Welcome!

F ro m t h e I n ter n ati o n al Re g i ster o f

C e r t if i cate d A u d i to rs

1
2
 Welcome
Welcome to your CQI and IRCA Certified
ISO 27001 Lead Auditor Information Security
Management Systems VILT Course (ISMS)

www.quality.org/training

ISO 27001 LEAD

AUDITOR VILT
COURSE
SECTION 1

About the Course

2
4
 The Value of Effective Auditing
‘There was an evident belief of senior managers
that they were working in a safe organisation.
This may have been because they may not have
known how to seek out, or to recognise, the
symptoms of an unsafe organisation. It may
also be true that they would not have known
what practical steps to take to turn an unsafe
organisation into a safe organisation.’

(Piper Alpha Inquiry Report)

SECURITY NOTICE

• You are advised to ensure that your personal possessions and

property are kept in a safe place at all times.
• You are advised to ensure a backup connection is available,
battery power, equipment that works properly.

• Fire Exits !?! – If the course really hots up.

3
6
 MOBILE PHONES IN SILENT MODE

COURSE OVERVIEW

Group
Audit
Practice
Work

Presentation
Exam

4
8
 DELEGATE RESPONSIBILITY

To qualify for certification delegates shall be required to:

• Fulfil the pre-course requirements

• Demonstrate the ability to understand the ISMS requirements
• Attain the skills necessary to conduct effective audits against the
ISO 27001:2022 requirements
• Maintain 100% attendance throughout the course
• Obtain an overall 70% continual assessment mark
• Obtain a min. 50% examination mark

DELEGATE RESPONSIBILITY

To qualify for certification delegates shall be required to:

Submit course records on time and correctly. In the absence of any

course records, examination link cannot be generated and
certificates cannot be processed.

Course records required to submit to tutor:

• Consent form- By first break of Day 1 (with e signature. Typed name is
not acceptable under GDPR requirements).
• Pre course- By first break of Day 1
• Feedback form- By end of Day 5

5
10
 COURSE CONTENT

• Introducing Management • Development of Skills

Systems Auditing • Document review
• Risks/ threats/ • Audit training of ISMS
vulnerabilities compliance
• Compliance • Management of risk/
• Systems threats/ vulnerabilities
• Non-conformance writing
• In-depth Training in ISMS • Statement validation
techniques

11

TESTING UNDERSTANDING

Continual assessment – 70%

End-of-Course Exam – The course curriculum requires that an

examination is taken within 30 days from the last day of the course. A
five part exam is set. Learners must achieve the minimum pass mark
for each domain and an overall score of 40 marks (50%)

New exam pattern introduced for English speaking course. Refer the
exam guideline document.

6
12
 DELEGATE INTRODUCTIONS
You will be asked to introduce the person to your left or
right. You will need to discover the following information
about them for the introduction

• Their name
• A brief description of their organisation
• A brief job description
• Their involvement in ISMS
• Why they are here
• And finally…superpowers they wish to have
Time allowed – 2 minutes

13

COURSE OBJECTIVES
Upon successful completion of this course you will…

• Be able to prepare for, report on and follow up on ISMS

Audit

• Have undergone training recognised by the

International Register of Certificated Auditors

• Have achieved the means to assess and improve ISMS

7
14
 COURSE STRUCTURE

On completion of the course delegates will be able to:

 Describe the purpose of an ISMS
 Explain the scope and other criteria for ISMS Audits
 Interpret ISO 27001 requirements
 Identify and assess ISMS risks
 Plan and conduct Audits against ISMS 27001 requirements in
compliance with ISO 19011
 Prepare Audit reports with valid and factual non-conformities that
add value
 Conduct follow up Audits that include evaluating effectiveness of
corrective/ preventive action

15

COURSE OBJECTIVES

The CQI-IRCA course learning objectives are listed in the

introduction at the beginning of each section in your course
manual.

The course objectives and content are controlled by CQI-

IRCA.

100% attendance is required.

8
16
 COURSE PLAN

About Unified
Standards Framework

Information
Implementation
Security
&
Management
Measurements
Systems

17

COURSE PLAN :AUDIT STAGES

• Pre-audit management
Planning • Document review
• Detailed planning for the on-site audit

Implementation • On-site audit

Reporting and • Reporting

Follow Up • Follow up

9
18
 COURSE PLAN

Planning Audits

Collecting &
Conducting Audits
Verifying Evidence

Non-Conformities Objective Evidence

(NCR/ Checklist) (Checklist)

19

COURSE PLAN

Preparing Audit Summary

Report
Preparing Audit Conclusions
Preparation
Documenting Audit Report

Completing Closing
Audit Meeting

10
20
21

CQI-IRCA IS0 27001

LEAD AUDITOR VILT
COURSE
SECTION 2
Standards, Principles and
Definitions
Purpose of this session: To ensure that
delegates from differing backgrounds are
familiar with baseline ISMS terminology.
To discuss the main ISMS principles and
interrelationships of the applicable
standards.

11
22
 HISTORY OF REQUIREMENTS

 ISO/IEC 17799, "Information Technology - Code of practice for

information security management.“ – developed by BSI in
2000;
 ISO/IEC 27001:2005 – first edition developed by ISO/IEC Joint
Technical Committee 1;
 ISO/IEC 27001:2013 – second edition developed by ISO/IEC
Joint Technical Committee 1;
 ISO/IEC 27001:2022 – third edition developed by ISO/IEC
Joint Technical Committee 1;

23

THE ISO 27000 SERIES

Standard used for auditing:

ISO/IEC 27000 Series
Guidance Standards: Published Standards
Guidance Standards:
Published
ISO/IEC Standards
27001:2022 Information security, ISO 27000:2018 Information technology – Security
Cybersecurity and privacy protection - ISMS techniques – Information security management
Requirements systems Overview and vocabulary

ISO/IEC 27002:2022 Information security, ISO/IEC 27003:2017 ISMS Implementation

cybersecurity and privacy protection — Guidelines
Information security controls
ISO/IEC 27004:2016 ISMS Metrics and ISO/IEC 27005:2022 , Information technology —
Measurements Security techniques — Information security risk
management
ISO/IEC 31000:2018 Risk Management-Principles
and guidelines
ISO/IEC 27006:2015 Requirements for Certification BS 7799-3:2006 ISMS – Part 3: Guidelines for
Bodies information security risk management

ISO/IEC 27035:2020 Information technology – ISO/IEC 27011:2016 — Information security

Security techniques – Information security incident management guidelines for telecommunications
management EA 7/03 ISO/IEC 13335-1:2004, etc.
organizations (based on ISO/IEC 27002)

12
24
 INFORMATION SECURITY MANAGEMENT SYSTEM

It is part of the overall management system,

based on a business risk approach, to establish,
implement, operate, monitor, review, maintain
and improve information security

NOTE: the management system includes organizational

structure, policies, planning activities, responsibilities,
practices, procedures, processes, and resources

25

Information Security – security

preservation of confidentiality, integrity
and availability of information. It may
also include other features such as
authenticity, accountability, non-
rejection and reliability.
13
26
 TERMS AND DEFINITIONS

 Availability – the property of being accessible and usable

upon demand by an authorized entity.
 Confidentiality – the property that information is not
made available or disclosed to unauthorized individuals,
entities or processes
 Integrity – the property of safeguarding the accuracy and
completeness of assets

27

RELATIONSHIP BETWEEN CONFIDENTIALITY, INTEGRITY,

AND AVAILABILITY NEEDS TO BE BALANCED

Confidentiality

Security

Integrity Availability

14
28
 THREATS AND VULNERABILITIES

 Threat – damage or loss to information assets

 Vulnerabilities – weak links that could be exploited by
the threats

29

EXAMPLES…

Security Area Threat Vulnerability

Hardware Theft of media and Lack of care at disposal
property
Dust, corrosion, Susceptibility to humidity, dust, soiling
freezing
Software Abuse of rights No “logout” when leaving the workstation
Forging of rights Unprotected password tables
Network Remote Spying Insecure network architecture
Personnel Error in Use Incorrect use of software
Site Loss of power supply Unstable power grid

Organization Theft of equipment Lack of formal policy on mobile computer usage

Error in use Lack of procedures for classified information handling

15
30
 Terms and Definitions

Risk Acceptance – decision to accept a risk

Risk Analysis – systematic use of information to identify sources

and to estimate risk

Risk Assessment – overall process of risk analysis and risk

evaluation

Risk Management – coordinated activities to direct and control an

organization with regard to risk

Risk Treatment – treatment process of selection and

implementation of measures to modify risk

31

TERMS AND DEFINITIONS

Statement of Applicability – document describing the

control objectives and controls that are relevant and
applicable to the organization’s ISMS, based on the
results and conclusions of the risk assessment and risk
treatment processes, legal and regulatory requirements,
contractual obligations and the organization’s business
requirements for information security

16
32
 COMMON TERMS AND DEFINITION - GENERAL

Terms and definitions may be:

•within the standard;
•in a separate document (ISO/IEC 27000:2018).

The following terms and definitions constitute an integral

part for management systems standards:
•Common terms
•Core definitions
•Discipline specific ones - additional terms and definitions
as needed.

33

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

organization
person or group of people that has its own functions with
responsibilities, authorities and relationships to achieve its
objectives

Note 1: The concept of organization includes, but is not limited to

sole-trader, company, corporation, firm, enterprise, authority,
partnership, charity or institution, or part or combination thereof,
whether incorporated or not, public or private.

17
34
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)

interested party (preferred term)

stakeholder (admitted term)
person or organization that can affect, be affected by, or
perceive themselves to be affected by a decision or activity

35

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)

requirement
need or expectation that is stated, generally implied or
obligatory

NOTE : “Generally implied” means that it is custom or common

practice for the organization and interested parties that the need
or expectation under consideration is implied.
NOTE 2: A specified requirement is one that is stated, for
example in documented information.

