• Welcome to ISOCERTIKIT

Implementing ISO standards involves a systematic approach to aligning organizational processes with internationally recognized best practices. The process begins with understanding the relevant ISO standards and conducting a gap analysis to identify areas that require improvement. A well-structured implementation plan, supported by top management, ensures clear responsibilities, timelines, and resource allocation. Key steps include establishing a cross-functional team, implementing a document management system, training employees, and integrating risk management practices. Continuous improvement, internal audits, and management reviews help maintain compliance and enhance the organization's overall efficiency and effectiveness.


ACCAB Policy on Audit Time Determination

1.0 Policy Statement
1.1 ACCAB is committed to ensuring that Conformity Assessment Bodies (CABs) apply a consistent, risk-based approach in determining audit time for Quality, Environmental, and Occupational Health & Safety Management Systems. This policy aligns with ISO/IEC 17011 and IAF MD 5:2023 and sets the framework for calculating appropriate audit durations based on relevant factors.

2.0 Scope
2.1 This policy applies to all Certification Bodies (CBs), Verification Bodies (VBs), and Validation Bodies (VVBs) seeking accreditation from ACCAB.

2.2 It covers the determination of audit time for Quality (ISO 9001), Environmental (ISO 14001), and Occupational Health & Safety (ISO 45001) Management Systems.

2.3 The policy incorporates risk-based approaches and factors influencing audit duration, ensuring alignment with IAF MD 5:2023.

2.4 It includes single-site, multi-site, and complex organizational structures, following sampling principles outlined in IAF MD 1:2023.

3.0 Principles of Audit Time Determination
3.1 The determination of audit time must be risk-based, incorporating the complexity, maturity, and performance of the management system.

3.2 Factors influencing audit time include:

  • The size and scale of the organization.
  • The number of employees and operational processes.
  • The nature and complexity of products, services, and processes.
  • Regulatory and statutory requirements.
  • The level of integration of management systems (where applicable).
  • Previous audit results and risk factors identified.

4.0 Consideration of Multi-Site Organizations
4.1 For multi-site organizations, the sampling methodology must align with IAF MD 1:2023 and MD 5:2023.

4.2 The number of sites to be audited must be proportionate to the risk, operational complexity, and the nature of activities conducted at each site.

4.3 Justification for site sampling and audit time allocation must be documented.

5.0 Use of Information and Communication Technology (ICT)
5.1 ICT may be utilized for remote audits where applicable, following IAF MD 4:2023 and MD 5:2023.

5.2 The use of remote audit time must be justified and documented, and must not compromise audit integrity.

5.3 ICT-based audit activities must consider the availability of reliable technology and cybersecurity measures.

6.0 Special Considerations
6.1 High-risk industries require extended audit time and specialized assessment methods.

6.2 Complex processes, regulatory compliance, and operational risks necessitate additional assessment time.

6.3 When integrated management systems are audited, time reductions or increases must follow IAF MD 5:2023 guidelines.

7.0 Flexibility in Audit Time Adjustment
7.1 Audit time may be revised based on risk reassessment and unforeseen circumstances.

7.2 Justifications for time variations must be documented and reviewed by competent personnel.

7.3 Audit time determination must uphold the credibility, impartiality, and integrity of the accreditation process.

8.0 Competency Requirements for Auditors
8.1 Auditors must be trained and competent in audit time determination methodologies in accordance with IAF MD 5:2023.

8.2 Auditor experience, industry expertise, and familiarity with CAB operations influence time allocation decisions.

9.0 Review of Audit Time Methodology
9.1 Audit time determination must be reviewed periodically to ensure alignment with IAF MD 5:2023 updates.

9.2 Adjustments must reflect emerging risks, industry trends, and accreditation best practices.

10.0 Documentation and Record-Keeping
10.1 All audit time calculations and justifications must be documented for transparency and accountability.

10.2 Records must be maintained in accordance with ISO/IEC 17011 and accreditation body requirements.

11.0 Continuous Improvement
11.1 ACCAB shall periodically review this policy to enhance its effectiveness, integrating feedback from stakeholders and regulatory updates.

11.2 CABs are encouraged to provide input to refine the audit time determination process.

12.0 Ensuring Compliance
12.1 CABs must demonstrate compliance with this policy and IAF MD 5:2023 requirements during assessments.

12.2 Non-compliance with audit time determination methodologies may result in corrective actions or reassessment of accreditation.

13.0 Further Guidance
13.1 CABs may refer to IAF MD 5:2023 for detailed audit time determination criteria and implementation guidelines.

14.0 References

| Document Number | Reference |
|---|---|
| ISO/IEC 17011:2017 | Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies |
| IAF MD 5:2023 | Determination of Audit Time |
| IAF MD 1:2023 | Multi-Site Organizations |
| ISO 9001:2015 | Quality Management Systems |
| ISO 14001:2015 | Environmental Management Systems |
| ISO 45001:2018 | Occupational Health & Safety Management Systems |
| IAF MD 4:2023 | ICT in Auditing |

Understand the Standard: Familiarize yourself and your team with the ISO 22301 standard. This includes understanding its structure, requirements, and objectives. You can obtain a copy of the standard from ISO or various other sources.

Top Management Commitment: Gain commitment from senior management to support the implementation of ISO 22301. This includes allocating resources, defining roles and responsibilities, and integrating business continuity objectives into the organization’s overall strategic direction.

Scope Definition: Clearly define the scope of your business continuity management system (BCMS). Identify the relevant processes, activities, and functions that will be covered by the BCMS.

Risk Assessment and Business Impact Analysis (BIA):

  • Conduct a thorough risk assessment to identify potential threats and vulnerabilities to your organization.
  • Perform a business impact analysis (BIA) to understand the potential consequences of disruptions to your organization’s operations.
  • Based on the risk assessment and BIA, prioritize risks and determine the necessary controls and mitigation measures.

Business Continuity Strategy and Plans:

  • Develop a business continuity strategy that outlines how your organization will respond to and recover from disruptions.
  • Develop business continuity plans (BCPs) for key processes and functions identified in the BIA. Ensure that the plans are documented, communicated, and regularly tested and updated.

Resource Management:

  • Allocate resources (human, financial, technological, etc.) to support the implementation and maintenance of the BCMS.
  • Ensure that personnel are trained and competent to fulfill their roles within the BCMS.

Incident Response and Management:

  • Establish procedures for incident detection, notification, and escalation. Define roles and responsibilities for responding to incidents and activating the appropriate business continuity plans.
  • Implement measures to minimize the impact of incidents and facilitate timely recovery.

Monitoring, Measurement, and Evaluation:

  • Establish key performance indicators (KPIs) to measure the effectiveness of your BCMS.
  • Regularly monitor and evaluate the performance of the BCMS against these KPIs.
  • Conduct internal audits to identify areas for improvement and ensure compliance with the standard.

Continual Improvement:

  • Implement processes for identifying and addressing non-conformities, corrective actions, and preventive actions.
  • Continuously review and improve your BCMS to adapt to changes in the organization, its operating environment, and the nature of threats and vulnerabilities.

Certification (Optional):

  • If desired, engage a third-party certification body to assess the conformity of your BCMS with the ISO 22301 standard.
  • Prepare for and undergo certification audits to demonstrate compliance and achieve ISO 22301 certification.
