Multiple Site Auditing

At Assurco, we follow internationally recognised standards to ensure that audits for organisations operating across multiple sites are fair, consistent, and effective.


Purpose

Our goal is to provide a clear and transparent process for auditing organisations with multiple locations under a single management system. This approach complies with IAF MD1:2023, ISO/IEC 27006-1:2024, and ISO/IEC 17021-1:2015.


Who Does This Apply To?

This procedure applies to:

  • Initial certification audits
  • Surveillance audits
  • Recertification audits

It is designed for organisations that:

  • Operate under one management system across multiple sites
  • Have a central function that manages and enforces corrective actions

Note: If local factors significantly affect security controls (e.g., in Information Security Management Systems), sampling may not be allowed.


Key Principles

  • Central Function Audit: We audit the central management function every year.
  • Site Sampling: Where permitted, we select a sample of sites to audit rather than visiting every location. This is based on international guidelines and only allowed when processes are substantially similar across sites.
  • Transparency: All audit time calculations and sampling decisions are documented and justified.

How We Plan Your Audit

  1. Eligibility Check
    • Confirm all sites operate under the same management system.
    • Verify that a central function oversees corrective actions.
    • Ensure processes at sites are substantially similar.
  2. Audit Programme
    • Include all sites in your certification scope.
    • Audit the central function annually.
    • For surveillance audits, at least 30% of sites are audited each year.
  3. Audit Time Calculation
    • Audit time is based on:
      • Organisation size and complexity
      • Scope and processes
      • Risk factors
      • Previous audit results
      • Use of ICT and remote auditing
    • For multi-site audits:
      • Sampling is allowed only under specific conditions.
      • Sample size formula:
        Sample Size = √(number of sites) + 1
      • Audit time per sampled site cannot be reduced by more than 50% compared to a full-site audit.
  4. Documentation
    • We record all calculations, assumptions, and references to international standards.
    • Justification for sampling or full-site audits is included in your audit records.
  5. Audit Plan
    • Assign audit days for each site and the central function.
    • Ensure the plan reflects site relevance and risk.

Compliance and Integrity

  • Sampling is prohibited for ISMS where local factors impact security controls.
  • All calculations are traceable and documented.
  • We maintain impartiality and consistency throughout the process.

See Also: Calculating Audit Time