18
36
 COMMON TERMS AND DEFINITION - ANNEX
SL. COMPARISON (CONT.)

management system
set of interrelated or interacting elements of an organization to
establish policies and objectives and processes to achieve those
objectives
NOTE 1 : A management system can address a single discipline
or several disciplines.
NOTE 2 : The system elements include the organization’s
structure, roles and responsibilities, planning, operation, etc.
NOTE 3 : The scope of a management system may include the
whole of the organization, specific and identified functions of
the organization, specific and identified sections of the
organization, or one or more functions across a group of
organizations.

37

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)
top management
person or group of people who directs and controls an
organization at the highest level

NOTE 1: Top management has the power to delegate authority and provide
resources within the
organization.
NOTE 2: If the scope of the management system covers only part of an
organization then top management refers to those who direct and control
that part of the organization.

19
38
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)

effectiveness
extent to which planned activities are realized and planned
results achieved

policy
intentions and direction of an organization as formally expressed
by its top management

39

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)
objective
result to be achieved

NOTE 1: An objective can be strategic, tactical, or operational.

NOTE 2: Objectives can relate to different disciplines (such as financial, health and
safety, and environmental goals) and can apply at different levels (such as
strategic, organization-wide, project, product and process).
NOTE 3: An objective can be expressed in other ways, e.g. as an intended
outcome, a purpose, an operational criterion, as an information security objective
or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 4: In the context of information security management systems information
security objectives are set by the organization, consistent with the information
security policy, to achieve specific results.

20
40
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)
Risk
effect of uncertainty
NOTE 1: An effect is a deviation from the expected — positive or negative.
NOTE 2: Uncertainty is the state, even partial, of deficiency of information related
to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 3: Risk is often characterized by reference to potential events (ISO Guide 73,
3.5.1.3) and consequences (ISO Guide 73, 3.6.1.3), or a combination of these.
NOTE: Risk is often expressed in terms of a combination of the consequences of an
event (including changes in circumstances) and the associated likelihood (ISO
Guide 73, 3.6.1.1) of occurrence.

41

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)

competence
ability to apply knowledge and skills to achieve intended results

21
42
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)
documented information
information required to be controlled and maintained by
an organization and the medium on which it is contained
NOTE 1: Documented information can be in any format and media
and from any source.
NOTE 2: Documented information can refer to:
– the management system, including related processes;
– information created in order for the organization to operate
(documentation);
– evidence of results achieved (records).

43

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)
process
set of interrelated or interacting activities which
transforms inputs into outputs

performance
measurable result
NOTE 1: Performance can relate either to quantitative or qualitative
findings.
NOTE 2: Performance can relate to the management of activities,
processes, products (including services), systems or organizations.

22
44
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)
outsource (verb)
make an arrangement where an external organization
performs part of an organization’s function or process
NOTE 1: An external organization is outside the scope of the
management system, although the outsourced function or process
is within the scope.

monitoring
determining the status of a system, a process or an
activity
NOTE 1 to entry: To determine the status there may be a need to
check, supervise or critically observe.

45

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)

measurement
process to determine a value

23
46
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)
audit
systematic, independent and documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are
fulfilled
NOTE 1: An audit can be an internal audit (first party) or an
external audit (second party or third party), and it can be a
combined audit (combining two or more disciplines).
NOTE 2: “Audit evidence” and “audit criteria” are defined in ISO
19011.

47

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)

conformity
fulfilment of a requirement

nonconformity
non-fulfilment of a requirement

24
48
 COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON
(CONT.)
correction
action to eliminate a detected nonconformity

corrective action
action to eliminate the cause of a nonconformity and to prevent
recurrence

49

COMMON TERMS AND DEFINITION - ANNEX SL. COMPARISON

(CONT.)

continual improvement
recurring activity to enhance performance

25
50
51

SECTION 3
Annex SL (normative) - Proposals
for management system
standards and unified
framework

Purpose of this session: To

understand the main purpose
and principles of
Annex SL

26
52
 ANNEX SL – GENERAL

Annex SL defines and provides the framework for all ISO

management system standards (MSS).

Annex SL is intended to be used when:

•preparing a new management system standard (MSS);
•revising an existing one.

53

ANNEX SL – GENERAL (CONT.)

The main aim of Annex SL is the framework of all ISO

standards to be unified, in order to facilitate the
organisations using the standards and the auditors when
performing audits.

Unified frameworks:
• high level structure (HLS)
• identical clause titles
• identical text
• common terms and definitions

27
54
 ANNEX SL - APPENDIXES

•Appendix 1 (normative) - Justification criteria questions

•Appendix 2 (normative) - High level structure, identical

core text and common terms and core definitions for use
in Management Systems Standards

•Appendix 3 (normative) - High level structure, identical

core text, common terms and core definitions

•Appendix 4 (informative) - Guidance on high level

structure, identical core text, common terms and core
definitions

55

ANNEX SL - SL.6 GENERAL PRINCIPLES

An MSS should be initiated, developed and maintained by

observing the following principles:
•Market relevance - MSS should meet the needs of and
add value to the users and affected parties.
•Compatibility – it should be maintained between various
MSS and within a MSS family.
•Topic coverage - MSS should have sufficient application
coverage.

28
56
 ANNEX SL - SL.6 GENERAL PRINCIPLES (CONT.)

•Flexibility - MSS should be applicable to organizations in all

sectors and cultures and of every size and they should be
able to add to, differentiate from others, or develop their MS
beyond the standard.
•Free trade - MSS should permit the free trade of goods and
services in line with the principles included in the WTO
Agreement on Technical Barriers to Trade.
•Applicability of conformity assessment - The market need
for first-, second- or third-party conformity assessment
should be assessed. An MSS should facilitate joint audits.

57

ANNEX SL - SL.6 GENERAL PRINCIPLES (CONT.)

•Exclusions - MSS should not include directly related

product /services specifications, test methods,
performance levels or setting of limits or other forms of
standardization.
•Ease of use – The user should be able to easily
implement one or more MSS. MSS should be easily
understood, unambiguous, free from cultural bias, easily
translatable, and applicable to businesses in general.

29
58
 APPENDIX 1

Appendix 1 (normative) - Justification criteria

questions

When a proposal is made to prepare a new MSS or to

revise an existing one a justification study (JS) shall
be carried out in accordance with Appendix 1 of
Annex SL.

The issues to be addressed in the justification study

are in line with the principles listed in SL.6., but they
are not exhaustive and additional information should
be provided if it is relevant to the case.

59

APPENDIX 2

Appendix 2 (normative) - High level structure, identical core

text and common terms and core definitions for use in
Management Systems Standards

The aim - alignment of all ISO MSS by providing a unifying

and agreed high level structure, identical text and common
terms and definitions.
Individual MSS will of course add additional “discipline-
specific” requirements as required.
This is particularly useful to organizations operating
integrated management system that can meet the
requirements of two or more MSS at the same time.

30
60
 Appendix 3

Appendix 3 (normative) - High level structure, identical

core text, common terms and core definitions

Appendix 3 sets out the:

•High level structure (HLS);
•Identical core text;
•Common terms and core definitions.

They all form the nucleus of future and revised ISO Type
A management system standards.

61

APPENDIX 3 (CONT.)

High level structure (HLS) includes the main clauses (1 to

10) and their titles in a fixed sequence.

The identical core text includes numbered sub-clauses

(and their titles) and text within the sub-clauses

The common terms and core definitions are either

included or normatively reference an international
standard where they are included.

31
62
 APPENDIX 4

Appendix 4 of Annex SL provides guidance to the

use of Appendix 3.

63

UNIFIED FRAMEWORK

The unified framework of all ISO MSS will have:

•the same high level structure;
•identical clause titles;
•identical text;
•common terms and definitions.

Individual MSS will add needed additional “discipline-

specific” requirements as required for the specific area in
question.

32
64
 THE NEED FOR UNIFIED FRAMEWORK AND HLS

Despite that the published MSS by ISO over the years

share some common elements, ISO management
system standards were published in different shapes
and structures.

This has caused:

• to the organizations – difficulties in understanding,
using and integrating different standards, as well as
confusion and difficulties at the implementation stage;
•to the auditors - a great deal of discomfort when
performing audits, especially on integrated
management systems.

65

THE BENEFITS OF UNIFIED FRAMEWORK AND HLS

The unified framework of all ISO MSS will facilitate:

•the organisations when using the standards;
•the organisations when integrating different management
systems;
•the auditors when performing audits.

33
66
 HIGH LEVEL STRUCTURE

•Introduction
•Cl. 1 - Scope
•Cl. 2 - Normative references
•Cl. 3 - Terms and definitions
•Cl. 4 - Context of the organization
•Cl. 5 - Leadership
•Cl. 6 - Planning
•Cl. 7 – Support
•Cl. 8 - Operation
•Cl. 9 - Performance evaluation
•Cl. 10 - Improvement

67

GENERAL COMMENT

1.Clarifications or descriptions should be given for “as

applicable” or “as appropriate”.

2. Objectives – have to be specified - XXX objectives; XXX

management system objectives; process objectives etc.

