ISO 17799 and ISO 27001 Newsletter

The David L Watson Interview

The following questions were presented:


Audits are always a bit scary – how do you put people at ease during one?

Sadly this is true, as many people being audited think that they will get punished if they give the wrong answer.

The process I adopt for the interviews on site is always the same and I find it works well.

I am always accompanied by the client ‘guide’ who is there to make sure I get to the right place on time, introduce me and generally facilitate me getting what I need to perform the Audit.

I always interview on my own as two Auditors and a client guide can be a bit intimidating, especially if we are all over 6 feet tall!

I also always try to interview people at their own desks as they are in familiar territory, rather than being shut in a small interview room, and it means that if I ask for any documents or records they should be readily at hand.

The process then goes like this:

- Auditor(s) introduced to Auditee by client ‘guide’;
- Auditor(s) explain what they are doing and why;
- Auditee asked to describe their job function and responsibilities;
- Auditor(s) work through Audit Work Plan (AWP), noting documents to be provided;
- Let respondent ask any questions.

The AWP is just a series of questions that are based on BS7799 that I would ask the Auditee (the person being audited). They are not magic or plucked from obscurity; typically I turn ISO 17799 round and where it says ‘Do something’, I ask them if it is done, then how it is done, and then finally to show me the actual process.

I am not able to ask them questions outside the standard as this is unfair and not the object of the exercise.

What I want to determine or see at each interview is the following:

- To see objective evidence of compliance with the documented ISMS;
- To ensure that all mandatory requirements are met;
- To ensure that the organisation has met the requirements for the certification.

I am not out to fail them!
**The Newsletter**

The ISO 17799 and ISO 27001 Newsletter is published periodically. It provides news and background for those interested in information security generally, and ISO17799 / ISO27001 specifically. In addition, we provide occasional 'breaking news' bulletins covering any major event related to the standards.

© Copyright 2005/2006.