Implementation

What does the external audit process look like?


Your organization has recently been busy setting up and implementing an ISO management system. The internal audit and management review have been carried out and the results have been neatly documented. Action points are planned and each has been assigned an owner. You are fully prepared for the assessment. But what comes next, and what exactly is going to happen? In this article we explain what the entire external audit process looks like and what you can expect.


This article was last updated on 24.03.2026. Written by Mathijs Oppelaar, Operational Manager & Partner.

Three-year cycle

The external audit process consists of a 3-year cycle and is the closing step of the implementation process. It starts with the initial audit (obtaining the certificate). A control audit (surveillance audit) then takes place twice. At the end of the cycle, the recertification audit determines whether the certificate is renewed and the organization enters a new 3-year cycle. The assessment is carried out by a Certifying Authority (CI): an external, independent body that determines whether the organization meets the standard(s) it wants to be certified against. The CI is in turn supervised and controlled by the Dutch Accreditation Council (RvA).

Preliminary investigation

The external audit cycle starts with the preliminary investigation. During the preliminary investigation, an auditor (from the CI mentioned above) investigates whether the management system has been implemented effectively and efficiently. This is done, among other things, by means of a document review that checks whether all mandatory documentation is present. The auditor also gets to know the organization and its representatives and looks at a number of processes. During the preliminary investigation the documents are not yet assessed on their content; the focus is on whether the mandatory documentation exists. Afterwards, the organization receives a report with the auditor's findings, which also states whether the organization is ready for the certification audit.

Certification audit

The certification audit is about the practical functioning of the management system. By conducting interviews, reviewing documents and observing the organization's daily activities, the auditor tests whether the processes are in line with the management system. After the certification audit, the auditor determines whether the organization qualifies for the certificate. Here, too, the auditor provides a report afterwards in which all findings are described in detail.

Surveillance audit

Now that the certificate has been obtained, the work is done. Right? Certainly not! For more on this, read our article "Post-certificate maintenance, essential?". After the certificate has been obtained, the auditor will test over the next 2 years whether the processes and the management system continue to comply with the standard. The two surveillance audits do not cover the full management system; instead, they assess by means of pre-planned samples whether the organization may continue to hold the certificate.

Recertification audit

An ISO certificate, such as ISO 27001 or NEN 7510, is valid for 3 years. After the 3rd year the certificate would expire, but it is possible to recertify. The auditor then returns to check the entire management system, following the same steps as during the certification audit.

In short, the full audit cycle is quite a lot to take in. Hopefully this article has given you more clarity about what to expect when your organization gets certified.
