Hi Guys!!
We r an ISMS 27001:2005 certified BPO company! We r planning to take our internal audit on stand..Exactly I don't know to conduct an internal audit what should an auditor look for and the entire responsibility is on pls help me guys...if u hv any format for internal audit (even for 9001 or any other standard) nothing like that...otws pls guide me what should we look for in internal audit...

From India, Ahmadabad
Behavioural Trainer & Manager
Operations Executive(generalist)
Vijay Shitole
Hr & Admin
Hr & Admin Executive
Training Hod
Manager Hr
Student/computer Programmer
Information Security,it Infrastructure
+2 Others



if i am be sharing the format, then i would be violating ISO27001:2005 Policies of my company itself.

however these are the mail business areas you should be looking at

Physical and Environmental Security - Admin

Asset Classification & Control, Access Control – Windows

Compliance, Information Security Incidents – Information Security Head

Operations Management, Access Control, Information System acquisition & maintenance, BCP – Operations Management, IT Security Head, Team Representatives (Wintel, N&S)

Human Resource Security – HR Head

2.1. Six Phases of audit

The Internal audit would be conducted in six phases.

 Planning and Scheduling Audit

 Selecting Appropriate Audit teams, assigning roles and responsibilities.

 Conducting Audit

 Conducting Follow up audits.

 Maintaining Audit programme records

 Monitoring performance and effectiveness of audit programme and reporting to the top management of the non-conformities.

2.2. Planning and Scheduling Audit

ISD will ensure that audits will be conducted once in 3 months. The audit plan will be published once a year. Both the audit parts (documentation and Implementation) would be covered each time the audit is conducted.

The ISD will inform Auditors about the audit dates 15 days in-advance and will confirm their availability. ISD shall also confirm the top-management, respective process owners presence for the audit.

Apart from the published audits, ISD shall perform informal audits as and when required to ensure BS7799 compliance.

2.3. Selecting Appropriate Audit teams, assigning roles and responsibilities

The management shall ensure that audit teams are announced and shall also assign proper roles and responsibilities. The audit teams shall be selected based on the following skill set. The auditor cannot audit his own work.

The auditor shall possess these personal attributes.

• Auditor shall be ethical i.e. be faithful sincere and honest.

• Auditor shall be open-minded i.e. willing to consider alternative ideas or point of view.

• Auditor shall be diplomatic i.e. tactful in dealing with people.

• Auditor shall be observant i.e. actively aware of physical surroundings.

The auditor shall possess these general skills.

• Audit leader shall organize the audit effectively

• Auditor shall collect information through effective interviewing, listening, observing and reviewing documents, records and data.

• Auditor shall maintain confidentiality and security of information.

• Auditor shall prepare the audit report.

The auditor shall possess these technical skills.

• Auditor shall be technically good to access the implementation part.

2.4. Conducting Audit

2.4.1. Meetings

The audit shall start with an opening meeting and end with a closing meeting. The meetings shall be held with the management representative.

The purpose of the opening meeting is

• To Confirm the audit plan

• To provide a short summary of how the audit activities will be undertaken

• To confirm the communication channels

• To provide opportunity for the auditee to ask questions.

• To introduce with the participants.

The purpose of the closing meeting is

• To Present the audit findings and conclusions

• To solve the disputes in the audit findings

• To agree upon the time frame for the corrective and preventive actions

2.4.2. Audit

The audit will be conducted in two parts

• Documentation audit.

• Implementation audit.

The documentation audit will allow the auditor to gain an understanding of ISMS in the context of the organization’s security policy, objectives and approach to risk management. The documentation audit includes documentation review that has to be completed before starting the implementation audit.

The audit team shall review all the documents related to ISMS including

 The security policy statement

 ISMS scope definition

 All procedures and controls supporting ISMS

 Risk assessment report

 Risk treatment plan

 All procedures regarding planning, operations and effective control of information security processes

 All records confirming conformity and effectiveness of ISMS operation.

 Statement of Applicability

The results of documentation audit will be contained in the report. Based on the finding the auditor will decide for the implementation audit or to postpone the implementation audit.

The Implementation audit will cover

 Confirmation of the organization’s compliance with its own policies, objectives and procedures.

