When organisations are seeking ISO 27001 compliance, they rely on auditors to give them good advice. Most of the time they’ll do just that – it’s what they’re paid to do. But as with any profession, some auditors are better than others.
How can you tell if your auditor isn’t to be trusted? Keep an eye out for these seven mistakes:
1. They impose their opinions without facts
Why is this bad? ISO 27001 has clear rules on how to implement its requirements. Although there’s room to interpret which course of action is best for you, any decision should be supported by an instruction in the Standard.
Unfortunately, some auditors have preconceived ideas of best strategies and will recommend certain practices regardless of your organisation’s situation. You should only ever follow advice if the auditor can explain how it helps meet a specific compliance requirement.
2. They report findings but don’t provide evidence
Why is this bad? Auditors must always provide proof when highlighting areas of non-compliance. It doesn’t need to be physical evidence; an eye-witness account will do.
The point is the auditor needs something concrete that they can point to, rather than citing a vague violation or general ‘feeling’ of non-compliance.
This helps the organisation understand exactly what the failure is and what it needs to do to fix the issue.
3. They tick off checklists without considering the bigger picture
Why is this bad? Checklists are a great way of quickly assessing whether a list of requirements is met, but what they offer in convenience they lack in depth of analysis.
Organisations are liable to see that a requirement has been ticked off and assume that it’s ‘mission accomplished’. However, there may still be room to improve your practices, and it might even be the case that some of the activities you’ve ticked off aren’t necessary at all.
A good auditor will use the checklist as a summary at the beginning or end of their audit, with a more detailed assessment in their report, or they’ll use a non-binary system that doesn’t restrict them to stating that a requirement either has or hasn’t been met.
4. They believe the paperwork and ignore the facts
Why is this bad? Any organisation can create policies that demonstrate its commitment to meeting ISO 27001’s requirements, but that doesn’t mean employees actually follow those instructions.
A bad auditor might be satisfied by documentation and a cursory look at whether it’s been implemented. They must be more rigorous than that.
Auditors shouldn’t be satisfied with just what the organisation wants them to see; they should be digging deeper to check whether the rules are being followed consistently.
5. They feel obliged to find errors
Why is this bad? Auditors sometimes try to stamp their authority by pointing out areas of non-compliance as soon as possible. This isn’t necessarily a bad thing, but it is if they’re exaggerating the scale of a shortcoming to prove a point.
It shouldn’t take long for a good auditor to find genuine faults, as even the best-prepared organisation will have room for improvements.
Auditors should keep this in mind at the start of their assessment, otherwise they’ll end up with an unfairly long list of faults or an inconsistent interpretation of the requirements.
6. They allow cost-cutting to starve the audit
Why is this bad? This mistake occurs more often in internal audits, with organisations acknowledging the need to assess their practices but unable or unwilling to provide the necessary resources.
An underfunded audit will lead to rushed and incomplete results that have little value, and a good auditor will be able to tell if the scale of the project is too big for what’s been budgeted.
7. They use the audit to generate consultancy work
Why is this bad? After completing their assessment, the auditor knows exactly how your organisation operates and where its non-compliances are, so you might be wondering why they’d be a bad fit to advise you on how to correct those mistakes.
In theory, they are a perfect fit. You already have a working relationship and you’ll save time finding a consultant and bringing them up to speed on your organisation’s needs.
Unfortunately, there’s clearly a conflict of interest in this relationship, as you run the risk of allowing the auditor to manipulate their findings to persuade you to use them as a consultant.
It’s therefore generally best if you have a second pair of eyes as your consultant. Picking a colleague of the auditor from the same firm might be a good compromise, as it allows you to build on your existing relationship with that business while keeping the audit and the consultancy in separate hands.
Good auditing practices
ISO 19011 describes the principles that all auditors of management systems should act upon: integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach.
Used diligently, these principles can eliminate bad practices.
You can find out more about what it takes to audit against ISO 27001 by enrolling in one of these training courses:
ISO 27001 external auditor
Our Certified ISO 27001 ISMS Lead Auditor Training Course equips you with the skills to conduct second-party (supplier) and third-party (external and certification) ISMS (information security management system) audits.
Packed with hands-on practical exercises, this five-day course helps you gain the expertise needed to manage an ISMS audit programme.
ISO 27001 internal auditor
If you’re looking to audit your own organisation, you’d be better suited to our Certified ISO 27001 ISMS Internal Auditor Training Course.
Designed by IT Governance director Steve Watkins, a technical assessor for UKAS (the United Kingdom Accreditation Service), this two-day course contains an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.
A version of this blog was originally published on 18 February 2013.