Preparing your audit audience: PowerPoint template to get them ready for an internal audit or external certification audit (incl. practical hints and tips)

  1. Credits
  2. In short
  3. Audience
  4. Typical audit issues to solve with this approach
    1. Audit Audience
    2. CISO/ISMS Consultant
    3. Auditor (internal/external)
  5. Purpose of this template
  6. Preparation to use the slide deck
  7. What’s in the presentation template?
    1. 0. Before we start
      1. 0.1 Hidden slides
      2. 0.2 Slide layout (now anonymous blank)
    2. 1. Front page
    3. 2. Manual (hidden)
    4. 3. Your team in short
    5. 4. Team in organigram (visual)
    6. 5. Team responsibility & tasks
    7. 6&7. Process Turtle (2 versions, hidden)
    8. 8. Reference documentation
    9. 9. Current tasks & projects
    10. 10. Recent changes
    11. 11. Important success stories (good news to shine)
    12. 12. KPIs (Key Performance Indicators)
    13. 13. Incidents & issues
    14. 14. Sample operational evidence of normal operations
    15. 15, 16 & 17 Some hints and tips (hidden slides)
  8. Next year
  9. Downloads
  10. Feedback

Credits

First of all I want to shout out to Nathalie Claes (find her on LinkedIn), who brought the bright idea to guide her customers with a handy presentation format. Thank you Nathalie!

I’ve been using her tactics and extended her approach since I’ve audited one of her customers… realizing that her approach has a lot of benefits, increased efficiency, and it makes the audits more effective in many ways.

Both during implementation with customers I coach and with customers I audit.

In short

  1. Download the auditee template from the Downloads section.
  2. Customize the template with your company layout.
  3. Distribute the template to the audited teams.
  4. Prepare the audit.
  5. Ready, set, audit, …go!
  6. Start over again next year.

Audience

  • ISO management system implementers
  • consultants
  • internal auditors
  • external auditors
  • audit victims (auditees)

The template provided below (posted on my GitHub, link in the Downloads section) is focused on ISO 27001, but it’s very easy to convert it to other standards.
Of course, you can use it for other types of audits too… It’s up to you.

Typical audit issues to solve with this approach

Audit Audience

In many cases it helps to provide some guidance to avoid stress, certainly when it’s the first audit, or when the audience has no experience with audits.

Furthermore, it’s quite important that the auditee understands what information to provide to the auditor.

Some tips:

  • Prepare & check upfront.
  • No stress. Keep breathing, it’s only an audit.
  • The purpose of an audit is to check conformity and identify points of improvement.
  • Show you’re in control of the system.
  • It doesn’t need to be perfect; leave some room to grow, a management system is expected to mature over time.
  • Be transparent, even if the system does not run as smoothly as you wish.
  • Ask for help when needed.
  • If you don’t know the answer to a question, just say so. Don’t worry.

CISO/ISMS Consultant

The ISMS project team usually knows the ISMS, but it isn’t the only team being audited… especially when the ISMS consultant is external to the company.

The audit focuses on the operational teams under the ISMS. The ISMS project team can help, but it is not leading the conversation during the audit of the various teams…

Auditor (internal/external)

As mentioned earlier, the primary role of the auditor is to check conformity against the standard and the enterprise objectives and policies.
During an audit (both internal and external), the auditor is looking for evidence that three essential views are consistent with each other:

  1. the policies and documentation,
  2. being executed by the people responsible,
  3. who can provide operational evidence & proof of operation.

Purpose of this template

  • provide a quick checklist to the auditees
  • get prepared easily
  • streamline and synchronize the audit feedback
  • document the management system
  • provide audit evidence
  • make the audit more efficient for both audience and auditor
  • minimize stress, be relaxed
  • make it easier next year

Preparation to use the slide deck

To use the slide deck, you’ll need some preparation:

  • organigram (company organisational overview)
  • ISMS process overview
  • links to ISMS reference documentation
  • samples of
    • recent team tasks & projects
    • recent changes (onboarding, offboarding, projects, updates, …)
    • success stories
    • KPIs (Key Performance indicators)
    • recent issues & incidents
    • operational evidence

The first time you prepare this deck, you’ll discover it takes a lot of work.

The good news: next year it’s ready for reuse with less effort, you’ll simply need to update it (provided your ISMS is stable and hasn’t been overhauled from scratch).

What’s in the presentation template?

Sidenote: did you know you can quickly make an animated GIF from a PowerPoint? (PPT > File > Export > Create an Animated GIF > choose options)

More info here: https://support.microsoft.com/en-au/office/make-an-animated-gif-from-a-slide-show-a598753e-92de-4f1b-8393-714db4d334b4

0. Before we start

0.1 Hidden slides

In the deck you’ll see hidden slides. These are manuals and guidance that don’t need to be presented to the auditor, but they help to prepare the audit:

  • Slide 2 is a quick manual
  • Slides 6 & 7 have a process turtle (based on the ISO 9001 process map)
  • The last 3 slides have hints and tips for the auditee team handling the presentation

If you wish, once your team’s slide deck is ready, you could consider deleting the hidden slides (but still, they might be useful next year, to catch up again).

0.2 Slide layout (now anonymous blank)

The slide deck is designed without any theme, so you can make it more appealing with your company layout as you wish.

1. Front page

You’ve got a title and subtitle to customize.

And important, check

  • the date (which is set automatically)
  • the security label in the footer (based on the classification scheme in your ISMS)

2. Manual (hidden)

  • Slides with a no-presentation icon in the upper right corner are hidden
  • You’ll find some guidance, hints and tips at the end of the presentation
  • The presentation has no graphical layout; you can add your company layout to it as you wish

3. Your team in short

Briefly introduce the team being interviewed.

4. Team in organigram (visual)

Position your team in the company.
Explain

  • what’s the relation to management
  • reporting hierarchy

5. Team responsibility & tasks

Explain what the team is doing… what is on your agenda…

6&7. Process Turtle (2 versions, hidden)

As most ISO standards are process based, you can refer to the process flow diagram in ISO 9001 (source: ISO 9001:2015 Section 0.3.1).

In short, to perform any activity you need input from certain sources (which you need to document).

When performing and completing the activity, you produce output (deliverables) that probably needs to be handed over to receiving interested parties.
These interested parties, senders and receivers, are an essential part of your context definition (ISO 27001 clause 4) in your Management System (MS), whether it is an ISMS (27001), PIMS (27701), QMS (9001), BCMS (22301)… or other.

8. Reference documentation

While the requirements of other standards differ slightly, ISO 27001 is very explicit about the requirements for policies & procedures:

  • ISO 27001 Clause 5.2 Policy
  • ISO 27001 Clause 7.5 Documented information
  • ISO 27001 Annex A 5.1 Policies for information security
  • ISO 27001 Annex A 5.37 Documented operating procedures

On this slide, you list the main policies, procedures, operational documents… that you use as a team.

9. Current tasks & projects

Describe

  • what has been on your agenda last year
  • what you’re planning next year

10. Recent changes

ISO 27001:2022, clause 6.3 (and similar chapters in other standards) requires changes to the management system to be carried out in a planned manner.
This requirement is supported by ISO 27001:2022 Annex A 8.32 Change management. (BTW, is was ther

11. Important success stories (good news to shine)

It’s always nice for the auditee to tell what has been the greatest success last year.

12. KPIs (Key Performance Indicators)

ISO 27001 Clause 9.1 requires performance evaluation via monitoring and measurement.
Therefore the audited team needs to document relevant performance indicators as part of the management system.

In ISO 9001 all processes need KPIs in a broad sense, but for ISO 27001 the organisation needs to determine what needs to be measured for the ISMS, which in most cases is a smaller scope of operations.

13. Incidents & issues

What are the most important incidents & issues you encountered recently, and how did you handle them?
ISO 27001 has explicit requirements for handling incidents; in the 2013 version these were covered by Annex A.16 (Information security incident management).

In the 2022 version the controls have been moved to various sections (ISO 27002:2022 has a mapping table, B.2, that explains the transfer):

ISO 27001:2013   ISO 27001:2022
A.16             (domain heading, no 2022 counterpart)
A.16.1           (control objective, no 2022 counterpart)
A.16.1.1         A.5.24  Information security incident management planning and preparation
A.16.1.2         A.6.8   Information security event reporting
A.16.1.3         A.6.8   Information security event reporting
A.16.1.4         A.5.25  Assessment and decision on information security events
A.16.1.5         A.5.26  Response to information security incidents
A.16.1.6         A.5.27  Learning from information security incidents
A.16.1.7         A.5.28  Collection of evidence
Source: ISO 27002:2022 Table B.2

The purpose here is to show how trouble is solved: not the amount of trouble, but how continuous improvement is achieved.

14. Sample operational evidence of normal operations

As mentioned earlier, during an audit there are 3 pillars for collecting and verifying information:

  • policies and documentation
  • interviews with the people responsible
  • operational documentation (evidence & proof of operations)

This slide tells the auditor where to find the evidence.
Which systems can be used to prove that the ISMS actually works? For example:

  • HR system (showing onboarding, change and offboarding of people)
  • Access control system
  • Badge management system
  • IT systems (like Active Directory, Microsoft Entra ID formerly known as Azure AD, …)
  • Ticketing systems, …

The auditee should document recent

  • events,
  • activity,
  • incidents,
  • changes

with exact references that can be traced (also one year later, at the next audit…).
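To make the "exact references" on this slide concrete, here is an added example (not part of the original post or the template) of pulling joiner/leaver evidence from one of the IT systems named above, Active Directory, and writing it to a timestamped, hashed export that can still be verified at next year's audit. It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and the illustrative parameters $LookbackDays and $EvidenceDir; the "disabled and recently changed" heuristic for offboarding is an assumption as well and should be adapted to your own leaver process.

```powershell
# Added example, not the page's own code: export traceable onboarding /
# offboarding evidence from Active Directory for the "operational evidence" slide.
# Assumes: RSAT ActiveDirectory module, domain read access.
# $LookbackDays and $EvidenceDir are illustrative, assumed parameters.
param(
    [int]$LookbackDays = 90,
    [string]$EvidenceDir = ".\audit-evidence"
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$LookbackDays)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Onboarding: accounts created inside the look-back window.
# The AD module expands $since inside the -Filter string.
$onboarded = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated |
    Select-Object @{n = 'Event';     e = { 'Onboarding' }},
                  SamAccountName,
                  @{n = 'Timestamp'; e = { $_.whenCreated.ToUniversalTime().ToString('o') }},
                  DistinguishedName

# Offboarding (assumed heuristic): disabled accounts modified in the same window.
# Replace with your own leaver marker (e.g. an OU or attribute) if you have one.
$offboarded = Get-ADUser -Filter 'Enabled -eq $false -and whenChanged -ge $since' -Properties whenChanged |
    Select-Object @{n = 'Event';     e = { 'Offboarding' }},
                  SamAccountName,
                  @{n = 'Timestamp'; e = { $_.whenChanged.ToUniversalTime().ToString('o') }},
                  DistinguishedName

# One CSV per run, named by date, so the slide can reference it exactly.
$csv = Join-Path $EvidenceDir "ad-joiners-leavers-$stamp.csv"
@($onboarded) + @($offboarded) |
    Sort-Object Timestamp |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# Store a SHA-256 next to the export: next year the auditor (or you) can
# check the referenced file is unchanged instead of trusting a screenshot.
$hash = Get-FileHash -Path $csv -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $csv -Leaf)" | Set-Content -Path "$csv.sha256"

Write-Host "Evidence reference for the slide: $csv"
Write-Host "SHA-256: $($hash.Hash) (see $csv.sha256)"
```

Put the file name and hash on the slide rather than the raw list: the auditor sees a reference they can trace, the export stays under your classification scheme, and the same command rerun before the next audit gives you the year-over-year comparison.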

15, 16 & 17 Some hints and tips (hidden slides)

A short overview of what we covered in this article:

  • Prepare & check upfront.
  • No stress. Keep breathing.
  • Be transparent.
  • If needed, ask for guidance from the ISMS team, ISMS project team, CISO, …
  • If you don’t know the answer to a question, just say so. Don’t worry.
    • Don’t lie; the auditor will cross-check other evidence and correlate/corroborate.
  • If audit questions are not clear, ask the auditor for clarification…

Before (external/internal) audit

  • Exercise, do a dry-run to present your audit slot
  • Prepare

During the audit

  • Make sure to have a coach available during all meetings
  • Usually the ISMS project lead, an ISMS specialist, the CISO, …

Next year

Next year, for the next audit, you copy this year’s presentation and make an easy update, including

  • changes and updates since last year
  • trend analysis (which is required as input to the management review, ISO 27001 clause 9.3)

Downloads

You can download the template for free from my Github page: GitHub\Peter Geelen\ISO27000\Audit Support

Direct link for the ppt v2: https://github.com/PeterGeelen/ISO27001/blob/main/Audit%20Support/ISO27001%20auditee%20guidance%20v2.pptx

Always check for the latest version in the Audit Support folder.
I don’t need to tell you there is more interesting and free stuff to download from my GitHub repositories.

Feedback

Do you think this post or material needs an update? Let me know!
Any suggestion for improvement deserves credit.
