You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or ‘false’.

You are an experienced ISMS audit team leader guiding an auditor in training. You are testing her understanding of follow-up audits by asking her a series of questions to which the answer is either "true* or ‘false’.

Which four of the following questions should the answer be true"’
A . A follow-up audit may be carried out where nonconformities are major
B . A follow-up audit may be carried out where nonconformities are minor
C . The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified
D . The outcome of a follow-up audit could lower a major nonconformity to minor status
E . The outcome of a follow-up audit could be a recommendabon to suspend the client’s certification
F . The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client
G . A follow-up audit is required in all instances where nonconformities have been identified
H . A follow-up audit is required only in instances where a major nonconformity has been identified

View Answer

Answer: A, B, C, F

Explanation:

A follow-up audit may be carried out where nonconformities are major. This is true because a major nonconformity is a situation that raises significant doubt about the ability of the organization’s management system to achieve its intended results, and therefore requires immediate corrective action. A follow-up audit is necessary to verify the effectiveness of the corrective action and the conformity of the management system12.

A follow-up audit may be carried out where nonconformities are minor. This is true because a minor nonconformity is a situation that does not affect the capability of the management system to achieve its intended results, but represents a deviation from the specified requirements. A follow-up audit may be conducted to check the implementation of the corrective action and the improvement of the management system12.

The outcomes of a follow-up audit should be reported to top management and the audit team leader who carried out the audit where the nonconformities were initially identified. This is true because the top management is responsible for ensuring the effectiveness and continual improvement of the management system, and the audit team leader is accountable for the audit process and the audit conclusions. The follow-up audit report should provide them with objective evidence of the status of the nonconformities and the corrective actions taken by the auditee13.

The outcomes of a follow-up audit should be reported to the individual managing the audit programme and the audit client. This is true because the individual managing the audit programme is responsible for planning, implementing, monitoring and reviewing the audit activities, and the audit client is the organization or person requesting an audit. The follow-up audit report should inform them of the results of the follow-up audit and any changes in the certification status of the auditee13.

Reference: =

ISO 19011:2022 Guidelines for auditing management systems

ISO/IEC 27001:2022 Information technology ― Security techniques ― Information security management systems ― Requirements

ISO/IEC 17021-1:2022 Conformity assessment ― Requirements for bodies providing audit and certification of management systems ― Part 1: Requirements