Doubts about lead auditors in 27001
1) In which cases can an auditor decide whether to waive an audit in a company?
Answer: Considering certification/surveillance audits, these cannot be waived, because not performing a certification/surveillance audit will impact the certificate issuance.
In the case of internal audits, these can be waived considering the results of previous audits, provided that the whole ISMS scope is audited before a certification/surveillance audit.
For example, if you have a process audit twice a year, due to the results of previous audits (that were good), you can decide to waive one audit and perform audits only once a year.
2) If illegal software is detected in an audit, what is the procedure the auditor has to follow, and who is required to communicate how to proceed?
Answer: This is a situation to be treated very politely.
The recommended approach is to state that it was not possible to evidence the proper management of intellectual property rights of software *** (you should NEVER state that software is illegal; remember that your findings are based on the evidence you have found, or not found).
Regarding who to communicate with, you need to communicate with the audit customer during the briefings at the end of each audit day, and the nonconformity will also be formally communicated in the audit report.
Jan 27, 2022