4 Principles

• 4.1 Management principles
• 4.2 Audit principles
• 4.3 Performance of the QMS

4.1 Management principles

Quality management principles

The seven quality management principles (cf. figure 4-1) will help us achieve sustained success (ISO 9001, sub-clause 0.2).

Figure 4-1. The 7 quality management principles 

Top of the page

4.2 Audit principles

Audit principles for the auditor, the audit and the auditee

Certain principles must be followed for an audit to be a value added tool.

For the auditor:

• professional ethics, to guarantee:
  • mutual trust
  • compliance with legal requirements
• impartial presentation, to ensure:
  • honest and precise audit conclusions
  • detailed findings and audit reports
• professional integrity to guarantee:
  • the importance of the task
  • the trust given
• confidentiality, to treat with care information which is:
  • sensitive
  • confidential
• independence, to:
  • conduct an impartial audit
  • write objective conclusions
• the evidence-based approach, to reach conclusions that are:
  • reliable, verifiable and
  • reproducible
• risk-based thinking, to achieve the objectives of the audit by:
  • identifying and decreasing threats
  • seizing opportunities

But also:

• common sense - always the best tool
• curiosity, to learn and succeed
• goodwill to help the auditee identify improvement opportunities
• understandable language
• positive attitude is gratifying for the auditee

For the audit:

• independence (the auditor and audited activity do not have conflicts of interest), to guarantee:
  • objective conclusions
  • findings based on objective evidence
• a factual approach, to ensure:
  • the audit evidence is verifiable
  • the audit conclusions are repeatable

For the auditee:

• remain available
• do not try to hide the truth
• do not be afraid of the answers
• objectively accept the nonconformities found
• be aware of participating in the improvement of the ISMS by being:
  • benevolent and
  • cooperative

An auditor cannot audit their own department as:

No-one should be a judge in his own case. Latin proverb

Minute of relaxation. Cf. joke "The engineer and the shepherd"

Top of the page

4.3 Performance of the ISMS

Performance, effectiveness, efficiency

For an information security management system what is of interest is the degree of achievement of objectives or, in other words, performance. The performance of an ISMS is measured by its effectiveness and, above all, by its efficiency (see figure 4-2).

Figure 4-2. Performance of an ISMS

Effectiveness: capacity to perform planned activities with minimum effort
Efficiency: financial relationship between achieved results and resources used

N.B. We can be effective because we achieved our objective, but are not efficient if we used too many resources or tolerated and produced too much waste!

Minute of relaxation. Game: Audit principles

The rest of the T 44v22 ISO 27001 internal audit version 2022 training is accessible on this page.

See also the training T 24v22 ISO 27001 readiness version 2022 and the training package ISO 27001 version 2022.

Top of the page

• Home
• My account
• Site map
• FAQ
• GTU