Preparing for a ISO 9001 audit

Preparing for an ISO 9001 audit is made easy with TrustCloud! If you’ve been through an ISO 9001 audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. 

Learn more about continuous ISO 9001 compliance with TrustOps for ISO 9001!

The People

After you’ve made the decision to pursue an ISO 9001 attestation, here’s something to keep in mind when drafting your audit preparation strategy. Create a taskforce of employees from the quality and IT teams, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team is also beneficial.

The ISO 9001 process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity and ensure you are staffed accordingly.

The Process

The first thing you may want to do is examine ISO 9001’s ten clauses and determine which are applicable to your business. The following five steps will guide you through this process. Contact the TrustCloud team to help you with this process.

Step 1: Understanding the Audit Process

While preparing for an ISO 9001 audit, let’s start by outlining the three stages that make up the ISO 9001 certification process. Keeping this broader view in mind will save you time and help you better structure your preparation.

Stage 1

In stage 1, the selected auditor will review your QMS, typically on-site, to determine if mandatory requirements are being met and whether the management system is good enough to proceed to stage 2.

This initial review is primarily focused on validating whether your QMS is appropriately designed and whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard and discuss planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2, so that the management system does not substantially change between the two stages.

Stage 2

In stage 2, the auditor will conduct a more thorough assessment of your QMS and evaluate whether it is implemented effectively and meets ISO 9001 requirements.

In order to satisfy the auditor’s needs, it’s imperative that documentation be both complete and accurate. The source of any documented information is identified and verified; documents are written with integrity, and documentation is easily accessible and retrievable for audit purposes. It is important to get an auditor to come to the same conclusion about the state and health of your information security program as you do. You can help them come to that conclusion.

Stage 3

Once the first two stages are completed, you can now apply for certification. An auditor assists in submitting your QMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.

However, the ISO 9001 process doesn’t end when you obtain your certification. To maintain your certification, you must go through surveillance audits every year, ensuring that you’re continually improving and adhering to your information security protocols. Additionally, the certification itself is only valid for three years!

Understanding the certification process is important as it helps you gauge the continual effort you need to put into maintaining compliance.

As you understand the level of commitment, time, and dedication required to implement and manage an effective QMS program, you can start gauging your level of readiness.

Step 2: Take an Inventory

Step two is to take stock of your resources and team. Given the level of effort required to become ISO 9001 compliant, it is important that knowledgeable team members lead the effort. If your team doesn’t have the right skill set, you can consider hiring people with the appropriate expertise.

To demonstrate compliance with clause 7.2, It is a key requirement that your QMS is managed by competent and properly trained employees.

Now you can create an inventory of your business, systems, and assets and map those to the control requirements outlined in ISO 9001’s ten clauses and Annex A. You can generally do this in one of two ways:

DIY

You can open up Excel and start manually mapping each of the clauses and subsequent requirements to your existing controls, policies, and procedures. This requires you to have (or, most likely, obtain) a deep understanding of the standard’s often complex requirements.

Using A Compliance Automation Tool

With a compliance automation tool such as TrustOps, you simply upload your business stack, and the tool auto-generates controls, tests, and policies, each mapped to the appropriate ISO 9001 clause or control.

We’ve experienced the DIY route firsthand and decided to build a tool to save you from having to spend countless months buried in spreadsheets. We sincerely hope that you learn from us and don’t pick the DIY option.

Once your mapping is complete, you can compare what you have with what the standard requires and find where your gaps are. This gap analysis helps add and implement specific processes, documentation, and controls. Your gaps are now on your to-do list. 

Step 3: Implementing a Management Review Program

When it comes to ISO 9001, senior management has a tremendous amount of responsibility. Clause 9.3 explicitly states: Senior management shall review the organization’s Quality Management System at planned intervals to ensure its continued suitability, adequacy, and effectiveness.

ISO 9001 also requires the implementation of a management review team. This team should be composed of senior management and should review the QMS often enough to ensure that it continues to be effective. Additionally, these meetings must conform to specific guidelines: they must occur on a predefined, periodic basis; meeting notes and action items must be recorded; and specific agenda items must be discussed.

Step 4: Adopt Controls

Your to-do list will quickly become flooded with documents and controls that you need to have in place.

If you’re using a compliance automation tool such as TrustOps, you are covered! TrustCloud is working to save you from spending your time and energy on spreadsheets and menial tasks. It has analyzed the ISO 9001 requirements and designed a comprehensive set of controls and policies for you to adopt. It has also mapped out the evidence requirement for each control in plain English, translated from the original legalese. It automatically learns where you are and helps you understand what you need to do to get where you want to be.

Some ISO 9001 controls require you to implement security tools and services to improve your security and business processes, and you have to research, purchase, and configure these appropriately. Examples include performing pen testing, enrolling in asset management, and conducting background checks. Depending on your organization’s processes and the workload of your employees, the procurement process can stretch on and become a significant risk factor in your adoption of the standard, but TrustCloud takes care of it all.

Throughout this process, you need to gather evidence to show that you are accurately compliant with all relevant controls by writing or amending policies and documenting procedures that explain how certain controls are satisfied.

Step 5: Conducting an Internal Audit

One of the biggest challenges for organizations preparing for an ISO 9001 audit is meeting the requirement for clause 9.2. This clause requires that the organization conduct internal audits to provide information on the organization’s own requirements for its QMS (9.2a) and conform to the requirements of the standard (9.2b).

In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.

Some organizations choose to hire external consultants. This can be a good option, as long as the consultant is competent and has unrestricted access to records and personnel to perform their review without issues.

The Audit

The ISO certification obtained after stage 3 (read the process section above for further details) is valid for three years. However, it is a requirement that, annually, an ISO ‘surveillance’ audit be performed to continually reassess the conformance of your QMS.