Bulletin / Lesson learnt from...

Lesson learnt from a recent audit

Author: Charlie Maclean-Bristol

This week Charlie writes about what auditing in Sweden has taught him.

A couple of weeks ago I was in Sweden with a technology company taking part in a Stage 2 audit for ISO22301 certification. It's a beautiful country and I thoroughly enjoyed my time there.

More importantly I learnt a great deal from the audit and the journey we took to ISO22301.

  • The more I see organisations going for ISO22301 the more I am convinced that if you are serious about business continuity then you should go for the standard. Once you have gone round the business continuity lifecycle once, the challenge is trying to maintain the momentum of the project. It is far too easy to let business continuity slip. Forget to maintain the Business Continuity Management System (BCMS) and eventually the investment is wasted. If an external auditor comes into the organisation it provides extra discipline to make sure that the plans are updated, awareness training is conducted and exercises are carried out.

  • I think a good auditor will provide additional value in that they often notice bits you have missed, identify weaknesses or make suggestions for improvement. It is difficult to find someone within the organisation to provide a similar review. Internal audit departments are often very busy and only have time to audit you every 5 years. They also lack the business continuity expertise a ISO22301 auditor has.

  • One of the key lessons I learned on the last audit would be to challenge the audit company on the number of days they were going to spend auditing. We had four days allocated for the stage 2 audit for two smallish offices. In future I think I would push for the audit to be done in 3 days.

  • This reminded me of my time in the forces. When I was in the army you knew that a senior officer was going to do an armoury serial number check to all the unit’s weapons. You, as the officer responsible, always did your own check prior to them arriving to ensure that all the weapons were there and you weren’t caught out. It is obvious but you should do exactly the same thing prior to the audit. I have a spreadsheet which lists every clause of the standard and I laboriously go through each line to make sure that I have not missed any part of the standard.

  • Be nice to your auditor! They want you to pass, you want to pass and so you have the same end in mind. They can also catch you out if they want to. There is always something they can pick you up on if they want to. Remember they are human and a little kindness goes a long way!


You might be interested in the following stories

Tweets from the ISO22301 Annual Certification Audit in Sweden (December 2014)

Sign-up to our weekly bulletin

Twitter feed

Bulletin
Charlie's Top 10 Business Continuity and Crisis Management Books for Christmas

Charlie counts down his top 10 Business Continuity and Crisis Management books, as recommended by you.

14 December 2018

“Ewan [Donald] did a very good job, and I would recommend this [course] to anyone interested in Business Continuity.”

Julie Watmore
Premier Decorations Ltd
View further testimonials