From ISO:9001 auditing to ISO:27001 implementation | CQI | IRCA

Published: 9 Jan 2018

Adam Gomes talks about his personal experience in the quality profession and how he successfully conducted his company’s ISO:9001 audit and is now implementing ISO:27001.

In 2015 I joined a supply chain compliance company called Altius VA Ltd as the HSQE manager. Before this I had spent over ten years in the NHS/Skanska Facilities Management department carrying out a mixture of roles but mainly as a health and safety advisor. Through self-funding courses and devoting a lot of time to health and safety in the company, I managed to achieve chartered status in IOSH. To keep up my CPD I read a lot of health and safety magazines and noticed a trend. This was that many job roles were changing from purely health and safety positions to health, safety, fire, quality and environment. I decided to start educating myself in these other areas and completed a NEBOSH Fire safety and risk management course and then an environmental management certificate with the Institute of Environmental Management and Assessment (IEMA), before going on to join the institute at practitioner level.

I had started to consider quality management and decided to learn the history behind it and what benefits it brought to organisations. I soon realised that it was a very interesting topic which had a rich history. I enjoyed reading about the method of mass production during World War II, Henry Ford’s production lines and Deming/Shewhart’s concepts that helped Japan turn around its ailing economy, which inevitably resulted in Japan overtaking the USA in the auto and electrical goods markets. I must admit that I got a bit obsessed, and when watching Lord of the Rings one night, I noticed that the orcs were using the mass production process when creating their weapons for war. It was at this point that I realised I needed a holiday.

When I joined Altius they asked if I could audit their ISO:9001 quality management system. I agreed and looked forward to learning about ISO:9001 and the differences between the 2008 standard and the 2015 one. At Altius, they were very supportive and put me through an IRCA-accredited internal auditor course and later in the year the IRCA-accredited lead auditor course for ISO:9001. I enjoyed both courses immensely and really began to learn the history of quality management, how it can help a business run more effectively and its importance in different industry sectors. I carried out two classroom-based courses and part of the benefit of this was that I met other delegates from different work backgrounds. Some of them came from the oil and gas, manufacturing and health care sectors. Even though these sectors were very different from my own, the quality aspects were all very similar and it was nice to compare the different thought processes and methods on how to carry out internal audits and what areas to focus on. I kept in touch with some of the delegates and it was great to see how they were getting on with it, discussing different parts of the standards and comparing ideas and opinions.

Creating an audit plan

Upon returning to work with my new skills under my belt, I pinpointed areas to audit and set about creating an audit plan. I sat down and thought about what I wanted to achieve as an auditor and my focus was to address two things. The first one was something I had noticed during my time as a health and safety consultant; I found in the past that employees can get quite worried when they hear that you will be in the area carrying out work, which I think is a shame. I wanted to quash this feeling and challenge the stereotype of auditors/health and safety consultants coming around with a clipboard like the Grim Reaper and asking staff lots of difficult questions about their job role and the tasks they carry out. The second challenge came about through something my course tutors, Dominic and Steve, said to me on my course and that was that you are there to give the client value from the audit. This really resonated with me and I did not want audits to be a tick-box exercise. I wanted to give the business value from the audit to help them improve where possible.

To challenge both these points, I made a conscious decision to always take the approach of being friendly, trying to put people at ease and to show genuine interest in them and the processes and procedures in their workplace. I think if you show that you are there to help, you are genuinely interested, and respect people and their role in the company, then you build a strong relationship with people and they are more likely to be open with you, helping you where possible and enabling you to get better quality information. This then creates an atmosphere where people are more at ease when you are onsite auditing, and they know that you are there to help improve the business, not to try to trip people up or catch people out.

I thoroughly enjoyed the internal audits and I am pleased to say we flew through our own recertification audit with zero non-conformities. Since then, I am proud to say I have joined IRCA and have become a certified auditor for quality management systems.

Recently I have been tasked with implementing ISO:27001 into our business, so this time I can see the challenges people have when implementing a standard, as opposed to auditing it. I am really enjoying the experience and think this helps add to my auditing skills, by understanding and appreciating the challenges from both sides.

Being an auditor is a very rewarding job. Not only do you get to see different businesses in many different industries, you also realise that when all is said and done you are there helping a business become the best version of itself. I would recommend it to anyone as a great career profession.  

Bio: Adam Gomes, CMIOSH, CBIFM, is an OSHCR Registered Consultant and a Senior Assurance Specialist at Altius VA Limited.
