This blog is a membership based discussion forum on Project Management, Software Quality, CMMI® for development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to above subjects. Also, it is used by QualityMentors training participants to upload their personal details in a secured manner in line to the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact based decision making as an success enabler for projects in member organizations.
Risk based auditing
January 6, 2017Posted by on
My friend AKM Desai (email@example.com ) wants me to comment on this topic.
ISO 9000:2005 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from expected results which may be positive or negative…
ISO 19011:2011 introduced the concept of risk in auditing. It included both, the risk of the audit process not achieving its objectives and the risk of the audit to interfere with the auditee’s activities and processes. However, it does not provide specific guidance on the
organization’s risk management process.
Specific requirements for managing an effective risk management is provided in Annex SL standards like ISO 9001:2015 (QMS Requirements), ISO 27001:2013 (ISMS Requirements) and ISO 27002:2013 (Implementation guidance to ISMS) etc. Internal and external audits conforming to ISO 19001:2011 guidelines and clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be defined as ‘Risk based auditing’. Such internal and external audits should be conducted in a seemliness manner to achieve stated audit objectives, without interfering with organisational operations to the extent possible and with full conformance to the requirements in clause 4, 6 and 8 of above requirements standards.