The following questions were presented:
Audits are always a bit scary – how do you put people at ease during one?
Sadly this is true, as many people being audited think that they will get punished if they give the wrong answer.
The process I adopt for the interviews on site is always the same, and I find it works well.
I am always accompanied by the client ‘guide’, who is there to make sure I get to the right place on time, introduce me and generally facilitate me getting what I need to perform the
I always interview on my own, as two auditors and a client guide can be a bit intimidating, especially if we are all over 6 feet tall!
I also always try to interview people at their own desks, as they are in familiar territory rather than being shut in a small interview room, and it means that if I ask for any documents or records they should be readily at hand.
The process then goes like this:
Auditor(s) introduced to Auditee by client;
Auditor(s) explain what they are doing and why;
Auditee asked to describe their job function;
Auditor(s) work through Audit Work Plan (AWP), noting documents to be provided;
Let respondent ask any questions.
The AWP is just a series of questions, based on BS7799, that I would ask the Auditee (the person being audited). They are not magic or plucked from obscurity; typically I turn ISO 17799 round and, where it says ‘Do something’, I ask them if it is done, then how it is done, and then finally to show me the actual process.
I am not able to ask them questions outside the standard, as this is unfair and not the object of the exercise.
What I want to determine or see at each interview is the following:
To see objective evidence of compliance with the documented ISMS;
To ensure that all mandatory requirements are
To ensure that the organisation has met the requirements for the certification.
I am not out to fail them!