4 Principles
4.1 Management principles
Quality management principles
The seven quality management principles (cf. figure 4-1) will help us achieve sustained success (ISO 9001, sub-clause 0.2).
Figure 4-1. The 7 quality management principles
4.2 Audit principles
Audit principles for the auditor, the audit and the auditee
Certain principles must be followed for an audit to be a value-adding tool.
For the auditor:
- professional ethics, to guarantee:
  - mutual trust
  - compliance with legal requirements
- fair presentation, to ensure:
  - honest and precise audit conclusions
  - detailed findings and audit reports
- due professional care (diligence and judgement), in keeping with:
  - the importance of the task
  - the trust placed in the auditor
- confidentiality, to handle with care information that is:
  - sensitive
  - confidential
- independence, to:
  - conduct an impartial audit
  - write objective conclusions
- the evidence-based approach, to reach conclusions that are:
  - reliable, verifiable and
  - reproducible
- risk-based thinking, to achieve the objectives of the audit by:
  - identifying and reducing threats
  - seizing opportunities
But also:
- common sense, always the best tool
- curiosity, to learn and succeed
- goodwill, to help the auditee identify improvement opportunities
- understandable language
- a positive attitude, which the auditee appreciates
For the audit:
- independence (the auditor and the audited activity have no conflict of interest), to guarantee:
  - objective conclusions
  - findings based on objective evidence
- a factual approach, to ensure that:
  - the audit evidence is verifiable
  - the audit conclusions are repeatable
For the auditee:
- remain available
- do not try to hide the truth
- do not be afraid of the answers
- objectively accept the nonconformities found
- be aware of participating in the improvement of the ISMS by being:
  - benevolent and
  - cooperative
An auditor cannot audit their own department (ISO 27001, sub-clause 9.2.2, requires auditors to be selected so that the audit process is objective and impartial), because:
"No-one should be a judge in his own case." Latin maxim (nemo judex in causa sua)
Minute of relaxation. Cf. joke "The engineer and the shepherd"
4.3 Performance of the ISMS
Performance, effectiveness, efficiency
For an information security management system, what matters is the degree to which its objectives are achieved, in other words its performance. The performance of an ISMS is measured by its effectiveness and, above all, by its efficiency (see figure 4-2).
Figure 4-2. Performance of an ISMS
Effectiveness: extent to which planned activities are carried out and planned results are achieved (ISO 9000 definition)
Efficiency: relationship between the result achieved and the resources used (ISO 9000 definition)
N.B. We can be effective because we achieved our objective, yet not efficient if we used too many resources or tolerated and produced too much waste!
Minute of relaxation. Game: Audit principles
The rest of the T 44v22 ISO 27001 internal audit version 2022 training is accessible on this page.