Calculation of Audit Man-days; ISO 27001

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Calculation of Audit Man-days

The original question also included ISO 27001. Games are being played with this standard like the early days of ISO 9001. Some registrars will tell you it's ok to certify one application, residing on one server, managed by 3 people. Then they want to say that the organization is certified when in fact the entire organization is not.
I've heard the same story from another source. And worse, this being a very large CB, makes me wonder if there is fire with this smoke... hopefully someone with evidence in their hands will bring this up to UKAS.

Peter Selvey

Leader
Super Moderator
Re: Calculation of Audit Man-days

Just to give some additional background:

There was an IAF Guide (IAF GD 2:2003) for the old ISO/IEC Guide 62:1996. It is this IAF guide which has the widely used man-day table. You can find it on the internet easily.

This old Guide 2 is not compatible with newer ISO 17021, for example there are now Stage 1 and Stage 2 audits, and it is unclear how many days are needed.

Despite this, many registrars are still using the old tables. They are of course only guidance; each registrar needs to have their own system to determine the audit duration.

I spoke to the IAF guide people and they said they planned to come up with a new guide with new tables soon.

That was December 2008.

I guess the problem is that the tables critically affect the operating models of each registrar so now it is hard to get to a common ground.

I know from working in two registrars that there can be big differences. The key point is whether technical staff get involved in the quote. Some registrars will have non-technical staff prepare a quote purely on your employee numbers, and make certain assumptions. The idea is to get you in, and then later when the technical people turn up they will say the assumptions are not true and they need to come for longer. Or they are one of the rubber stamp registrars that just do everything cheaply. The good registrars will involve technical people in the quoting stage, usually resulting in longer quoting time and more man-days, but better in the long run.

Look at the type/quality of the information you are required to give about your organization, the speed of the quote and technical interaction. Look at the assumptions in the quote. This will give you a hint as to what is going on.

I would probably go with a registrar that is looking at longer rather than shorter. I know from 10 years of auditing that if you stick to the minimum IAF time then there is no time for anything but a superficial check.

By the way, I no longer work for any registrar so this is just impartial info.

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Calculation of Audit Man-days

Peter, CBs accredited by IAF MLA signatory ABs are required to use the IAF Mandatory Document for estimation of audit-days for QMS and EMS work.
IAF MD 5:2009 Duration of QMS and EMS Audits
(Issue 1, issued on 1 February 2009; Application from 1 May 2009)
This mandatory document was derived from the guidance previously available in two documents, IAF GD2:2005 Annex 2 and IAF GD6:2006 Annex 1. It provides mandatory provisions and guidance for CABs to determine the audit duration for stage 1 and stage 2 initial audits, surveillance audits and recertification audits.
A simple methodology is used to determine the audit duration (stage 1 plus stage 2) from tables based on the effective number of client personnel. For EMS audits, the duration varies according to the complexity of the audit. Factors which could add to, or subtract from the time are applied and checks made to ensure specified caveats are applied and any reductions in time do not exceed requirements specified in this document. The justification for the calculated time is recorded for future audit by an accreditation body.

John Martinez

Re: Calculation of Audit Man-days

In addition, ISO 27001 should have additional times added based upon the Risk involved in the processes.

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Calculation of Audit Man-days

ISO 27006:2007 Annex C describes the process for estimating audit-days for ISMS audits. The chart below is the starting point. As you can tell by the chart, audit days for ISMS are, in general, higher than for QMS and EMS audits.