Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Infographic: The brain of an ISO auditor – What to expect at a certification audit

Infographic: Inside the brain of an ISO certification auditor

If your company is going for the ISO certification (e.g., ISO 9001, ISO 14001, OHSAS 18001, ISO 20000, ISO 22000, ISO 22301, or ISO 27001), you’re probably not very happy about it – certification auditors are usually perceived as persons who are not very open minded and who will insist on a whole bunch of unnecessary details. But the truth is, it doesn’t have to be this way – if you understand how the auditor thinks, your audit can turn out to be much more pleasant and useful. Here’s what you need to know.

Infographic: The brain of an ISO auditor – What to expect at a certification audit - Advisera

How to choose the certification auditor

There are many certification bodies (registrars) available in each country, and each certification body has several auditors. Therefore, you need to choose the registrar that fits your needs the best (e.g., price, language, flexibility, specialization, reputation, etc.), and ask them for an auditor who has experience in your industry. Learn more here: How to choose a certification body.

Which standards are the certification auditors dealing with?

Although the certification auditor will perform an audit in your company against only one standard (e.g., ISO 27001), most auditors are skilled in several ISO standards (e.g., ISO 9001, ISO 14001, ISO 22301, ISO 20000, ISO 22000, etc.). So you should use auditor’s knowledge and experience to get a wider picture of which standards might be suitable for you, i.e., how you could further improve the operations of your company.

What will the auditor be looking for?

The auditor must assess whether: (1) you have all the mandatory documentation, (2) if your activities and documentation comply with the standard, and (3) if your activities comply with your own documentation. So you should not write policies and procedures that you don’t need and that you don’t intend to comply with – only go for those documents that you really need; once you publish a document, make sure everyone knows why it is required. See also: How to get ISO 27001 certified.

What the certification auditor can do…

During the audit, the certification auditor is allowed to speak to anyone who is within the scope of the certification, he is allowed to see any document, and he is allowed to walk around all of your premises. Therefore, make sure that all the employees are ready for the certification audit, and that your documentation is completed and complied with.

… and what the auditor cannot do

The certification auditor cannot raise a nonconformity if he didn’t find the requirement in the ISO standard or in your documentation (i.e. policies and procedures), and if he didn’t find a solid proof that you’re not compliant with that requirement. So prepare to argue with the auditor if you notice that he didn’t find a written requirement or if he didn’t find indisputable proof – for example, the auditor might require you to place your disaster recovery site 30 miles away from your primary site, but the fact is: there is no such requirement in the standard.

What will annoy the auditor

Certification auditors are only people, and they will be annoyed if you try to prevent them from doing their job. So don’t avoid their questions (they will know right away if you’re hiding something), don’t lie (when they find out you’re lying, they will completely lose trust in you), and don’t waste their time (don’t drag them somewhere they don’t want to go, or spend too much time on things they want to move through quickly).

What will make him happy

The fact is that certification auditor is not allowed to consult you – he cannot explain to you in detail how to resolve a particular problem you have. However, you should develop a positive relationship – for example, give clear and timely answers, supported with facts; admit if you have a problem as opposed trying to hide it; ask for the auditor’s opinion; in such cases the auditor won’t stop at simply telling you that you have a nonconformity – he will take it a step further, and in a couple of sentences, give you some guidance on how to approach the nonconformity – this is still not consulting, but it will save you a lot of time. See also: How to approach an auditor in a certification audit.

What will the auditor expect when he visits you again?

A certification audit is not the only occasion when the certification auditor will visit you – you’ll be seeing him again at the surveillance visits – see an explanation here: Surveillance visits vs. certification audits.

So the point of your certification should not be merely to pass the audit – you should also make sure your system works, and consequently your documentation is maintained. Therefore, the more you implement the standard because of yourself and less because of an auditor, the more will your auditor be pleased.

To learn about the certification process, download this free white paper:: What to expect at the ISO certification audit: What the auditor can and cannot do.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic