible for conducting the audit until its completion. In management system audits, the audit criteria are comprised of the requirements of the standard against which the Auditee wishes to obtain certification and any other requirements that the Auditee might determine. The certification body and the auditee must agree on the terms and conditions of the audit, and the audit objectives must be defined and the audit scope must be validated before the audit starts. \ No newline at end of file +When looking at an audit, you need to define the audit criteria. So in management systems, the audit criteria are the requirements of the standard against which the auditee wishes to obtain certification. coupled with other requirements that the audit T has determined. 
So in an ISMS conformity assessment audit, the following audit criteria are used as a reference against which conformity is determined. So, first of all the requirements of ISO 27000 as defined in clauses 4 until 10 And then on top of that, the relevant ISMS requirements that the organization has set for itself. So that can be expressed in processes, procedures, controls, relevant policies, and so forth. So that will be used of course with whatever is being audited. + +So the audit criteria is an essential part of the auditor because that is the checkbox or the reference check that the auditor will do to determine the conformity. If a non-conformity is being declared, it is always based on specific audit criteria So sp all any other additional criteria, audit criteria may come out of internal policies that you put, any laws of regulations, contracts that you've put. But mainly clauses 4 and 10 and then every other control that the organization has deemed part of the ISMS. + +Now when you perform audits in small organizations that sometimes poses a challenge. Um so That also means that um sometimes auditors um are used to auditing big organizations, so we tend to be used to very sophisticated management system or um very sophisticated record management systems. While in small organizations that is often not the case and it's not even preferable or desirable because it will overc um complicate things So in small organizations it's also d often the case that one person at the segregation of duties is a little bit more difficult in those small organizations. + +So it might be that um owners or managers control all the decision making processes but also intervene personally from time of time So what we also see happen a lot is that all the or that at least in small organizations the owners or the managers are not fully aware of their responsibilities and those of auditors. So it it it's very important to have that clearly state. 
Stated before the audit, the only thing that you also need to consider there is that if you're working with an audit team that might pose a challenge because you cannot um yeah you're you're talking to the same people and people cannot duplicate um so you need to take into consideration that um yeah you have a limited set of people you can talk to + +Documentation can be less sophisticated and of course the manager takes a very prominent role in that. The certification body will agree in the end on the terms and conditions of the audit. It will be agreed upon in a formalized certification agreement. It's in best interest that both parties sign this to understand or to avoid possible misunderstandings And the certification agreement documents and confirms the acceptance of the audit, also the audit dates, audit objectives, criteria, and scope. So it's a very important um document because it has that objective of the certification agreement that is the clear communication of responsibilities also to the top management How is that usually done? It's usually just a contract like everything else, which states very clearly what will be done. Sometimes I see it also for the three-year cycle, so it's dependent from certification body to certification + +So, what is included in the certification agreement? The certification agreement generally includes the audit objectives, the audit scope, the audit criteria, but also the responsibilities of the audit stop management, ensuring that they are present when the audit happens. It also stipulates the unrestricted access to information and other resources. It also has usually an agreement concerning the planning and the conduct of the audit and of course the basis of the fees and other types of invoicing, how it is calculated, what is included in audit time, what is not included in audit time. 
+ +So a certification body should only accept the audit, of course, um if they've also done a check um to the auditee um to check if um the audit has is the check of the integrity, the reputation, and those kind of things. You might also think about including Um for example, if you have any technical experts that need to attend um the audit, you might also think About that, you can also think about reference to other agreements. But usually the certification body has like a template for that where everything is included + +Now looking at the audit mandate, so there are a couple of steps that need to be undertaken in accepting an audit mandate So first of all, the certification body looks at all information regarding previous annual reports. Of course, you're going to check as a certification body Is the auditee able to pay all their fees? Will it be is it a financial strong organization? Secondly, you will ask information about the integrity of the potential Auditee You, if possible, want to check with previous auditors if there are any inconsistencies in audit procedures and you would also check if there would be any violation of um applicable regulatory requirements if you would accept the audit. So those are the things that you need to do + +**Establish Contact with the Auditee** Now the auditee usually contacts the certification body themselves because they're looking for an auditor. But prior to the initial contact with the Auditee, the audit team leader will prepare an engagement letter and send it to the Auditee. So the engagement letter um is basically um a a letter that states hey I'm your lead auditor I'll be coming to visit you um these are the dates um perhaps he can he or she can ask to have um a call to just get acquainted before you um end up on their doorstep on the day of the audit. So that might be the thing. 
So the that initial contact is to get a better understanding about um the auditee about the customer to understand how um do they want to communicate + +You want to introduce the team members as well. You want to check that the audit schedule is still okay, that they don't have any wrong dates in their calendar. Potentially you can also ask access to the documented information. Um you also want to check depending how the organization is set up, where do you need to park your car, how do I need to access the building, those kind of things. And if there are any observers or any other, for example, auditors in training, if you bring them along You might introduce that as well. So it's a first contact with the auditee to get acquainted and to inform them about everything that will happen in that audit + +The audit schedule is of course important both for the audit team as for the audit tee because there need to be people available. So the audit schedule is basically the list of actions that will be done during the audit and link to that when it will be happening. So what usually happens I usually make an Excel spreadsheet, I divide it in the hours and I tell them um Yeah, what process or what team that I want to talk and which controls or clauses I will be discussing about. So um the audit schedule needs to reflect basically the importance of the activities. It's crucial to prepare that time that schedule based on the time that you have available while of course optimizing the effectiveness and efficiency um of the audit. So to be to have an efficient audit you need to provide the audit schedule before you start with the audit and before you arrive on the um audit. 
+ +Usually certification bodies have like internal processes as well that state that you need to provide the internal audit schedule or the audit scheduled to the customer six weeks in advance, for example, in order to give the auditee enough time to indicate which resources should be available if people are on holiday that they can be backed up by somebody else, but also indicate if something wouldn't be possible so that you still have enough time to change the audit schedule. + +So again, a pretty um long section. Um so before let me summarize a little bit um before accepting the audit mandate, the auditor receives an offer from the certification body. The process of accepting the audit mandate helps in avoiding any misunderstanding that may arise during the audit. An audit offer generally includes the audit objective, the scope, the criteria and the duration of the audit, but also the team members if they're already known and the responsibility of each team member, but also the limits of the audit engagement and the auditors' payment. For each audit, and also in the case of joint audits, the certification body appoints one audit team leader. There can only be one audit team leader who is responsible for conducting the audit until its completion. In management system audits, the audit criteria are comprised of the requirements of the standard against which the Auditee wishes to obtain certification and any other requirements that the Auditee might determine. The certification body and the auditee must agree on the terms and conditions of the audit, and the audit objectives must be defined and the audit scope must be validated before the audit starts. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.1-Stage-1-audit.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.1-Stage-1-audit.md index 46bbfd9..50ac762 100644 
--- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.1-Stage-1-audit.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.1-Stage-1-audit.md 
@@ -7,14 +7,125 @@ tags: - PECB-LA isotags: [] status: active -processed: false +processed: true --- # S11.1 Stage 1 audit ## Abstract -This session explains the objectives and steps of a stage one audit, which focuses on the design rather than the effectiveness of the ISMS. The stage one audit, typically conducted two to four weeks before stage two, involves reviewing documented information, assessing site-specific conditions, and evaluating whether the organization understands the standard's requirements. On-site activities include familiarizing with the location, meeting personnel, observing technology in use, and planning for stage two. The session also explains how to evaluate documented information across three criteria: content completeness, format consistency (version numbers, author, approval), and document management procedures. +This session explains the objectives and steps of a stage one audit, which **focuses on the design rather than the effectiveness of the ISMS**. The stage one audit, typically conducted two to four weeks before stage two, involves reviewing documented information, assessing site-specific conditions, and evaluating whether the organization understands the standard's requirements. On-site activities include familiarizing with the location, meeting personnel, observing technology in use, and planning for stage two. The session also explains how to evaluate documented information across three criteria: content completeness, format consistency (version numbers, author, approval), and document management procedures. + +## Objectives of the Stage 1 audit + +The primary objective of Stage 1 is assessing the ISMS *design* — validating if documented processes actually exist and are effective is part of Stage 2. 
+ +This breaks down into 6 objectives: + +- review the documented information of the auditee's ISMS +- gather information on the scope of the ISMS and the allocation of resources +- review the auditee's understanding of ISO 27001 requirements +- evaluate if internal audits and management reviews are planned and performed +- get information for the planning of Stage 2 +- assess the site-specific conditions + +## Stage 1 Audit activities + +The PECB method lists 3 steps: + +1. Prepare for on-site activities +2. Conduct on-site activities +3. Document the stage 1 audit outputs + +The main reason of preparing for on-site activities, is that the objectives of Stage 1 can be met. The preparations mainly consist of a general review of the documented information. + +## Activities during the on-site visit + +**Evaluating the location and site-specific conditions** — make yourself familiar with the location to better assess the risks related to the specific conditions of the auditee. Get acquainted with security rules regarding hygiene, health and safety in the workplace, if any personal protective equipment is necessary. + +**Make contacts with the auditee's personnel** — employees should understand the scope and the objectives of the audit they are involved in. Check if everybody has been well prepared and is motivated. Get a feeling for the organization's structure and culture. + +**Observe the technologies in use** — not in detail, but to get a bit more familiar with the technologies that where described in the documentation. + +**Observe the operation of the ISMS in general** — validate the scope of the management system and the audit. Understand the legal constraints, regulatory and contractual requirements. Talk to top management to ensure they understand their responsibility. Establish touch points with key interested parties. + +In a smaller organization you will talk with the person responsible for the ISMS, the internal auditor, and someone from top management. 
In a larger audit you may have interviews with someone from HR, an information security manager, perhaps someone responsible for physical security. + +## Review of documented information + +This is a very important part of the Stage 1 audit. + +The auditor will typically look at the information security policy, operational procedures, the asset inventory, awareness or training sessions, and previous audit reports. + +The documentation will be checked for being current, signed, dated and consistent. All documents should be updated, have an owner, and so forth. + +ISO 19011, clause 6.3.1 tells us the purpose of the documents review: +- understand the auditee's operations +- prepare audit activities and applicable audit work documents +- get an overview of the documented information to determine possible conformity and detect possible areas of concern (deficiencies, omissions, conflicts). + +The information provided should sufficiently demonstrate being: +- complete (all expected information is present) +- correct (confirming to standards and regulations) +- consistent (internally and with related documents) +- current (up to date) + +The auditor will also check if documentation has been approved/signed, + +The auditor will check: +- the **contents** — against the minimum requirements of the standard +- the **format** — is the format standardized, does it contain a title, identification of the author, production date, version number, approval, document classification. +- the **process** for managing documented information — how documents get drafted, approved, stored, distributed, reviewed, updated, etc. + + +--- ## Transcription -So in section 11 we will be uh discussing the objectives and the steps of a stage one audit. We will go over the steps in detail. In addition, this section includes also information on how to prepare and to conduct the on-site activities and among other things how you should review documented information and their types. 
So let's dive into it. Let's have a look what the objectives of a stage one audit are. As you all know, an ISO 27001 audit by a certified body is separated into two stages. Stage one and a stage two. So during the stage one audit, the auditor does not yet verify the effectiveness of the management system in place but it's design. So basically the auditor will only check the effectiveness of the management system during the stage two on-site audit to validate whether the documented processes exist and are effective and also comply with the standard requirements. So what is the stage one audit then about? So first of all, the auditor will have uh a look and will review the audities management system documented information. That's why it's also um often referred to as a documentation audit. So it really the auditor really looks at what has the organization documented. The auditor will also check for any site-specific conditions that the audit D has put in place. During that stage one audit, the auditor will also review the re or the uh the oddity's understanding of the standard requirements. He or she will gather information regarding the scope of the management system and also have already a look at the preparation for the stage two audit. So um it's really to get an understanding on how many sites need to be visited. What are the resources that need to be in place for the stage two audit in order to really get insight on a good planning for that stage two audit? And finally, the auditor will also check if an internal audit and a management review have been executed, have they been performed and planned in the way as is necessary for the standard Stage one audit steps. The stage one ideally takes time in between two or four weeks before the stage two audit. It depends a little bit on what the organization requires as well. 
Sometimes even a stage one and a stage two can be performed separately, but usually there is two to four weeks in between the stage one and the stage two audit. A stage one audit should not be too far from the stage two audit either. So usually it doesn't go over the 12 weeks mark and that's really the the the biggest time lap that can between can be between a stage one and a stage two audit um and that's done because uh you don't want any uh changes uh man happening in your management system Of course, that the design that you've reviewed is not necessarily reflected in a stage two anymore. So it should also be conducted far enough apart so that you have time to prepare, of course the on-site audit plan, but also to give the organization some time to work on areas of concern that has been identified during the stage one Usually 30% of the total audit time is spent on stage one audits. Um, and um usually I I prefer to do the stage one audit on site because you get a good feeling on what um yeah the audite's organization look like but um a part of the um stage one can also be performed remotely but it it is um a common practice that you do it on site To get that feeling of the organization. However, the review of the documented information of course can be done either at the audit site or remotely. So both are an option there. So, when looking at the approach at the audit program management, we're at phase two in the stage one audit. As you can see, there are three activities that need to be performed there. So we need to prepare for the on-site activities. We need to conduct the on-site activities and of course we need to document the output of the stage one audit. Looking at the preparation of the on-site activities. So The reason uh for having that um preparation there is of course to ensure that the objectives of stage one can be met and the client will be informed about um any on-site activities that will be happening during uh stage one. 
So first of all, the the audit team should carry out a general review of the documented information that the organization has in place. So what will they be looking at? They will be looking at the information security policy, obviously, any operational procedures, an asset inventory. Awareness or training sessions, previous audit reports. There is also a general review should be conducted to evaluate whether the documented information is current Signed and dated and of course consistent. So all the documentations should be updated, should have an owner, and so forth And this helps, of course, to give uh the auditor a systematic and structured approach when uh he goes through the audit. So as I stated previously, in determining the interval between phase one and phase two, you need to take into account that you need to give some time to the organization to resolve any areas of concern And yeah, it might also be that you decide to postpone the stage two audit based on the areas of concerns that you have identified in your stage one. So if that happens, of course, it might be that you need to redo parts of your stage one audit, but when that happens, the client will obviously be informed. Usually the interval is also determined not only on the areas of concern that you might have found in the audit, but it's also associated with the availability of auditors, of course, to take on the audit. So you've conducted, you have set down a planning, you did the review of the documentation. What are you going to do when you're on site? So you're going to do in general four steps or four things. First of all, you will um have a look at the location and site-specific conditions of the audit. Um so the auditor uh should make himself familiar with the location in order to assess better at the risks that are related to the specific conditions of the oddity. Also you should also get as an auditor information on security rules regarding hygiene, health and safety in the workplace. 
understanding that if there is any use of personal protective equipment when necessary. You also want to understand that if you wanna uh if you are conducting a stage two, you also want to understand if that's necessary as well for you when you're conducting this Stage two. Secondly, you want to make contact with the personnel of the Odity. So it's the first um instance. Well, basically, it's the second time that you have contact, and the first time you uh Send the auditee uh an email or a confirmation letter that you will be coming along. But this time you're on site, you're having contact with a lot of different people within the organization So that moment in time is really necessary to understand that people know about, that they are involved of the scope and the objectives of the audit. In addition to the presentation of the audit team, it will give you also a great opportunity to see if everybody has been well prepared, if they have the right motivation. And you can also already get a little bit of a feeling on how the organization is structured, what is the culture within the organization. So it will give you a good feel about the organization. You will also be observing the technologies that your audity is using. So during the internal the first stage audit, you will not go into the very uh detail of the technologies that are used. But you will be able to observe already based on the documented information, based on the interviews that we're having, you get a little bit more used, you get a little bit more familiar about the technologies that the Odity is using And in general, you will also observe the operation of the ISMS. And that will help you as an auditor to better evaluate the risks. To the specific context of the audity. It will be helpful to prepare any audit plan and any test plan for your stage two audit, obviously. So during that stage one audit, um there are a couple of things that you uh need to validate. 
So uh you need to validate um Mainly the scope of the management system and the audit. You want to understand what are the legal constraints, what are regulatory and contractual requirements. You also want to uh talk to top management to ensure that they understand what their responsibility is. You want to have a touch point with key interested parties and you want to do the stage two uh audit planning So during that stage one audit, you will obviously not talk to as many people as you will do in a stage two. So you will have some interviews with key interested parties. So the goal of the objective of those interviews is not really to collect evidence like you would do in a stage two audit, but it's more to validate the compliance of the management system with the standard requirements and to understand basically to get insight in the context of the organization and how that management system responds to them So usually uh what happens, and usually you talk to two to three people and you talk to the person who's responsible to the ISMS because they can give you an explanation how the management system has been set up You always talk to somebody from top management to understand their reasoning behind wanting to obtain a certificate. You want to understand if they um really get uh a grasp of their responsibility and usually um you also talk to the internal auditor to to to check if uh internal audits have been uh performed Of course, if you have an uh a stage one audit that goes over a couple of days, that sometimes happens when you have a huge organization, then you will of course have interviews with other people like HR, like an information security manager, or perhaps somebody who's responsible for the physical security, uh, also to get a better understanding of how things are being arranged within the organization. A very important part of that stage one audit is the review of the documented information. 
So, documented information, if we look at ISO 1911, class 6. 3. 1 gives a little bit more information. So it states the relevant management system, documented information of the audity should be reviewed in order to get gather information. to understand the audite's operations and to prepare audit activities and applicable audit work documents, for example, on processes And functions, and it will also establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas as concerned, such as deficiencies, omissions, and conflicts. So three things that you basically add the documented uh read the review of the documented information will review in three main things. First of all, you get a general understanding of the function of the management system. You understand how each process is integrated with each other, how you best audit it. It's good to have an overview of that general process overview. You will be able to do an evaluation of the management system design as well as the related processes and controls Um so to check if they are compliant with the standard and of course you will um be able to check if the internal audit and the management re review have been conducted. So uh those are really important um points that need to uh be checked and of course while while reviewing that documentation The auditor checks if the documentation is complete, if it's up to date, if it has been approved, uh, if it's consistent across all the documentation. to see if there are references to other uh policy documents or other processes that it is in line with whatever has been discussed. So, what are now the criteria for evaluating that documented information? So, first of all, three criteria that needs to be followed. So, it's the content of the documented information. the format and the procedure of the of managing the documented information. So let's have a little bit of a detailed look. 
So content of the documented information, of course an auditor needs to check that the document contains the information that is required by the respective clause of the standard. Obviously that's the purpose of the document. However, the documents may contain only the minimum information required, not everything that the standard specifies. The criteria for the auditor are not the best industry practices, but the minimum requirements specified in the standard. So the standard is leading, so whatever is Written in the standard that the organization shall document should be in the document. However, the organization is free to add any additional information where it deems applicable. Secondly, we look at the format of the documented information. So the auditor must ensure that each piece of the documented information is conform and standardized in terms of format. So there needs to be an identification of the author, uh the production data, there should be a version number, perhaps the approval. Sometimes I also see data classification, the process that it links to. Very important there is when determining in 7. 5 in the clause that the organization determines what the process is for the documented information and that is of course what you want to follow but at a minimum you want to see of course the title a version number the author and the approval Thirdly, you wanna check the um to check if there is a procedure for managing the documented information. And you wanna check if that is in line with the requirements of the standard, and you wanna see that there is a process in place. that documents get reviewed and updated \ No newline at end of file +So in section 11 we will be discussing the objectives and the steps of a stage one audit. We will go over the steps in detail. In addition, this section includes also information on how to prepare and to conduct the on-site activities and among other things how you should review documented information and their types. 
So let's dive into it. Let's have a look what the objectives of a stage one audit are. As you all know, an ISO 27001 audit by a certified body is separated into two stages. Stage one and a stage two. + +So during the stage one audit, the auditor does not yet verify the effectiveness of the management system in place but it's design. So basically the auditor will only check the effectiveness of the management system during the stage two on-site audit to validate whether the documented processes exist and are effective and also comply with the standard requirements. + +So what is the stage one audit then about? So first of all, the auditor will have a look and will review the audities management system documented information. That's why it's also **often referred to as a documentation audit**. So it the auditor looks at what has the organization documented. The auditor will also **check for any site-specific conditions** that the auditee has put in place. During that stage one audit, the auditor will also **review the auditees understanding of the standard requirements**. He or she will gather information regarding the **scope of the management system** and also have a look at the **preparation for the stage two audit**. + +So it's to get an understanding on how many sites need to be visited. What are the resources that need to be in place for the stage two audit in order to get insight on a good planning for that stage two audit? And finally, the auditor will also check if an internal audit and a management review have been executed, have they been performed and planned in the way as is necessary for the standard. + +**Stage one audit steps**. The stage one ideally takes time in between two or four weeks before the stage two audit. It depends a little bit on what the organization requires as well. Sometimes even a stage one and a stage two can be performed separately, but usually there is **two to four weeks** in between the stage one and the stage two audit. 
A stage one audit should not be too far from the stage two audit either. So usually it doesn't go over the **12 weeks** mark and that's the the the biggest time lap that can between can be between a stage one and a stage two audit and that's done because you don't want any changes man happening in your management system. Of course, that the design that you've reviewed is not necessarily reflected in a stage two anymore. + +So it should also be conducted far enough apart so that you have time to prepare, of course the on-site audit plan, but also to give the organization some time to work on areas of concern that has been identified during the stage one + +**Usually 30%** of the total audit time is spent on stage one audits. Usually I prefer to do the stage one audit on site because you get a good feeling on what the auditee's organization look like but a part of the stage one can also be performed remotely but it it is a common practice that you do it on site to get that feeling of the organization. However, the review of the documented information of course can be done either at the audit site or remotely. So both are an option there. + +So, when looking at the approach at the audit program management, we're at phase two in the stage one audit. As you can see, there are **three activities** that need to be performed there. So we need to prepare for the on-site activities. We need to conduct the on-site activities and of course we need to document the output of the stage one audit. + +Looking at the **preparation of the on-site activities**. The reason for having that preparation there is of course **to ensure that the objectives of stage one can be met** and the client will be informed about any on-site activities that will be happening during stage one. So first of all, the audit team should carry out a **general review of the documented information** that the organization has in place. So what will they be looking at? 
They will be looking at the information security policy, any operational procedures, an asset inventory, awareness or training sessions, previous audit reports. Also a general review should be conducted to evaluate whether the documented information is current, signed, dated and consistent. All the documents should be updated, should have an owner, and so forth. And this helps, of course, to give the auditor a systematic and structured approach when he goes through the audit. + +So as I stated previously, in determining the interval between phase one and phase two, you need to take into account that you need to give some time to the organization to resolve any areas of concern. It might also be that you decide to postpone the stage two audit based on the areas of concern that you have identified in your stage one. So if that happens you might need to redo parts of your stage one audit, and when that happens, the client will obviously be informed. Usually the interval is also determined not only on the areas of concern that you might have found in the audit, but it's also associated with the availability of auditors to take on the audit. + +So you've conducted the preparation, you have set down a planning, you did the review of the documentation. + +**Activities during the on-site visit** What are you going to do when you're on site? So you're going to do in general four steps or four things. First of all, you will have a look at the location and site-specific conditions of the audit. so the auditor should make himself familiar with the location in order to assess better at the risks that are related to the specific conditions of the auditee. Also you should also get as an auditor information on security rules regarding hygiene, health and safety in the workplace, understanding that if there is any use of personal protective equipment when necessary. 
You also want to understand that if you wanna if you are conducting a stage two, you also want to understand if that's necessary as well for you when you're conducting this Stage two. + +Secondly, you want to make contact with the personnel of the Auditee. So it's the first instance. Well, basically, it's the second time that you have contact, and the first time you Send the auditee an email or a confirmation letter that you will be coming along. But this time you're on site, you're having contact with a lot of different people within the organization So that moment in time is necessary to understand that people know about, that they are involved of the scope and the objectives of the audit. In addition to the presentation of the audit team, it will give you also a great opportunity to see if everybody has been well prepared, if they have the right motivation. And you can also already get a little bit of a feeling on how the organization is structured, what is the culture within the organization. So it will give you a good feel about the organization. You will also be observing the technologies that your auditee is using. So during the internal the first stage audit, you will not go into the very detail of the technologies that are used. But you will be able to observe already based on the documented information, based on the interviews that we're having, you get a little bit more used, you get a little bit more familiar about the technologies that the auditee is using. + +And in general, you will also observe the operation of the ISMS. And that will help you as an auditor to better evaluate the risks. To the specific context of the auditee. It will be helpful to prepare any audit plan and any test plan for your stage two audit, obviously. + +So during that stage one audit, there are a couple of things that you need to validate. You need to validate the scope of the management system and the audit. 
You want to understand what are the legal constraints, what are regulatory and contractual requirements. You also want to talk to top management to ensure that they understand what their responsibility is. You want to have a touch point with key interested parties and you want to do the stage two audit planning + +So during that stage one audit, you will obviously not talk to as many people as you will do in a stage two. You will have some interviews with key interested parties. The objective of those interviews is not to collect evidence like you would do in a stage two audit, but it's more to validate the compliance of the management system with the standard requirements and to get insight in the context of the organization and how that management system responds to that. + +So usually you talk to two to three people, and you talk to the person who's responsible to the ISMS, because they can give you an explanation how the management system has been set up. You always talk to somebody from top management to understand their reasoning behind wanting to obtain a certificate. You want to understand if they get a grasp of their responsibility and usually you also talk to the internal auditor to check if internal audits have been performed. + +Of course, if you have an a stage one audit that goes over a couple of days, that sometimes happens when you have a huge organization, then you will of course have interviews with other people like HR, like an information security manager, or perhaps somebody who's responsible for the physical security, also to get a better understanding of how things are being arranged within the organization. + +A very important part of that stage one audit is the review of the documented information. So, documented information, if we look at ISO 1911, clause 6.3.1 gives a little bit more information. So it states the relevant management system, documented information of the auditee should be reviewed in order to gather information. 
to understand the auditee's operations and to prepare audit activities and applicable audit work documents, for example, on processes and functions, and it will also establish an overview of the extent of the documented information to determine possible conformity to the audit criteria and detect possible areas as concerned, such as deficiencies, omissions, and conflicts. + +So three things that you basically add the documented read the review of the documented information will review in three main things. First of all, you get a general understanding of the function of the management system. You understand how each process is integrated with each other, how you best audit it. It's good to have an overview of that general process overview. You will be able to do an evaluation of the management system design as well as the related processes and controls so to check if they are compliant with the standard and of course you will be able to check if the internal audit and the management re review have been conducted. + +So those are important points that need to be checked and of course while while reviewing that documentation The auditor checks if the documentation is complete, if it's up to date, if it has been approved, uh, if it's consistent across all the documentation. to see if there are references to other policy documents or other processes that it is in line with whatever has been discussed. + +So, what are now the criteria for evaluating that documented information? So, first of all, three criteria that needs to be followed. So, it's the content of the documented information. the format and the procedure of the of managing the documented information. + +So let's have a little bit of a detailed look. So content of the documented information, of course an auditor needs to check that the document contains the information that is required by the respective clause of the standard. Obviously that's the purpose of the document. 
However, the documents may contain only the minimum information required, not everything that the standard specifies. The criteria for the auditor are not the best industry practices, but the minimum requirements specified in the standard. So the standard is leading, so whatever is written in the standard that the organization *shall* document should be in the document. However, the organization is free to add any additional information where it deems applicable. + +Secondly, we look at the format of the documented information. So the auditor must ensure that each piece of the documented information is conform and standardized in terms of format. So there needs to be an identification of the author, the production data, there should be a version number, perhaps the approval. Sometimes I also see data classification, the process that it links to. Very important there is when determining in 7. 5 in the clause that the organization determines what the process is for the documented information and that is of course what you want to follow but at a minimum you want to see of course the title a version number the author and the approval. +Thirdly, you wanna check the to check if there is a procedure for managing the documented information. And you wanna check if that is in line with the requirements of the standard, and you wanna see that there is a process in place. that documents get reviewed and updated. \ No newline at end of file diff --git a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.2-Stage-1-audit.md b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.2-Stage-1-audit.md index 994ff4a..8655fae 100644 --- a/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.2-Stage-1-audit.md +++ b/Corpus/Standards/ISO27x/PECB-Lead-Auditor-Training/transcriptions/S11.2-Stage-1-audit.md 
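Review bot: the cleanup in this hunk is incomplete, and some of the leftovers are the same kind of slip it fixed a few words away. `class 6. 3. 1` became `clause 6.3.1`, but the standard right before it still reads `ISO 1911` (presumably ISO 19011, the management-system auditing guideline), and `7. 5` in the format paragraph keeps the spacing that `6.3.1` lost; suggest `ISO 19011, clause 6.3.1` and `clause 7.5`. Other transcription residue still in the `+` text that a second pass should catch: `it's design` (its design), `audities management system` and `auditees understanding` (auditee's), `changes man happening`, `if you wanna if you are conducting`, `you have an a stage one audit`, `So three things that you basically add the documented read the review`, `while while reviewing` and the stray `uh,` in the completeness sentence, `the procedure of the of managing`, `Thirdly, you wanna check the to check`, `areas as concerned` (areas of concern), `the production data` (production date), and the mid-sentence capitals in `Send the auditee`, `Stage two` and `Auditee`. Two layout points: the inline bold labels are punctuated inconsistently, `**Stage one audit steps**.` with a full stop versus `**Activities during the on-site visit** What are you going to do` with nothing, so either make both proper headings or end both the same way; and the `+Thirdly` paragraph lacks the blank line every other paragraph gets. The sentences ending `stage two audit planning` and `during the stage one` are missing their full stops, and the new file still ends with `\ No newline at end of file`, which a trailing newline would fix.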
@@ -15,6 +15,16 @@ processed: false This session covers the four levels of documentation reviewed during a stage one audit: strategic documents (scope, policy, objectives), risk management documentation, process and procedure descriptions answering who/what/when/where/why/how, and records serving as evidence of conformity. The session explains how to verify the internal audit program and reports, including checking auditor competence, audit plan coverage, and follow-up on findings. Electronic document management is also addressed, covering access arrangements, retention policies, backup, and IT resource adequacy. The stage one audit output documents areas of concern that could become nonconformities in stage two, giving the auditee time to address gaps. +## Four levels of documentation + +![](CleanShot%202026-06-09%20at%2020.53.01.png) + + + + + +--- + ## Transcription Now, what type of documents need to be audited? So it's um there are um actually four levels of documentation that can be audited So on a first level, which is also called the strategic level, which is anything that has to do with the governance framework. So the ISMS scope The objectives, the policy, any other strategic documentation, that is basically where you want to start first as an auditor because it will give you the general overview And you basically go uh you dive deeper into detail um along the way. So after level one you go to level two uh two, which is um information that is um yeah basically related to risk management so it is the documented information on all the processes and the controls. So it really describes the why, what, how, when, by who. So it gives you that description of the process. At third level, you go to the individual processes and procedures where you check from okay how in detail are procedures being performed. And then on a third fourth level It's really the records where you um have any supporting documentation, the evidence of conformity happens uh there. 
So basically um starting with the governance uh framework, looking into the risk assessment then looking at all the different processes and procedures, and then checking for the evidence. That's basically the the strategic approach or the structured approach that an auditor should take to really see the um the linkages between the documentation uh within an organization. The auditor must validate, of course, that the documented information includes records that demonstrate the audite's management commitment. To the establishment implementation, operation, monitoring, and of course the continual review update as well. So that means that the strategic documents need to have um a couple of um central things in there. And it's all related to whatever decisions have been taken, any approvals that need to be taken. So the ISMS scope is of course something that the management team has been involved with. So you look at that You look at the information security policy, it's also a policy that top management needs to create and needs to sign and communicate to the organization. So you want to have a look at that Risk management at a risk acceptance and the risk evaluation criteria is something that stopped needs to sign off on. So you want to ensure that you have a look at those as well. the resources um uh that are um meant to implement the ISMS so people, money, uh consultants, you wanna uh check that and of course The management review and the internal audit program are uh two documents, two uh elements that uh should not be forgotten to verify if the management system is in place. So second step is of course after the risk assessment, so it's basically the third step, you want to verify the processes and the procedure So the processes and procedures need to give you information on what is happening in the organization. So basically they need to give you an answer to the five Y's and the One H. So Who, what, when, where, why, how. 
So that means, and you see an example written out on the slide. So that means that you need to, in some way or another, need to Detail that in the organization, but you can do that in different formats. The standard doesn't tell you that you need to use a physio diagram to do that. So you can use that in basic text formats, you can use an Excel spreadsheet, you can use Visio. So you can use whatever you have available in the organization and what is used in the organization to work with to create these processes and procedures. The auditor must also verify if the documented information related to the internal audit demonstrates that the auditee has implemented a planned and structured approach. um towards the audit program and that it meets the requirements of the ISO 2701. So the auditor will um We'll have a look at a couple of things. So um first of all, um the auditor wants to see any documented information related to that internal audit program. So Based on the ISO 27001 requirements, an organization needs to have an internal audit program available which really defines what is the frequency that you will do an audit What are the methods? What are the responsibilities? What are how does reporting work? So that must be sufficiently documented to have evidence basically of that implementation. So you need to have something written down The auditor will also look at files of internal auditor. With files meaning that checking that the internal auditor has the correct competences to execute the internal audit So that might be a resume, that might be a training plan or an annual evaluation. So anything that can attest to the competence that is required to perform their mission. The auditor will have a look at the internal audit plan to check that the audit plan covers all the ISMS activities That the internal audit program has detailed out that they are planned for the duration of the certification. So in this case that's three years. 
So it's best practice that it is conducted for three years. Of course, will the auditor also look at the internal audit procedure to see that there is any documented information available that gives information to the internal auditors on how they need to perform audits and that it's done in the same way? They will have a look at the report, and that's the very important document. So they will have a review of the internal audit report so that to see what has been found in the internal review. So at before going to a certification audit, you should have at least one internal report. So one internal audit report should be available. And it is of course best practice to have done the internal audit for the full scope Of the ISO 27001 or at least the full scope where you're implementing it for. Documentation of the audit follow-up activities Of course, if there were any non-conformities, observations, areas for improvement, they should be documented in a good way. There should be a follow-up plan or action plans. So the auditor will also have a look at those to see if you've done anything With the findings out of the internal report. So the internal audit is a very important document, a very important process that will be verified during the stage one. During the stage one audit, the auditor will also determine to what degree an auditee uses electronic documented information. So you should reach an agreement on how an auditor will get access to that documentation. So it might be that you give the auditor access and some instances you get a guest access. To go through the document management system. Sometimes you need as an auditor a little bit more explanation. 
So what needs to happen is that an audite gives you, of course, all the explanation um the not too many permission rights as so viewing rights um and of course give you detailed information on how you can uh walk through the documented information management system So of course, um auditors for an ISO 27001 should be competent in the use of IT um infrastructure and development trends. So, you need to have as an auditor a minimal practical understanding of general trends, of course, in technology development Auditors should pay uh in particular uh attention to development, technological developments in their respective area and how these innovations might be used in their work. So being up to date in any document management system or an electronic document management system uh is something that you would probably um do best in in gaining some access. And most commonly used is of course uh SharePoint uh confluences of these worlds uh but um asking some explanation is good uh thing to do. Of course you want to review that electronic uh documentation and so um it will depend on of course if The audity is able to make that information available either through a web-based application or through email transmission, but it will also be dependent on technical and security factors. So the audit approach here is of course dependent. And so during an on-site audit, the auditor's responsibility will be basically to oversee the physical location of the audited process. So in case when a document management system is applied, the amount of time required to confirm the evidence in order to validate that the requirements are being met may be dedicated to a computer workstation where the document is stored and which may not be located near the actual process. The actual auditing time at the physical location may then be reduced, where you can spend your time in reviewing the documentation in another part. 
So that is of course very important In using an electronic document documented information, of course, you also need to have a look at um yeah what is the format that the organization uh uses it. Is it plain text Is it HTML or the PDFs or their Excel Excel? So there needs to be suitable measures in place to protect those electronic documents as well, because it's much easier to change an electronic file than it is in an in uh in a paper-based file so you need to have a process in place or you need to check as an auditor if there is a process in place for the uh the review, the publication, the distribution, and the disposal of that document management uh system. So having um having a look at that electronic documentation um either separate in a separate document review sometimes we do that as well and that we spent one full day to review all the documented information and that might be done off site because you can access uh somebody's SharePoint from uh from a remote location. So that is uh basically uh what you uh should do. Lastly, of course, when you um evaluate uh the audities controls of the retention of that storage media, so you should also check okay what what is the time uh what are the retention periods that documents stay in the organization, um how what do they do with archived documents? Um how is backup uh done? How do we ensure that there is enough storage capacity? Um so It might be uh that um and because there is a lot of um where used to be everything used to be uh written down on paper nowadays A lot of electronic documentation is available. So the role of IT becomes more and more critical. So um in relation to that electronic document management system, an auditor should also check If an organization has allocated enough resources, enough IT resources, so that means both people and infrastructure to make sure that the system operates effectively and without interruption. 
So, and that also goes to looking at the competences of the people that are working with that. So that electronic document management system is becoming more and more important in every organization Of course, after you've done the full stage one audit, you need to create stage one audit output. So that a stage one audit report is usually shorter than a stage two audit report. And an auditor should at least document observations that run can result in nonconformities during the on-site audit. Means that you can write down as an auditor areas of concern That could be classified as a non-conformity during a stage two. So stage one doesn't necessarily need to meet requirements of a full audit report So in in um any case and when there are major nonconformities detected during that documentation audit The organization or the auditee should make time available to do the modifications to the management system and submit the correct documentation also to the auditor to ensure that you are ready before the stage two So it might happen that there are some big gaps that need to be closed, and then an auditor will ask you to either send the documentation or to set up a Teams call or some remote meeting. To check if you've closed the gap in order to successfully succeed with the stage two. So, in summary, the purpose of a stage one audit is really to review the overall design of the ISMS. The main activities undertaken during an on-site visit on a stage one audit are the evaluation of the auditee's site-specific conditions. Contact establishment with the personnel of the Audity and the observation of the technologies used and the operation of the ISMS in general. The main objectives of reviewing documented information are to get a general understanding of the function of the management system. 
To evaluate the management system design as well as the related processes and controls, and of course to verify if the internal audits and the management reviews have been conducted Strategic documents should include the ISMS scope and the ISMS policy, the risk evaluation criteria, the resources for the ISMS operation, the management review, and the internal audit program. \ No newline at end of file
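Review bot: the added `## Four levels of documentation` section consists of one image with no alt text or caption, `![](CleanShot%202026-06-09%20at%2020.53.01.png)`, so anyone reading the markdown without the rendered image, or searching the corpus, gets nothing from it; suggest alt text or a one-line caption naming the four levels the summary paragraph above already lists (strategic documents, risk management documentation, process and procedure descriptions, records), and collapsing the run of empty lines before the `---`. Separately, the hunk header shows the file still at `processed: false`, and the transcription below keeps the raw-transcript slips that the other file in this commit cleaned up: `a third fourth level`, `five Y's and the One H` where the sentence then spells out five W's and one H, `physio diagram` next to the later `Visio`, `ISO 2701` beside `ISO 27001`, and `stopped needs to sign off` where top management is evidently meant. Fine for this change if a cleanup pass follows, but worth tracking so the two files end up at the same state.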