External audits and cake in a time of plague
By Anne Whiting, EPCC, on November 19, 2020
With part of ARCHER2 arrived and in early access, with all the preparation to move from ARCHER to ARCHER2, with staff working remotely from home and all the other work ongoing, why on earth were we preparing for our annual ISO external audit, and how could we make it work?
In a typical year our external auditor comes onsite to both our office and datacentre locations, and spends a week poking at both our service delivery processes and our information security measures, to assess how well we are complying with the requirements of the ISO 9001 Quality and ISO 27001 Information Security standards. Audit sessions range from inspecting labels on kit and rattling fire doors, through to reviewing helpdesk queries, backup logs and staff induction records. The auditor comes looking for evidence that we are doing what we say we do and that we are improving how we do it. He looks at evidence including paper and electronic records, physical security arrangements and technical monitoring. Not easy when we are based at home with the usual distractions of children, pets, lack of printers and lack of access to buildings and records. The techies at our datacentre, the ACF, were working onsite on a rota basis, but not those typically based at our office site.
The first question to be answered was, 'were we allowed to have a remote audit?', and the certification body said 'yes'. So, 'did we want to put ourselves through it?', and again a resounding 'yes!'. We are very proud of the services we run and of how securely we keep our user data, and passing our audits helps to keep us on our toes and demonstrates the success of our approach to the user community. So how to make it work?
You would think that a technical organisation would have everything computerised, but we are a University, so there have to be at least some dusty folders on shelves and HR records in locked filing cabinets. We also had a staff induction process involving introductions over coffee and lunch and buns and more coffee and more buns; well, you get the picture. Cake seemed to feature prominently, as of course is entirely appropriate. We therefore had to update (or some would say downgrade) the process to work remotely. Induction introductions moved online, with bring-your-own cake, and the poor newbie looking like a rabbit in the headlights as 30 staff chat in a video call. New online chat forums were set up to provide instant help and support, and laptops were shipped out across the country to new staff unable to move to Edinburgh because of COVID. HR records moved to electronic versions, only about 20 years late.
The auditor was booked and remote sessions were set up for each topic. A lot of time was spent making sure that we could all find records, documents and logs; that no other paper records would be needed; and, most importantly, that cake was organised, individually wrapped, for any staff at the datacentre.
So how did it go? Surprisingly well. Evidence was produced, cake consumed, and we passed our external audit, once more, with flying colours. We can still say that we are ISO 9001 and ISO 27001 certified. Given the choice we would prefer to do the whole thing in person next year if possible, but we now know we can pass an external audit remotely if we ever need to do so again.