This perspective analyzes Clause 9.2, ISO 22000’s requirement for internal audit, understood to be a fully independent assessment that gives management feedback on the performance of the management system. The information in this perspective is based specifically on lessons learned from our ISO 22000 certification audit (which Avalution completed successfully early in 2013).

ISO 22000 is the first standard to use the new ISO format for management systems standards, which involves a great deal of “templatized” management system content across ten clauses. Because this format, the language, and many of the requirements are new to most business continuity professionals, it’s important to review and consider the intent behind some of the content and concepts.

This perspective is the fourth in a series discussing important elements of the ISO 22000 business continuity management system, including value-adding aspects of the standard or requirements that may “trip up” an organization during the certification process.

Today we’re going to look at Clause 9.2, the standard’s requirement for internal audit. The information in this perspective is based specifically on lessons learned from our ISO 22000 certification audit (which Avalution completed successfully early in 2013).

Clause 9.2 – Internal Audit

The organization shall conduct internal audits at planned intervals to show whether the business continuity management system conforms to the organization’s own requirements for its BCMS and the requirements of the International Standard, and is effectively implemented and maintained.

Introduction

One of the important elements of management systems is the ability to monitor, measure, and continually improve the performance of the organization. In Clause 9 – Performance evaluation, ISO 22000 sets out the requirements for evaluating the BCMS and the business continuity procedures. A vital part of this is internal audit, as a well-designed and well-executed internal audit program provides assurance that the BCMS is conforming to its objectives and performing.

ISO 22000 Internal Audit Requirements

There are two major elements in the ISO 22000 audit requirements. The first, as shown above in the Clause 9.2 excerpt, represents the content of the audit and assesses the conformance of the BCMS. The second element of Clause 9.2 covers the requirements for establishing and operating the audit program: the management system component.

Assessing Conformance of the BCMS

In accordance with ISO 22000, an organization’s BCMS must:

  1. Conform to the requirements of the Standard (ISO 22000),
  2. Conform to the requirements established by the organization to satisfy the requirements of the Standard, and
  3. Prove the organization has implemented and maintained those activities to conform with the first two elements.

The requirements of the Standard are identified in each clause by the use of “shall” statements. As a result, an audit plan, as seen in the example below, should be developed that identifies all “shall” statements on a clause-by-clause basis and seeks validation of conformance to those statements.

The requirements established by the organization are the methods selected and the documentation defined that show the requirement is addressed. In the example above, as part of the Test Plan Documentation, the organization identified the policy, standard operating procedure (SOP), and BIA report as evidence that the intent of the Standard has been met.

The final requirement is that the BCMS is effectively implemented and maintained. The audit process is a key process used to ensure compliance. In the example above, the auditor will verify the organization’s intent in the policy, the method for determining scope as defined in the SOP, and the execution of the process as documented in the BIA and through strategy identification.

Avalution Quick Tip: Remember, it’s not the auditor’s job to determine whether the scope is correct, only that the process is properly defined, followed, and documented.

The final element, verifying that the BCMS is maintained, is validated by ensuring that processes and outcomes have been reviewed and updated in accordance with the timeline defined in the SOP.

Establishing and Operating the Audit Program

The other requirement noted in Clause 9.2 relates to the structure of the audit program itself. Just like every other aspect of the BCMS, the organization must define how it expects to conduct the audit program. Within the BCMS documentation, the organization must:

a) Identify the frequency, methods, responsibilities, planning requirements, and reporting for the audit program
b) Define audit criteria and scope
c) Select objective and impartial auditors
d) Ensure audit results are properly reported and
e) Retain documented evidence of the audit program and results.

In addition, the organization must base its audit program on the results of risk assessments and evolve it in line with the results of previous audits. The final requirement is that corrective actions arising from the audit process are identified, documented, prioritized, and addressed to eliminate nonconformities and drive BCMS continual improvement.

Keeping Your Program on Track

The intent of the internal audit is to provide information that enables management to reach a conclusion regarding BCMS conformance to a standard as well as to their expectations. A well-designed audit program and regular internal audits provide assurance that the BCMS meets the requirements of the standard and is operating as designed, eliminating surprises during certification (if the organization seeks certification) and providing interim course corrections between external audits. Even if certification to the Standard isn’t a goal of an organization, including internal audit as part of the BCMS will provide management with periodic guidance and protect the investment the organization makes in developing and implementing a BCMS.

Continue to visit our business continuity and IT disaster recovery blog for additional posts in Avalution’s Conforming to ISO 22000 series.

In the meantime, don’t hesitate to reach out to us to discuss aligning to the standard or pursuing certification. We look forward to talking with you!