Professional article: How software solutions support certification audits

Organizations (companies, NGOs or public institutions) see themselves in a thicket of ever more and more complex laws, regulations and standards. All not only have to be complied with, but conformity must also often be proven without any gaps. In the case of several standards, e.g. ISO specifications, all of which must also be audited—this undertaking becomes increasingly intransparent, error-prone and resource-intensive. At least when appropriate software support and a superordinate, structural understanding of the world of ISO standards are missing.

However, this systematic understanding is essential, especially when it comes to qualitative assessment of management systems within organizations. Only with this comprehensive know-how and detailed knowledge of the often widely ramified tool landscapes, it is possible to gain an overview of the process map to be audited. Only then meaningful audit plans that can be easily and efficiently executed step by step.

The reason for the increasingly complex requirements is—due to the growing vulnerable surfaces—caused by an increasing number of networked systems and the risks and threats associated with them. This is especially true in the area of information security.

To ensure business success despite this development, the ITSM environment is increasingly extended by the topics of governance, risk management and compliance (GRC). This includes all methods that contribute to the secure achievement of the business objectives of all stakeholders in an organization. This applies to both internal instructions for action, for example in the form of compliance codes, as well as external norms, standards and laws.

Today’s service organizations must not only score points for efficiency and service quality, but also ensure that all services offered are available at all times without restriction and in consistently high quality. This shift in the focus of service organizations towards more prevention and information security is also reflected in the desire to comply with the associated ISO standards on management systems, especially on the topics of risk management (ISO 31000), information security (ISO 27001) and business continuity (ISO 22301)—and to be certified for these.

In simple terms, ISO audits are catalogs of requirements for standards that ask whether minimum standards within an organization (e.g., with regard to IT security) are being met in such a way that the overriding goals of prevention and security are achieved with the highest possible probability. The intersections between ISO certifications and GRC are obvious.

Integrated risk management (IRM) is about identifying, analyzing and assessing risks as completely as possible so that (preventive) measures can be taken to avert or mitigate threats—with the intention of achieving the goals set by management, such as growth, profit, legal compliance or timely product launches. Integrated risk management moves the focus away from isolated processes to the entire risk landscape of an organization. The knowledge gained from this then serves as the basis for decision making and prioritization in risk prevention.

IT services play a key role here, as disruptions within the IT infrastructure are particularly serious and could paralyze large parts of the business in a worst-case scenario. Due to the immense damage potential of cross-organizational and cross-process threats, the topic of risk management is also required in the auditing of all ISO management systems. The use of a company-wide GRC tool, which is essentially to be understood as integrated risk management, offers the advantage here that all areas of the company are managed centrally, resulting in an overarching understanding of threats.

This know-how helps to better identify weaknesses in the holistic system of all processes and services, to allocate necessary resources, so that countermeasures can be taken in time. Such a structured and tool-based approach in the fulfillment of relevant ISO management systems directly and indirectly helps to ensure the resilience of a service organization more easily and transparently.

The aforementioned connections between ITSM, GRC and IRM are important for understanding the advantages of an all-in-one solution that is not only designed for auditing processes, but also combines elements of GRC with integrated risk management. Individual audits relating to a single ISO standard are usually easy to plan and implement.

GRC-based auditing software is particularly useful when the number of standards to be certified increases, i.e., as the complexity of the requirements expands. Thematically similar content can then be reused across several ISO requirement catalogs, so that integrated management systems can be checked more easily during audits.

In addition, GRC software facilitates the documentation of all audit-relevant information during recertifications and surveillance audits, since in the event of content overlaps, knowledge that has already been compiled and documented can be quickly accessed.

Furthermore, all necessary data is available in a central data pool. Automated reports (such as audit plans, audit reports) or even the automated addressing and tracking of corrective actions create enormous savings in working time and provide management with significantly improved transparency. This effect is multiplied if, in addition to ISO standards and management systems, internal guidelines also have to be met with the help of GRC software, for example, to check compliance with regulations.

To remain in the metaphor of the above-mentioned jungle: Organizations should not have to fight their way through the thicket again and again from scratch with every audit. Here, it is important to use paths that have already been tried and tested in order to reach the auditing goal quickly and safely. This not only makes it easier for organizations to pass currently pending audits, but also creates an ideal foundation for comprehensive risk minimization and qualitative process improvement at all levels, whether for the organization as a whole or for individual service areas. When looking at individual audits in isolation and without tool support, these improvement potentials often come up short. And it is precisely this potential for improvement that must be seized as an opportunity.

Audits are in no way an end in themselves; they are rather intended to ensure that corporate goals are achieved with the highest possibility. Or, in other words, without deviations to ISO and other standards. And this is precisely where the added value of integrated GRC solutions comes into play—especially for services and processes with critical characteristics and those with particular relevance to the company.

• Modular structure to expand the range of functions as needed

• Multistandard capability to digitally map all norms and standards

• Experienced and established tool manufacturer to guarantee long-term stability

• All-in-one solution with the GRC elements of risk, audit, compliance, and business continuity management

• In-depth risk management expertise, as required, for example, in the IT service management environment (ITIL®-compliant and corresponding certification)

• Standardized interfaces for greater flexibility when integrating into the existing software landscape

This article was published in December 2021 in the magazine IT Service Management (magazine for the ITSM community by the itSMF Deutschland e. V.), #58, pages 35 to 36.