3. For the standards addressing risk, there should be

agreement on the positioning of risk assessment and risk
treatment text (i.e. should it go in clause 6 or clause 8)

34
68
69

SECTION 4

ISMS history and

benefits

Purpose of this session: To develop an

understanding of background of ISMS
standard To develop an understanding of
the structure of the ISO 27001:2022
standard. To review the requirements for
implementation; the documentation
requirements of ISO 27001:2022 and the
main benefits of implementing an ISMS

35
70
 ORIGINS OF ISO/IEC 27001

 BS 7799 - Information Security Code of Practice -

Developed in early nineties by a group of experts with
the support of the UK Department of Trade and
Industry (DTI). Consisted of two main parts.
 Part I (BS7799-1), known as best practices for
Information Security Management (revised in 1998),
was adopted in December 2000 as ISO 17799
“Information Technology - Code of practice for
information security management”
71

ORIGINS OF ISO/IEC 27001

 Part II (BS7799-2) - first published by BSI in 1999 as

“Information Security Management Systems -
Specification with guidance for use”
 Was revised in 2002 to introduce the Plan-Do-Check-
Act (PDCA) Quality Assurance Model aligning it with
ISO 9001
 In November 2005 ISO adopted BS 7799-2 as ISO/IEC
27001

36
72
 ISO 27001:2022 STRUCTURE

Clause 1-Scope
Clause 2-Normative Reference
Clause 3-Terms and Definitions

73

ISO 27001:2022 STRUCTURE

Clause 4 Context of the organisation

4.1 Understanding the organistaion and its context
4.2 Understanding the needs and expectation s of interested parties
4.3 Determining the scope of the information security management system
4.4. Information secur ity management system

37
74
 ISO 27001:2022 STRUCTURE

Clause 5 Leadership

5.1 Leadership and commitment

5.2 Policy
5.3 Organizational roles, responsibilities and authorities

75

ISO 27001:2022 STRUCTURE

Clause 6 Planning

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them
6.3 Planning of Changes

38
76
 ISO 27001:2022 STRUCTURE

Clause 7 Support

7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

77

ISO 27001:2022 STRUCTURE

Clause 8 Operation

8.1 Operation planning and control

8.2 Information security risk assessment
8.3 Information security risk treatment

39
78
 ISO 27001:2022 STRUCTURE

Clause 9 Performance Evaluation

9.1 Monitoring , measurement , analysis and evaluation

9.2 Internal audit
9.3 Management review

79

ISO 27001:2022 STRUCTURE

Clause 10 Improvement

10.1 Continual improvement

10.2 Nonconformity and corrective action

40
80
 DOCUMENTATION REQUIREMENT
1. Scope of the ISMS (clause 4.3)
2. Information security policy and objectives (clauses 5.2 and 6.2)
3. Risk assessment and risk treatment methodology (clause 6.1.2)
4. Statement of Applicability (clause 6.1.3 d)
5. Risk treatment plan (clauses 6.1.3 e and 6.2)
6. Risk assessment report (clause 8.2)

Documents from Annex A are mandatory only if the organisation has decided to
implement a particular control

81

DOCUMENTATION REQUIREMENT

Records required by standard:

Records of training, skills, experience and qualifications (clause 7.2)
Monitoring and measurement results (clause 9.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Logs of user activities, exceptions (A 8.16) and security events ( A 5.28)

41
82
ISMS

Benefits of IMPLEMENTATION - SWOT

Strengths Weaknesses
•Improved net security level of the •Requires resources:
organization -material
•Demonstrated conformity with compliance -time
requirements •Distracts personal from other important tasks
•External expertise & assistance brings good •Other…………to be added by the delegates
practices
•Other……to be added by the delegates
Opportunities Threats
•Asset in marketing •Possible access to the organization's info if external
•Improved security for client's and partner's assistance is not properly managed
information •Overconfidence in ISMS as form of total protection
•Opportunities for improvement identified ( it is not and is not intended to be)
•Other…………to be added by the delegates •Other…………to be added by the delegates

83

ISMS

BENEFITS OF CERTIFICATION - SWOT

Strengths Weaknesses
•Confidence in clients and partners •Lost of confidence if ISMS is not properly
•Objective and independent third party review maintained and certificate is declared not valid
•Reduced costs and simplified process of •Frustration with the cost and complexity of
demonstrating compliance with legal and client ISMS if the system is not properly developed and
specific regulations applied
•Other ….to be added by the delegates •Other…. to be added by the delegates

Opportunities Threats

•Better market positions - new contracts •External access to the organization's info if no
•Opportunities for improvement identified appropriate measures are applied.
•Other ….. to be added by the delegates •Overconfidence that information is totally
protected
•Other…. to be added by the delegates.

42
84
85

SECTION 5
Information Risk
Assessment and
Treatment

Purpose of this session: To provide the

delegates with some general principals of
the process of risk assessment and its
practical influence on the establishment
of the ISMS, as well as the risk
management approach based on ISO
27005

43
86
 REFERENCE GUIDANCE ISO STANDARD

 ISO/IEC 27005:2022 – Information security,

cybersecurity and privacy protection —
Guidance on managing information security
risks
 ISO/IEC 31000:2018 Risk Management-
Principles and Guidelines

87

ISO/IEC 27005:2022
 Structure of the standard ISO / IEC 27005:2022
 Overview- Risk Management - (5)
 Define Context - (6)
 Risk Assessment - (7)
 Risk Treatment - (8)
 Operation- (9)
 Leveraging related ISMS processes– (10)
 Annex A Examples of Techniques in support of the risk assessment
process.

44
88
 INFORMATION SECURITY RISK MANAGEMENT PROCESS

PLAN Establish the context

Risk assessment
Develop the risk treatment plan
Risk assessment

DO Implement the risk treatment plan

CHECK Continual monitoring and review of risks

ACT Maintain and improve the RM process

89

TERMS
 INFORMATION SECURITY RISK - potential that a given threat will exploit
vulnerabilities of an asset or group of assets and thereby cause harm to the
organization (It is measured in terms of a combination of the likelihood of an
event and its consequence).
 RISK MANAGEMENT - coordinated activities to direct and control an
organization with regard to risk
 RISK ASSESSMENT – overall process of risk analysis and risk evaluation
 RISK ANALYSIS – systematic use of information to identify sources and to
estimate risk
 RISK IDENTIFICATION - process to find, list and characterize elements of risk
 RISK ESTIMATION - process to assign values to the probability and
consequences of a risk

45
90
 ISO/IEC 27005 provides general guidance but does not require or
imply the use of any specific method for risk assessment!

The organization itself chooses the Risk Assessment Methods and

Tools.
The following should be considered when the choice is made:
• previous experience of the organization and of other similar
organizations
• size/complexity of the organization
• industry specifics

91

TYPICAL RISK IDENTIFICATION TECHNIQUES

Process Mapping
Scenario Analysis
Business Studies and Benchmarking
Incidents Investigation
Auditing and Inspection
HAZOP
Checklists and questionnaires

46
92
 TWO ISSUES TO CONSIDER:

• The standard expects that periodic reviews of security risks and

related controls will be carried out – taking account of new
threats and vulnerabilities, assessing the impact of changes to
the business and the environment and to confirm effectiveness
of controls

• The second assumption of the standard is “that the execution of

its provision is entrusted to an appropriately qualified and
experienced person”

93

RISK PROCESS – ISO 27005

94

47
94
 ISO/IEC 27005

RISK IDENTIFICATION (7)

• Risk identification
• Identification of asset
• Identification of threats
• Identification of existing controls
• Identification of vulnerabilities
RISK ANALYSIS (8.3)
• Methodology
• Identification and assessment of consequences
• Assessment of the likelihood of occurring an incident
• Establishing level of the calculated risk

95

APPROACHES

A number of different approaches to risk analysis. Essentially

two types of methodologies are applied:
- Quantitative Risk Analysis
- Qualitative Risk Analysis
NOTE: A combination of the two approaches may be useful
for some organizations

48
96
 QUANTITATIVE RISK ANALYSIS

This approach looks at two issues:

• Probability of an event occurring
• Likely loss should it occur
The two elements are multiplied resulting in ALE
(annual loss expectancy) or EAC (estimated annual
cost).
The higher the number the more serious it is for the
organization

97

PROBLEMS WITH THE QUANTITATIVE APPROACH

Unreliability and inaccuracy if there is no reliable

historical numerical data
Sometimes promotes complacency about the real
significance of particular risks
It is sometimes difficult to identify interrelations
between events and threats

49
98
 QUALITATIVE RISK ANALYSIS

Risk Assessment
The risks have to be assessed to identify the potential
business harm, identifying likelihood of the failure. Establish the
level of the risk and from there whether it is acceptable or
control is required
Controls
These are countermeasures to vulnerabilities.
May be divided into four types: deterrent controls,
preventive controls, corrective controls and detective controls

99

QUALITATIVE RISK ANALYSIS

Probability data is not required and only estimated potential loss

is used
Owners, threats, vulnerabilities and impacts are identified for
each asset
• Threats
Things that can go wrong and affect negatively the assets
• Vulnerabilities
These leave a system open to attack or allow an attack to have
some success or greater impact
• Impacts
The successful exploitation of a vulnerability by a threat

50
100
 THE QUALITATIVE APPROACH

Advantage of qualitative estimation - is it easy to

understand by the relevant personnel
Disadvantage - is the dependent on subjective
choice of the scale to describe the magnitude of
potential consequences.

101

ISO/IEC 27005

RISK EVALUATION (8.4)

>The level of the risk should be compared with the

criteria for determining the risk value and the risk
acceptance level.
>The end result is decisions on future action.

51
102
 RISK TREATMENT OPTIONS (9)

Avoid Business considerations

Residual Risk –
Reduce/Treat Accept or Treat again

Risk
Risk Remains/
Retain/Accept
Accept

Insure/some level of
Transfer
risk remains

103

TERMS

RISK TREATMENT - treatment process of selection

and implementation of measures to modify risk
RISK TRANSFER - sharing with another party the
burden of loss or benefit of gain, for a risk
RISK ACCEPTANCE - decision to accept a risk

52
104
 RISK REDUCTION (9.2)- CONTROLS

Controls (may) provide one or more of the following

protection: correction, elimination, prevention, impact
minimization, deterrence, detection, recovery, monitoring
and awareness.
It is not possible to provide total security against every risk,
but it is possible to provide effective security against most
risks
It is essential to constantly monitor effectiveness of the
controls

105

INFORMATION SECURITY RISK COMMUNICATION (11)

Information about risk should be exchanged and/or shared

between the organization and the interested
parties/stakeholders
Communication in the form of Statement of Applicability
demonstrates to third parties the degree of security that
has been implemented
The current version and date of approval of the Declaration
of applicability is quoted in the certificate issued by a
certification body -(a requirement of ISO / IEC 27006).

