BS 25999 Lead Auditor Course Presentation Slides
Issue 1.1 – August 2008 BCM-040-01-EN-US ©The British Standards Institution 2008 1
BS 25999 Lead Auditor Course
Issue 1.1: August 2008 BCM-040-01-EN-US
Welcome!
• Safety - be aware of emergency exits
• Restroom and Telephones - nearest locations
• Contact Number - for urgent messages
• Personal Property - keep possessions secure
• Phones and Pagers - please avoid interruptions
• Recording Devices - not allowed in class
• Lunch and Breaks - please return on time
• Smoking - not permitted in the classroom
• Special Needs - please inform the instructor
Introductions
• Name
• Organization and business sector
• Job role
• Knowledge of BS 25999 (1 – 10 scale)
• Knowledge of auditing (1 – 10 scale)
• Your aim for attending this course
• Something interesting about yourself
Learning Objectives
Upon completion of the course, students should be able to:
• Lead and carry out an audit of a business continuity management system
• Explain the requirements of BS 25999-2:2007
• Understand the Business Continuity Management Code of Practice
• Clarify the different purposes of BS 25999 Part 1 and Part 2
• Articulate and present audit findings
• Manage successful audit communication and interviews
• Write a succinct audit report
• Conduct opening, closing, and follow-up audit meetings
Business Continuity
Defining Business Continuity
Strategic and tactical capability of the organization to plan for and respond to incidents and business disruption in order to continue business operations at an acceptable pre-defined level
BS 25999-2:2007, 2.3
Defining Business Continuity Management
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
BS 25999-2:2007, 2.4
Business Continuity Terms
• Business Continuity management system
• BCM program
• BCM strategy
• BCM response
• BCM exercise
• Activity
• Critical activities
• Incident Management Plan
• Business Continuity Plan
• Invocation
• Business Impact Analysis (BIA)
BCM Standards
Code of Practice – Best practice, not auditable
Requirements – Shall statements, auditable
Relationship with other Standards
• BS 25999 modeled after PDCA cycle
• Consistent with other management system standards: BS ISO 9001, BS ISO 14001, ISO/IEC 27001, ISO/IEC 20000-2
• Continuity mentioned in the following standards: ISO/IEC 27001 and ISO/IEC 27002, ISO/IEC 20000
Introduction to Auditing
Auditing
What is an audit?
• Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled (ISO 19011:2002 clause 3.1)
Why audit?
• Requirement of BS 25999-2
• Monitor and measure the management system
• Promote continual improvement of the management system
Benefits of Auditing
• Verifies conformity to requirements
• Increases awareness and understanding
• Provides a measurement of effectiveness of the management system to top management
• Reduces risk of management system failure
• Identifies improvement opportunities
• Continual improvement if performed regularly
Typical Audit Activities
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
Overview of Process-based Management Systems
Management Systems
Common components of management systems:
• Policy
• Planning
• Implementation and operation
• Performance assessment
• Improvement
• Management review
Plan – Do – Check – Act (PDCA) Cycle
[Diagram: continual improvement of the Business Continuity Management System. Interested parties' business continuity requirements and expectations feed into Plan (establish); Do (implement and operate); Check (monitor and review); Act (maintain and improve); the output to interested parties is managed business continuity.]
Exercise 1
Business Continuity Management Lifecycle
Business Continuity Lifecycle
[Diagram: lifecycle with its elements left blank for the exercise]
Business Continuity Lifecycle
[Diagram elements: BCM Program Management; Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing]
Business Continuity Lifecycle and the Plan-Do-Check-Act Cycle
[Diagram: the BCM lifecycle elements (BCM Program Management; Understanding the Organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing) mapped onto the PDCA cycle: interested parties' business continuity requirements and expectations; Plan (establish); Do (implement and operate); Check (monitor and review); Act (maintain and improve); managed business continuity; continual improvement of the Business Continuity Management System]
Requirements of BS 25999-2 and the PDCA Cycle
The organization shall develop, implement, maintain and continually improve a documented BCMS in accordance with 3.2 - 3.4
BS 25999-2:2007, 3.1
[Diagram: Develop – Implement – Maintain – Continually Improve]
Exercise 2
Requirements of BS 25999-2:2007
Auditing BS 25999-2:2007
Value of Management System Audits
Management system audits enable management to:
• Make informed judgment on: conformity; effectiveness of the system
• Make effective business decisions
• Allocate necessary resources
• Improve business processes
ISO 19011:2002
ISO 19011:2002 provides guidance on:
• Auditing principles
• Managing audit programs
• Conducting internal and external audits
• Competence of auditors
ISO 19011:2002 can also be applied to BS 25999-2
Typical Audit Activities (ISO 19011 clause 6.1)
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
Note: the clause number shown (6.1) is a reference to the ISO 19011 clause number
BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
• Stage 1: Audit client’s management system documentation; review the client’s status and evaluate whether client is ready for stage 2 audit
• Stage 2: Evaluate implementation of the client’s management system; shall take place at the site(s) of the client
Exercise 3
Audit Definitions
Types of Audits
• Registration/Certification
• Product
• Customer contract
• Gap assessment/Pre-assessment
• Surveillance
• Combined audit/Joint audit
Dimensions of Auditing
Intent: Does Top Management intend to implement a BCMS and how is this intent communicated?
