Squeezing more value from certification audits
Finding weaknesses/concerns and improvement opportunities in the organisation's information risk, security and related arrangements is a valid and potentially valuable outcome of an ISO/IEC 27001 certification audit. Arguably, however, that is what the management reviews and internal audits are supposed to achieve.

Certification auditing is primarily intended to provide assurance for the organisation and third parties that the organisation has correctly interpreted and implemented the standard: that is its specific key objective.

One way to resolve this conundrum is for certification auditors to distinguish:
  1. "Major nonconformities" - demonstrable and substantial failures to fulfil any of the mandatory requirements of 27001; from

  2. "Minor nonconformities" - insubstantial failures and/or failures against the discretionary requirements of 27001; and 

  3. "Observations" - anything else noted in the audit that the auditor believes is worth bringing to management's attention.
Of those three, only majors are grounds for refusing to issue the certificate.

The rating/categorisation of audit findings is therefore critical and may be worth challenging during the audit clearance/acceptance - an important phase in the audit process where findings are considered and management decisions are made about:
  • Addressing the findings; 
  • Planning, prioritising and resourcing the resolutions; and 
  • Moving forward - not just changing for change's sake or 'because the auditor insists' but materially improving the organisation in some way, increasing its chances of achieving its business objectives.
Every major should:
  1. Explicitly identify the mandatory requirements that are not met, normally by specifying the particular main-body clauses from the standard; and
     
  2. Be supported by reasonably solid, credible, substantial evidence of the failures - potentially a tricky thing to do: how do you 'prove' the absence of something?
Minors and observations are less important but, even so, they should still be based on analysis traceable to credible, factual, objective evidence gathered during the audit fieldwork. "Facts" are (in theory at least) the auditor's friends, the backstop, the undeniable basis for arguing that changes are necessary.

The audit analysis is more subjective and open to interpretation than the facts. This is where the auditors' experience and skills come into play: they need to construct a credible argument and persuade management to act appropriately - meaning in the best interests of the organisation meeting its business objectives, just one of which might be achieving 27001 certification. There are several other business objectives relating to information risk, security etc., hence several ways to evaluate audit findings. There are options here.

27001 certification audits can be a worthwhile means of identifying weaknesses in the organisation's information risk, security and related arrangements. Management has the opportunity to improve the organisation's overall security posture as well as being certified conformant, squeezing additional value from the certification audit process.

Pragmatic bottom line: rather than being fixated on the audit remit/purpose, do whatever is best for the business. Work it out and move on.

PS I blogged at some length about how to challenge audit findings and about treating the audit clearance as a negotiation in 2019. Evidently my thinking has not really progressed since then. The bloggings will continue until morale improves.