When preparing for your external ISO assessment audit, from your chosen certification body, it’s important to ensure that you can evidence you have met all the requirements of the particular standard.
Any gaps or weakness may result in a non-conformance or opportunity for improvement (OFI) being raised, which can delay your certification.
However there is some debate among clients, ISO consultants & even certification auditors about whether you NEED to complete a FULL internal audit before the Stage 2 external audit in order to be compliant.
Demonstrating Internal Audit Compliance
All Annex SL (L) based management system standards, including ISO 9001, ISO 14001, ISO 45001, ISO 27001 & Others, have a requirement in clause 9 to ‘conduct internal audits at planned intervals’ and ‘retain documented information’ of those audits.
However, this only relates to the management system framework in the ‘scope’ of the document. It does not relate to how certification audits are conducted.
So, to be compliant with the standard we must meet the internal audit requirements in the clause.
ISO Certification Body Rules
Certification bodies operate to a number of their own standards and rules, including ISO 17021-1, which relates to how they audit management system standards.
Under the stage 1 objectives, ISO 17021-1 says the certification body should
evaluate if the internal audits and management reviews are being planned and performed and that the level of implementation of the management system substantiates that the client is ready for stage 2.
However for stage 2 it only says that the audit shall include the auditing of internal auditing.
It is not clear if the full system must be internally audited for stage 2.
ISO 27001, Annex A
While many management system standards contain only the high level clauses 4-10; ISO 27001 in particular is unique in having an additional Annex of 114 controls and control objectives.
Adding these 114 controls into an internal audit programme significantly increases the time and effort required to complete a full audit of the management system.
For this reason there is an additional standard to address the auditing of ISO 27001, called ISO 27006.
Internal Audit Planning
Given that UKAS Accredited ISO Certificates are run on a 3-year cycle, it’s understandable that some may opt to only internally audit a sample of these controls before stage 2, and complete the rest over a longer period, for example 3 years.
However this causes some concerns, not least because it creates an environment where a control may not be objectively audited for 3-years before it is found to be ineffective, thus exposing the organisation to an unrecognised risk.
Of course all auditing is sample based and should not be relied on as a definitive indication of the suitability of a management system, but the more audits your conduct, the better tested the system is.
Assent’s Internal Audit Approach
Our approach at Assent is to always conduct a complete internal audit before the stage 2 external audit.
The purpose of an internal audit is to take an impartial view of your management system and therefore it makes perfect sense to test the entire system including any annexes, before the certification body’s audit.
This approach helps to reduce the risk of a nonconformance or opportunity to improve (off) being raised by the certification auditor and your certification being delayed.
We also advise clients to be mindful of the fact that the booked auditor can sometimes be changed and not all auditors take the same approach. A through internal audit leaves no room for arguments.
Sometimes project timeframes can be challenging, or other disruptions occur in the business which cause the internal audit programme to be delayed past the scheduled date.
At the initial project stage we would try to identify this before the stage 2 audit occurs, and take action to realign the project plan in order to complete a full internal audit of the system wherever possible. Where-as if internal audit delays occur within an established system there may be more flexibility.
If it is not possible to maintain the intended audit schedule, we would take a risk-based approach, auditing the clauses and controls which are most critical to the business first, while completing the remainder as soon as possible.
While the need to complete a full internal audit before your stage 2 certification body assessment may be debatable, the value an organisation gets from a comprehensive internal audit can not be overstated.
Therefore our team will plan to conduct full internal audits as soon as the management system has been established.
Assent risk Management can help you through every step of your ISO Certification process, talk to our team today.