 Confirmation of the ISMS' compliance with all ISO 27001 requirements and of its attainment of the organization’s policy objectives (includes checking that the organization has a system of processes in place to cover the requirements given in Clauses 4 to 8 inclusively of the ISO 27001 standard)

 Assessment of information security related risks and the resulting design of its ISMS

 The approach to risk assessment

o Risk identification

o Risk assessment

o Risk treatment

o The choice of control objectives and controls for risk treatment

o Preparation of a Statement of Applicability.

 Performance monitoring, measuring, reporting and reviewing against the objectives and targets. This should include checking that processes are in place and being used for at least the following

o Clause 4.2.3 Monitor and review the ISMS

o Clause 7 Management review of the ISMS

o Clause 8 ISMS improvement.

 Management responsibility for the information security policy

2.5. Audit Report

The audit team leader shall be responsible for the preparation and contents of the audit report. The audit report shall be provided to security management forum. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include

• Identification of audit team leader and members.

• The audit criteria.

• The audit findings.

• The audit conclusions.

• Recommendations for the audit findings. (corrective and preventive actions)

2.6. Corrective Actions

The organization shall take action in order to eliminate the causes of non-compliance resulting from the implementation and operations, and so prevent re-occurrence. Procedure for corrective action shall include the following information:

• Identification of non-compliance in implementation or operations;

• Identification of the causes for non-compliance;

• Determination of the actions required to eliminate re-occurrence;

• Definition and implementation of the required corrective action;

• Results obtained by the corrective action (see record control);

• Review of the corrective action.

Improvement does not happen without implementing changes. This requirement is related to ensuring that actions are identified, taken and verified for implementation/effectiveness. If a problem occurs, action needs to be taken to ensure that the problem is corrected and that it does not re-occur. This involves finding the cause of the problem, recording the results of the action taken and verifying that the action was effective. The intent of this requirement is to have a disciplined approach for making sure that actions happen and are effective.

make sure each and every process is documented.



From India, Bangalore

Here are some excerpts from an Ebook..

thought this part might help you

Certification Audits

13.4.1 You Cannot Fail

It is impossible to fail certification (unless you quit). The worst thing that can

happen is that it might take a little longer and cost a little more.

The final point that we wish to make in our discussion of the direct

sequence manual is that you cannot fail an initial assessment, unless you simply

quit. The worst thing that can happen is that is might take longer and cost

more. This is an established fact for the initial systems assessment (certification

assessment). One does not fail a third-party assessment; it is a part of the ISO

mythology. One does get nonconformances that need to be corrected. The

worst case is a major finding that could delay the certification process by up

to three months and cost some more to pay the registrar’s lead assessor to

come back and clear the nonconformance. But that is it. This is the primary

reason that so many consulting groups will agree to guarantee certification/

registration [6].

The steward’s task is to make sure that there are no major findings possible.

This is accomplished via in-depth internal audits by well-trained auditors.

The audits should be evenly distributed throughout the creation process and

not left to the last moment prior to the document review. The audits not only

increase the probability of a major nonconformance-free certification assessment,

but they form the base of a dynamic corrective and preventive action


220 Leadership

Inevitably there will be minor findings at the initial systems assessment,

the first surveillance, the second surveillance, the recertification assessment,

and the re-recertification assessment. That is what continuous improvement is

all about. I still come up with nonconformances with clients that I have

audited for over 8 years.

Organizations undergo all manner of change over 3 years (e.g., top management

changes; mergers; acquisitions; moves to new facilities; market ups

and downs; national and international tragedies, including war, floods, and

fires). Without sufficient audits, the documentation falls behind reality and

even the act of auditing begins to evaporate. It is equivalent to firing the sales

staff because sales are down. Find the root causes, make the necessary

changes to match the changed scenario, and move forward.

There, of course, can be major findings. By major findings we mean, for

example, an ineffectual management review, a poorly managed training program,

a lack of internal quality audits, a corrective and preventive action program

that is uncertain and loosely managed. The stewards must pay close

attention to these areas. One of the traps in the management review process is

for the top manager to use the management review as a “rah rah” session

instead of focusing on the enterprise’s deviations from its planned goals based

on firm and quantitative metrics. You say, “Never happens”? It does.

Another danger area is the loss of internal auditors due to downsizing,

burnout, disinterest, and promotion. It is important to maintain a constantly

trained group of auditors to cover such contingencies. A safe level of auditors

depends on the organization’s size in both people and square footage and the

degree of outsourcing. Today, we have situations where the organization consists

of one person in the site and everything else is outsourced. Your registrar

will work with you to cover this event. It does happen and people get certified.