53
106
 OTHER ISSUES TO CONSIDER:

• Risks are not static (12.2), periodic reviews of security risks and
related controls will be carried out:
taking account of new threats and vulnerabilities;
 assessing the impact of changes to the business/ environment;
to confirm effectiveness of controls

• The standard requires “that the execution of its provision is

entrusted to an appropriately qualified and experienced person”

107

ISO 31000:2018

Contrary to the popular belief that ISO 31000 is now mandatory

for ISO 27001 implementation, this is not true. However, ISO
31000 could be quite useful for ISO 27001 implementation – it
not only offers a couple of good guidelines, but it also gives a
strategic context for managing (information security) risks.

Insert Footer Here 108

54
108
 WHAT IS ISO 31000

ISO 31000 provides guidelines on how to organize risk

management in organizations – the standard is not focused
solely on information security risks; it can be used for any type of
risks including business continuity, market, currency, credit,
operational, and others.

It provides a detailed glossary of risk management terms,

explains basic principles of risk management, and provides a
general framework including a PDCA cycle (planning,
implementing, monitoring and improving – Plan/Do/Check/Act)
for risk management. However, being applicable to any type of
organization and to any type of risk, it does not provide specific
methodology for, e.g., information security risk management.

Insert Footer Here 109

109

ISO 31000 - CONTENT

1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 Framework
5.1 General
5.2 Leadership and commitment
5.3 Integration
5.4 Design
5.4.1 Understanding the organization and its context
5.4.2 Articulating risk management commitment
5.4.3 Assigning organizational roles, authorities, responsibilities and
accountabilities 7
5.4.4 Allocating resources
5.4.5 Establishing communication and
110

55
110
 ISO 31000 - CONTENT
5.5 Implementation
5.6 Evaluation
5.7 Improvement
5.7.1 Adapting
5.7.2 Continually improving
6 Process
6.1 General
6.2 Communication and consultation
6.3 Scope, context and criteria
6.3.1 General
6.3.2 Defining the scope
6.3.3 External and internal context
6.3.4 Defining risk criteria
111

111

ISO 31000 - CONTENT

6.4 Risk assessment
6.4.1 General
6.4.2 Risk identification
6.4.3 Risk analysis
6.4.4 Risk evaluation
6.5 Risk treatment
6.5.1 General
6.5.2 Selection of risk treatment options
6.5.3 Preparing and implementing risk treatment plans
6.6 Monitoring and review
6.7 Recording and reporting

112

56
112
 ISO 31000 PRINCIPLES

113

113

ISO 31000 FRAMEWORK

Insert Footer Here 114

57
114
 RISK MANAGEMENT PROCESS

Insert Footer Here 115

115

OTHER STANDARDS RELATED TO RISK MANAGEMENT

No matter the similarities and differences in risk management concepts in the

different standards, one thing is for sure: risk is always defined as the “effect
of uncertainty on objectives,” taking into account that uncertainty is the state
of deficiency of information related to understanding or knowledge of an
event, its consequences, or likelihood. Also, one common thing related to all
standards is that objectives related to risk management can be applied at
different levels in the organization, such as strategic, operational, project,
product/services, or process.

Risks will always exist around us, and we can never eliminate unwanted
situations except by completely terminating activities that can produce
negative effects. In most cases, you must follow objectives driven by the
organization`s top management, so the best you can do is use best practices
presented in all three standards to try to prevent or minimize negative effects.

Insert Footer Here 116

58
116
117

SECTION 6

ISO/IEC 27002 and the

Control Objectives

Purpose of this session: To gain

understanding of the structures and
interrelations of this standard with ISO
27001:2022 and the implementation,
maintenance and improvement of
ISMS

59
118
 THE CODE OF PRACTICE ISO 27002:2022

ISO 27002 was published in February 2022 and it now has a different from ISO 27001,
Annex A.
In the last update of 27002 from February 2022, the areas, control objectives and
controls were regrouped, with controls added and dropped. The structure of ISO / IEC
27002 differs from the structure of ISO / IEC 27001: 2013 (Annex A);
Categories & Domains / Areas: Control groups are already organized into four (4)
categories or topics, as opposed to fourteen (14) control domains / areas from version
2013. The four categories include organizational, people, physical and technological
controls.

119

THE CODE OF PRACTICE ISO 27002:2022

93 controls in ISO / IEC 27002: 2022;

11 new controls;
24 controls are a combination of 2, 3 or more controls from the 2013 version;
58 controls from the 2013 version have been reviewed and revised to better
align with the current information security and cybersecurity environment;

60
120
 THE CODE OF PRACTICE ISO 27002:2022

This code of practice may be regarded as a starting point for

developing organization ISMS. Not all of the guidance and
controls in this code of practice may be applicable. Furthermore,
additional controls not included in this document may be
required. When this happens, it may be useful to retain cross
references which will facilitate compliance checking by auditors
and business partners

121

SCOPE

The standard gives recommendations for information security

management for use by those who are responsible for initiating,
implementing or maintaining security in their organizations.
It is intended to provide a common basis for developing
organizational security standards and effective security
management practice and to provide confidence in inter-
organizational dealings.
Recommendations from this standard should be selected and
used in accordance with applicable laws and regulations.

61
122
 ISO 27002 SECTIONS

IN TEAMS DISCUSS THE SECTIONS

GIVEN TO YOU AND IDENTIFY
THE PRIORITIES WITHIN EACH.

PREPARE TO PRESENT TO THE

GROUP
6
5

8
7

123

62
124
 SECTION 07
STAGES OF ISMS DEVELOPMENT
ISO/IEC 27003
ISO/IEC 27004

Purpose of this session:

Review of the stages of ISMS
development. To understand
the basic requirements of
standard ISO/IEC 27003 and
ISO/IEC 27004

125

ISMS Development - Stages

 Evaluation of the current state of the organization

 Establish a Forum, defining the roles and the
responsibilities
 Planning the development of the ISMS – program,
schedule, deadlines, responsible persons.
 Scope of the ISMS
 Information Security Policy - purpose, basic
principles, approaches, criteria.

63
126
 ISMS Development - Stages

 Inventory list of the organization’s assets and defining

the “owner” for each asset.
 Method for Risk Assessment.
 Level of residual risk.
 Risk Assessment.
 Validation of the risk assessment results.
 Controls and a Risk Treatment Plan.

127

ISMS Development - Stages

Statement of Applicability.
ISMS effectiveness measurements- criteria for the
measurements.
ISMS documentation and implementation of the ISMS.
Implementation and monitoring of a Risk Treatment Plan.
Internal audits of the ISMS.
Business Continuity Management.
Management of incidents involving information security.

64
128
 ISMS Development - Stages

Awareness of information security issues among staff.

Monitoring the controls of the ISMS.
Collecting records.
Determining the effectiveness of the ISMS.
Management Review of the ISMS.
Certification of ISMS.

129

ISO/IEC 27004

INFORMATION TECHNOLOGY. SECURITY

TECHNIQUES. INFORMATION SECURITY
MANAGEMENT. MEASUREMENT

65
130
PROCESS OF MEASURING

131

THE MEASUREMENT RESULTS CAN BE USED:

 for evaluation of the effectiveness of individual

controls, control objectives and generally for ISMS;
 to provide input for the risk assessment;
 to show development of the ISMS regarding the
requirements;
 for reference testing or comparison of business units or
similar.

66
132
 RELEVANT STAKEHOLDERS
For each base measure must be defined and documented relevant
stakeholders who may be:
• Client of measurement: stakeholders requesting information regarding
the effectiveness of the ISMS or the controls;
• Reviewer for measurement: validates the adequacy of the developed
measurement constructs for assessing the effectiveness of the ISMS or
the controls;
• Information Owner : owns the information about an object of
measurement and attributes and is responsible for the measurement;
• Information Collector: is responsible for collecting, recording and
storing the data;
• Information Communicator: is responsible for analyzing data and
communicating measurements results;

133

MEASUREMENT CONSTRUCTS – MUST

CONTAIN AT LEAST:

• Measurement Objectives;
• Controls objectives / group of controls / ISMS processes
that must be measured;
• Object of measurement;
• Data that must be collected and used;
• Processes for collecting and analyzing of data;
• Reporting process and reporting form of the
measurement results;
• Roles and responsibilities of the stakeholders;
• Cyclic review of measurement.

67
134
 POSSIBLE RESULTS OF THE DATA MEASUREMENTS
ANALYSIS /NONCONFORMITIES/:

• Lack of control, which was decided to be implement

/implementation nonconformity/;
• The control is implemented but is not working properly /omission
in the performance/;
• The control is implemented and executed properly, but can not
counteract the current threats, because they are too strong /
inadequate Risk Assessment/;
• The Control is implemented properly, but there are some threats
that avoid it /inadequate Risk Treatment /;
• Control was not implemented properly due to omitted threats in
the Risk Assessment process /inadequate risk assessment
method/.

135

68
136
 SECTION 08
ISMS and the Legal
Compliance

Purpose of this session: Raise

the awareness of the delegates
on the principal applicable
national and international
legislation related to Information
Security and the principal
regulatory compliance auditing
methods

137

MAINTENANCE AND EVALUATION OF LEGAL

COMPLIANCE- RESPONSIBILITY OF THE ORGANIZATION

The certification/registration body is restricted to checks

and samples to establish confidence that the ISMS
functions in this regard

69
138
 ROLES

An organization with a certified/registered ISMS

guarantees continuing compliance with regulatory
requirements applicable to the information security
impacts of its activities, products and services
The certification/registration body confirms that a
system capable of achieving the required compliance
is fully implemented

139

THE CERTIFICATION/ REGISTRATION

BODY

Verifies that the organization:

⁻ has evaluated legal and regulatory compliance and

⁻ can show that action is taken in case of non-

compliance with relevant regulations

70
140
 IDENTIFICATION OF APPLICABLE LEGISLATION

The organization should explicitly define and

document the statutory, regulatory and
contractual requirements and any security

requirements applicable to the system .

141

THE ISMS SHOULD CONTAIN

 A matrix of all the compliance requirements for each process

 Documented specific controls and individual responsibilities to

meet them.

71
142
 APPLICABLE MIGHT BE

 Domestic rules: statutory and normative

requirements, secondary legislation and technical
requirements;

 Foreign legislation: international and bilateral

agreements;

 EU legislation.