Implementation: Does the implementation of the BCMS reflect the intent of Top Management?
Effectiveness: Is the implementation effective (i.e., does it meet the parameters established by the intent)?
Management System Standards and the Process Approach
• BS 25999-2: is based upon the PDCA cycle, which can be applied to processes; applies the PDCA cycle to implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of a BCMS
• ISO 19011:2002 does not explicitly mention process audits, but is written for application to all management system audits
Applying the Process Approach to Auditing
Auditors can apply the process approach to auditing by ensuring the auditee:
• Can define the objectives, inputs, outputs, activities, and resources for its processes
• Analyzes, monitors, measures, and improves its processes
• Understands the sequence and interaction of its processes
Process Auditing Approaches
Individual Process:
• Input / Output / Value-added Activity
• Plan-Do-Check-Act
• Resources
Relationship with other Processes:
• Flow/Sequence/Linkage/Combination
• Interaction / Communication
• Evidence
• Customer and supplier contract(s)
Process Auditing “Turtle Diagram”
[Diagram: the Process (specific value-added activities) in the centre, with Inputs (from whom/where) entering and Outputs (to whom/where) leaving, and four questions around it:]
• With what? Resources
• With whom? Personnel
• How done? Methods/Documentation
• What results? Performance indicators
Process Auditing Example
[Diagram: turtle diagram for the process “Exercising IT Support Processes”]
• Inputs: BCP, IMP, Scope, Risks, Critical Activity
• With what? Systems, applications
• With whom? BC manager, IT manager
• How done? Desk check, simulation, walk-through
• What results? Reduction in recovery times, successful recovery
• Outputs: Written report, feedback for improvement, actions
Exercise 4
Process Auditing and the Turtle Diagram
Managing an Audit Program – Process Flow (ISO 19011 clause 5.1)
[Diagram, PDCA layout:]
AUTHORIZE
PLAN – ESTABLISH: objectives, extent, roles, resources, procedures
DO – IMPLEMENT: schedule audits, evaluate auditors, select teams, direct activities, maintain records
CHECK – MONITOR & REVIEW: monitor, review, identify need for CA/PA, identify opportunities to improve
ACT – IMPROVE
Supporting elements: specific audit activities; auditor competence & evaluation
Audit Program
Audit program includes:
• One or more audits, depending on the size, nature and complexity of the auditee
• All activities necessary for planning, organizing, and providing resources to conduct audits
Audit Program
• Top management should authorize responsibility for program management
• Those assigned responsibility should: establish, implement, monitor, review, and improve the audit program; identify the necessary resources and ensure they are provided
Audit Program
• Audit program processes should include: planning and scheduling audits; assuring competence of auditors and audit teams; conducting audits and audit follow-up; monitoring the performance of the audit program
• Program should be managed by a member of the organization
• Keep appropriate audit records to monitor and review the audit program
Audit Program and Plan
• An audit plan is an output from the audit program
• Audit plans give details about the audit, including: which processes; which areas; which clauses
Exercise 5
Considerations of the Audit Program
Audit Activities (ISO 19011 clause 6.1)
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
Initiating the Audit (ISO 19011 clause 6.2)
Initiating the audit includes:
• Appointing the audit team leader
• Defining audit objectives, scope, criteria
• Determining feasibility of the audit
• Selecting the audit team
• Establishing initial contact with the auditee
Defining Audit Objectives, Scope, Criteria (ISO 19011 clause 6.2.2)
Audit objectives may include:
• Determination of the extent of conformity of auditee’s BCMS with audit criteria
• Evaluation of capability of BCMS to ensure compliance with statutory, regulatory, and contractual requirements
• Evaluation of effectiveness of the BCMS to meet its objectives
• Identification of areas of improvement
Defining Audit Objectives, Scope, Criteria
Audit scope describes extent and boundaries of audit, including:
• Physical locations
• Organizational units
• Activities and processes
• Time period covered by audit
Selecting the Audit Team (ISO 19011 clause 6.2.4)
For team size and competence, consider:
• Audit objectives, scope, criteria, and duration
• Whether audit is combined or joint
• Competence of team to meet objectives
• Statutory, regulatory, contractual and accreditation / certification requirements
Selecting the Audit Team (ISO 19011 clause 6.2.4)
For team size and competence, consider:
• Independence of the team
• Ability of team members to interact with auditee and each other
• Language of the audit
• Auditee’s social and cultural characteristics
Auditor Responsibilities
• Document and support all findings
• Keep auditee informed
• Safeguard all documents
• Maintain confidentiality
• Be objective and ethical
• Verify corrective actions, if required
Auditor Competence (ISO 19011 clause 7.1)
• Auditor competence is based on: personal attributes; application of knowledge and skills
• Competence is to be developed, maintained, and improved
Auditor Competence – Personal Attributes (ISO 19011 clause 7.2)
• Ethical
• Open-minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self-reliant
Auditor Competence – Generic Knowledge and Skills (ISO 19011 clause 7.3.1)
Audit principles, procedures, and techniques:
• Apply principles, procedures, and techniques
• Plan and organize work
• Conduct audit within time schedule
• Collect information through interviewing, listening, observing, and reviewing documents
• Understand sampling techniques
• Confirm evidence to support findings
• Prepare audit reports
• Maintain confidentiality and security
Auditor Competence – Generic Knowledge and Skills (ISO 19011 clause 7.3.1)
• Organizational situations: size, structure, functions, and relationships; business processes and terminology; cultural and social customs
• Laws, regulations, and other requirements: local, regional, and national; contracts and agreements; international treaties and conventions
• Management system and reference documents: interaction between the components of the system; applicable standards, procedures, and reference documents
Auditor Competence – BCM Knowledge and Skills
BCM knowledge and skills should cover:
• Techniques used to develop and implement the BCM process
• Analysis methods and techniques to examine business impact and risk assessment
• Understanding of strategy development
• Understanding of planning techniques to examine the development and implementation of BCM responses and exercises
• Understanding of training and awareness programs for BCM
BS EN ISO/IEC 17021:2006
The initial certification audit shall be conducted in two stages:
• Stage 1: Audit client’s management system documentation; review the client’s status and evaluate whether client is ready for stage 2 audit
• Stage 2: Evaluate implementation of the client’s management system; shall take place at the site(s) of the client
Conducting Document Review (ISO 19011 clause 6.3)
A review of auditee’s documentation:
• Should be conducted prior to on-site audit activities unless deferring review is not detrimental to the effectiveness of the audit
• May include relevant BCMS documents, records, and previous audit reports
• May include a preliminary site visit
Conducting Document Review
When conducting a document review, ask:
• Are all requirements of BS 25999 addressed?
• Does documentation match the audit scope?
• Is management commitment clearly defined?
• Have responsibilities been adequately defined?
• Is the lower level documentation referenced?
• Are you familiar with the area to be audited?
Exercise 6
Document Review (Stage 1 Audit)
Audit Plan Preparation (ISO 19011 clause 6.4.1)
The Audit Plan should identify or include:
• Objectives/scope/criteria
• Personnel responsible for objectives and scope
• Reference documents
• Audit team members
• Language of the audit
• Areas to be audited
• Expected time and duration of each major audit activity
• Confidentiality requirements
• Audit reporting details
• Logistics
• Resolution of any plan objections
• Schedule of meetings
• Allocation of appropriate resources
• Audit follow-up actions
Audit Planning
• Determine the objective of the audit
• Identify specified requirements
• Determine audit duration and resources needed
• Select the team
• Contact the auditee – agree the date(s)
• Draw up audit plan
• Brief the team
• Prepare work documents
Exercise 7
Creating an Audit Plan
Prepare Work Documents
• Prepare work documents
• Use as a reference and for recording audit proceedings
• Include checklists, sampling plans and forms, BS 25999-1:2006 and BS 25999-2:2007 standards, etc.
