How does this work and what tips are there for preparing your audit? In conversation with Danielle de Vaal.
You help many clients prepare for an audit; what is it like to go through this process yourself?
Danielle de Vaal indicates that an audit is also an important day for Protify. Because we support many parties in the field of certification, we are looked at extra critically. After all, as experts by experience, we are expected to have the knowledge. On the other hand, we have our affairs in good order, so we knew we had nothing to worry about.
Background information: Protify and ISO 27001
Protify has been certified for ISO 27001 since 2015, the year of its establishment. This year, Protify went through a follow-up audit, which took place remotely because of COVID. For the first time, a second entity was also included in the audit, namely the ProActive Compliance Tool (PCT), which is also officially integrated into Protify’s management system. As a result, the auditor paid close attention to the processes around the PCT and the services that are provided, in order to get a good picture of how the organisation is put together.
Continuous improvement is an important part of maintaining your management system and of the certification process. The auditor therefore looks specifically at the improvements you have implemented as an organisation. This means that every year you raise the bar for your organisation.
Can you talk a bit more about continuous improvements?
Improvements are essential. Think, for example, about what resources you can put in place to improve your Information Security Management System (ISMS) in response to changes in technology. We do not develop software (which many companies that go through ISO 27001 certification do), but provide services, which in turn requires us to fulfil different requirements than those for a physical product. For instance, we store a lot of data, so it is important to know what happens to it and how to store it securely. For us, the focus is on monitoring: ‘How can we make sure that what we do meets the requirements?’
An improvement that Protify itself has implemented in the past year is the performance of an IT audit on its own IT systems by an external party. This gives us even more assurance as to whether what we are doing is going well, and we can in turn learn from it to improve further. In this way, we can contribute even more to the integrity of how we handle information within Protify.
Were there any questions you found difficult?
‘We breathe information security,’ indicates Danielle, ‘yet you will always see that sometimes a particular control comes up that you may have paid a little less attention to.’ Should you have the same problem during an audit, or perhaps be unable to answer a question? Danielle’s tip: always be honest and clear about this and don’t make up an answer. Remember that you are doing the audit for your company and not for the auditor.
When you talk about certification and about an ISMS, it is an ongoing process and a way of working in your organisation. It has to be in your company’s DNA.
Do you have more tips to prepare for the audit?
The important thing is that you don’t think, ‘I’ll get started on my audit’, but work on your management system as part of your business process throughout the year. Danielle often sees in practice that companies really do it for the audit and therefore have to record or implement things at the last minute.
Of course, it may still be nerve-wracking, so make sure that you are not doing your best for the auditor; keep in mind that it is for your organisation. If you work on your ISMS throughout the year and continuously work with and on it, you will no longer see it as tedious. You will find that it helps your business further, gives insights and enables you to improve your organisation and services! So… change your mindset and stop worrying about the audit! Get started.
Tips from Danielle de Vaal for your audit at a glance
- Be honest, indicate if you don’t know the answer to a question.
- You conduct an audit for your organisation, not for the auditor!
- Work on your management system throughout the year and don’t just ‘get started with the audit’.
- Change your mindset and have confidence!
- Contact Protify for advice in preparation for your certification or audit.
Want more tips or advice on ISO 27001 certification or parts of it?
This year Protify has again completed the audit positively, and next year the triennial recertification for ISO 27001 will take place again. Would you like to obtain ISO 27001 certification yourself? Or would you like to go through a so-called preparation rehearsal in preparation for your audit? Danielle and her colleagues are happy to give advice or other tips! We are happy to help you; please contact us to see which service suits you best.