143

RELEVANT LEGISLATION

needs to be interpreted in line with supporting sub-

normative acts

needs further detailisation by qualified legal advisers in

the organization

72
144
 ACTS - MAKE SURE YOU KNOW THE
APPLICABLE LEGISLATION
Access to Public Information Act /2000, last revision 2002/
Classified Information Protection Act /2002, last revision 2003/
• Governs the creation, processing, retention of classified information and
the order and conditions for securing the access to it.

• Main principle: Access to information based on “necessity to know”

Personal Data Protection Act /2002, revised 2002/
• Governs the protection of physical persons in processing personal data,

• As well as the access to personal data

145

TELECOMMUNICATIONS ACT /2003/

Purpose:
• to secure freedom and secret of telecommunications;
• To protect the interests of the users;
• To safeguard public interests and national security and
defense

73
146
 BANKING REGULATIONS

Law on Banks 81997, last revision 2003/general

framework

Bank Deposits Guarantee Act /1998, last revision 2002/

Act on Measures against Money Laundering /1998, last

revision 2003/

Act on Measures against Financing of Terrorism /2003/

147

ELECTRONIC DOCUMENT AND ELECTRONIC SIGNATURE

ACT /2001, LAST REVISION 2002/

Governs electronic document, electronic signature and the

conditions and order for verification services

74
148
 COMPLEXITY OF IS REGULATIONS

Application needs integrated approach and professional expertise to

be used
Listed examples:
• Ordinance on the general conditions to guarantee industrial security
/2003/
• Ordinance on cryptographic security of classified information /2003/
• Ordinance on the mandatory general conditions for securing
automatic information systems and nets, in which classified
information is being created, processed, retained and transferred
/2003/

149

COMPLIANCE

The organization shall implement appropriate

procedures to ensure compliance with legal restrictions
on the use of material where IPR might apply and on the
use of proprietary software products

Software is covered by the laws of copyright

Act on Copyright and the Neighboring Rights /1993, last

revision 2003/

75
150
 IMPORTANT!

Legal Requirements
• Failure to comply with legal requirements may result in a fine or
imprisonment
Conformance to ISO Standards
• Failure to comply with ISO Standard 3rd Party Certification
requirement may lead to loss of registration

• Failure to comply with ISO Standard where the requirements are

contractually binding may result in being fined by the Civil Court

151

76
152
 SECTION 09

ISO/IEC 27035
Information technology –
Security techniques –
Information security incident
management

Purpose: gives guidance on detecting,

reporting and assessing information
security incidents and vulnerabilities.

153

ISO/IEC 27035

The standard ISO/IEC 27035 replaces the technical

standard ISO/IEC TR 18044:2004.

The standard ISO/IEC 27035 supports the general

concepts specified in ISO/IEC 27001:2013, Information
technology – Security techniques – Information
security management systems – Requirements.

77
154
 ISO/IEC 27035

The new standard ISO/IEC 27035 is applicable to any

organization, irrespective of size.

It covers a range of information security incidents,

whether deliberate or accidental, and whether caused
by technical or physical means.

155

ISO/IEC 27035

By implementing the information security incident

management approach contained in the new
International Standard ISO/IEC 27035 the impact from a
wide variety of information security threats can be
significantly reduced.

The standard ISO/IEC 27035 standard provides tried and

tested advice on the processes and methods that need
to be implemented to ensure effective management of
information security incidents.

78
156
 Information security breaches

Information security breaches can compromise the

business systems of the organization and can cause
disruption to business operations.
Using an information security incident management
system enables organizations to respond in a timely
and effective way by:
o implemented controls for the prevention and
reduction of information security incidents;
o implemented procedures to manage a wide variety of
security incidents and vulnerabilities.

157

SCOPE

ISO/IEC 27035 provides an approach to:

detect, report and assess information security incidents;
respond to and manage information security incidents;
detect, assess and manage information security
vulnerabilities; and
continuously improve information security and incident
management as a result of managing information
security incidents and vulnerabilities.

79
158
 TERMS AND DEFINITIONS
information security forensics - application of investigation and
analysis techniques to capture, record and analyse information
security incidents.
information security incident response team /ISIRT/ - team of
appropriately skilled and trusted members of the organization that
handles information security incidents during their lifecycle. The
organization may temporarily attract external experts to
investigate/respond to computer incident .
information security event - identified occurrence of a system,
service or network state indicating a possible breach of
information security, policy or failure of controls, or a previously
unknown situation that may be security relevant.
information security incident - single or a series of unwanted or
unexpected information security events that have a significant
probability of compromising business operations and threatening
information security.

159

Benefits

Several benefits:
Improve overall information security;
Reduce adverse business impacts;
Strengthen the information security incident prevention, prioritization, and
evidence;
Contribute to budgetary and resource justifications;
Improve updates to information security risk assessment and management
results;
Provide enhanced information security awareness and training program material;
Provide input to your information security policy and related documentation
reviews.

80
160
 PHASES

The information security incident management

consists of five distinct phases:

>Plan and prepare;

>Detection and reporting;
>Assessment and decision;
>Responses;
>Lessons learnt.

161

PHASE 1 PLAN AND PREPARE

Information security incident management policy, and commitment

of senior management
Information security and risk management policies updated at both
corporate level and system, service and network level
Information security incident management scheme
Information security incident management scheme (ISIRT)
establishment
Technical and other support (including operations support)
Information security incident management awareness briefings and
training
Information security incident management scheme testing

81
162
 PHASE 2 DETECTION AND REPORTING

Information security event detecting and reporting.

163

PHASE 3 ASSESSMENT AND DECISION

Assessment of information security event and making a

decision whether it is an information security incident or
not.

82
164
PHASE 4 RESPONSES

Responses to information security incident, including

forensic analysis.

Recovery from information security incident.

165

PHASE 5 LESSONS LEARNT

Further forensic analysis, if required

Identification of lessons learnt
Identification of and making improvements to
information security
Identification of and making improvements to
information security risk assessment and management
review results
Identification of and making improvements to
information security incident management scheme

83
166
 ANNEXES

Annex A (informative) Cross reference table of ISO/IEC 27001 vs ISO/IEC 27035

Annex B (informative) Examples of information security incidents and their

causes

Annex C (informative) Example approaches to the categorization and

classification of information security events and incidents

Annex D (informative) Example information security event, incident and

vulnerability reports and forms

Annex E (informative) Legal and regulatory aspects

167

84
168
 SECTION 10
Accreditation, Certification
and Types of Audits

To define accreditation and

certification and the parties
involved; to distinguish
between the various types
of audits

169

THE STANDARDS

International
Organization …Provides National
for Standards Standardization
Standardization Globally Bodies
(ISO)

85
170
 ACCREDITATION

Provided by accreditation bodies

Competence recognized by an authorized (national) accreditation body

171

ACCREDITATION

International Accreditation Forum (IAF)

MULTILATERAL AGREEMENTS (MLA)

COFRAC ANAB JAB UKAS

(France) (USA) (Japan) (UK)

86
172
 ACCREDITATION

European Cooperation for Accreditation

Oversight and control over the accreditation activities in the European Union

173

ACCREDITATION

National Accreditation
Body

Certification Bodies

INTK INTK INTK

87
174
 ACCREDITATION SCHEME

Government

National Accreditation Body

Accredits
Certification bodies
Laboratories
Certifies
Various Organizations

175

BENEFITS OF ACCREDITATION

Competence of CB recognized and confirmed

Complaints management

88
176
 BENEFITS OF CERTIFICATION

Provides confidence in clients and partners that the management system is compliant with the
respective standard

Opportunities for improvement identified

Other (please use the flipchart and list at least 3 benefits)

177

AUDITOR REGISTRATION SCHEME

The Chartered Quality Institute

& International Register of
Certificated Auditors
Lead Auditor/ Auditor Principal/Lead
and Internal Auditor Auditor Auditor
Training Registration
Organisations

Internal Auditor
Registration

*Find more on https://www.quality.org/

89
178
 TYPES OF AUDITS

According to the parties involved:

1st Party • Internal audits

• Customer audit of a supplier or a

2nd Party potential supplier

• Audit by an independent third

3rd Party party

179

SCOPE OF 19011 AND ITS RELATIONSHIP WITH ISO/IEC 17021

ISO 19011 concentrates on internal audits (first party) and audits conducted by
organizations on their external providers and other external interested parties
(second party). ISO 19011 can also be useful for external audits conducted for
purposes other than third party management system certification. ISO/IEC 17021-1
provides requirements for auditing management systems for third party certification;
ISO 19011 can provide useful additional guidance

1st party audit 2nd party audit 3rd party audit

Internal audit External provider audit Certification and/or

accreditation audit

Other external interested party Statutory, regulatory and

audit similar audit

90
180
 THIRD PARTY AUDITS ACCORDING TO 17021-1:2015

Audit carried out by an auditing organization independent of the client and the user, for the purpose of
certifying the client's management system

NOTE 1 - In the definitions which follow, the term “audit” has been used for simplicity to refer to third-
party certification audit.

NOTE 2 - Third-party certification audits include initial, surveillance, re-certification audits, and can also
include special audits.

181

THIRD PARTY AUDITOR

NOTE 3 - Third-party certification audits are typically conducted by audit teams of those bodies
providing certification of conformity to the requirements of management system standards.

NOTE 4 - A joint audit is when two or more auditing organizations cooperate to audit a single client.

NOTE 5 - A combined audit is when a client is being audited against the requirements of two or more
management systems standards together.

NOTE 6 - An integrated audit is when a client has integrated the application of requirements of two or
more management systems standards into a single management system and is being audited against
more than one standard.

