
Expert Advice Community

Need Process Owner's presence during audit?

Created:   Apr 20, 2022 Last commented:   Apr 23, 2022


I have a few questions: 1. Do we need the process owner's presence to front the auditor(s)? 2. Why is the presence of the process owners important during the audit? 3. Who should be in the audit session with auditors? and Why? Thank you.
Tags: Audit

Expert
Rhand Leal Apr 23, 2022

1. Do we need the process owner's presence to front the auditor(s)?

Answer: ISO 27001 does not prescribe the presence of process owners during the audit (in fact, ISO 27001 does not require defining process owners at all), but for some questions the auditor may have, the process owner may be the person who can provide the proper answer to him.

During the audit opening meeting, you can ask the auditors who needs to be present during the audit.

2. Why is the presence of the process owners important during the audit?

Answer: Please note that some decisions regarding a process, like objectives definition or changes, may only be answered, or best answered, by the process owner.

Alternatively, the person that is most used to the process (sometimes known as the key user) may provide these answers.

3. Who should be in the audit session with auditors? and Why?

Answer: In general, the people accompanying the auditor are the person responsible for the audited area (so he can better understand the audited process and verify management commitment to information security) and the person responsible for information security (this person usually acts as a guide and interpreter between the auditor and the auditees).

The auditor may require some person from information security to be present, so he can ask questions to verify the employees' understanding of information security and their roles in the process (i.e., which information security activities they perform and how).

For further information, see:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/ 
- Infographic The brain of an ISO auditor: What to expect at a certification audit https://advisera.com/blog/2015/06/22/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
