What the Coronavirus Means to Your ISO Audit

Unless you have been living under a proverbial rock, you’re probably aware of a new strain of the virus that is manifesting all around the globe, one that has you contemplating hiding under that aforementioned rock for your own health.

As the situation continues to be the subject of international interest, one issue, perhaps in the far recesses of your mind, is “how is the coronavirus going to affect my upcoming ISO certification review?” Despite seemingly more urgent matters, this is still a fair question, given that all accredited ISO certification reviews require on-site meetings with management and process owners to ensure the management system’s effectiveness.

Thankfully, the International Accreditation Forum (IAF) has specific Informative Documents (ID) that are intended to address these kinds of extreme circumstances and global events.  In particular, IAF ID 3 provides guidance on how certification bodies and certified entities should manage extraordinary events and/or circumstances that are beyond the control of an organization—that includes war, strikes, riots, political instability, geopolitical tension, terrorism, crimes, pandemics, flooding, earthquakes, and malicious computer hacking, among other natural or man-made disasters.

Moreover, accreditation bodies serve as the entities that provide oversight of certification body activities, including reviewing requests to modify a certification audit approach in light of new conditions; they act as mediator in determining whether the appropriate balance is being struck between protecting human life and ensuring that certified entities continue to meet the requirements of the Standard(s). In doing this, these accreditation bodies take into account the rationale for justifying modifications to on-site audit time, as well as audit fieldwork timing.

So how will these responsible parties respond to this latest coronavirus strain and the globe’s growing exposure?  What measures can be taken by certified entities or entities seeking certification to manage the risk?  For entities that are already certified, on-site audit time adjustments and changes to the audit certification timeline are both applicable options to consider.  For entities that are not yet certified, the on-site audit time adjustments appear to be the primary mechanism for recourse.

On-site Audit Time Adjustments

Should a certified entity, or entity seeking certification, still desire to achieve certification or demonstrate maintenance of its certification without adjusting its timelines for such a unique situation, IAF Mandatory Document (MD) 4 includes guidance on remote auditing techniques that can be used in lieu of on-site time. During the standard process, remote audit time cannot exceed 30% of the certification audit review’s total audit time, as remote time is generally reserved for planning and wrap-up activities. However, in extenuating circumstances where on-site audit time would pose an unnecessary risk to the persons involved, communication between the accreditation bodies, certification bodies, and certified entities will be critical to ensure that the appropriate approval for a go-forward plan is obtained. Accreditation bodies review each of these communications on a case-by-case basis for approval, and while it is likely that approval for additional remote auditing time will be obtained, it is imperative that all parties agree on the approach prior to commencing official audit activities.

Changes to the Audit Certification Timeline for Currently Certified Entities

As per the established process, entities that have already achieved certification are required to undergo recurring audit reviews in the form of surveillance and recertification review activities to maintain their certified status.  These organizations have some additional flexibility with regard to taking a wait-and-see approach in accordance with IAF ID 3 mentioned above, which provides some guidance on the audit timeline adjustments that can be made for a surveillance or recertification review.  

Surveillance Reviews 
The same is not necessarily applicable for organizations that are slated for their first surveillance review to occur in the near future. ISO requirements traditionally mandate the surveillance review be conducted within 12 months after the conclusion of the Stage 2, but approval can be requested for a review to be postponed an additional six months in the event of extenuating circumstances, meaning that the initial surveillance review can be completed within 18 months of completing the Stage 2 review once approval is obtained.  While there is no specific guidance for organizations that are prepared to undergo their second surveillance review, it stands to reason that a similar six-month grace period is on the table for discussion and approval with accreditation bodies.  

Recertification Reviews
Recertification reviews traditionally require that a certified entity complete their recertification audit and that the certification decision is made prior to the previous certificate expiration date to ensure the certification status is maintained.  In extenuating circumstances, consideration can be made to conduct a recertification review up to six months after the certificate expiration date, pending approval from the accreditation bodies.  If the recertification audit cannot be conducted within this extended period, the certificate could be at risk of expiring, whereby the certified entity would need to undergo a completely new initial certification audit—including Stage 1 and Stage 2 reviews—to regain its certified status.

What To Do Now

Even now, there are more new cases of coronavirus appearing in new countries around the globe.  As ISO is an international standard, our team is keenly aware of the concerns and predicaments that our clients are facing and we have every interest to ensure that health and safety are kept as the number one priority.  Where remote auditing techniques and timeline shifts need to be made in an effort to curtail concerns around the virus, we look forward to working with your teams to minimize the risk and impact to all parties with whom we interact.  In these tense times, we also ask that you think of your auditors, who oftentimes are already considered to be cold and austere—these days, everyone, unfortunately, has to think twice about a friendly handshake.

About the Author

Alex Hsiung

Alex Hsiung is a manager and ISO 27001 audit lead. Prior to joining Schellman, Alex worked as an Associate at KPMG, specializing in Sarbanes-Oxley compliance audits and IT advisory engagements. Alex also led and supported various other projects, including business process and information technology readiness assessments, internal audit services and regulatory compliance engagements. Alex has over 8 years of experience serving clients in various industries, including financial services, healthcare and manufacturing. Alex is a dedicated member of the ISO Service Team.
