Methodology
Audit methodology
Audits are performed in line with ISO 19011 guidance for auditing management systems, using a risk-based and process-oriented approach.
Audit approach
The methodology applies to internal and GAP audits across:
- ISO/IEC 27001:2022
- ISO 9001:2015
- ISO/IEC 27701
- ISO/IEC 27017
- ISO/IEC 27018
Core audit principles
- independence and objectivity
- evidence-based auditing
- traceability of findings
- focus on effectiveness, not only formal compliance
- added value for the organisation
Audit process stages
1. Planning
- define scope and criteria
- prepare and agree an audit plan
- define methods and schedule
2. Audit execution
- interviews
- document/record review
- process/control testing
- collect objective evidence
3. Findings
- nonconformities (NC)
- observations
- opportunities for improvement (OFI)
- references to clauses/controls
4. Reporting
- structured final audit report
- overall assessment of effectiveness
- prioritised recommendations
5. Follow-up
- corrective and preventive action (CAPA) plan
- verification of corrective actions (as agreed)
Audit criteria and scope
Criteria are agreed upfront and may include:
- applicable ISO requirements
- internal policies/procedures
- legal/regulatory requirements
- contractual obligations
Scope is agreed with the client and documented in the audit plan.
Techniques and methods
We use a combination of:
- interviews
- document/record review
- process observation
- sampling-based control testing
All findings are based on verifiable evidence aligned with ISO 19011.
Documentation and traceability
Audit documentation ensures:
- traceability across criteria, tests and evidence
- consistent, clear findings
- support for follow-up verification and analysis
Important note
These are internal and GAP audits with a consulting nature and do not represent a certification audit or the activity of a certification body.