How to become an auditor at a certification body

As you might expect, here at IT Governance we have extensive experience working with various certification bodies. Indeed, a number of our consultants used to work as ISO 27001 Auditors at certification bodies. We therefore thought it might prove useful if we drew on this collective experience and shared it with you, along with a précis of the requirements you should plan to meet if you are considering becoming an Auditor at a certification body.

Each certification body (CB) maintains its own balance between using employees as Auditors and using a combination of employees and external contractors. Some CBs may use only employees, while others, typically the smaller certification bodies, use only contractors.

The best approach for those looking to pursue this option as a career is to check, and then demonstrate to the CB, that you satisfy the generic competence criteria. Each CB will have its own set of requirements for ISO 27001 certification Auditors or Lead Auditors. The minimum requirements are based on the guidelines for all management system Auditors as stipulated by Annex A of ISO 17021:2011:

  • Knowledge of business management practices.
  • Knowledge of audit principles, practices and techniques.
  • Knowledge of specific management system standards/normative documents.
  • Knowledge of the certification body’s processes.
  • Knowledge of the client business sector.
  • Knowledge of client products, processes and organisation.
  • Language skills appropriate to all levels within the client organisation.
  • Note-taking and report-writing skills.
  • Presentation skills.
  • Interviewing skills.
  • Audit management skills.

The following are the additional requirements mandated by ISO 27006:2011 for information security auditors:

  • Knowledge of the ISMS standard and other relevant normative documents.
  • An understanding of information security.
  • An understanding of risk assessment and risk management from the business perspective.
  • Technical knowledge of the activity to be audited (across an audit team).
  • General knowledge of regulatory requirements relevant to ISMSs.
  • Knowledge of management systems.
  • An understanding of the principles of auditing based on ISO 19011.
  • Knowledge of ISMS effectiveness review and the measurement of control effectiveness.

ISO 27006:2011 also stipulates the following mandatory requirements for qualifications and experience:

  • An education at secondary level.
  • At least four years’ full-time practical workplace experience in information technology, of which at least two years must be in a role or function relating to information security.
  • Successful completion of five days of relevant training (such as the ISO 27001 Lead Auditor course), the scope of which must have covered ISMS audits and audit management.
  • Experience in the entire process of assessing information security prior to assuming responsibility as an auditor. This experience should have been gained by participating in a minimum of four certification audits for a total of at least 20 days, including review of documentation and risk analysis, implementation assessment and audit reporting.
  • Reasonably current experience.
  • Ability to put complex operations in a broad perspective and understand the role of individual units in larger client organisations.
  • Keeping their knowledge and skills in information security and auditing up to date through continual professional development.

The audit time requirement can be something of a ‘Catch-22’ scenario – you need experience to gain experience – but this is often an issue the CB will offer to help good applicants overcome, although there is likely to be something you need to offer in return.

The team here at IT Governance suggests that individuals wishing to apply for roles as Auditors at certification bodies should prepare a CV and covering letter that explain how their skills and experience align with the requirements above. A list of most of the accredited certification bodies operating in the UK can be accessed through the UKAS website; there are one or two others operating in the UK that are accredited overseas.

From the experience within our consulting team, it is fair to say that salaries/day rates and working arrangements will vary from CB to CB. If you are looking to go down the self-employed/contracting route, there is nothing preventing you from working for two or more CBs in parallel. IT Governance has noticed a number of individuals who work this way and appear to make a reasonable living at it.

The ISO27001 Certified ISMS Lead Auditor Training Course is scheduled to run in January 2015, giving you the opportunity to book the course at 30% off.