When to external audit?
The short answer is… when they are due. Then we consider when it is convenient for the provider and then when it is convenient for us. For us, it is anytime. We don’t prepare for external audits. Our systems are living, breathing systems that can come under scrutiny whenever. Sure, we get busy. Sure, there are always external factors that might sway us. But certification is a strategic objective for us, so we give it the attention it deserves.
Having said this, we are fortunate with our provider (Global-Mark), who assigns us a dedicated client manager to deal with all planning matters when it comes to the audit dates. It is also that person who turns up to do the audits. I am very happy to report that they are very accommodating and flexible, as we are with their needs. The great news is that we plan our audits up to a year in advance and we then both stick to a plan to meet that date. Very nice indeed.
As a footnote, we are ‘preparing’ for our ISO 27001 certification over the next few months. And by preparation we mean we are designing components and generating records to ensure we can demonstrate the effectiveness of our information security. The additional 114 requirements to meet an annex of the standard are exacting, but fortunately it is just about lining up our ducks in a row to ensure the auditor is presented with the right information so a judgement can be made. Wish us ‘luck’.