Find an auditor


Find an auditor to get their informed opinion on how well your organization’s controls meet the relevant clauses. There are a few things you should consider when selecting an auditor:

  1. Accreditation: Ensure that your auditor is a member of the ANSI National Accreditation Board (ANAB). ANAB assesses and accredits certification bodies. Only accredited certification bodies can issue an ISO 9001 certificate.
  2. Find a reputable firm. A firm with a good reputation is sufficient. If you need guidance in this area, TrustCloud provides recommendations.
  3. Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of ISO 9001, of how to evaluate controls against your organization, and of the best practices that apply.
  4. It’s important that your auditor understands your business so they can expertly assess whether there are any gaps or deficiencies.

The IIA Standard Code of Ethics guides auditors toward being independent and objective. An auditor sees your documentation as evidence and proof that a particular control exists, which helps them evaluate operational effectiveness (whether or not the control is performing as it should).

Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the ISO 9001 framework. These techniques may include:

  1. Observation: Observing you perform a task relevant to a specific control.
  2. Inquiry: Interviewing you or your team to learn about a specific process.
  3. Inspection: Requesting evidence of compliance with a control.

Stage 1 vs. Stage 2 Audit

The audit process for ISO 9001 is broken down into two distinct stages.

Stage 1

In stage 1, an auditor reviews the QMS, typically on-site, to determine if mandatory requirements are being met and whether the management system is good enough to proceed to stage 2. This initial review is primarily focused on validating whether your QMS is appropriately designed and whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard and discuss planning for stage 2. Ideally, stage 1 should take place at most two to four weeks before stage 2, so that the management system does not substantially change between the two stages.

Stage 2

In stage 2, the auditor will more thoroughly assess your QMS and evaluate whether its implementation effectively meets ISO 9001 requirements.

In order to satisfy the auditor’s needs, it’s imperative that documentation be complete and accurate. The source of information in the document has to be identified and verified; the content of the document must be written with integrity; and the documentation has to be easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.

At the end of this long journey, once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, and after you have implemented the corrective actions to address the auditor’s findings raised during stages 1 and 2, your auditor will give you their stamp of approval and can now recommend you for certification.

An independent and certified body reviews your QMS files to decide in your favor and grant you certification. You can now shout out (or post on your website) that you are ISO 9001 compliant, for now.

An ISO 9001 certificate is valid for three years. However, ISO 9001 imposes an additional “continual improvement” requirement. To maintain your certification, you must go through surveillance audits every year, ensuring that you’re continually improving and adhering to your information security protocols.

Learn more about continuous ISO 9001 compliance with TrustOps for ISO 9001!
