The reasons why companies are failing audits are diverse and the ranking of the top causes might be different depending on the standards the organizations wish to be certified against. However, one of the most frequent non-conformities found across the various standards is the lack of documentation and the lack of organization of the documentation.
What falls under the term documentation?
The ISO quality management standard suggests splitting documentation into 4 hierarchy levels, which differ mainly in abstraction level or breadth of scope. On level 1 you will usually have global policy documents affecting the organization as a whole (describing the why), on level 2 procedures describing the who/what/when/where of the processes, on level 3 work instructions (the how), and on level 4 records. In ISO terminology, records are logs generated while running the processes which contain information about their actual performance; they are therefore valuable evidence for an auditor during stage 2 of an audit to verify that the management system indeed works as designed (levels 1 - 3 describe the design).
Which kind of organization might have challenges with the documentation process?
Especially larger organizations may find it challenging to keep track of hundreds or even thousands of documents and to have the information available promptly when it is needed. They may also think that some documentation required by the standard is superfluous and that their processes are running smoothly without it. However, missing mandatory documentation will always attract the attention of an auditor, because it is often an indication that something is going wrong, and sometimes even very wrong. If a standard deems certain documents mandatory, there are very good and understandable reasons why this is the case.
To address these shortcomings and consequently avoid failing an audit, an organization should describe the formal aspects of document handling and the related processes, and run a document management system which helps to ensure that all documents are labeled, versioned and stored consistently. Last but not least, personnel should be trained on the intended way to work with the documentation.
Speaker
Friedhelm Düsterhöft
Friedhelm Düsterhöft is the Managing Director of msdd.neT GmbH, a company offering IT security consultancy and training services for international companies from the IT, telecommunications, and financial industries. He has specialized in GRC topics around ISO 27001 and also has long-term experience in vulnerability management and penetration testing.