Everything you need to know ahead of your ISO 27001 audit
We know that an upcoming audit can be daunting, so we’ve pulled together a short(ish) guide to answer your questions and explain how it works and what you need to do in advance.
Have a read, and if you have any other questions drop us a line!
-
The most important thing is to ensure your Management System is compliant - although we’re sure you’ll have been thinking about that in advance! Depending on which audit (e.g. Stage 1, Stage 2, Surveillance or Recert) - you may also want to check our guidance on what to expect for it. See the various questions relating to those on the right.
Aside from this (which is a big job in itself!) there is little you need to prepare in advance - other than:
1. Making sure that you and the correct people in your team are available during the audit days (see the “Which Team Members are required for our ISO 27001 audit?” section), and that they’re ready to chat to the auditor and provide evidence as necessary.
2. Ensuring that you’ve given access to the auditor for whatever GRC platform you’re using, if you want to give them access (see the “Granting Auditor access to any GRC platform you use” section).
-
An Audit Day typically spans 8 hours. At Tempo, this normally runs from 9am to 5pm UK time - although there may be flexibility to move the start and end times earlier or later by circa 1 hour (if this is something you want, please ask the auditor directly - or another Tempo contact if you’re not yet in touch with the auditor). Lunch and morning / afternoon breaks are also scheduled.
The auditor manages the audit and schedule - they’ll share an audit plan with you in advance (preferably at least 1 week in advance of the audit), providing more detail on the schedule. This will break down what will be covered (e.g. what clauses, controls, topics), at what timeslots. It may also cover “Interviews” - for which other team members will be required.
Often the auditor will schedule some time at the end of the day (from 3pm-ish) in which they’ll gather evidence and review/collate their notes - so you might not be required after this point.
The Audit Plan will give some guidance on who needs to attend. Further information on this is covered in the “Which Team Members are required for our ISO 27001 audit?” section.
-
Tempo and its auditor(s) need to gather sufficient evidence of conformity that we can issue you with your certificate. We cannot issue a certificate until our auditor has gathered evidence of conformity against every clause and applicable control of ISO 27001.
With that in mind, generally speaking, the audit (particularly a Stage 2 or Recertification Audit, which are full-system audits) involves the auditor going through the standard clause-by-clause and control-by-control, looking for evidence of conformity. This means the auditor will specifically explore and ask for evidence from you to exemplify how your ISMS meets the requirements of each clause and control - and your job is to help them find this evidence (although sometimes the auditor can gather this in asynchronous parts of the audit - see the “Asynchronous vs Synchronous ISO 27001 audits” section). As the auditor gathers this evidence (perhaps taking screenshots, perhaps taking notes, perhaps asking further questions), they will record this in their report/notes. They may need some time to document and gather evidence as they go - so please be patient as they do so (it’s in your best interest to let them gather more evidence, since this helps to paint a picture of conformity, which we will show to UKAS, our accreditation body!)
________
TOP TIP: As good preparation for an audit, put yourself in the auditor’s shoes - and go through the standard clause-by-clause, and control-by-control, and consider what evidence you’d show the auditor to evidence conformity, and whether this is sufficient? Effectively this is how the auditor will be thinking!
_________
Where there is evidence of non-conformity (or insufficient evidence of conformity), this will result in a non-conformity being recorded (either Major or Minor). There’s no need to worry about getting non-conformities - the auditor will notify you when this happens, and you will be able to resolve them after the audit in your Corrective Action Plan, so that Tempo can proceed to issue your certificate. See the “Closing Non-Conformities raised at an ISO 27001 audit” section below for more details about this.
It’s also worth noting that nearly every certification audit results in at least some major or minor non-conformities, so do not be concerned if you have these (perhaps even well over 10). It’s not a big concern - and it’s most important that you focus on learning from them and resolving them quickly.
-
Tempo’s primary goal is to deliver a thorough and effective audit. Sometimes, we can review your documentation asynchronously, using an agile methodology. This means that, for a few hours at a time, you may be able to get on with other things, whilst your auditor reviews evidence on whatever compliance platform / GRC tool you use. However, you will need to be on hand for if/when they want to reconvene to discuss any points raised, ask questions, or request additional evidence as necessary.
If you feel strongly about having more Agile / Asynchronous sections of your audit, or have a preference for working through the audit alongside your auditor - then please express this to the auditor. We encourage our auditors to be flexible to your requirements.
