
Choosing Auditors - ISO 9001 / ISO 27001 (UK)

Apologies if this has already come up - happy to re-post elsewhere.

Can anyone share experiences of selecting and/or changing ISO auditors?

My company (in the UK) has been ISO 27001 and 9001 accredited for over 10 years. We've used the same auditors for a long time (they are UKAS accredited) - they're OK but I'd like to understand if other auditors are better (and also check if we're paying the right amount and getting good value). But changing auditors would seem like a huge hassle - and it feels difficult to work out the pros and cons - and to get a real feel about what prices are going to be - both initially and over time.

It would frustrate me to stay with a particular supplier purely because it's too much of a faff to change. Then again "better the devil you know" is a strong driver in this instance.


Staff member
Super Moderator
I can share an experience I had in a previous life.....

The company where I worked was (still is) registered to ISO 9001 and ISO 13485. Due to the type of products we made, there were only 2 auditors in the entire registrar organization who could also do a product audit at the same time as the QMS audit, so we had had the same auditor (US-based) for a number of years. He was very familiar with our processes, procedures, etc., and he knew where all of our skeletons were. This one year we had a hiccup with scheduling him and his colleague at the normal time of year (August-October time frame). Turns out, due to this scheduling issue we ended up getting the other auditor who could do the product audit and the QMS audit, and he happened to be on the other side of the globe. Side note: My manager and I had often had the conversation about whether it might be good to have "new eyes" to do our audit. So, when the registrar was finally able to get the audit scheduled with the other auditor, it was close to the end of the year (not a good thing).

The audit team consisted of completely new-to-us auditors who had never seen our QMS or visited our facilities. It was a disaster! They wrote nonconformance after nonconformance for things that our regular auditor had never caught. Some of the nonconformances were complex and took a while to address, and as a result, we lost our ISO certs for a short period of time. In the medical device world, this was devastating to our company, as we did business in Canada, Europe, Asia, everywhere! It took a few months for all of the nonconformances to be addressed and corrected to the satisfaction of the lead auditor before we were able to get our new certificates.

Moral of this story: Be very careful what you wish for!
Many thanks - very good point and extremely useful to hear! We didn't change auditors but when we integrated our systems one auditor had to cover both and as it happened that resulted in a large number of nonconformances etc. Similar to you the pool of auditors qualified to take on both 9001 and 27001 seems to be quite small. Nonetheless I'm still a bit uncomfortable with the implication that it's difficult or impossible to change...