91
182
 DISCUSSION

1. Explain the differences between First, Second and Third Party Audits.
2. Give the example of each party

183

ASSESSMENT PARTIES

CUSTOMER

Second Party

ORGANIZATION
Third Party
(First Party)

Second Party INDEPENDENT

(First Party)
SUPPLIER
(First Party) Third Party

92
184
 OTHER TYPES OF AUDITS

According to Objectives and Methods:

Document • To determine the extent to which the

Review documentation complies with the requirements

Complianc • To determine that the system is being

e Audit implemented in compliance with the requirements

Surveillance • To determine whether the system continues to

meet the specified requirements

185

APPLICABLE AUDIT METHODS

Extent of involvement Location of the auditor

between the auditor
On-site Remote
and the auditee
Conducting interviews. Via interactive communication means:
Completing checklists and questionnaires — conducting interviews;
with auditee participation. — observing work performed with remote
Human interaction Conducting document review with auditee guide;
participation. — completing checklists and
Sampling. questionnaires;
— conducting document review with
auditee participation.
Conducting document review (e.g. records, Conducting document review (e.g. records,
data analysis). data analysis).
Observation of work performed. Observing work performed via surveillance
No human interaction Conducting on-site visit. means, considering social and legal
Completing checklists. requirements.
Sampling (e.g. products). Analysing data.

On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place
other than the location of the auditee, regardless of the distance.
Interactive audit activities involve interaction between the auditee’s personnel and the audit team. Non-interactive audit
activities involve no human interaction with persons representing the auditee but do involve interaction with equipment,
facilities and documentation.

93
186
 EXERCISE

Team Work (15 minutes)

The tutor will prepare a white board with the following methods of audit:

- On site Audit with human interaction

- On site Audit without human interaction
- Remote audit with human interaction
- Remote audit without human interaction

Each team need to choose one of the items and present the benefits of it.

The team with the longest list wins!

187

94
188
 SECTION 11

Audit Process &

Planning

Purpose of this section

To be able to define audit
stages, roles and
responsibilities
To develop lead auditor skills
through accurate and
detailed planning

189

MAIN DOCUMENTS TO BE CONSIDERED

• ISO 17021-1: 2015 - Third Party Audit Requirements

• ISO/IEC 27006:2015/ AMD 1:2020
• ISO 19011: 2018 - Auditing Guidelines
• Requirements of the management system standard

95
190
 ISO 19011: 2018 GUIDELINES FOR MANAGEMENT
SYSTEMS AUDITING

• ISO 19011 (does not state requirements) provides guidance:

• on the management of an audit programme,
• on the planning and conducting of an audit of the management system,
• on the competence and evaluation of an auditor and an audit team.

NB: The new version covers all disciplines whereas the previous version covered only quality and
environmental

191

THE PURPOSE OF ISO/IEC 17021

• This International Standard specifies requirements for certification bodies.

• Aims to ensure that certification bodies operate management system certification in a competent,
consistent and impartial manner.
• This International Standard serves as a foundation for facilitating the recognition of management
system certification in the interests of international trade.

96
192
 RELATIONSHIP BETWEEN ISO/IEC 19011:2018 AND ISO/IEC 17021:2015
ISO 19011 concentrates on internal audits (first party) and audits
conducted by organizations on their external providers and other
external interested parties (second party). ISO 19011 can also be
useful for external audits conducted for purposes other than third
party management system certification. ISO/IEC 17021-1 provides
requirements for auditing management systems for third party
certification; ISO 19011 can provide useful additional guidance
1st party audit 2nd party audit 3rd party audit
Internal audit External provider audit Certification and/or
accreditation audit

Other external Statutory, regulatory and

interested party audit similar audit

193

AUDIT STAGES

• Pre-audit activities
Planning
• Audit Planning

Implementation
• On-site audit – Stage 1
and Stage 2 activities

Reporting and • Reporting

Follow Up • Follow up

97
194
 PLANNING: PRE-AUDIT ACTIVITIES

• Application
• Application review
• Audit Programme
• Determining audit time
• Multi-site sampling
• Multiple management systems standards

195

APPLICATION

Applicant organization to provide the necessary information to enable it to establish

the following
Scope
Name, address
Processes and operations
Relevant legal obligations

Insert Footer
196
Here

98
196
 AUDIT PROGRAMME ISO 19011:2018

All audits in a given audit cycle

Extent of an audit programme should be based on the size and nature of the auditee, as well as on
the nature, functionality, complexity, the type of risks and opportunities, and the level of maturity of
the management system(s) to be audited.

When planning the audit programme, Risk-based approach must be considered

Also the following shall be considered:

• Status and importance of processes
• Major changes
• Previously established non-conformities

197

AUDIT PROGRAMME
ISO 19011

99
198
 AUDIT PROGRAMME ISO 17021-1:2015

The Audit Programme shall include a two-stage initial audit, surveillance audits in the first and second
years, and a recertification audit in the third year prior to expiration of certification. The three-year
certification cycle begins with the certification or recertification decision.

The determination of the audit programme and any subsequent adjustments shall consider the size of
the client, the scope and complexity of its management system, products and processes as well as
demonstrated level of management system effectiveness and the results of any previous audits.

199

DETERMINING AUDIT TIME

Consideration should be given to:

a) the requirements of the relevant management system standard;
b) complexity of the client and its management system;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the management system;
e) the results of any prior audits;
f) size and number of sites, their geographical locations and multi-site considerations;
g) the risks associated with the products, processes or activities of the organization;
h) whether audits are combined, joint or integrated

Insert Footer
200
Here

100
200
 DETERMINING AUDIT DURATION

• The “IAF Mandatory document for Duration of QMS and EMS Audits/2015” provides:
• guidance and methodology for calculating audit duration
• It’s applicable for any type of audit
• The Audit duration depends of 2 parameters
• Men in the scope of the management system
• Complexity of the processes
• Usually the certification body has methodology developed upon the above IAF’s document

201

MULTI-SITE SAMPLING

Where multi-site sampling is used for the audit of a client’s management system covering the same
activity in various geographical locations, a sampling programme to ensure proper audit of the
management system.
Where there are multiple sites not covering the same activity sampling is not appropriate

Multiple management systems standards

When certification to multiple management system standards is being provided by the certification
body, the planning for the audit shall ensure adequate on-site auditing to provide confidence in the
certification.

Insert Footer
202
Here

101
202
 PLANNING THE AUDIT: AUDITS OBJECTIVES, SCOPE AND CRITERIA ISO 17021

Audit Objective
Shall be determined by the certification body. The audit scope and criteria, including any changes, shall
be established by the certification body after discussion with the client.

Audit Scope
Shall describe the extent and boundaries of the audit, such as sites, organizational units, activities and
processes to be audited. Where the initial or re-certification process consists of more than one audit
(e.g. covering different sites), the scope of an individual audit may not cover the full certification scope,
but the totality of audits shall be consistent with the scope in the certification document

Audit criteria
• the requirements of a defined normative document on management systems
• the defined processes and documentation of the management system developed by the client.

203

AUDITS OBJECTIVES, SCOPE AND CRITERIA - ISO/IEC 19011

Audit objectives:
Define what is to be accomplished by the individual audit

Audit criteria
Used as a reference against which conformity is determined and may include:
• Applicable policies,
• Procedures,
• Standards,
• Work instructions
• Legal requirements,
• Management system requirements,

102
204
 COMPETENCY OF AUDIT TEAM

• Generic knowledge and skills of management system auditors

• Audit principles, procedures and methods - to apply the appropriate principles, procedures and
methods to different audits, and to ensure that audits are conducted in a consistent and systematic
manner
• Management system and reference documents - to comprehend the audit scope and apply audit
criteria
• Organizational context - to comprehend the auditee’s structure, business and management
practices
• Applicable legal and contractual requirements and other requirements that apply to the auditee -
to be aware of, and work within, the organization’s legal and contractual requirements.

205

PLANNING: AUDIT PLAN

The audit plan shall be appropriate to the objectives and the scope of the audit and include or refer to
the following
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional units or processes
to be audited;
d) the dates and sites where the on-site audit activities will be conducted, including visits to temporary
sites and remote auditing activities, where appropriate;
e) the expected duration of on-site audit activities;
f) the roles and responsibilities of the audit team members and accompanying persons, such as
observers or interpreters.

Insert Footer
206
Here

103
206
 STAGE 1 AUDIT

Stage 1
Purpose – to confirm that company’s ISMS policy, manual and procedures meet the minimum
requirements of the standard.

Activities
• To audit the auditee’s ISMS documentation
• To evaluate physical locations and site-specific conditions and to determine the preparedness for the stage 2
audit
• To review the auditee status and understanding according to standard’s requirements
• To collect necessary information, including statutory, legal and regulatory requirements
• To evaluate internal audits
• To prepare for Stage 2

It is recommended to conduct part of Stage 1 audit at auditee premises

207

STAGE 1 AUDIT - OUTPUT

• Audit schedule “the Stage 2” plan

• Verified ‘Scope’ statement
• Verified resources
• Verified ISMS documentation (Manual, Procedures)
• State of Management ‘Readiness’
• Findings of Evaluation

104
208
 STAGE 2 AUDIT

Purpose of the stage 2

To evaluate the implementation, including effectiveness, of the client's management system.
The stage 2 audit shall take place at the site(s) of the client.
It shall include:
• information and evidence about conformity to all requirements of ISO 27001 standard or other
normative document; performance monitoring, measuring, reporting and reviewing against key
performance objectives and targets;
• the client's management system and performance as regards legal compliance; operational control
of the client's processes;
• internal auditing and management review;
• management responsibility, etc.

209

INITIAL CERTIFICATION AUDIT CONCLUSIONS

The audit team shall analyze all information and audit evidence gathered during the stage 1 and stage 2
audits to review the audit findings and agree on the audit conclusions.

The audit team shall provide to CB the information necessary for certification decision: the audit
reports; comments on non-conformities; correction and corrective actions taken by clients;
recommendations whether or not to grant certification.