Agile/asynchronous aspects of an audit are only feasible if you have prepared your evidence in a format that allows the auditor to review on their own. Most commonly this works when you’re using a GRC tool, which stores the evidence for you, and grants the auditor access to review separately - although it could also work if you have downloaded evidence to Google Drive or Dropbox. If this is not the case, then the auditor will need to audit the old-school way - i.e. working through each clause and control with a Guide from your company showing them evidence.
Please also note that fully asynchronous audits are not possible under the requirements of ISO 27006 (which provides guidelines on audit processes for ISO 27001) - so even if we incorporate asynchronous elements, we will need your participation in the audit (see the “Which team members are required for our ISO 27001 audit?” section).
-
If you want your auditor to make use of whatever GRC platform / tool you’re using, you’ll need to make sure you grant access to them in advance of the audit.
Please speak to your customer success or project manager from your GRC platform / tool to support you with providing this access.
You should have been introduced to your Tempo auditor (and be included on a calendar invite with them), so you will have their email address to give them access.
Should you not want to give the auditor access to a platform or folder, or you are not using a GRC platform / tool, that is not a problem - but it means you will need to work with the auditor to provide evidence throughout the audit day(s) (and no agile / asynchronous elements will be feasible).
-
The Audit Plan will set out a schedule which will include a lunch break and a shorter morning and afternoon break.
But don’t worry if you need to take additional breaks, or adapt the schedule - our auditors are flexible. If the audit needs to change based on how it's progressing or your circumstances, then it can do. Feel free to ask for breaks whenever needed. We understand that remote audits might come with occasional interruptions (whether you need to get the door for a delivery, or make another cup of tea) – that's no problem at all! Just let the auditor know and you can take 5/10 minutes!
-
As standard, we schedule 8-hour audit days and share calendar invites to block out the dates in advance. The calendar invites typically start at 9am UK time and finish at 5pm UK time.
Often the auditor schedules some time at the end of the day (from 3pm-ish) to gather evidence and review the notes, which means that your day might end a bit earlier.
If you have a preference to change the audit times (e.g. move the start time to 8am or 10am UK time - and finish one hour earlier or later accordingly), let us know and we will aim to update. A 1 hour or 30 minute earlier or later start time should rarely be a problem - but ultimately, it will be for the Auditor to confirm this works for their schedule, since they are responsible for managing the audit.
-
If your audit is remote, make sure you have a strong WiFi connection. Log in beforehand and choose a quiet location with good audio. Check your headphones and equipment in advance. If you foresee any problems, please let Tempo know as soon as possible.
Tempo usually uses Google Meet, but we’re happy to switch to Zoom or Microsoft Teams if that's better for you. Just let Rob or someone else in the team know your preference.
-
Tempo has calculated the audit length based on your company's size and circumstances, according to the “audit length” requirements of ISO 27006 - and we fully expect to deliver the audit completely within this time, so it's safe to assume that, by the end of the closing meeting, you'll be fully done (save for closing out any non-conformities highlighted, which happens afterwards - see the “Closing Non-Conformities raised at an ISO 27001 audit” and “When will we get our ISO 27001 certificate” sections).
Your auditor will be responsible for managing the speed of the audit to ensure that everything is delivered within the allotted audit time, and it is highly unlikely that any extra time will be required. (Although if time is running short towards the end of the audit, that might mean slightly shorter breaks!).
In limited circumstances (typically where there has been some unforeseen circumstance that has delayed the auditor's availability to review evidence, such as: inaccessibility of evidence, the GRC platform you're using not working, unavailability of auditees, or auditees repeatedly struggling to find evidence promptly) then extra time might be required. In this instance, the auditor will communicate this with you, and arrange additional time with you before the end of the audit. Tempo will need to invoice for such extra time.
-
Tempo tries to be as understanding as possible to accommodate your needs to vary your audit dates.
Make sure you notify the Tempo team (including your auditor, who ultimately will be the person who needs to arrange the new dates) as soon as possible, so that they can start looking into rearranging the dates.
However, it’s also worth noting the contractual position set out in Tempo’s Terms & Conditions (Clause 9 - “Postponement and Cancellation”). This states that, if notification of the postponement/cancellation happens between 28 days and 13 days before the days in question, you will be charged half the agreed fee for the cancelled/postponed days (in addition to the cost of the re-arranged days). If the cancellation comes less than 14 days before the day(s) in question, you will be charged the full fee for the cancelled days (in addition to the cost of the re-arranged days).
