Early this week I was in Fremont, California supporting a company through their ISO22301 audit. We have been working with them for a year to get them ready for the audit. Monday and Tuesday were the days that the auditor was on site. We had already taken half of the company (the part based in Sweden) to ISO22301 certification, so we were fairly confident that we would pass the audit. A different auditor is always an unknown quantity, however, so the audit was, as always, approached with a little apprehension.
- If you have part of your organisation certified to ISO22301 you do not need to go through a part 1 (documentation) audit and a part 2 audit (interviews with staff); you can go for a single audit to extend the existing certificate.
- It is important to remember that although the auditor is auditing you and your BCMS (business continuity management system), you have invited them into your company and are paying them to do the audit. An auditor should add value to your BCMS and should help continual improvement. In the end that is why we go for the standard - to improve business continuity within our organisation. Too many auditors treat it as a box-ticking exercise and want to slavishly go through the standard. Where they find issues they make a recommendation on how to meet the requirements of the standard, not on how to help you understand what value that section has in improving your BCMS. The auditor, having seen other organisations address the section, could suggest how they approached it and hence promote good practice. The audit, as the check part of the plan-do-check-act cycle, should add value to the BCMS and not be an end in itself. This is one item I am going to take up with our auditing body on return to the UK.
- Auditors seem obsessed with scope, so they may question your scope and spend a lot of time ensuring that the scope is stated correctly on the certificate. If your scope is less than the whole organisation then you should think carefully about how to define it.
- Make sure you use the terminology of the country you are in, or better still the terminology from the standard. I used "directors of the company" when I should have said "vice presidents". Better still is to use the phrase "top management" and you can't go far wrong!
- Understand the difference between a nonconformity and an opportunity for improvement. A nonconformity means you have not met the requirements of the standard: either you have not complied with one of the clauses or you have not met your own requirements, e.g. not updated your plans every six months. An opportunity for improvement is just what it says: a recommendation on how to carry out an action better.
- If you find a nonconformity it is not sufficient just to take steps to address the issue. You should carry out a root cause analysis (you could use the 5 whys), decide what you are going to do to remedy the issue, who is going to do it and when it will be done. Finally, determine what steps you are going to take in future to verify that the remedy has been effective.
- You need to state who is going to report to top management on the state of business continuity within the organisation. Having a sponsor for business continuity is not enough on its own; the role of briefing top management needs to be stated explicitly within their responsibilities.
- If you use a third party to help you gain the standard, you need to make sure that you can convince the auditor that the organisation is committed to the standard and that the business continuity knowledge does not reside solely with the third party.
- You are encouraged to do your internal audit 2-3 months before the external audit rather than the week before!
- Never tell the auditor you don't have something unless you really don't have it. A member of staff said that the organisation didn't have a written IT disaster recovery plan, and on the strength of that answer we were heading towards a minor nonconformity. When a more senior manager was asked the same question, he was able to produce suitable documentation and the minor nonconformity was avoided. If in doubt, produce something that exists within the organisation and leave it to the auditor to decide whether they will accept it as evidence.
- During the development of your BCMS you will set internal standards, such as "a plan should be updated every six months". It is a good idea to have a checklist of these internally determined standards and to monitor them through your management review.
- In section 9.3 of the standard there is a list of items which should be considered as part of the management review of the BCMS. In the past I have put them within the management review and used them as a checklist to go through each time a management review was conducted. Recently I shortened the list to make it a little less unwieldy to go through at a meeting. The auditor suggested that the list should not be shortened, as I might miss one of the items.
- Make sure when you are carrying out awareness training for staff that the message is not too complex for them, as they may forget it. Stick to a few simple messages such as "yes, I have been briefed on business continuity in a disaster", "my role is..." and "I can find out further information from...". Keep it simple. It is a pleasure when staff recount the simple messages to the auditor!
- Decide how you will make all the documents available to the auditor. I have in the past given them a big stack of printed-out documents. You may want to consider giving the auditor all the documents on a memory stick rather than printing them all out. If in doubt, ask them in advance.
- Finally, I still strongly suggest that if you want to do business continuity properly and want to truly embed it within your organisation, you go for ISO22301 certification.
The result of the audit was that we were recommended for certification with no nonconformities!