I recommend treating any
audit as a negotiation process with risks and opportunities* for both
parties i.e. auditees and auditors. Here's why.
In respect of ISO/IEC 27001 compliance, the certification auditors are supposed to be
formally checking that an ISMS complies with the standard’s formal requirements, plus information security requirements that the organization determines for its own purposes**. They are not supposed to conjure-up additional requirements out of thin air, then complain about noncompliance. However, auditors are human and make mistakes. So auditees are fully entitled to ask auditors to identify any requirements in the standard or in their corporate requirements that they say are not being fulfilled, if necessary down to the individual clause numbers and specific words from ‘27001, their policies etc. By all means discuss the wording and intent/meaning of those requirements, as well as reviewing the evidence and details of the alleged noncompliance. So far, that's conventional, an expected, routine part of the normal interaction between auditor and auditee. From that point, however, the process can proceed along various paths.
The auditee could take a very hard line, focusing myopically and
deliberately on strict compliance with the explicit requirements of the
standard, being really tough on the auditors about that … but beware as the auditors can take just as hard a line in response, perhaps even pointing out additional
minor noncompliance issues that they might otherwise have ignored. Bringing out the big compliance sticks is a viable but risky strategy. It
can be tricky to back down once either party starts down this path. It tends to
make the relationship between auditors and auditees highly adversarial and tough-nosed,
each party treating the other as the enemy to be beaten. It’s
stressful for all concerned, adding to the usual stresses of audits and
certification. [Speaking as a former/reformed auditor, this may be a sign of
either a naïve/scared or, paradoxically, a highly experienced/assertive
auditee. Identifying and responding proactively to the situation as it
develops is part of the auditor’s social skill set, which varies with the
auditor’s experience level plus their own personality. If things escalate, it draws-in
management on both sides, so each party really needs their management behind
them. It’s also something that experienced auditors will have dealt-with
many times (stress and challenge is very much part of the job), hence they tend
to be well-practiced at it and on the front-foot, whereas auditees tend to be less well prepared and on the back-foot.]
Alternatively, the auditee could make more of an effort to understand
and deal with the issues the auditor claims to have found, setting aside the
pure compliance aspects (at least for now). Discuss and negotiate with
the auditors, aiming towards finding mutually-acceptable solutions. Be
“reasonable” about things (whatever that means!). Consider the business
implications of what the auditors are saying, in particular consider whether
they might just have put their finger on genuine information risks that the organization probably ought to address in some way. Focus on addressing
those risks and reaching agreement on suitable responses, rather than
compliance. Make and seek little concessions, respond positively and
home-in on a resolution that both moves the business forward and
leads to certification. Work with the auditors, each party
treating the other as collaborators or colleagues with shared objectives. At the end of the day, either party can still reach for the big
compliance stick if the negotiation stalls and the other party becomes
stubborn, but that’s best left as a last resort option since it can lead to the
same souring of the relationship. [This is generally a less stressful, less
risky approach provided both parties are willing to play the game and
move things forward. It helps if both parties have negotiation skills, or
can get support from their managers/colleagues who do. It may take longer,
though, which can be an issue if there are deadlines such as other audits or
business demands. And there is inevitably some formality around this that
needs to be respected. The auditors must meet their own obligations or risk losing their accreditation.]
But wait, there’s more.
The audit report, in particular the precise phrasing and wording of any
adverse findings/noncompliance statements, is potentially another opportunity
to clash or collaborate. Although the auditors own their report and have the
final say (part of their formal independence), the auditee should have opportunities to review and discuss/respond to drafts, if appropriate challenging and ‘insisting’ that
the details are factually correct. In general, the issue comes down to the facts
and hence the audit evidence, which should be non-negotiable if the auditor has done a good job. The
way those facts are documented, explained and interpreted is where the
discussion tends to revolve. Again, both parties have their
objectives/requirements, and it’s best if they negotiate a mutually
satisfactory outcome and move ahead. Both parties being clear about priorities and
overall objectives helps immensely.
And one last thing.
The relationship between auditor and auditee generally extends beyond an
individual audit since audits are periodic. As well as the stage 1 and 2 certification audits, there are surveillance and re-certification audits to look forward to. So, the way the audit itself
goes, the manner in which issues are raised, discussed and addressed, and the
way audit findings and reports are resolved, is all part of the background for,
and hence to some extent affects, future audits. Auditors who personally experienced or have been briefed about an intensely adversarial auditee in a previous audit
are likely to anticipate a similar strategy and more aggravation on the next audit. Audit
management might even consciously pre-select tough auditors who are strong in that
situation for future audits, and likewise auditees might choose hard-nosed
compliance specialists and negotiators to front-up their team, escalating matters. This can
be the sting in the tail for auditors and auditees who have taken an
unreasonably hard line in the past: it takes effort on both sides to turn
things around and re-focus on more productive matters (namely the organization’s management of its information risks and security in support of business
objectives), rather than the audit/certification process itself.
--------------------
* Experienced negotiators appreciate the game-playing aspect to the typical negotiation process. Clued-up players enter the arena well-prepared, with goals and bottom-lines clarified and various game-playing strategies not just in mind but ideally refined through previous events. Each game plays out within the rules (mostly!), the players attacking and defending, trying various approaches, each pushing towards their own goals and exploiting weaknesses in the other, while gradually establishing and reaching agreement on neutral ground (hopefully!). At the end, the players depart with yet more experience under their belts, ready for another encounter. Every negotiation is a rehearsal for the next. Same thing with audits.
** ISO/IEC 27006:2015 says:
--------------------
* Experienced negotiators appreciate the game-playing aspect to the typical negotiation process. Clued-up players enter the arena well-prepared, with goals and bottom-lines clarified and various game-playing strategies not just in mind but ideally refined through previous events. Each game plays out within the rules (mostly!), the players attacking and defending, trying various approaches, each pushing towards their own goals and exploiting weaknesses in the other, while gradually establishing and reaching agreement on neutral ground (hopefully!). At the end, the players depart with yet more experience under their belts, ready for another encounter. Every negotiation is a rehearsal for the next. Same thing with audits.
** ISO/IEC 27006:2015 says:
- "Certification procedures shall focus on establishing that a client’s ISMS meets the requirements specified in ISO/IEC 27001 and the policies and objectives of the client." (clause 9.1.3.2);
- "The audit objectives shall include the determination of the effectiveness of the management system to ensure that the client, based on the risk assessment, has implemented applicable controls and achieved the established information security objectives." (clause 9.2.1.1);
- "In addition to evaluating the effective implementation of the ISMS, the objectives of stage 2 are to confirm that the client adheres to its own policies, objectives and procedures." (clause 9.3.1.2.1) ...
No comments:
Post a comment