• Keep checklists flexible to allow changes resulting from information collected during the audit
• Safeguard any confidential and proprietary information
• Retain work documents and records
Checklists – Benefits
• Keeps audit scope and objectives clear
• Provides evidence of audit planning
• Maintains audit pace and continuity
• Reduces auditor bias
• Reduces workload during audit
• Provides space for auditor notes
• Identifies expected evidence
Checklists – Potential Drawbacks
• Checklists tend to lose value if they are: tick lists; questionnaires
• Checklists may lead to rigid adherence to pre-planned questions
Prepare them as memory aids
Checklists – Preparation
One approach is to:
• Identify audit scope and process(es) within scope
• Identify applicable factors (inputs, outputs, measures, resources, etc.)
• Use these points and other requirements (BS 25999-2, system documentation, etc.) to:
  • Plan what to look at
  • Plan what to look for (audit evidence)
  • Prepare checklist
Checklist Structure
Audit checklist structure:
Process/Activity Audited:
Requirement | Source | Evidence | Notes
BS 25999-2 clause # or other requirement | What to “look at” | What to “look for” | Notes
Exercise 8
Creating Audit Work Documents
Conduct On-site Audit Activities (ISO 19011 clause 6.5)
• Conduct Opening Meeting
• Communicate during the audit
• Explain roles and responsibilities of participants
• Collect and verify information
• Generate audit findings
• Prepare audit conclusions
• Conduct Closing Meeting
Opening Meeting (ISO 19011 clause 6.5.1)
• Hold opening meeting with auditee top management and those responsible for processes audited
• Meeting may range from informal (1st party) to formal (3rd party)
• Chaired by team leader
• Audit team present
• Purpose is to confirm all prior arrangements
Opening Meeting (ISO 19011 clause 6.5.1)
1. Introduction / roles / attendance
2. Objective / scope / criteria
3. Documentation status
4. Audit plan confirmation
5. Audit methods
6. Sampling
7. Communication channels
8. Language of audit
9. Audit progress
10. Closing / interim meetings
Opening Meeting (ISO 19011 clause 6.5.1)
11. Logistics: Resources, safety, security, etc.
12. Confidentiality
13. Availability of guides
14. Reporting methods including nonconformities
15. Conditions for audit termination
16. Appeal system: Audit conduct / conclusions
17. Restrictions / questions
Exercise 9
Conducting an Opening Meeting
Collecting and Verifying Information
[Diagram: Sources of information → collect by appropriate sampling & verification → Audit evidence → evaluate against audit criteria → Audit findings → review → Audit conclusions]
Auditing Process – Collect and Verify Information (ISO 19011 clause 6.5.4)
• Collect information relevant to: audit objectives, scope, and criteria; interfaces between functions, activities and processes
• Collect audit evidence by appropriate sampling and verify and record it
• Be aware of sampling limitations, if acting on the audit conclusion
• Use only information that is verifiable as audit evidence
Auditing Process – Techniques to Obtain Audit Evidence
• Interview: personnel that manage, perform, and verify activities; also ensure they are responsible for the activity being audited; listen carefully to responses
• Observe: identity, status, condition, processes, equipment, activities, environment, and people
Auditing Process – Audit Evidence
• Review documents that describe: activities; plans; controls; strategies; exercises; tests
• Review business continuity records for evidence of conformity to documents
• Review records, statements of fact, or other information which are relevant to the audit criteria and verifiable
• Audit evidence may be qualitative or quantitative
Communication and Interpersonal Skills
• Put auditee at ease
• Ask short questions and listen
• Reflect right attitude, tone of voice, body language, and facial expressions
• Smile and show eye contact
• Avoid interruptions
• Avoid off-the-cuff and condescending remarks
• Give praise when appropriate
Communication and Interpersonal Skills
• Show interest
• Be tactful and polite
• Show patience and understanding
• Remember to say please and thank you
• Ask the right person
• Don’t say you understand when you don’t
Questioning Techniques
• Open question: using why, who, what, where, when, or how gets more than a yes or no answer
• Expansive question: further elaborates the current point
• Opinion question: asks opinion about current point
• Non-verbal: uses body language, for example, raising an eyebrow to elicit further information
Questioning Techniques
• Repetitive question: repeats back response in form of a question
• Hypothetical question: uses what if, suppose that, etc.
