Audit of management systems
We internally audit your management systems: ISO 27001 as the most frequent case, and also ISO 22301 for continuity, ISO 42001 for AI management, the ENS and the VDA ISA self-assessment that prepares your TISAX in automotive. The internal audit is not a formality: it is the requirement of the standard itself that checks, before anyone from outside does, that the system complies and works. Outsourcing it gives you the two things that cost the most: real independence and a lead auditor's eye, with findings that arrive while there is still time to fix them.
Certified lead auditors (CISA, CISSP, CISM) with experience in ISO 27001, 22301, 42001, ENS and TISAX.
Why outsource
The standard requires objectivity, and no one can audit their own work. Outsourcing breaks the loop of whoever operates and reviews the system.
We audit with the methodology of the certification bodies: objective evidence, sampling and findings that cite the requirement and the fact.
You do not spend weeks preparing and running the audit: you receive it, understand it and are left with a clear action plan.
A serious audit finds the problems before Stage 2 or the body's surveillance. That is exactly its job.
Service
Audit programme and plan: objectives, criteria, scope and agenda agreed with you.
Documentary review of the ISMS: clauses of the standard and statement of applicability.
Fieldwork: interviews by role, observation and sampling of evidence and records.
Verification of the Annex A controls that apply according to your statement of applicability, including the justification of the exclusions.
Audit report: major and minor nonconformities, observations and improvements, each finding with evidence and requirement.
Closing meeting with management and support on the corrective action plan.
Closure verification of the findings, if you want to include it.
Supply chain
Security no longer ends at your perimeter. NIS2 requires managing the risk of the whole supply chain, even of suppliers you do not contract directly, and controls 5.19 to 5.22 of ISO 27001 ask for the same: know, assess and monitor whoever has access to your systems and your data.
We audit your critical suppliers with the same lead auditor methodology: assessment of their security, verification of evidence and a report per supplier that tells you who to trust and what to demand. If you operate in automotive, we also assess your suppliers against the VDA ISA criteria that underpin TISAX. The attacks that come in through a supplier are among the fastest growing today, and the due diligence is yours even when the failure is someone else's.
Method
Scope, criteria, audit plan and request for documentation, within a week.
Interviews, observation and sampling of evidence, two to five field days depending on scope, remotely, at your premises or both.
Findings with evidence, closing meeting and action plan ready for the management review, within a week.
When
Always: it is a prerequisite and the body will ask for its report in Stage 2.
The standard requires it. The interval is set by your programme according to risks, changes and previous results, and we help you define and defend it.
Off schedule, when the scope, the technology or the organization change, or after a relevant incident.
We also audit integrated systems, continuity with ISO 22301 and AI management with ISO 42001, in the same visit, and we prepare the VDA ISA self-assessment prior to your TISAX assessment if you work for the automotive industry. And if your framework is the ENS, an internal review prior to the ordinary audit avoids nasty surprises at the worst moment.
Questions
Yes. The standard requires it at planned intervals as part of the performance evaluation of the ISMS, and the certification body will check that it exists, that it is independent and that its findings are managed.
They can, if they are competent in auditing and independent of what they audit. That is where the practical problem lies: in mid-sized organizations, the person who knows about security is the one who operates the system, and auditing your own work does not count. That is why outsourcing is the cleanest route.
Only with real independence: the auditor is always a member of the team who did not take part in the implementation, and if the engagement does not allow us to guarantee that, we tell you openly and help you resolve it with a third party. We would rather lose an audit than sign one we would not defend.
Yes, and it is one of the most in-demand services right now. We audit your critical suppliers with lead auditor methodology and give you a report per supplier. NIS2 and controls 5.19 to 5.22 of ISO 27001 make you responsible for the risk of your supply chain, even of indirect suppliers, so the due diligence is yours even when the failure is someone else's.
It means the audit worked. Each finding comes with its evidence, its requirement and its severity, and the report ends in a corrective action plan. It is infinitely better that we find them than that the certification body does.
Yes. TISAX relies on the VDA ISA questionnaire, which adapts ISO 27001 to the automotive industry, and its preparation runs through an internal self-assessment that we carry out with you before the official assessment. It is worth knowing that TISAX does not grant a certificate but a label, valid for three years, recognized by manufacturers; we get you ready to obtain it and, if you need it, we also assess your suppliers against the same criteria.
The ENS is audited externally by an accredited body, but a prior internal review with auditor methodology detects nonconformities before the ordinary audit, while fixing them is still cheap.
Shall we talk?
Tell us where your ISMS stands, on the way to certification or in maintenance, or whether what you need is to audit your suppliers, and we will propose the audit plan.
Get in touch