Should advance notice be given for Disaster Recovery Audit?

Quyoodhi

This is my first thread.

I've been assigned to conduct an audit of a disaster recovery plan as part of ISO 22301 certification.

I am wondering whether I have to notify the audited staff, or whether I should proceed with the drill test / audit without prior notification (a surprise audit)?

Appreciate your feedback...

Rashid
 

somashekar

Hi Rashid, welcome to the Cove.
This standard is about planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.
Are you talking about an internal audit?
In which case it must be via an audit plan. As part of the planned audit, you will see whether the staff have undertaken drill tests periodically and got learning out of them to continually improve.
 

AndyN

Have you had any training in how to plan and conduct an internal management system audit, Rashid? If not, you should start there, not with this question. If you have been assigned to do an internal audit without any past training or experience, your organization will fail their ISO 22301 certification audit, because you will make all kinds of errors and the CB auditor will see them!
 

Reg Morrison

Hello Rashid, and welcome to The Cove. You should clarify whether you are being assigned to perform an audit or a drill/exercise. They are two separate things and, if the latter is the answer, be aware that ISO TC 223 has developed a standard on emergency preparedness exercises: ISO 22398:2013 Societal security - Guidelines for exercises.
ISO 22398:2013 recommends good practice and guidelines for an organization to plan, conduct, and improve its exercise projects which may be organized within an exercise programme.

It is applicable to all organizations regardless of type, size or nature, whether private or public. The guidance can be adapted to the needs, objectives, resources, and constraints of the organization.

It is intended for use by anyone with responsibility for ensuring the competence of the organization's personnel, particularly the leadership of the organization, and those responsible for managing exercise programmes and exercise projects.

If you are expected to conduct an (internal) audit, good practice suggests they should be planned, scheduled and communicated with the parties, in advance. Unannounced audits are not common, nor typically desired in an internal audit program.

your organization will fail their ISO 22301 Certification Audit, because you will make all kinds of errors and the CB auditor will see them!
Every day, around the world, CB auditors fail to see and report glaring problems, based on evidence plentifully shared in this very forum. There is no guarantee that a CB auditor would "fail" this organization if Rashid has not undergone any specific training.
 

AndyN

I didn't mention anything about "failing" the organization. Please don't put that spin on my words. My point is that, without competency in doing internal audits, the results (not just of the internal audits, either) will be observed by the CB auditor (if the organization selects a CB who knows what they are doing).
 

Quyoodhi

Thank you for the feedback, and yes, I have successfully attended IRCA certified training (based on ISO 9001:2008). I have also conducted a few audits, but not for a DR plan.
 

Quyoodhi

What is the difference between an audit and a drill exercise?
 

John Broomfield

Quyoodhi,

Auditing has to be independent, impartial and objective otherwise the process is not audit by definition.

This means you audit the system's learning and improving as a result of its drills after the organization has monitored the effectiveness of its drills.

If you combine auditing with practicing disaster preparedness then you have invalidated the audit and made the drill unrealistic.

John
 

AndyN

Then, perhaps, your next steps should be to understand the ISO 22301 standard and how it's applied. If you don't know the difference between an audit and a DR drill/exercise, things are not going to go well in your audit and you risk doing damage to the audit programme, plus, more importantly your reputation internal to your organization, IMHO.
 

Quyoodhi

Thank you for the valued feedback.