105
210
 SURVEILLANCE

Surveillance activities
Representative areas and functions in the scope of ISMS shall be monitored at planned periods, taking
into account changes at the client or the ISMS

Surveillance audits
On-site audit, not necessarily the full ISMS audits
Shall be planned together with other surveillance activities in order to keep CB confident that the
certified ISMS fulfils ISO 27001:2013 requirements

211

RECERTIFICATION

The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the
ISMS as a whole, and its continued relevance and applicability for the scope of certification

It is a full ISMS audit; The recertification audit shall include an on-site audit information for granting
recertification

The certification body shall make decisions on renewing certification based on the results of the
recertification audit, as well as the results of the review of the system over the period of certification
and complaints received from users of certification

106
212
 ON-SITE AUDIT ACTIVITIES

• Preparing working documents

• Conducting opening meeting
• Communication
• Role of the Guides
• Collection of objective evidence
• Audit conclusion and recommendations
• Conducting closing meeting
• Follow up

213

PROCESS APPROACH TO AUDITING

Any activity that receives inputs and converts them to outputs

Inputs PROCESS Outputs

A process may therefore cover all the

activities of a company

107
214
 THE TURTLE DIAGRAM PROCESS PLAN

Objective:

Owner: Personnel
Resources

Materials and
Outputs
Equipment

COP?

Performance
Inputs
Measures

Process
Support
Procedures

215

REPORTING & FOLLOW UP

Reporting
• Prepare the audit report
• Approve and distribute the audit report

Follow up
• Check the effectiveness of corrective actions implemented
• Plan for next audit
• Compile the audit file

108
216
 FIRST AND SECOND PARTY AUDITS

The management of 1st and 2nd party Audit planning and execution should call upon the skills and
techniques identified in the previous slides.

217

OTHER TYPES OF AUDITS…

Combined audits - the same organization has developed two or more types of management systems
(quality, ISMS, EnMS) – the audits of all are planned at the same time – which would allow for the joint
assessment of some system elements and more efficient use of audit time.

109
218
 OTHER TYPES OF AUDITS…

Integrated audits – audits of an integrated management system that complies with more than one
management system standard. Level of possible reduction of audit time depends on:

• Level of integration of the systems

• Competence of the staff of the organization
• Competence of the audit team

219

110
220
 Case Study 5:
Risk Assessment

(90 Mins)

221

Case Study 6:
Risk Assessment

(90 Mins)

111
222
 SECTION 12
Checklists

Purpose of this session:

To acquire pre-auditing skills
for producing and using
checklists

223

CHECKLISTS

• Used by the auditor as an Aide Memoir and an audit trace record

• Are compiled from the results of a detailed study of the process descriptions, procedures and the
standard

• Used to ensure that all elements and relevant requirements contained in the standard are covered
and nothing is omitted

112
224
 CHECKLISTS

• Used to reference each question to the relevant clauses of the standard

• Are an invaluable aid when writing the audit report.

• Space should be left on the checklist so that answers to the questions can be noted for later use.

225

SAMPLING

• Considerations • Previous Problems

• Scope • Important Aspects
• Duration of Audit • Sample size and its significance
• Requirements of the standard • Corporate Issues
• Level of potential risk

Sampling Benefits – more efficient use of time

Sampling Limitations – not all items are checked

113
226
 SAMPLE CHECKLIST

Standard: Type of Audit:

Client: Auditor: Date:
Requirements OK CAR Obs N/A Objective Evidence

227

114
228
 SECTION 13

OPENING MEETING

Purpose of this session:

To be able to list and structure an opening meeting

agenda.

229

THE OPENING MEETING

Punctuality is important! Arrive on time

The meeting should be brief and to the point

115
230
 THE OPENING MEETING

• introduce the audit team

• confirm the objective, scope and criteria
• confirmation of the audit plan (including type and scope of audit, objectives and criteria), any
changes, and other relevant arrangements with the client, such as the date and time for the closing
meeting, interim meetings between the audit team and the client’s management
• confirmation of formal communication channels between the audit team and the client
• confirmation that the resources and facilities needed by the audit team are available
• confirmation of matters relating to confidentiality

231

THE OPENING MEETING

• confirmation of relevant work safety, emergency and security procedures for the audit team
• confirmation of the availability, roles and identities of any guides and observers
• the method of reporting, including any grading of audit findings;
• information about the conditions under which the audit may be prematurely terminated
• confirmation of the status of findings of the previous review or audit, if applicable
• methods and procedures to be used to conduct the audit based on sampling
• opportunity for the client to ask questions

Insert Footer
232
Here

116
232
233

Case Study 7:
Risk Assessment

(90 Mins)

117
234
 SECTION 14

CONDUCTING AUDITS:
AUDIT TECHNIQUES
Purpose of this session:
To be able to list and use the words necessary to locate
objective evidence within an auditor’s code of conduct.
To be able to list and explain vertical, horizontal, forward
and backwards auditing trails. To recognize and handle
auditee delaying techniques.
To describe the roles and responsibilities of the auditors,
lead auditors and auditees

235

PRINCIPLES OF AUDITING

Integrity: the foundation of professionalism

Fair presentation: the obligation to report truthfully and accurately

Due professional care: the application of diligence and judgement in auditing

Confidentiality: security of information

Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions

Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions
in a systematic audit process

118
236
 PRINCIPLES OF AUDITING

Risk-based approach: an audit approach that considers risks and opportunities

The risk-based approach should substantively influence the planning, conducting and reporting of audits
in order to ensure that audits are focused on matters that are significant for the audit client, and for
achieving the audit programme objectives.

237

AUDITOR CHARACTERISTICS

The personal attributes an auditor needs to develop :

• Ethical • Versatile
• Open minded • Tenacious
• Diplomatic • Decisive
• Observant • Self-reliant
• Perceptive

119
238
 ROLES, RESPONSIBILITIES, COMPETENCE REQUIREMENTS

• LEAD AUDITORS

• AUDITORS

• TECHNICAL EXPERTS

• AUDITEES

239

LEAD AUDITOR RESPONSIBILITIES

• A person qualified and authorised to manage a system Audit.

• Plan the Audit and organise a team to conduct the audit – contact the clients, agrees dates, prepare
audit/working documents
• Manage all aspects of the Audit ‘on site’ – opening meeting, team meeting, examine documents,
observes activities, check documented information's, etc…
• Report the audit - surmises any findings and positive points, writes and issues a summary report
• Close the audit - Considers the corrective action proposals and evidence submitted by the auditee.
Judges adequacy of root cause analysis. Accept or rejects these

120
240
 AUDITOR RESPONSIBILITIES

• A person qualified and authorised to perform all, or a portion of, an audit.

• To audit allocated areas/ activities and report findings to the Lead Auditor.
• Be aware of the needs and expectation of the Auditee.
• Consider local culture and customs.

241

AUDITEE’S RESPONSIBILITIES

• Co-operate with the Auditor in the planning and conducting of the Audit.
• Provide access for the Audit team.
• Provides guides.
• Attend the opening and closing meetings.
• Address and implement corrective action.

121
242
 OBSERVER AND TECHNICAL EXPERT

Observers
The presence and justification of observers during an audit activity shall be agreed to by the certification
body and client prior to the conduct of the audit. The audit team shall ensure that observers do not
unduly influence or interfere in the audit process or outcome of the audit.
Technical experts
The role of technical experts during an audit activity shall be agreed to by the certification body and
client prior to the conduct of the audit. A technical expert shall not act as an auditor in the audit team.
The technical experts shall be accompanied by an auditor.

Insert Footer
243
Here

243

GUIDES

The responsibilities of a guide can include:

a) establishing contacts and timing for interviews;
b) arranging visits to specific parts of the site or organization;
c) ensuring that rules concerning site safety and security procedures are known and respected by the
audit team members;
d) witnessing the audit on behalf of the client;
e) providing clarification or information as requested by an auditor.

Where appropriate, the auditee can also act as the guide.

Insert Footer
244
Here

122
244
 AUDIT TECHNIQUES

• Interview
• Observation of processes and activities
• Review of documentation and records
• Review of documented information
• Examine Objective Evidence
• Observe Activities
• Listen to Reactions
• Record Findings

245

TYPICAL PROCESS OF COLLECTING AND VERIFYING INFORMATION

Insert Footer Here 246

123
246
 DEALING WITH PROBLEMS

Auditors may not always receive full co-operation from the Auditee, it is therefore important to
recognise when such situations are occurring and take appropriate action.

Such instances may include:

• Avoid answering questions;

• Going missing;
• Delaying the Audit;
• Constant interruptions, etc.

247

THE AUDITORS SIX FRIENDS

When asking questions…..

• Who ?
• What ?
• Where ?
• When ?
• Why ?
• How ?

• and the seventh ….. Ok Show Me ?

124
248
 QUESTION TECHNIQUE

YES / NO Questions
• Often elicit dead end answers - you gain nothing –
• Only useful as a leader question.

How - What - Why - When - Where - Who ?

• Direct questions - will achieve more detailed
• answers.

Explanation Questions
• Useful for comparing interfaces.