13.4.2 Audit Focus

An experienced assessor pays special attention to the requirements in the


◗ Section 4: Quality Management System—In this set lies the superstructure of

the QMS and where change is controlled, especially with regard to

processes and continual improvement.

◗ Section 5.4: Planning—This determines how closely quality objectives are

planned and measured.

◗ Section 5.6: Management Review—This somewhat prescriptive set of paragraphs

contains the review of continual improvement drivers of internal

13.4 Certification Audits 221

audits, customer feedback, process performance, product conformity,

preventive and corrective actions taken, and the manner in which

top management responds to required change and opportunities for


◗ Section 7.3: Design and Development—Special attention is to be directed to

the design review, verification, and validation functions.

◗ Paragraph 8.2.2: Internal Audit—This looks especially at whether all areas

of the organization have been audited against all appropriate paragraphs

and the audits have included all pertinent regulatory requirements.

◗ Paragraph 8.5.2: Corrective Action—This applies especially the management

of customer complaints.

◗ Paragraph 8.5.3: Preventive Action—This requirement indicates clearly the

degree to which the organization is either reactive to nonconformances

(e.g., performs root-cause analysis on a set of nonconformances

reported during corrective action) or takes a proactive perspective (e.g.,

performs risk analysis and designs in safety and introduces best practices

to all operating groups based on improvements in one group to prevent

nonconformities [7]) not only during the initial assessment but at every

subsequent surveillance assessment. It is customary for registrars to

require management review, design and development, internal audits,

review of customer complaints, and review of QMS document changes

to be mandatory for some percentage of the surveillance audits (e.g.,

every 6 months for internal audits and every 12 months for the design

and development).

Special attention to these requirements ensures that the continuous

improvement cycle is maintained throughout the life of the ISO 9000 program.

When the Shewhart cycle is enforced, the odds are very high that the

supplier will derive the benefits inherent from an effective QMS [8].

13.4.3 Assessor Role

Indeed, the role of the assessor is to teach and clarify. If this goal is met, the

assessor feels fulfilled at the end of a long and intense audit, and the client feels

that the effort was worth it. Alternately, if the assessor feels that the goal is to

catch the client, both parties will end up with a feeling of uselessness, and the

client will begin to seek out other registrars [9]. That the audit findings must be

substantive, and of value to the client, is the foundation upon which the ISO

third-party schema will either continue to expand or eventually decline.

222 Leadership

In the search for added value, my most effective rule is to ask the gutoriented

question: does the method sound stupid? If it sounds stupid, it is—try

another approach. This works every time. I always consider whether my finding

will be of economic value to the enterprise. There is a fine line between

conformance to the Standard and worth to the client. No system is perfect to

start with, and no system becomes perfect in the process. Organizations are in

constant change through new products, new technologies, acquisitions, mergers,

the vagaries of markets, and the potential horrors of nationalistic power


It is vital that the organization continually stretch its processes for

improvement but not stretch beyond its economic boundaries. The auditor

can play an important role in this scenario. It is best to try to get inside the

mind of the top executive and see what makes sense within the strategic

parameters of the operation. Auditors with this perspective will find themselves

welcomed back more times than not.

13.4.4 Structure of the Audit

To carry out an effective audit of the Standard requires that we apply the pertinent

clauses of the Standard against every enterprise process. This also

means that we also ensure that each subprocess is covered in detail. Table 13.5

uses the same core competencies as shown in Figure 1.2.

Our example, shown in Table 13.5, is based on a small organization hierarchy.

We have assumed that the departmental processes contain the following


1. Executive: business plan, management review, and steering committee;

2. Marketing and sales: servicing, product managers, marketing, sales, and


3. RDT&E: research and development, design, product support, engineering

change, and document and engineering records control.

4. Operations: QA&RA, manufacturing, production control, purchasing,

inventory control, and shipping and receiving;

5. QA&RA: ISO management representative, document and record control,

metrology, corrective and preventive action, audits, quality

control inspection, reliability, and data analysis and trending;

6. Finance: human resources, management information systems, financial

control and analysis, and cost of quality support;

13.4 Certification Audits 223

Human resources: hiring, training, and employee development;

8. Servicing: customer service, repair, and installation.

The chart suggests which clauses to apply to which process and thereby suggests

which employees are to be interviewed. The planned date of the audit and

auditors could also be placed in the box instead the star. Other usual audit

activities are also implied, such as auditing the distribution of documents

throughout the facility, auditing records in various file cabinets, asking employees

what they believe the quality policy means and who they think is the ISO

9000 management representative, and examining the status of training.

