Management system certification – What does it entail? Tips for dealing with assessors

The certification process consists of a two-stage audit. The stages are most commonly described as:

Stage 1 audit – organisational readiness (desktop review)

Stage 2 audit – assessment of the implementation through
the sampling of evidence (interviews, inspection of records, etc.).

The exact duration of the two audit stages will be indicated by the certification body (CB) during the initial discussion
and quotation. It is important to understand that not all CBs are UKAS accredited,
and this should be taken into consideration when selecting your CB, i.e. a non-accredited body may not
satisfy client requirements.

During your selection process, it is recommended that you ensure the CB understands your organisational
context and scope and is a close cultural match. Where you have engaged external consultants to support the
implementation activities, they may be able to recommend CBs based on previous experience and provide
a view on the ‘market’. However, as stated above, make sure you select the CB that is right for you.

The certification body will provide the organisation with a statement of the audit purpose and confirm the audit
scope and criteria before the certification audit actually takes place. After the audit, the certification body will
report its findings, highlighting any relevant evidence supplied.

The stage 1 report is usually short, matching the short duration of that audit, and fundamentally provides a recommendation,
or not, for progressing to stage 2, together with any areas that need to be addressed before that audit. A stage 2 audit
report is more detailed, addressing all areas examined, and will provide a recommendation, if successful, for

Following the recommendation, the report will be internally reviewed by the CB’s compliance team, and if no
questions or queries are raised a certificate will be issued confirming registration.

Dealing with assessors

OK, what advice would we give when dealing with CB auditors/assessors?

It is human nature to be helpful, but it is important to remember that auditors expect auditees, first and
foremost, to be honest. CB auditors are typically experienced individuals in their respective fields and
know what they are looking for in terms of evidence and conviction.

Our advice is to leave the leading role to them and provide factual, relevant and concise answers to any
questions. When in doubt, seek assistance from your peers or managers, don’t guess or blag! In situations
when the question is unclear, seek clarification until you understand what answer or demonstration is

Trying to answer a question you have not understood may lead to misunderstanding and an inaccurate reflection of the organisation.
Also, don’t be afraid to challenge any findings you disagree with; don’t forget this is a two-way process!

Whilst you can take a well-earned pat on the back for achieving certification, don’t lose sight of the fact
that this is a journey of continuous improvement and you can’t rest on your laurels! Management system
certification periods are 3 years, with continual assessment visits (CAVs) being carried out throughout that

After three years, a recertification audit, effectively stage 2 again, will take place. Any nonconformities
identified will need to be addressed prior to the next visit or, if significant, addressed within an agreed
period of time. 

Certificates can be withdrawn if there is evidence that the management system isn’t being maintained,
which is why an embedded, business-as-usual management system is a successful one. Don’t forget that
management system documentation must reflect ‘reality’, not ‘aspiration’, in an organisation.

Annex A – Certification process

If you are looking to comply with or certify to ISO 27001 or ISO 22301, talk to us about how best
to do that and, should you need help, how URM can help you.