Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on Transitioning to ISO 27001:2022 for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

Establishing Audit Schedules

Flexible range of audit services from planning and implementing to conducting individual audits

Establishing Audit Schedules

A key requirement from Clause 9.2 of ISO 27001, ISO 22301 and ISO 9001 is the need to:
‘Plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits’.

URM’s auditors are highly proficient and experienced in establishing audit schedules where the following factors are taken into account:

  • Three-year plan to ensure all elements/controls are covered in the certification period
  • Aspects of your management system are assessed in the certification lifecycle and more regularly if deemed appropriate
  • Audits are prioritised based on:
    – Risks to your organisation
    – Incidents that have occurred
    – Previous audit findings
    – Management requirements
    – Criticality of processes
    – Legal and regulatory requirements
    – Contractual requirements.

As a general rule of thumb, when scheduling audits, URM will prioritise those areas which represent the greatest risk (in terms of information security, business continuity and quality) to the organisation, both in terms of timing and frequency.  If there have been previous incidents or audit findings in certain areas, URM is again likely to be auditing more often and sooner.

URM will also consider the best approach for your organisation to maximise the return whilst minimising the internal overhead.  So ,for example, does process-based auditing work best in your organisation, or maybe by department, or perhaps by control group.  URM will understand the best approach for you and align the audit schedule and approach accordingly.

Integrated audits

For those organisations which implement a number of international management system standards, such as ISO 27001, 22301, 20000 and 9001, there is the opportunity to operate a single management system.  This opportunity has been created by the common adoption of the Annex SL high level structure in terms of identical sub-clause titles, identical text, common terms, and core definitions within each of the standards.  When auditing a single combined managed system, this is termed as an ‘integrated audit’.  

By integrating your audits, your organisation can benefit from less disruption to your business, less duplication of questions, reduced certification costs and a reduction in documentation.  There will also be greater consistency of objectives across the different systems.

With its breadth of expertise and knowledge of multiple standards, URM is adept at implementing and auditing integrated management systems.  URM’s auditors are able to assist you to develop a single audit plan, with a reduced number of audits, opening meetings, closing meetings and audit reports, along with the accompanying reduction in system administration, the organisation having a single audit will reduce the amount of work interruptions.  URM often finds that integrated audits are deeper and more meaningful and provide a better understanding of the relationship between related processes and critical systems.

Get in touch

Please note, we can only process business email addresses.

Why URM?

Audit and subject matter specialists

URM’s expertise incorporates a combination of auditing skills (e.g., CISA and PCI QSA qualifications), knowledge of standards (e.g., ISO 27001, ISO 22301, ISO 9001 and PCI-DSS), IT technical knowledge (e.g., databases, networking, operating systems and applications) and the interpersonal skills necessary to extract the maximum information from interviewees.  URM guarantees that the competence requirements from Clause 7.2 of ISO 27001, 22301 and 9001 will be met in respect of its auditing services.

ISO certification specialists

When conducting internal audits for those organisations certified to ISO 27001/22301/9001 etc, URM is hugely experienced in understanding the assessment requirements of certification bodies.  This has been gained through assisting hundreds of organisations achieve certifications, sitting in on many of the assessments, as well as the fact a number of URM’s auditors are ex-certification body assessors.  As such, when conducting internal audits, we will ensure the same reporting approach to nonconformities etc will be adopted.  It is also guaranteed that all of the mandatory internal audit requirements from Clause 9.2, along with the control requirements from ISO 27001 will be satisfied if the whole of your internal audit programme is outsourced to URM.

Flexible and pragmatic

URM can offer your organisation a flexible range of audit services from planning and implementing a full 3 year’ ISO 27001 audit programme, to conducting individual audits against any aspect of the ISMS or any specific controls.  Our auditors are also able to apply a pragmatic business-based approach to audit requirements.

Information Security FAQISO 27001 FAQ

Common Pitfalls Identified in Organisations Seeking ISO 27001 Certification

Published on

URM’s blog discusses the common pitfalls of the ISO 27001 implementation and certification process, and how you can avoid making the same mistakes.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Planning Your ISO 27001 Audit Programme

URM’s blog drills down into ISO 27001 audits, offering advice on how to effectively develop and implement an ISO 27001 conformant audit programme.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
How to Meet the ISO 27001 Requirements Around Interested Parties

URM’s blog provides advice and guidance on how you can meet the ISO 27001 requirements around interested parties and their needs and expectations.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
Lessons Learnt from Early ISO 27001:2022 Transitions

URM’s blog, produced in collaboration with BSI, discusses common mistakes we have seen in early ISO 27001:2022 transitions, and how to avoid them.

Read more
Without doubt, URM helped us to achieve our planned objectives a lot sooner than expected. The engagement was a huge success and couldn’t have gone any better.
Group IT Director, UK Mail
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.