Oxebridge Just Cracked the Code on Remote Auditing

Hey, World. It’s Chris from Oxebridge again. Remember all those problems I keep solving for you? I’ve got another one.

As you likely know, the IAF accreditation scheme actors, from the lowliest certification bodies to the IAF itself, have totally bungled the concept of remote auditing for ISO 9001 and other certifications. They invented tepid “do whatever you like” rules back in the early 2000’s or so, then updated them in 2011. Everyone ignored them, and the CBs refused to implement any remote auditing protocols because they are lazy and cheap. Doing so would have required spending money and training people, and that’s just too much effort. Yawn.

Now we’re in the middle of the coronavirus pandemic, and the various bodies are facing bankruptcy, with on-site auditing all but shut down for nearly every country on the planet. So, now they are paying attention.

But they’re still lazy and cheap, because a tiger never changes its stripes. The IAF can’t be bothered to get off its ass and update the ancient “internet communications techniques” rules it wrote years ago, and which were ignored by the industry, so it’s just doubled down and is instisting that the rules are fine as-is, and everyone should just adopt them now. Because doing more of what failed always works, right?

Remember, the IAF “ID3” rules were last updated in 2011, which was nine years before the pandemic. But IAF refuses to take another look at them.

Making matters worse, the IAF and its usual sycophants, ANAB, UKAS and DAkkS, are just telling people to use software and technology that totally doesn’t comply with national and international privacy and security laws, thus putting their clients and users at risk of being the victims of crimes, or committing crimes themselves.

Again, the IAF could update its rules. It has the resources, and is supposed to be staffed by smart people. But it is choosing not to, and instead spending its budget on trotting out Sheronda Jeffries to promote the half-baked and already-rejected IAF CertSearch database. (I’m not sure why we need a database of certificates if everyone is going to lose their certificate because all the CBs go belly up in the next few months.)

So once again, Oxebidge has to do the heavy lifting for the industry and fix a problem that seemed unfixable. And once again, it took mere hours to do so. Not months, not years. Hours.

The idea for trustworthy, secure remote auditing has been batting around my head for ages, and I’m also a tech nerd, so this was just a matter of putting it all down in writing. I’m happy to announce the publication of the new Oxebridge standard, Q017 Quality Management System Certification Audit – Remote Auditing Methods version 1.o. You can grab your free copy on this page (scroll to the bottom.)

Now, Q017 will be mandatory for any certification bodies operating in the Q001 Certification scheme, but the standard could be easily adopted by any CB, even those in the IAF accreditation scheme. I’m sending a copy to the IAF and inviting them to use it (but would appreciate some credit, goddammit.) It’s a near guarantee they will ignore it.

The standard is broken into three main sections. The first provides hard requirements for CBs on how they can use Remote Auditing Methods (or “RAM”) for specific evidence-gathering activities, such as telephonic verbal communications, file transfers, video conferencing, etc.

The second part then goes into suggestions on how such requirements could be met, offering options of current software and solutions which would likely comply. For example, the secure messaging app Signal solves a lot of remote auditing problems (but, of course, not all.)

Finally, the standard presents a simple checklist of steps for a CB to use when rolling out RAM, proving it’s not as complicated as it all sounds.

While it’s likely some user feedback will help improve this standard and point out any remaining weaknesses, there’s no doubt this is a huge step forward and a monstrous improvement over the IAF’s weak and confusing guideline documents. (Those documents largely leave a CB to do whatever it wants, provided it justifies it with an invisible risk assessment that no one will ever verify.)

So I invite you to download your free copy of Q017, along with any of the other available accreditation documents for the Q001 Certification Scheme. Then see how they can be used for activities under the traditional IAF scheme, too.

You’re welcome, world!

(PS: if any security experts or other stakeholders see flaws in the standard, write to me so we can improve it ASAP.)