The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

How to approach an auditor in a certification audit

If you’re going for the certification audit, you are probably wondering how to approach the auditor. In my opinion, the most important thing is not to forget that auditors are only people, and no matter how professional they are, they will always be glad if you treat them fairly; on the other hand, treat them badly and they will be negative.

What shouldn’t you do?

Here are the things to avoid:

  • Don’t avoid their questions. They will know right away if you’re hiding something, or if you want to divert the discussion to something else – this is a good way to make them suspicious, because they will think you’re hiding a nonconformity.
  • Don’t lie. When they find out you’re lying (and they will), they will completely lose trust in you, and they will become even more careful than they were before.
  • Don’t waste their time. Don’t drag them somewhere they don’t want to go, or spend too much time on things they want to move through quickly. This will make them nervous, because they won’t be able to go through some other stuff that is important to them.

Importance of the positive relationship

So why should you treat the auditor nicely in the first place? Because there is a grey area in the “rules” where you can benefit from building a positive relationship. (Don’t worry, by this grey area I don’t mean anything illegal or unethical, as I’ll explain a bit later.)

Auditors have a basic rule that they must do auditing, not consulting – this means that they must tell you if something is good or bad (i.e. if there are nonconformities or not) and they should give you a short explanation on why there is a nonconformity or why something is a good practice; however, they are not allowed to give you detailed advice on how to resolve your problem.

You should be aware that certification auditors have audited dozens, if not hundreds, of companies and that they have seen everything – from really worst-possible practices to fantastic examples of intelligent solutions. Basically, they are a walking encyclopedia of what’s good and bad for ISO 27001, ISO 22301, or whichever standard you are getting certified in.

So what’s this grey area? This is actually the length of the short explanation I mentioned – if you develop a positive relationship, this short explanation won’t be only a couple of words, but perhaps a couple of sentences, which could be enough to make several clicks in your head that will save you quite a bit of money and time afterwards. On the other hand, if you treat this auditor badly, he will (of course) keep his explanations to a minimum, and there goes your chance to learn something from him.

What you should do at the certification audit

Therefore, you should do the following to develop a positive relationship:

  • Answer the questions directly. Give them clear and timely answers, supported with facts.
  • Admit you have a problem. Of course, you’re not going to volunteer all your problems, but if asked directly, tell them openly what the problem is. The auditors will interpret your candor as an intention to improve the system – in such cases they might raise a nonconformity, but you will almost certainly get them to discuss what would be the best way to close it.
  • Ask for their opinion. They might not have time to answer such questions, but by showing your enthusiasm about the subject, you give them a positive picture of you and your company.

So if you approach the auditor from the positive side, you’ll certainly find your audit not only more pleasant, but also much more useful than you expected.

This article is an excerpt from the book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation.

To learn more about certification audits, see the book Preparing for ISO Certification Audit: A Plain English Guide.