Whilst this is Tempo’s contractual position, we will do our best to avoid charging you for the rearrangement where possible. The term in the contract is included because our auditors (who are typically contractors themselves) may not be able to find additional work at the last moment to replace the cancelled days, and will therefore suffer loss of long-pre-scheduled earnings. They have similar terms in their contract with Tempo, so if they hold us to the terms, we will pass that on to you (and please do not be offended if that is the case).
Equally, if your auditor is happy to rearrange (as they normally are), then Tempo will proceed without holding you to the terms in the contract.
The only other thing to note - often your auditor’s diary is very booked up in advance. If you postpone your audit, you will need to work to your auditor’s next upcoming availability - so please do not be surprised if the rearranged audit ends up being later than you ideally would have wanted.
-
To ensure a smooth audit, it's crucial to have the right team members available. Some guidance on this (and your Auditor and their Audit Plan should build on this further):
1. For starters, a top management representative (or representatives) should attend the opening meeting to demonstrate the commitment of leadership and provide an overview. It’s not a problem if all of top leadership cannot attend. If you have any concerns about this, you can always ask your auditor in advance around who they want to see for this (and when).
2. Throughout the rest of the audit, an ISMS manager or a knowledgeable "Guide" needs to be on-hand to assist the auditor, showing evidence and facilitating access to necessary documents and areas. As a rule of thumb, this "Guide" needs to block out the allocated audit days fully - although there may be gaps when the auditor works through items asynchronously and reconvenes to discuss what they've reviewed with the Guide (see the “Asynchronous vs Synchronous ISO 27001 audits” section), or, towards the end of the day, takes some time to review their notes and write up their reports.
3. Additionally, other personnel, including Top Management Representatives, process owners, IT staff, and department heads, might be needed to participate in interviews or provide specific evidence as requested by the auditor. This will help Tempo to address audit requirements and ensure a straightforward audit. Potential interviewees do not need to block out all the audit days in the same way as the Guide, and Tempo's auditor can aim to work around their schedule if the Guide clarifies their availability with the auditor. The auditor will also share an audit plan that will shed some light on when interviews might be - and during the audit, the "Guide" should help the auditor to arrange these interviews.
Tempo will share calendar invites with the company blocking out the audit dates. Please add any other representatives that you want to attend to these calendar invites, and/or notify us if your "Guide" is someone other than the person/people who have been communicating with Tempo to date.
-
The Stage 1 audit is the shorter, first part of the certification audit - typically 1 day (sometimes 2 days or more for larger companies), and the goal of the Stage 1 audit is to review your policies and procedures.
The desired outcome from the Stage 1 is for Tempo to be able to confirm that your company is ready to proceed to your Stage 2 audit, which is the main part of the certification audit.
To give you an idea of what the auditor will focus on at the Stage 1 audit (and therefore how you might prepare), they’ll be looking to gather evidence relating to the following areas:
- The Scope of your ISMS (and what activities are included, and what's excluded - ensuring there are no inappropriate exclusions) - clause 4.3 of ISO 27001
- Whether your scope is reflected in your Information Security policy - clause 4.3 and 5.2 of ISO 27001
- Your Information Security objectives - Clause 5.2b & 6.2 of ISO 27001 - including whether you have established appropriate controls for creating and updating documented information on InfoSec objectives - clause 6.2 of ISO 27001
- Your process for establishing your internal and external issues - clause 4.1 of ISO 27001
- Your legal register - Clause 4.2 of ISO 27001 - this should be comprehensive and auditors will often find a Minor (or a Major here) if you have missed obvious ones. TIP: ChatGPT might help you cross-check your list to check you haven’t missed any glaring legislation, if you put in a prompt such as “My company is a [XYZ SaaS] company based in [Country], and selling to customers across [the EU / the world / America]. Please provide me a list of legislation that might apply to our company, including the legislation that governs corporates/companies in our country of origin, and any legislation that requires us to have insurance”. You should do additional research beyond this, but it will be a useful starting place!
