Phase 1 – Initiating the audit

Appointing the Audit Team Leader

• For each audit, there shall be only one audit team leader appointed by the certification body.
• The responsibility for conducting the assigned audit remains with the audit is completed
• Main responsibilities:
  • Planning the audit and identify/address the audit risks
  • Managing communications with the audit client and the auditee
  • Managing the audit team
  • Assigning responsibilities for each auditor
  • Solving conflicts
  • Establishing the audit conclusions
  • Drafting the audit report

Validation of the Audit Objectives

In an ISO 27001 certification audit, the main audit objectives are to confirm that:

• The management system is confirm to the requirements of the standard
• The organization has implemented the declared ISMS, that it is maintained and improved
• The organization can reach the objectives it has set for itself based on its own security criteria

Validation of the Audit scope

The audit scope describes the range and limits of he audit; for example, the locations, the organizational units, the activities and the process to be audited as well as the time period covered by the audit.

Determining the Audit Criteria & Validating the audit feasibility

• In a certification audit, the audit criteria are the requirement of the ISO 27001 standard with the controls determined on the basis of the risk assessment
• The audit can include additional criteria derived from:
  • Controls from ISO 27001, Annex A, Internal policies
  • Laws and regulations
  • Commercial contracts and agreements

The feasibility of the audit should be determined taking into consideration the following factors:

• Sufficiency and appropriateness of the information provided to plan the audit
• Adequate cooperation from the auditee, Competencies of the audit team, Cultural aspects including the language used during the audit.

Selecting the Audit Team

Guides, observers & tech experts

Preparing the Audit Plan

Adequate planning helps ensuring that:

• Appropriate attention is given to information deemed material
• The audit team has the necessary qualifications to reach the audit objectives
• Potential problems are identified
• The audit agreement is organized and managed correctly

The audit plan should cover the following items:

• Audit objectives , criteria and scope
• Identification of the auditee and his representative
• Dates and locations
• Schedule and duration of expected activities
• Roles and responsibilities of audit team members and their guides
• Logistics and communications (language of audit, travel, meals, etc.)
• Allocation of appropriate resources to critical areas of the audit

Assigning the audit team(Auditors)

• Based on the audit mission
• Based on the audit team
• Depending on the auditor

Audit Plan Creation

Please refer to the below sample audit plan template.

Audit Plan