Making auditors' lives e-easier
discusses the positive impact of e-communications on assessing conformity to information security standards

E-communications and shared drives have had a huge impact on document control. It is now more straightforward for auditors to assess an organization’s conformity to standards.
Networked computer systems have largely standardized the way electronic documents are filed and stored and unnecessary documentation is easily disregarded. Gone are the days when an auditor would arrive at an organization to be confronted with mountains of paperwork.
Most organizations going for certification now operate a computerized system for their document control and even organizations that still use paper systems are changing as the pace of new technology increases and interconnected information systems become commonplace.
One of the greatest changes I have seen working at a certification body is that assessments take less time. The fact that auditors can now assess an organization from one computer in one venue helps enormously. Document control procedures covering validity, issue status and system access can all be checked from one place in a comparatively short space of time.
Our recent switch to electronic reporting means our auditors can now get the assessment report to the client and our head office swiftly – often the same day. This in turn means that nonconformities can be ironed out and the client organization can gain certification more quickly.
A new approach
When assessing an organization, I make a point of finding the newest starter and asking them to pull up the procedures for the management system being assessed. This is a guide to how well the system has been organized and communicated: if the most recently employed member of staff knows what I’m asking them to find – and where to find it – then the system owner has communicated effectively.
Recording communications is easier now that the business world uses email to stay in touch. It’s easier to trace a sequence of events through a properly saved and filed email system than through a paper trail.
However, decisions about what to keep and what to trash can be difficult to make, so an organization needs a policy in place outlining how e-communications should be recorded with a set format for storage and filing. It’s all too easy to lose an important email forever (or bury it in an archive that’s difficult for users who are not IT experts to access). This needs to be prevented so that important records are not archived or deleted unintentionally and can be easily accessed when needed.
When it comes to the assessment process, decisions must be made about how e-communications will be accessed. Is the auditor granted direct access to the email system? Are emails saved as text files on the network? Or are the relevant emails printed out for the auditor? All three methods have a place in the process, and the organization must decide which is the most appropriate.
Running smoothly
There can be complications when organizations are in the process of switching from paper to networked systems and occasionally it’s not possible for an entire system to be computerized (for example architectural practices with technical drawings). Confusion over what’s viewed on the computer and what’s viewed as a paper copy can complicate the assessment. Within these organizations, the system owner must take care to ensure the smooth running of the assessment.
One of the key points of an assessment is to give the auditor confidence that a management system is working. A well-managed electronic system immediately gives an auditor confidence that an effective document control system is in place.
However, with shared drives and e-communication come all sorts of potential problems – government mishaps over lost information are well documented by the media. Since we can now store a filing cabinet's worth of information on a tiny memory stick, it's no surprise that things go missing. A recent UK survey found that in 2009 4,500 memory sticks were left forgotten in the pockets of clothes taken to local dry cleaners!
Any organization serious about its management procedures and systems also needs to consider an information security system to prevent loss of important and confidential information. ISO 27001 provides a good framework for managing a variety of risks effectively; misuse, theft, corruption and deletion can all have serious consequences for any organization.
As new communications technologies are developed they will no doubt bring both benefits and new risks for businesses. For auditors they do seem to be a helping hand so far.
About the author
Dave Stewart is field operations manager at the certification body NQA. www.nqa.com