- Your Risk Assessment methodology is defined - Clause 6.1.2 of ISO 27001
- The criteria for determining when to perform a risk assessment have been defined - Clause 6.1.2 of ISO 27001
- Your Acceptable level of risk is defined - Clause 6.1.2 of ISO 27001
- Your Risk owners are correctly allocated - Clause 6.1.2 of ISO 27001
- Your Statement of Applicability (and that you have correctly included all the right controls): in particular, ensuring that it covers:
  - Justification for exclusion and inclusion of controls (make sure you have a column in your SoA to cover this!) - clause 6.1.3 of ISO 27001
  - Evidence that the infosec controls you determined are based on your information security risk assessment (UKAS have been hot on requesting evidence of this, so make sure you can show the auditor how you did this) - clause 6.1.3 of ISO 27001
- Your competency requirements and awareness training for personnel - clause 7.2 of ISO 27001
- Your process to evaluate effectiveness of training process - clause 7.2b of ISO 27001
- Your process to maintain and improve awareness of personnel - clause 7.3 of ISO 27001
- Your policy or processes regarding the need for internal and external communications relevant to the information security management system - clause 7.4 of ISO 27001
- Your policy or processes regarding the inclusion of documented information required by the ISO/IEC 27001 standard or determined to be necessary by the Organization for the effectiveness of the ISMS - Clause 7.5 of ISO 27001
- Your methods and criteria for monitoring, measurement, analysis and evaluation - Clause 9.1 of ISO 27001
- Your internal audit evidence - Clause 9.2 of ISO 27001
- Evidence of competency of your internal auditor - you may want to ask your internal auditor for their qualifications to evidence this - Clause 9.2 of ISO 27001
- Your process to react to non-conformities and corrective actions - Clause 10.2 of ISO 27001
- Your Management Review evidence (including that the minutes cover all of the required inputs and outputs) - Clause 9.3 of ISO 27001
After a Stage 1 audit, you’ll receive a Report from Tempo (typically within a week of the audit). Provided all went smoothly, this will provide a recommendation to proceed to your Stage 2.
The Report may also produce a list of Minor and Major “Areas of Concern” highlighted by the auditor during the Stage 1. Effectively these are items that, at a Stage 2 audit, if unresolved, will become Minor or Major Non-Conformities - so they provide a helpful starting point for you to resolve them before the Stage 2 audit. You might want to put them into your process to react to non-conformities and corrective actions (which will be helpful evidence for your Stage 2).
In the unlikely event that we have not been able to recommend your company to progress to a Stage 2 audit, the auditor will communicate the reason why, and explain next steps. That might involve re-arranging a new Stage 1 at a later date, or it might require you to resolve some highlighted Areas of Concern (and providing evidence of such resolution) before we can schedule the Stage 2. This could result in the Stage 2 being delayed by a few weeks, a month, or perhaps more. In this instance, Tempo will work with you to find a new date.
-
The Stage 2 audit is the main part of the certification audit.
In this audit, the auditor will cover every clause of the standard, and every control that you have included (or should have included, if there were incorrect exclusions!) in your Statement of Applicability. As such, we will not provide a list of what you need to do in advance of the audit here - since realistically, the ISO/IEC 27001 standard does this for you. Your goal is to ensure you are compliant with every clause and control.
________
TOP TIP: As good preparation for a Stage 2 audit, put yourself in the auditor’s shoes - and go through the standard clause-by-clause, and control-by-control, and consider what evidence you’d show the auditor to evidence conformity, and whether what you’ve done is sufficient? Effectively this is how the auditor will be thinking!
_________
Within the audit, you’ll need to make sure that you have suitable evidence to show the auditor for each clause and control. If you’re using a GRC platform, this will help.
Potential Outcomes
At the Closing Meeting at the end of the Stage 2, the auditor will share an immediate recommendation based on the results of the audit. These are the 3 possible outcomes:
1. Recommendation to Certify - This only happens where there are no non-conformities. This is pretty rare, since it’s unusual in a Certification Audit to have no non-conformities - but it means we can move quickly through to issuing your certificate (provided your Technical Review does not flag any other issues).
2. Recommendation to Certify, provided a corrective action plan is accepted to resolve non-conformities - This is where there were minor non-conformities highlighted (but no major non-conformities). This is a fairly likely outcome, and is not a concern. You’ll simply need to provide an acceptable corrective action plan for each Minor NC for the auditor to sign off. Once the auditor has signed off (and we have approved their report), we will be able to issue your certificate.
3. No Recommendation to Certify - This is where there is one or more major non-conformities. Again, this is a relatively common occurrence and isn’t typically a cause for concern. You simply need to provide evidence in your Corrective Action Plan for how you closed the Major NC(s). Once that’s provided, and the auditor has accepted it, we can proceed to issue your certificate.
After the end of the Stage 2 audit, it’s highly likely that you will have some major or minor non-conformities to close (options 2 or 3 above). The auditor will aim to share these non-conformities with you as soon as possible after the audit (hopefully at the closing meeting, but if the auditor needs more time to gather their thoughts, at least within a day or two of the close of the audit). You can then start work on closing these out (See the “Closing Non-Conformities raised at an ISO 27001 audit” section below for more details about this).