249

QUESTIONING TECHNIQUES IN AUDIT INTERVIEW (BEST PRACTICES)

Through Questioning, auditors have to zero down the conversations in a
FRIENDLY MANNER, to witness / verify evidences to reach an audit
conclusion on degree of compliances
Qs. Type Sample Expected Answer Cautions during asking

Open Qs. What is the system you This is a lab where we quality Auditee may go into
maintain here? testing & calibrate measuring defensive mode –
instruments mainly with closed
questions
Probing Which acceptance criteria Every product have different
Qs. you use for quality standards which are acceptance
inspections ? criteria for quality

Closed Could you please show

me some records to NOW AUDITEE HAS TO SHOW THE EVIDENCE
evidence the same

125
250
 COMMUNICATIONS IN AUDITS – BODY LANGUAGE (BEST PRACTICES)

Friendly Body Language Non Friendly

Smiling Facial Tight Lipped
Relaxed Mouth Grim Smile
Alert Raised Eyebrows
Ready to Listen Jaw Muscles Clenched
Pupils Dilated Eyes Looking Down Nose
Good Contact Lack of Contact
Wide Open Narrowed
Straight Head Bowed
Mildly Nodding Shaking
Open Body Position Crossed Arms
Erect Legs Crossed Away
Leaning Forward Cold Shoulder
Open Hands Hand Gestures Tapping Fingers
Touching Closed Hands
Hand to Chest Finger Wagging

251

QUESTIONING TECHNIQUES

Keep conversation going

Repeat last word or phrase - say something nice
Avoid double questions (2 questions in 1)
Only one answer is likely to result

126
252
 QUESTION TECHNIQUE

HOW DO YOU MAKE HOW DO YOU KNOW IT

IT HAPPEN IS RIGHT

WHAT ARE YOU TRYING

TO DO

HOW DO YOU KNOW IT IS

HOW DO YOU KNOW IT IS
THE BEST WAY TO
THE RIGHT THING
DO IT
TO DO

253

QUESTIONING TECHNIQUES

• Keep conversation going

• Repeat last word or phrase - say something nice
• Avoid double questions (2 questions in 1)
• Only one answer is likely to result

127
254
 OBJECTIVE EVIDENCE

Try to establish:

• That authorised documents are in use

• Records exist and are managed
• That good housekeeping is practised
• That facilities are adequate
• That supervision is adequate

255

OBJECTIVE EVIDENCE

That orderly records are kept

That staff are adequately trained
Well prepared checklists will assist when answering these questions

128
256
 FINDING THE ROOT CAUSE

Investigate Nonconformity

Establishing the root cause

Recording the results

257

EVIDENCES IN AUDITS – SAMPLES IN AUDIT TRIAL

Process > Set of interacting activities which transforms inputs and outputs

129
258
 AUDIT TECHNIQUES

1. Horizontal Audit
When conducting Audits it is common practice to plan to cover department by department with the
scope of the Audit. Such Audits are effective at examining each department against their own quality
procedure for which they have direct responsibility. However, such Audits fail to address departmental
interface.
2. Vertical or Project
Such Audits follow a project trail through a company, e.g. through design, purchasing, production,
test and dispatch. But in completing the trail will ensure that departmental interfaces are functioning
adequately.

259

AUDIT TECHNIQUES

DEVELOPMENT Horizontal
Vertical

PURCHASING Horizontal
PRODUCTION Horizontal
TRAINING Horizontal
The processes cross through departments and functions, this is why the vertical audit tests the
interdependency between process

Audits follow a department cross points

130
260
 AUDIT TECHNIQUES

Forward Trace - An audit which follows the natural flow of a product or service process

Backward Trace - An audit which traces records back through the system

261

CONDUCTING THE AUDIT

• The auditors audit the area assigned to them in the audit plan.
• Sample the system.
• Collect objective evidence of system effectiveness.
• Compare findings from checklist with requirements.
• Decide compliance or noncompliance.
• Audit team daily meeting [or more frequently].

131
262
 CONDUCTING THE AUDIT

• Decide on system effectiveness.

• Agree and categorise non-conformities.
• Hold a meeting daily with auditee’s representatives, and at the end of the audit, prior to the closing
meeting.
• Prepare summary report with conclusions and indicate recommendations.

263

THE AUDIT

Remember the auditor is attempting to prove the system compliance

• ESTABLISHING THE FACTS
• AND FINDING THE PROOF
• THE AIM IS NOT TO SET OUT TO FAIL THE SYSTEM!

132
264
 OBSERVATIONS

Observations may be obtained through any of the following methods:

• Seeking objective evidence that the

• system is functioning as prescribed.

• Samples taken of the system will allow the

• auditor to obtain the required evidence.

265

OBSERVATIONS

Always establish objective evidence when an apparent nonconformity is found, remember the
occurrence discovered may be the effect and not the cause.

Where processes are involved the audit may examine the process controls and records to establish
conformance with the specification.

Both positive and negative observations are recorded.

133
266
267

SECTION 15
CONDUCTING AUDIT:
RAISING NON-
CONFORMITIES

Purpose of this section:

To establish the ground rules for writing and agreeing
NCR’s
To understand the possible differences between NCR’s
raised during 1st, 2nd & 3rd Party audits
To clarify categorisation/ grading of non-conformity
reports
To examine when observations should be used

134
268
 IDENTIFYING AND RECORDING AUDIT FINDINGS

Audit findings summarizing conformity and detailing nonconformity shall be identified,

classified recorded to enable an informed certification decision to be made or the
certification to be maintained.

Opportunities for improvement may be identified and recorded. Audit findings,

however, which are nonconformities, shall not be recorded as opportunities for
improvement

Insert Footer
269
Here

269

AUDIT FINDINGS ISO 19011

When determining audit findings, the following should be considered

a) follow-up of previous audit records and conclusions;
b) requirements of the audit client;
c) accuracy, sufficiency and appropriateness of objective evidence to support audit findings;
d) extent to which planned audit activities are realized and planned results achieved;
e) findings exceeding normal practice, or opportunities for improvement;
f) sample size;
g) categorization (if any) of the audit findings

Insert Footer
270
Here

135
270
 RECORDING CONFORMITIES

For records of conformity, the following should be considered:

a) description of or reference to audit criteria against which conformity is shown;
b) audit evidence to support conformity and effectiveness, if applicable;
c) declaration of conformity, if applicable.

Insert Footer
271
Here

271

RECORDING NONCONFORMITIES

For records of nonconformity, the following should be considered:

a) description of or reference to audit criteria;
b) audit evidence;
c) declaration of nonconformity;
d) related audit findings, if applicable

Insert Footer
272
Here

136
272
 NONCONFORMITY REPORTING

What is the Problem?

• describe clearly, concisely and factually

Why is it a noncompliance?
• i.e. against what requirement

Where did it occur?

• i.e. which department or activity

Who? - avoid apportioning blame

• (i.e. naming individuals)

273

NONCONFORMITY REPORT

• Used to report nonconformity audit findings

• Must be factual
• Must be understandable and traceable
• Raise formal notification of any issues at the time of finding
• Allow the auditee to implement corrective action prior to the closing meeting
• The auditee is requested to sign signifying an understanding and acceptance of the non-compliance

137
274
 WORDING OF NCR’S

It is important when preparing NCR’s to take care and ensure it is justified.

Failure to achieve clear factual information will invite challenge of the findings at the closing meeting.

This will be particularly important in areas where the emphasis is placed on the following
• Management Commitment
• Competence
• Communication
• Continual improvement

275

OBSERVATIONS

Notes made by an auditor during assessment may lead to non-compliances being raised or to provide
information for the audit report

Notes provide Objective Evidence back up

138
276
 CATEGORISING NON-CONFORMITIES

Major

A single major system, product, or service nonconformity

• A lack of documented information needed to satisfy an agreed requirement
• Non-implementation of documented information and arrangements
• A series of minor non-conformities in a particular area or activity which collectively have an adverse
effect on the system

Minor

There is a defined system, documented information and arrangements which satisfy agreed
requirements against which the organisation being assessed can demonstrate an acceptable level on
implementation overall, but there are minor discrepancies or lapses in discipline.

277

REVIEWING CORRECTIVE ACTIONS

• To ensure actions corrective actions requested are being implemented by

auditee.
• The agreed timescales are achieved.
• Corrective actions are effective.

139
278
 REVIEWING CORRECTIVE ACTIONS

― Corrective Action implementation can be verified off-site

based on documentary evidence provided.

― Follow-up visits may be as necessary to verify actions have

been take and were effective.

― Non-conformities should be closed out at each visit or further

corrective actions agreed.

279

CORRECTIVE ACTION RESPONSIBILITIES

Nonconformity

Raise NCR Sign Report at Closing

Categorise
Agreement Meeting

Auditor

Auditee Lead Auditor Auditor

Propose C/A Accept/Reject Proposed C/A Implement C/A

Auditee Auditor Auditee

Monitor Complete Action Taken Review Action Reject Action Taken or

Effective Action Section Taken Close NCR

Auditee Auditee Auditor Auditor

140
280
281

SECTION 16
CONDUCTING AUDITS:
AUDIT REPORTING AND
CLOSING MEETING
Purpose of this section:
To be able to list and present closing meeting
agenda points
To be able to list the contents of an audit report

141
282
 AUDIT REPORTING

Content:
a) identification of the certification body;
b) the name and address of the client and the client’s representative;
c) the type of audit (e.g. initial, surveillance or recertification audit or special audits);
d) the audit criteria;
e) the audit objectives;
f) the audit scope
g) any deviation from the audit plan and their reasons
h) any significant issues impacting on the audit programme

283

AUDIT REPORTING

i) identification of the audit team leader, audit team members and any accompanying persons;
j) the dates and places where the audit activities were conducted
k) audit findings
l) significant changes
m) any unresolved issues, if identified
n) where applicable, whether the audit is combined, joint or integrated
o) statement that auditing is based on a sampling process of the available information;
p) recommendation from the audit team
q) use of the certification documents and marks, if applicable
r) verification of effectiveness of taken corrective actions regarding previously identified
nonconformities, if applicable

Insert Footer
284
Here

142
284
 AUDIT REPORTING CONCLUSIONS

Audit report shall contain the following conclusions:

• a statement on the conformity and the effectiveness of the management system together with a
summary of the evidence relating to
- the capability of the management system to meet applicable requirements and expected outcomes
- the internal audit and management review process

• a conclusion on the appropriateness of the certification scope

• confirmation that the audit objectives have been fulfilled

Insert Footer
285
Here

285

AUDIT FILE

• Audit plan
• Audit report
• Open/closing meeting attendance list
• Copies of non-conformity reports and objective evidence provided
• Assignment of the audit teams
• Confidentiality statements of the audit team

143
286
 PURPOSE OF CLOSING MEETING

Advise auditee of findings and conclusions reached based on the audit findings

Advise on the recommendation to be made

• ACCEPTABLE
• UNACCEPTABLE

287

CLOSING MEETING

The closing meeting shall also include the following elements:

• advising the client that the audit evidence obtained was based on a sample of the information;
thereby introducing an element of uncertainty
• the method and timeframe of reporting, including any grading of audit findings
• the certification body’s process for handling nonconformities including any consequences relating
• to the status of the client’s certification
• the timeframe for the client to present a plan for correction and corrective action for any
• nonconformities identified during the audit
• the certification body’s post audit activities
• information about the complaint and appeal handling processes
• Opportunities for questions

144
288
289

145