We look forward to them.
Not at all. I think if you’re overly worried about an audit then your implementation should probably be revisited. That isn’t a bad thing, and continual assessment and improvement is at the heart of our ISO standards.
At Ixis, our Information Security policies and Quality processes were designed and implemented by the staff, so are now a way of working life. An external audit is a chance to review our original thinking and evolution, and to hear expert advice, both usual exercises.
Two representatives from ISOQAR audited two ISO standards this month, specifically the 27001 Information Security and 9001 Quality Standards. Ixis passed, of course, with no non-conformances, we expected to, but the real value came from the discussions of the processes and policies. Having an expert pair of eyes and having to explain what and why we do something a particular way is a perfect way to challenge and validate our implementation.
The audit consists of a review of the assessment and implementation of each standard, and then having a look at evidence at various random elements. One of the auditors roamed freely amongst the staff asking questions relevant to their role relating to one of the standards. Daunting for the staff perhaps, but our advice to ‘just answer the question because what you do and how you do it is the right way’ wins every time. We can get hung up on perhaps the correct parlance or a fear of saying something that might jeopardise our certification - but ultimately that only happens if the implementation isn’t correct, which, will be identified and during an audit and later corrected by you.
Don’t worry, and use the audit as can opportunity to review your implementation.