Although I wrote this in the context of ISO/IEC 27001 certification audits, it applies in other situations where there is a problem with something the auditors are reporting such as a misguided, out of scope or simply wrong audit finding.
Here are some possible strategies to consider:
- Have a quiet word with the auditor/s about it, ideally before it gets written up and finalized in writing. Discuss the issue – talk it through, consider various perspectives. Negotiate a pragmatic mutually-acceptable resolution, or at least form a better view of the sticking points.
- Have a quiet word with your management and specialist colleagues about it, before the audit gets reported. Discuss the issue. Agree how you will respond and try to resolve this. Develop a cunning plan and gain their support to present a united front. Ideally, get management ready to demonstrate that they are definitely committing to fixing this e.g. with budget proposals, memos, project plans etc. to substantiate their commitment, and preferably firm timescales or agreed deadlines.
- Gather your own evidence to strengthen your case. For example:
  - If you believe an issue is irrelevant to certification since there is no explicit requirement in 27001, identify the relevant guidance about the audit process from ISO/IEC 27007 plus the section of 27001 that does not state the requirement (!)
  - If the audit finding is wrong, prove it wrong with credible counter-evidence, counter-examples etc. Quality of evidence does matter but quantity plays a part. Engage your extended team, management and the wider business in the hunt.
  - If it’s a subjective matter, try to make it more objective e.g. by gathering and evaluating more evidence, more examples, more advice from other sources etc. ‘Stick to the facts’. Be explicit about stuff. Choose your words carefully.
  - Ask us for second opinions and guidance e.g. on the ISO27k Forum and other social media, industry peers etc.
- Wing-it. Duck-and-dive. Battle it out. Cut-and-thrust. Wear down the auditor’s resolve and push for concessions, while making limited concessions yourself if you must. Negotiate using concessions and promises in one area to offset challenges and complaints in another. Agree on and work towards a mutually-acceptable outcome (such as, um, being certified!).
- Be up-front about it. Openly challenge the audit process, findings, analysis etc. Provide counter-evidence and arguments. Challenge the language/wording. Push the auditors to their limit. [NB This is a distinctly risky approach! Experienced auditors have earned their stripes and are well practiced at this, whereas it may be your first time. As a strategy, it could go horribly wrong, so what’s your fallback position? Do you feel lucky, punk?]
- Suck it up! Sometimes, the easiest, quickest, least stressful, least risky (in terms of being certified) and perhaps most business-like response is to accept it, do whatever you are being asked to do by the auditors and move on. Regardless of its validity for certification purposes, the audit point might be correct and of value to the business. It might actually be something worth doing … so swallow your pride and get it done. Try not to grumble or bear a grudge. Re-focus on other more important and pressing matters, such as celebrating your certification!
- Negotiate a truce. Challenge and discuss the finding and explore possible ways to address it. Get senior management to commit to whichever solution/s work best for the business and simultaneously persuade/convince the auditors (and/or their managers) of that.
- Push back informally by complaining to the certification body’s management and/or the body that accredited them. Be prepared to discuss the issue and substantiate your concerns with some evidence, more than just vague assertions and generalities.
- Push back hard. Review your contract with the certification body for anything useful to your case. Raise a formal complaint with the certification body through your senior management … which means briefing them and gaining their explicit support first. Good luck with that. You’ll need even stronger, more explicit evidence here. [NB This and the next bullet are viable options even after you have been certified … but generally, by then, nobody has the energy to pursue it and risk yet more grief.]
- Push back even harder. Raise a complaint with the accreditation body about the certification body’s incompetence through your senior management … which again means briefing them and gaining their explicit support first, and having the concrete evidence to make a case. Consider enlisting the help of your lawyers and compliance experts willing to get down to the brass tacks, and with the experience to build and present your case.
- Delay things. Let the dust settle. Review, reconsider, replan. Let your ISMS mature further, particularly in the areas that the auditors were critical of. Raise your game. Redouble your efforts. Use your metrics and processes fully.
- Consider engaging a different certification body (on the assumption that they won’t raise the same concerns … nor any others: they might be even harder to deal with!).
- Consider engaging different advisors, consultants and specialists. Review your extended ISMS team. Perhaps push for more training, to enhance the team’s competence in the problem areas. Perhaps broaden ‘the team’ to take on-board other specialists from across the business. Raise awareness.
- Walk away from the whole mess. Forget about certification. Go back to your cave to lick your wounds. Perhaps offer your resignation, accepting personal accountability for your part in the situation. Or fire someone else!
Although that's a long shopping list, I'm sure there are other possibilities, including some combination of the above. The fact is that you have choices in how to handle such challenges: your knee-jerk response may not be ideal.
For bonus marks, you might even raise an incident report concerning the issue at hand, then handle it in the conventional manner through the incident management part of your ISMS. An adverse audit finding is, after all, a concern that needs to be addressed and resolved just like other information incidents. It is an information risk that has eventuated. You will probably need to fix whatever is broken, but first you need to assess and evaluate the incident report, then decide what (if anything) needs to be done about it. The process offers a more sensible, planned and rational response than jerking your knee. It's more business-like, more professional. I commend it to the house.