Unfortunately, there is no end of concern with regard to the manner

in which we are to audit either (1) the requirement that no procedure is

required for many clauses, or (2) the sometimes extremely descriptive language

of some clauses (e.g., Clause 7.5.5: Preservation of Product). This clause

is about as short and sweet as you can get with regard to a most complex and

extensive issue that includes electrostatic discharge protection, shelf-life control,

and a number of different types of preservation coatings as well as packaging

and delivery. Fortunately, the topic of audit management has received

wide recognition and many authors offer sensible ideas on how to approach

the subject [10].

To formulate such an audit structure, it is important to realize that this

process-oriented scenario has an intrinsic hierarchal structure of the type

shown in

If you want more material- the Ebook

Send me your mail ID and Ill send it to you



From India, Mumbai
Hi Roopa,
thank u very much for your kind information...yes i understand the consequences of security nonconformance but i think u did a great job for me even though following ur rules...
thanx again

From India, Ahmadabad
In addition to this following Deptt are to be covered
Finance & Accounts
Third Party Vendors-Payroll, Transport etc
Check the Training results also ie ask employees all questions as to what they have been taught

Hi Ken,

I am management representative of ISO group of my organization. I request you to kindly send the e book at following ID



From India, Madras

the basic principle on any ISO system developed is - Plan - Do - Check - ACT. your audit also should be on the same principle.

seven friends of auditors (6 W and 1 H) - Who - What - Where - When - Which - Why - How.

Frame your audit checklist with the above.

keep the standard copy with you, make columns for elements of standard (Requirement), document reference (manual, procedure, work instructions, etc), record reference (forms, register, log, etc), interview refererence (who are all those, you would like to audit), inspection reference (looking for evidence - location), and special notes or remarks.

with the above paragraph, you might have got the idea to use 6 W and 1 H. for easy remembering, i call it as 6 wives and one husband

While you are doing the audit, check for

Plan - what are the procedures available, what forms are used for documenting and recording, resources, who does - what - when, etc

Do - investigate wether the function is being carried out as per procedure. check relevant records, interview persons, etc.

Check - check how do they evaluate the functional performance, the analysis, outcome, the results, - what methods they use to do the same

Act - check what corrective and preventive actions are taken for the non conformatives raised so that or any deviations observed during their evaluation.

this is the simplest way of understanding the auditing principles. still if you need, i can help you with the format.

From United Arab Emirates, Dubai
Hello Ken
I have recently started my masters thesis at a leading car company, in the ISMS department. I have to develop/enhance their existing internal auditing tool etc. Can you please send me the said auditing ebook? It will definitely be of huge help for me.
Thanking you in advance.
Msc. student
University of Magdeburg

From Germany, Wolfsburg
No one is sending or sharing any ebook so please stop sending requests emails to him (Ken). He doesn’t respond at all!
From Germany, Wolfsburg

Pls. find attachments of Cause Analysis & Corrective Action Hope u shall find a good sample... Thanks Deepak 09336154871
From India, Calcutta

Attached Files (Download Requires Membership)
File Type: doc RootCauseAnalysisSummaryForm.doc (207.0 KB, 568 views)
File Type: doc attch1rca_report_form.doc (110.0 KB, 359 views)
File Type: doc CAPA Guidelines.doc (198.0 KB, 489 views)
File Type: doc W0-F002.doc (312.5 KB, 317 views)
File Type: xls Audit_Summry Format.xls (32.0 KB, 542 views)

If You Are Knowledgeable About Any Fact, Resource or Experience Related to This Topic and Want to Be Part of Such Discussions in Future - Please Register and Log In to Cite Community.

About Us Advertise Contact Us Testimonials
Privacy Policy Disclaimer Terms Of Service

All rights reserved @ 2023 CiteHR®

All Material Copyright And Trademarks Posted Held By Respective Owners.
Panel Selection For Threads Are Automated - Members Notified Via CiteMailer Server