CHAPTER 4:
ANSWERING AUDITORS’ QUESTIONS

In a third-party accredited certification audit against any management system standard, the auditor can ask anyone questions. This is even more likely in the case of the information security management system standard, ISO 27001, so you are advised to pay particular attention to this section.

There are some basic ‘ground rules’:

• First and foremost, remember that you are not ‘on trial’, under examination or on oath. This is not an inquisition! The auditor is testing the system, not your knowledge. You must, however, know the location of procedures and use the correct forms, at the correct issue level.

• Remember that the auditors are impartial and try to be fair at all times. Your organisation invited them in and they want to see you succeed.

• Having said this, always listen to the question, and let the auditor finish it before answering.

If you don’t understand the question, say so. Ask for clarification; if you still don’t see what (s)he is driving at, turn to the guide for help – (s)he will intervene to clear the matter up. Don’t jump in and guess what the auditor’s thought process might be… (‘Oh, you mean…?’).

• Answer each question with confidence, explaining what you mean. Answer briefly, factually and accurately. If you don’t know the answer or are not sure, say so. Do not guess. You do not lose marks if you know where to look for the information, or who to ask.

For example, if the auditor has been talking about reporting problems and you have described carefully the method for contacting your immediate manager, the auditor might then ask ‘And do you have a procedure for reporting these problems if your manager is on holiday?’

You think there may well be, but since you have never had occasion to use it, and have never seen it, you are not sure.

You should tell the auditor ‘Sorry, I don’t know, but I know where I can look it up.’ (Just as long as you do – they are likely to ask you to show them!) Familiarity with your company’s management system can help here – knowing where to look for the relevant procedure or form so that you can find any answers there and then.

There are also a few things not to do:

• Never volunteer information – ever!

• Never argue with the auditor – even if (s)he is wrong!

• Never point out problems – identifying problems is the auditor’s task, not yours. You could help your employer demonstrate continuous improvement by suggesting areas for improvement now, ahead of the audit. If you are not sure how to do this, ask your line manager, or whoever is responsible for the administration of the information security management system.

• Never criticise:

– Your colleagues / manager / supervisor

– The company

• Never try to bluff, mislead, hoodwink or fool the auditor. It will always eventually backfire on the organisation – and on you.
