Who audits the ISO auditors?

Every year, you hear about how an organization can prepare for ISO 27001 down to the sub-requirement level, but then bam! They get hit with some random topic chosen by their auditor on a whim – maybe it’s a flavor of the day.

And let's talk about auditors—they have this stereotype. They're seen as these compliance police carrying a quota of findings just to prove they did a thorough job. It's the reason why organizations, especially the mature ones, start getting frustrated when auditors are wrapping up and suddenly decide to dive deep. You're there, pointing to the same policy they've checked three times already, and then, out of the blue, it's like they've had a revelation. That annual user access review? Apparently, it's not "frequent enough" anymore, and now they're quoting ABC framework and some benchmark from their other clients. Hold up, are we being audited for more than just ISO 27001?

It's in these moments that irritation kicks in. It's like they're playing a game of "moving the goalposts." You thought you had the rules down, but in the blink of an eye, everything changes.

So, who is auditing these auditors?

In the world of ISO management system standards, a hierarchy of command is most simply expressed as follows:

An auditor may be part of an audit team overseen by a Lead Auditor.

The Lead Auditor ultimately determines a recommendation for certification, which is then passed off to a review committee within the Certification Body.

The Certification Body follows its own internally developed procedures in conformance with ISO/IEC 17021-1 and undergoes regular assessments to this standard by an Accreditation Body.

An Accreditation Body is a member of a larger group of accreditation oversight entities formed under mutual recognition practices of the International Accreditation Forum.

As a short illustration (the list below is not exhaustive):

If your organization finds itself in a situation involving not necessarily a challenging auditor but an unfair assessor, there's a way out. First off, check if that auditor is the Lead Auditor assigned to the project. If not, appeal any finding where there's a disagreement with the actual Lead Auditor, and if you want to be particularly tactful, phrase it as a request for the Lead Auditor to take a second look.

Now, if the Lead Auditor is the issue, ask for information on the appeals process owned by the certification body they represent. In theory, the appeals process should be communicated during the audit closing meeting, but we've known some seasoned auditors to conveniently forget to mention it when they think an auditee might try to escalate an issue they'd rather put to bed.

Filing an appeal with the representing certification body gives you a chance to present your case to a new set of appointees from the certification body for their opinion. Note that it's rare for the certification body to overturn a determination from its lead auditor staff. They usually lean on the additional time the lead auditor has spent learning your system over the abbreviated meeting they had with you as the appellant. To successfully overturn a finding, objective evidence is your best friend. Our experience shows that a mutually beneficial appeal involves a clear misunderstanding by the audit team when applying the requirement to the client’s management system or possibly an omission of evidence (e.g., reviewing the wrong evidence item, but conformity evidence did actually exist).


To bring it to life, let's go back to the scene in Audit Nightmares #1. Bob 2 might have a case to issue a physical security or visitor sign-in procedure finding to our fictitious company “Field Day”. However, Field Day may be able to defend their procedure. Does their policy explicitly require government-issued identification to be presented to the front desk receptionist, or does it only state a photo ID? If it's the latter, the employee badge that Bob 2 presented seems sufficient to conform to the documented process.

So, does Bob 2 then tag the finding to the policy itself, stating that the policy is insufficiently written to address the underlying risk? If he goes this route, we now get into a situation where the burden of proof is on Bob 2 to demonstrate how a physical security risk is exposed by the presumably insufficient control language.

In short, it can be a headache, but knowing your options as an auditee will at least give you some ground to stand on when facing a situation that feels unfair or like a stretch of a requirement.

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.