• Closed question: gets a yes or no answer; avoid using too often; used for confirmation
• Silence: draws more information
Note Taking
• Notes could be used as reference for: immediate investigation; investigation later; use by a colleague; subsequent audits
• Notes must therefore be: legible; retrievable
Note Taking
• Notes taken during an audit are a record of: the audit sample taken; what was reported; what was observed
• Notes may be referenced by subsequent auditors
Control of the Audit
• Checklist is an aid, not a requirement
• If potential audit trails appear, decide to: disregard; note for later; follow up immediately
• Following audit trails may affect: sample size; audit plan
Handling Difficult Situations
• Cannot find document
• Uncooperative
• Called away
• Language
• Unprepared
• Long telephone calls
• Constant interruptions
• Provocation
• Long-winded auditees
• Noisy environment
• Interdepartmental or personality conflicts
• Dog-and-pony show
• Volunteered information
• Diversionary tactics
Establish the Facts – Keep the Auditee Informed
• For constructive, professional, and helpful audits: review audit progress and findings regularly; beat the grapevine or rumor mill; generate rapport
• Use auditee’s terminology
• Make audit documentation: complete; helpful; concise
Establish the Facts – Judgment in the Audit Process
• Audit focus must be on conformity and effectiveness, NOT on finding nonconformities
• The auditee must be given the benefit of any doubt where there is insufficient audit evidence
Establish the Facts
• Get help from the auditee
• Discuss concerns
• Verify the findings
• Record all the evidence: exact observation; where, what, etc.
• Establish why a nonconformity or otherwise
• State who (if relevant) - preferably by job title
• Obtain agreement with the facts
Generate Audit Findings (ISO 19011 clause 6.5.5)
• Evaluate audit evidence against audit criteria to generate audit findings
• Indicate if findings are conformities, nonconformities or opportunities for improvement
• Meet (audit team) to review findings
• Specify (with supporting evidence) or summarize conformity by location, functions, or processes, as required by audit plan
Nonconformity (ISO 19011 clause 6.5.5)
• Non-fulfillment of a specified requirement: not doing it; partially doing it; doing it the wrong way
• Specified requirements: conditions of customer contract; BC standard (BS 25999-2); Business Continuity management system; statutory or regulatory requirements
Exercise 10
Auditing Live Wild Logistics
Generate Audit Findings (ISO 19011 clause 6.5.5)
• Record nonconformity findings and supporting evidence
• Obtain auditee acknowledgement of nonconformities for accuracy and understandability
• Try and resolve differences of opinion
• Keep a record of unresolved issues
Nonconformity – Minor
• Failure to comply with a requirement which (based on judgement and experience) is not likely to result in BCMS failure
• Single observed lapse or isolated incident
• Minimal risk of nonconforming product or service
• Examples: a two month lapse in the exercise program; a training record not available; no actions taken to improve or review BCM arrangements after exercises
Nonconformity – Major
• Absence or total breakdown of a system to meet a requirement
• A number of minors related to the same clause or requirement
• A nonconformity that experience and judgement indicate will likely result in BCMS failure or significantly reduce its ability to assure controlled processes and products
Nonconformity – Major
Examples:
• No documented procedure for a required BS 25999-2:2007 process/activity
• Document changes routinely made without authorization
• No awareness program for the business continuity management system
• No future planned internal audits
• Insufficient scope
• Numerous minor nonconformities found in the business continuity plan
Nonconformity
Classifying the Nonconformity
Consider the seriousness:
• What could go wrong if the nonconformity remains uncorrected?
• Is it likely the system would detect it before the customer is affected?
• If you are not certain it is a nonconformity, it is not. You must have:
  A requirement that has been broken
  Proof that it has been broken
Nonconformity
Poor Report Examples
The nonconformity statements below are inadequate due to the lack of specified requirements and detailed evidence:
• Steering Group meeting minutes are not adequate
• The authority level for the Emergency Controller must be documented for clarity purposes
Nonconformity
Good Report Examples
ABC BCMS Audit
Nonconformity Report
Incident Number: 1
Company under Audit: XYZ, Inc.
Area under Review: BCP
BS 25999-2 Clause Number: 4.3.3.3
Category: Major / Minor
Requirement:
Clause 4.3.3.3 of BS 25999-2:2007 states that the business continuity plan must identify lines of communication.
Nonconformity Finding:
Upon review of the business continuity plan for XYZ, Inc. Issue 2, it was found that the contact information for the BCP still names employees that have left XYZ, Inc.
