COVID just made having an ISO audit easier…
So in the time of COVID, having an ISO audit just got a bit easier! Usually auditors insist on rocking up and hanging out for days in your office. Now they can’t. Yay!
Preparing the documents
First, set up a new site and upload your content for the ISO audit into the right folders.
The files everyone needs to share will of course vary, but it’s usually a mix of process documents and evidence.
We keep all of our process documents online in our data room. In our case this is our ISMS (Information Security Management System). The documents are always in the cloud, with the latest version ready for whoever needs it.
Then we decide what the auditors need to see. We’re happy for them to have full access to most of our documents, but for sensitive details like staff names/addresses and the Risk and Asset Registers, we reduce their permissions to view on screen only. This protects our information from accidental leaks.
Get ready for a lot of video calls!
Then, during the ISO audit we have a Zoom or video call, where we share files in real time and chat. When the auditor wants to look into individual documents, we just send them a read-only link from Projectfusion.
This has some clear benefits. Firstly, your important and often sensitive documents are not being sent externally; the auditor is just reviewing them read-only.
Secondly, if the auditor wants to drill deeper into a document they can do so in their own time without having to hold you on the screenshare. This saves time for both parties involved.
Thirdly, all your documents will be in the right place before the ISO audit, so you will save time preparing. Most document management systems will also track versions, dates and changes – which is something auditors always want to see.
Tracking the evidence with Trello
For the evidence part of the ISO audit we tend to track all of our issues, opportunities for improvement, incidents et cetera in Trello. Doing this again means it can be easily reviewed by the auditor, and we have date stamps and checklists where our team have to follow protocols. We use protocols for everything. I like checklists!
The beauty of Trello is that it provides a great board view of all your audited activity and schedules. So for example, we have to monitor key suppliers every 6 months. This is a Trello card that has an assigned person and date. When the monitoring has been done (yes, there is a checklist!) the card gets copied to that quarter's done list, and then re-dated for when it is next due. This way nothing gets forgotten, and when the auditors come to look, they can see when the tasks were done.