Alongside this, Tempo’s auditor and technical reviewers will prepare your report. We aim to have the report finalised and “Technically Reviewed” within 10 days of the end of the Stage 2, and often quicker. (FYI - it’s possible that some additional minors or majors might be highlighted in the Technical Review - in which case these will be communicated to you, so that you can include them in your Corrective Action Plan).
As soon as non-conformities have been closed, and the report has been Technically Reviewed successfully, Tempo will issue your certificate, and this will be emailed to you.
Once issued, your certificate will last for 3 years from the date of the issuance.
-
In the first 2 years of your certificate being issued, Tempo will conduct shorter “Surveillance” audits.
The first needs to be within 12 months of the certificate being issued. Tempo typically looks to arrange this around 11 months from your certificate being issued (your auditor will either schedule this with you at the Stage 2 audit - or Tempo will book in dates as we issue the certificate).
The Surveillance Audit is a shorter “check-in” audit - around ⅓ of the length of a certification audit (and half the length of a recertification audit) - and is not a full-system audit. As a result, we will not review every clause and control, but might sample a selection of clauses or controls (with the auditor taking a “risk-based approach” - i.e. checking on controls or clauses where there might be particular risk, or where changes in the business mean that these controls or clauses need particular review).
The core agenda for a Surveillance Audit will be as follows (and each of these sections might lead the auditor to review other areas of your ISMS that might be raised in the course of the conversation):
- Changes to your Business since Previous Audit (e.g. Staff Numbers, Locations, Scope, Activities/Processes)
- Review of Non-Conformities raised at your last audit (this is an obvious place to prepare for, ahead of a Surveillance Audit!)
- Use of certification marks (a review of how you’re using the Tempo / UKAS certification marks across your website and/or other materials)
- Review of Internal Audits and Management Review Meetings
- Complaints / Feedback from Interested Parties
- Review of Management System Changes
- Progress of planned activities aimed at continual improvement
- Effectiveness of the management system with regard to achieving the company’s objectives and the intended results of the respective management system
- Review of your Statement of Applicability and Information Security Risk Assessment
The 3 outcomes of an ISO 27001 surveillance audit are similar to those at Stage 2 of a certification audit, but this time relate to “continued registration” of your certificate.
The process for closing any non-conformities highlighted is exactly the same as at the Stage 2 audit. (See the “Closing Non-Conformities raised at an ISO 27001 audit” section below for more details about this). However, if there are only Minor Non-Conformities highlighted, Tempo will maintain certification, and will review the corrective action plan at the next assessment to check the Minors have been resolved. If Major Non-Conformities are highlighted, these will be closed following the Corrective Action Plan process. In this instance, Tempo will also conduct a review of the major non-conformity(ies) to determine if your certificate needs to be suspended until the Corrective Action Plan is approved - but even if this were to happen, once they are closed, then your certificate would be restored.
-
A Recertification Audit happens in the 3rd year of your certification cycle, with the goal of providing evidence of conformity against every clause and applicable control of the standard, so that we can issue you a new 3-year certificate. It’s typically 2/3rds of the length of the Certification Audit, and twice the length of a Surveillance Audit (although note that, if your company has grown in the meantime, audit lengths might grow accordingly, based on the ISO 27006 audit length requirements).
The Recertification Audit is very similar to the Stage 2 certification audit, in the sense that it’s a full-system audit - so we will cover every clause of the standard, and every applicable control. Although by the time you’ve reached a Recertification Audit, you should be old hat with the audit process - so hopefully it’ll be less daunting for you!
Again, there’s no point us providing you a list of what you need to do in advance of a Recertification audit here - since realistically, the ISO 27001 standard does this for you. Your goal is to ensure you are compliant with every clause and control.
The 3 outcomes of the audit are the same as at Stage 2 of a certification audit - this time relating to the decision of whether to issue a new certificate for the following 3 years. See the “What happens at a Stage 2 (Certification) Audit” section to get additional detail on the 3 options.
The process for closing any non-conformities highlighted is exactly the same as at the Stage 2 audit. The auditor will aim to share these non-conformities with you as soon as possible after the audit (hopefully at the closing meeting, but if the auditor needs more time to gather their thoughts, at least within a day or two of the close of the audit). You can then start work on closing these out (See the “Closing Non-Conformities raised at an ISO 27001 audit” section below for more details about this). Once they’re closed, and the report is finalised and technically reviewed, we can issue your renewed certificate for the next 3 years.
