Guidelines on words and phrases a certification auditor should/should not use
This article gives some guidelines on what words and phrases certification auditors should and should not use during a certification audit or in their report. I have focused on ISO27001, but what it says should apply to all certification auditors (e.g. for ISO9001, ISO14000).
And yes, I know lots of them do use these words/phrases. And yes, I know I used them when I was a certification auditor.
A certification auditor should only make statements such as “What you have done meets/does not meet requirement X.Y of ISO27001”. If it does not meet the requirements of ISO27001, then this sentence needs to be followed by “and the objective evidence (i.e. the facts) is X, Y and Z”.
This means that certification auditors should not say things like:
- “That is not a proper/reasonable/valid/correct/good/bad interpretation of ISO27001”.
- “You have/have not met the intent of ISO27001”. An auditor cannot audit “intent”.
- “The standard implies that you must do Y”. There are no implicit requirements in ISO27001.
- “You have not done X”.
Also, certification auditors should not make any of the following statements, because they amount to consultancy, and certification auditors are not allowed to do consultancy or give advice/recommendations (although lots of them do):
- “You should do Z”.
- “We recommend that you do X”.
- “It is a good idea to do Y”.
- “Best/good/common practice is to do Z”.
- “Consider doing Z”.
- “I have seen lots of organisations do it way X”.
- “It would be best if you did/did not do Z”.
- “In my opinion/judgement”.
Auditors should operate on the basis that there is either a Non Conformity or there isn’t. This means that they should not use the following words and phrases:
- “Weakness”.
- “Finding”.
- “Uncovered”.
- “Unsatisfactory/Satisfactory”.
- “Effective/not effective”.
- “Good/Bad”.
- “Clearly”.
- “Possibly”.
Or words equivalent to these. You get the idea.
As well as saying none of the above during the audit, written Non Conformities and Opportunities for Improvement (OFIs) in the report should not use any of these words or phrases. In practice this is quite hard if the auditor wants to raise an OFI, but they still need to be very careful with the wording so that it does not sound like consultancy.
Of course, auditors are human beings, and many use some of these words and phrases “off the record”.
Also, some of this is a bit unrealistic, as auditors are not automatons or robots. But they should certainly try to take the above into account, especially in the report.
See also this article about how to word non conformities. https://www.dhirubhai.net/pulse/guide-raising-documenting-iso27001-non-conformity-chris-hall/
IMPORTANT: What I have said above only applies to certification audits. It DOES NOT apply to any other kind of audit, for example, internal audits, gap analysis, reviews, maturity analysis.
Chris
A list of my articles is here: https://www.dhirubhai.net/pulse/list-chris-hall-articles-chris-hall-j671e/
#iso27001 #chrishalliso27001
Independent Information Security Consultant - ISO 27001 Implementation, auditing, support at Independent Consultant
11 months: Is this your own advice, Chris Hall, or is this information from a standard? While I agree that certification auditors must be careful not to provide specific recommendations regarding opportunities for improvement, I don't see how specific words and phrases can be impermissible. Is the auditee supposed to monitor the audit to check for the use of inappropriate language? Some of the words and phrases you advise against are, in my view, perfectly reasonable for a cert auditor to use.
Helping startups with security compliance so they win clients - Automating your ISO 27001 work - Founder ISMS Copilot - Sharing learnings at useaisecurely.com
11 months: Thanks, Chris. In France, many lead implementers and sometimes auditors expect to see a "process cartography" as a key document of your ISO 27001 implementation process, despite the fact that it's not a requirement of the standard. So, it's good to put the standard at the center of the table again.
Problem Solving Cyber Security Executive
11 months: Another good one here, Chris!
Head of Governance, Risk and Compliance at Beacon Platform
11 months: Another great article, Chris Hall.