Exercise 11
Writing Nonconformities
Review Meeting with Auditee (6.5.2)
The review meeting, normally 15 to 20 minutes in duration, is carried out at the end of each auditing day with the management representative and guides to:
• Review any nonconformities
• Resolve any problems
• Report audit progress
• Clarify any misunderstandings
• Obtain signatures to any nonconformities
Preparing Audit Conclusions (6.5.6)
Audit team should confer prior to the closing meeting:
• Scheduling of the audit plan
• To plan for closing meeting
• Purpose is to:
  Review audit findings and other information
  Agree on audit conclusions
• To prepare the audit report and recommendations
• If included in audit plan, to discuss audit follow-up
Audit Report
Prepare, Approve and Distribute (6.6.1, 6.6.2)
1. Audit reference
2. Client and Auditee details
3. Audit team details
4. List of auditee representatives
5. Objectives, scope, and criteria
6. Audit plan – dates, places, areas audited and timing
7. Summary of audit process
8. Audit Summary
9. Uncertainty due to sampling
Audit Report
Prepare, Approve and Distribute (6.6.1, 6.6.2)
10. Nonconformity reports
11. Recommendation
12. Obstacles encountered
13. Any areas in audit scope not covered
14. Any unresolved issues between the auditee and team
15. Confirmation that audit objectives were accomplished
16. Confidentiality statement
17. Distribution list
Audit Report Distribution (6.6.1)
• Issue within agreed time period
• If delayed, provide reasons and agree on new issue date
• Report must be dated, reviewed, and approved as per procedures
• Distribute to recipients designated by audit client
• Report is property of audit client
• Recipients and audit team must respect the confidentiality of the report
Completing the Audit (6.7)
• Audit is complete when all activities in audit plan have been carried out and audit report is distributed
• Maintain or dispose of audit documents based on contractual, regulatory, and audit program procedures
• Maintain confidentiality of audit documents, information, and report
• Notify audit client and auditee ASAP if disclosure of audit information is required
3rd Party Audit
Recommendation Options
• Recommend registration without conditions
• Recommend conditional registration based on submission of acceptable plan and follow-up:
  Verification at next surveillance visit
  Evaluation of the mailed evidence
  Special visit to verify corrective action
• Unable to recommend registration at this time:
  Partial re-audit
  Full re-audit
Exercise 12
Creating the Audit Report
Closing Meeting (6.5.7)
• Hold closing meeting (with auditee, audit client, and other parties) to present audit findings and conclusions
• Cover situations encountered during audit that may decrease reliance on audit conclusions
• Discuss and resolve diverging audit findings and conclusions
• Keep a record if not resolved
• Provide recommendations for improvement where specified by audit objectives
• Keep minutes and attendance records
Closing Meeting (6.5.7)
Team Leader prepares and works to an agenda and controls the meeting:
• Attendees
• Thanks
• Objective / Scope
• Reporting system
• Limitations
• Audit Summary
• Nonconformities
• Agreement (sign)
• Recommendation
• Clarification
• Confidentiality
• Depart
Exercise 13
Conducting the Closing Meeting
Completing the Audit
Conducting the Follow-up (6.8)
• Audit conclusions may require corrective, preventive, or improvement actions
• Auditee decides and carries out these actions within agreed timeframe
• These actions are not part of the audit
• Auditee should keep client informed of status of these actions
Completing the Audit
Conducting the Follow-up (6.8)
• Audit team member should verify completion and effectiveness of actions taken
• This verification may be part of a subsequent audit
• Maintain independence in subsequent audit activities
Completing the Audit
Corrective Action Follow-Up (6.8)
• Auditee receives the nonconformity report
• Auditee prepares and approves a corrective action plan
• Auditee submits the plan to audit organization
• Audit organization evaluates and approves the plan
• Auditee implements the approved corrective action plan
Completing the Audit
Corrective Action Follow-Up (6.8)
• Auditee collects and evaluates evidence of effectiveness
• Auditee revises the plan, if necessary
• Auditee documents the changes in the BCM system
• Auditor verifies the implementation and effectiveness
• Records of all actions taken by auditor and auditee
Exercise 14
Conducting Audit Follow-up
Exercise 15
Sample Exam
Conclusion
Business Continuity Lifecycle
[Figure: lifecycle diagram with the following elements]
• BCM Program Management
• Understanding the Organization
• Determining BCM strategy
• Developing and implementing BCM response
• Exercising, maintaining and reviewing
Typical Audit Activities
Initiating the Audit
Conducting Document Review
Preparing for On-site Activities
Conducting On-site Activities
Preparing, Approving, Distributing Audit Report
Completing the Audit
Conducting Audit Follow-up
Questions?
Thank you for your attendance and participation!
BS 25999 Lead Auditor course