-
After a certification or recertification audit, you’ll receive your certificate once Tempo has gathered evidence of compliance against every clause and control.
First of all, during the audit, the auditor will keep you informed on progress (in terms of number of non-conformities raised). Then, at the Closing Meeting at the end of the audit, the auditor will provide a recommendation.
Effectively there are 3 options for this recommendation:
- If there are no non-conformities, great job, and the auditor will recommend to certify
- If minor non-conformities (but no majors), the auditor will make a recommendation to certify provided an acceptable plan to address these Minor NCs has been created (see the “Closing Non-Conformities raised at an ISO 27001 audit” section)
- If there are major NCs, a recommendation can only be made once these are acceptably closed (see the “Closing Non-Conformities raised at an ISO 27001 audit” section)
However, it’s important to note that the recommendation is not the final decision, since it’s simply a snapshot of the situation at the end of the audit which the auditor is required to make. Even where the recommendation from the auditor after the audit is not to certify, you simply need to resolve the non-conformities highlighted, by following the process set out below, and Tempo can then proceed to issue a certificate.
So the answer to this question is: once we have evidence that your whole Management System is compliant with every clause and control, we will proceed to certification. With that in mind, do not get too hung up on the result, and focus on moving quickly through the Corrective Action Plan!
To understand more on the timeframe for receiving your certificate, see the “When will we get our ISO 27001 certificate” section.
-
Nearly every certification audit results in at least some major or minor non-conformities, so do not be concerned if you have these (perhaps even well over 10). It’s not a big concern - and it’s most important that you focus on learning from them and resolving them quickly.
The auditor will notify you when this happens, and you will be able to resolve them after the audit in your Corrective Action Plan, so that Tempo can proceed to issue your certificate. See the “Closing Non-Conformities raised at an ISO 27001 audit” section below for more details about this process.
-
If you have any Non-Conformities, Tempo will share a Corrective Action Plan with you (in a Notion format that we like to use).
We encourage our auditors to share this with you as soon as possible after the audit (preferably on the same day) so that you can get working on it alongside Tempo finalising your report.
We'll provide instructions on completing the corrective action plan - but effectively for each non-conformity, you’ll need to provide the following 3 things:
- Root Cause Analysis: Here you investigate what caused the non-conformity, so that you can ensure that the underlying cause of the issue is addressed, rather than merely treating the symptoms. Here you look at broader ISMS processes that might contribute to the non-conformity. For example, a missing control may indicate gaps in risk assessments, training, or leadership oversight - so you would summarise the causes here.
- Correction: A correction is an immediate fix to address the non-conformity, essentially resolving the problem at hand. For example, if a security incident is caused by improper access control, the correction would be restricting or updating user permissions.
- Corrective Action: Corrective action is a longer-term solution designed to eliminate the root cause of the non-conformity, ensuring that it doesn’t recur. It involves identifying the underlying reasons for the non-conformity, making systemic changes, and possibly updating processes or policies. For example, in the case of improper access control, the corrective action might involve revising the access control policy and training employees on the new procedures.
For Minor Non-Conformities, you just need to make the plan by providing the 3 items above, and you do not need to have delivered the planned actions before the auditor closes them out (you simply need to have developed the plan). Tempo will then review these and check you delivered on the plan at the next audit.
However, for Major Non-Conformities, you need to have closed the non-conformity before we can proceed to issue a certificate - so in this instance, Tempo / our auditor will need to see evidence (screenshots, PDFs, documents etc) to prove that the Major Non-Conformity is acceptably closed.
-
If all goes smoothly, you can expect your certificate within 2 weeks after the Stage 2 audit closes.
However, Tempo can only issue your certificate once all these things have happened:
1. (If there are non-conformities) you've completed the Corrective Action Plan to close these non-conformities
2. Your auditor has approved your Corrective Action Plan (if the auditor has comments/questions on your Corrective Action Plan, they will send these to you - so you’ll need to respond to those before we can close them)
3. The auditor has finalised your report (typically within 1 week after audit)
4. Tempo has finalised its technical review of the report (typically within a few days of auditor submitting the report)
The biggest potential delay in the above scenario is the corrective action plan being finalised by yourselves, so if you’re in a hurry to get your certificate, please make sure you move through it quickly!
And if you have an urgent need for your certificate, make sure you relay this requirement to Tempo. We will always do our best to expedite requests to support your needs - although we note that we always need to follow the above steps.