A key requirement from Clause 9.2 of ISO 27001, ISO 22301 and ISO 9001 is the need to:
‘Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits’.

URM’s auditors are highly proficient and experienced in establishing audit schedules where the following factors are taken into account:

  • Three-year plan to ensure all elements/controls are covered in the certification period
  • Aspects of your management system are assessed in the certification lifecycle and more regularly if deemed appropriate
  • Audits are prioritised based on:
    – Risks to your organisation
    – Incidents that have occurred
    – Previous audit findings
    – Management requirements
    – Criticality of processes
    – Legal and regulatory requirements
    – Contractual requirements.

As a general rule of thumb, when scheduling audits, URM will prioritise those areas which represent the greatest risk (in terms of information security, business continuity and quality) to the organisation, both in terms of timing and frequency.  If there have been previous incidents or audit findings in certain areas, URM is again likely to be auditing more often and sooner.

URM will also consider the best approach for your organisation to maximise the return whilst minimising the internal overhead.  So ,for example, does process-based auditing work best in your organisation, or maybe by department, or perhaps by control group.  URM will understand the best approach for you and align the audit schedule and approach accordingly.

Integrated audits

For those organisations which implement a number of international management system standards, such as ISO 27001, 22301, 20000 and 9001, there is the opportunity to operate a single management system.  This opportunity has been created by the common adoption of the Annex SL high level structure in terms of identical sub-clause titles, identical text, common terms, and core definitions within each of the standards.  When auditing a single combined managed system, this is termed as an ‘integrated audit’.  

By integrating your audits, your organisation can benefit from less disruption to your business, less duplication of questions, reduced certification costs and a reduction in documentation.  There will also be greater consistency of objectives across the different systems.

With its breadth of expertise and knowledge of multiple standards, URM is adept at implementing and auditing integrated management systems.  URM’s auditors are able to assist you to develop a single audit plan, with a reduced number of audits, opening meetings, closing meetings and audit reports, along with the accompanying reduction in system administration, the organisation having a single audit will reduce the amount of work interruptions.  URM often finds that integrated audits are deeper and more meaningful and provide a better understanding of the relationship between related processes and critical systems.

Why URM?

Audit and Subject Matter Specialists

URM’s expertise incorporates a combination of auditing skills (e.g., CISA qualified), knowledge of Annex SL standards (e.g., ISO 27001, ISO 22301, ISO 9001), IT technical knowledge (e.g., databases, networking, operating systems and applications) and the experience of conducting integrated audits.  URM guarantees that the competence requirements of Clause 7.2 from the above standards will be met in respect of its auditing services.

ISO certification specialists

When conducting internal audits for those organisations certified to ISO 27001/22301/9001 etc, URM is hugely experienced in understanding the assessment requirements of certification bodies.  This has been gained through assisting hundreds of organisations achieve certifications, sitting in on many of the assessments, as well as the fact that a number of URM’s auditors are ex-certification body assessors.  As such, when conducting internal audits, we will ensure the same reporting approach will be adopted.

ISO/IEC 27001:2022 Key Changes

Latest update:
2 Mar

Following the publication of ISO/IEC 27001:2022 on 25 October 2022, this blog will provide you with our high-level analysis of the key changes.

Read more
Thumbnail of the Blog Illustration
Information Security
How Secure is Zoom?

Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19.

Read more
Thumbnail of the Blog Illustration
Information Security
Risk Management – What is it and What Role Does it Play in ISO 27001?

We are going to explore why the focus on a risk-based approach has helped turn ISO 27001, the International ISM Standard, into such a world-beater.

Read more
Thumbnail of the Blog Illustration
Information Security
What are the Basics of Internal Auditing?

With this blog, the spotlight turns to internal audit and specifically in the context of ISO 27001, the International Standard for ISM.

Read more
We used URM as we had a large amount of information to redact for a Court of Protection case and neither had the time nor the knowledge to be able to complete this appropriately. URM were suggested to us and we made contact. They responded very quickly and were able to explain their role, estimated timescales & costings. During the initial consultation, they were very professional and approachable, and certainly had the skills we required. URM’s consultant provided us with details of the work they had completed before & we felt confident to pursue the work with them. We were on a tight deadline for court and URM were confident that they could provide the services we required in a timely manner. The logistics of sending a large amount of confidential documents were easy to navigate and straightforward. We were unable to very accurately gauge how much work was required, however URM’s Team supported us with this and maintained regular contact regarding their progress and addressed any concerns they had. When we needed to contact them, they were prompt with their responses. The work did take longer that envisaged, however that was due to the amount of work that we, as clients, were unable to accurately identify would be required. We did, however, meet the deadline for court. I would certainly use the services of URM again & if possible would work with same team. The services are not cheap, however redacting sensitive information is a skilled task and, therefore, having a professional complete this work is priceless.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.