Do Internal Audit plans have to specifically cover the ISO 55001 clauses?

There is often an assumption that an organisation’s internal audit programme must include audits against the clauses of ISO 55001:2014. 

However, this may not suit a company that uses a risk-based audit planning methodology. 

Technically, there is no specific requirement in ISO 55001 for internal audit to audit against the clauses of ISO 55001. The actual requirement is “… Conduct audits … to assist in the determination on whether the asset management system (AMS) conforms to … the requirements of this international standard.”

Some organisations don’t audit against the standard at all. They use a risk-based audit programme, and normally this would not produce audit scopes or objectives that list the clauses of the standard. They satisfy the ISO requirement quoted above by using information from audits, together with other evidence, in a systematic review by management of whether the AMS conforms to the requirements of the international standard. This is good practice and it complies with the ISO requirement.

Another common way is to make a compliance matrix showing how the organisation’s own processes ensure compliance with the respective ISO clauses. Auditing those processes then gives assurance of compliance with the requirements of ISO 55001. This seems to be supported by the ISO 55002 guidance standard, which talks about audit “to ensure the AMS conforms to its requirements (and to the requirements of ISO 55001)”.

