ISO adds information security to management system audit standards

The updated standard, ISO 19011, combines existing guidelines for management system audits in the areas of quality and environment, and adds information security and IT services to the mix.

By harmonizing and consolidate management system auditing, ISO 19011 is expected to save organizations money, time, and resources, the ISO said in a statement.

The update “will help user organizations to optimize and facilitate the integration of their management systems and, in facilitating a single audit of its systems, will streamline the audit processes, reduce duplication of effort and decrease disruption of work units being audited”, the ISO explained.

ISO 19011 provides guidance on the conduct of internal or external management system audits, as well as on the management of audit programs. Intended users include auditors, audit team leaders, audit program managers, organizations implementing management systems, and organizations needing to conduct audits of management systems for contractual or regulatory reasons.

“The standard adds the concept of risk and recognizes more explicitly the competence of the audit team and individual auditors. Also, the use of technology in remote auditing is acknowledged, for example, conducting remote interviews and reviewing records remotely”, said Alister Dalrymple, convenor of the ISO team that updated the standards.

What’s Hot on Infosecurity Magazine?