The International Organization for Standardization (ISO) is a global leader in developing standards across industries such as manufacturing, healthcare, finance, agriculture, utilities, information technology, and pharmaceuticals to keep our products and processes safe, effective, and sustainable. Many ISO standards like ISO 27001 and ISO 9001 offer certification; whether you’re seeking certification or just the assurance that accompanies ISO compliance, an ISO audit can benefit your organization in numerous ways. This article will educate you about ISO audits, break down the different types of audits you might employ, and provide you with a guide for preparing for both internal and external ISO audits.
What Is an ISO Audit?
An ISO audit is an audit of your organization’s compliance with one of the standards set forth by the International Organization for Standardization (ISO). ISO is a non-governmental organization based in Geneva, Switzerland, which develops international standards and control frameworks that guide industry best practices in fields from information security to car-seat safety. ISO is dedicated to fostering continuous improvement, and reviews each standard every five years. An audit measures your company’s systems against any ISO standard; beyond compliance, a few standards can be ISO certified via third-party audit among them:
- ISO 9001: Standards for Quality Management Systems (QMS)
- ISO/IEC 27001: Standards for Information Security Management Systems (ISMS)
- ISO 14001: Standards for Environmental Management Systems
- ISO 50001: Standards for Energy Management Systems (EnMS)
- ISO 45001: Standards for Occupational Health and Safety Management Systems
- ISO 13485: Standards for Medical Devices
- ISO 22000: Standards for Food Safety Management
The distinction between “ISO compliance” and “ISO certification” is that ISO compliance involves implementing practices, business processes, and policies that align with one or more target ISO standards, but does not require a formal third party audit. ISO certification involves all of the above, plus a formal third party audit by accredited ISO auditors. Nonetheless, ISO compliance can still involve audits — though these may be performed by internal auditors rather than external auditors.
Why Is an ISO Audit Important?
ISO audits are a critical component of maintaining and improving the management systems that organizations have implemented based on International Organization for Standardization (ISO) standards. Here are a few key reasons highlighting the importance of an ISO audit :
- Ensures Compliance: An ISO audit can tell you whether you are meeting requirements for ISO compliance and can expose the weak spots in your organization’s operations so that you can develop the strongest risk management strategy possible. These audits can identify areas of non-compliance, allowing for corrective action to better meet ISO requirements.
- Facilitate Risk Management: ISO audits often involve a thorough review of the organization’s risk management practices, helping to identify and mitigate potential risks before they can impact the organization’s operations or reputation. An ISO audit can be a part of the initial phases of a risk assessment plan, but it can also assist you in developing new systems or approaching new customer bases.
- Increases Credibility and Reputation: Successfully passing an ISO audit and launching yourself towards ISO certification demonstrates to customers, suppliers, and other stakeholders that the organization is committed to quality, security, environmental management, or other aspects covered by the ISO standards, enhancing its market reputation.
- Enhances Efficiency: By examining the effectiveness of processes and identifying inefficiencies, ISO audits can lead to improvements that enhance operational efficiency and reduce waste, contributing to better resource utilization.
What Are the Types of ISO Audits?
There are three types of ISO audits: internal audits (first-party audits), supplier audits (second-party audits), and external audits (third-party audits). Your choice of audit type will alter depending on your compliance and certification goals, scope, scale, and budget. Remember that ISO certification can only be achieved by partnering with an external, third-party auditor that has the appropriate credentials to perform the audit.
While there are several ISO standards that can be audited against, it is always important to specify the scope and objective of an audit project. An audit designed to evaluate an organization’s quality system or QMS and quality policies may not be the best place to audit for other regulatory requirements. That said, a well-planned audit can indeed knock multiple birds out with one stone, especially if there is an overlap between controls. Don’t neglect to assess the compatibility of one standard with another — it might just save you and your organization time, hours, and money to combine compatible compliance efforts.
1. Internal Audits (First-Party Audits)
An internal ISO audit can be conducted by a designated auditor within your company — if ISO compliance is your goal, an internal audit may be satisfactory for ensuring your company is adopting ISO standards as a model for best practices. Use an internal audit checklist to see how your organization’s systems measure up to ISO guidelines. Internal audits are also important preparation for certification, surveillance, or recertification audits. Like with all internal audit projects, an organization should seek out some kind of management review of the outcome of the audit and take corrective action wherever possible, and keep leadership abreast of compliance efforts. In general, audit results can and should be communicated to the appropriate stakeholders to encourage a culture of continuous improvement — this applies to all audits, not simply internal ones.
2. Supplier Audits (Second-Party Audits)
Supplier audits are audits undertaken by a purchasing company over their suppliers or supply-chain providers. These audits are critical in an interconnected world where many businesses rely on other businesses to provide key services, materials, and products. Risks from a supplier can easily translate to risks for the purchasing company, especially if they have a long-term relationship with the compromised or non-compliant supplier. In fact, many of the recent cybersecurity breaches of the near past have resulted from compromises, not of the target organization, but of their suppliers. Performing supplier audits may be a necessary step in attaining and maintaining ISO compliance, and is a great best practice for organizations that heavily rely on suppliers for day-to-day operations.
3. External Audits
External audits are conducted by third-party auditors to assess an organization’s ISO compliance. There are a few types of external audits in relation to ISO standards, which often require compliance by all members of the supply chain. Certification and surveillance audits also fall under the umbrella of “external audit.”
Certification and Recertification Audits
ISO standards that offer certification require a special certification audit — when you seek certification for a standard like ISO 27001, a certification body will conduct an audit and issue a certificate of compliance that is good for three years. In turn, your organization commits to keeping up the processes, product controls, and systems that are covered by that certificate. For ISO 27001, you would be bound to maintain your information security management system for three years, with the initial certification audit reviewing the ISMS in totality, focusing on policies and procedures, and two subsequent years of surveillance audits, which are slightly less rigorous than the certification and recertification audits. With ISO certification audits, and indeed, audits in general, document control should remain a point of focus.
Surveillance Audits
Once your organization has achieved ISO certification, you must schedule surveillance audits with the certification body at least once per year until your recertification audit. A surveillance audit includes reviews of management, any steps the organization has taken to mitigate or correct prior nonconformities, and a review of how the organization has responded to recommendations from internal audits. After two years of surveillance audits, an organization has to undergo another recertification audit, with the same or close to the same rigor as the initial certification audit. The process then repeats in a 3-stage cycle.
Image: ISO Certification Audit Lifecycle
How Can ISO Audits Be Conducted?
Depending on the audit type, an ISO audit can be conducted onsite or remotely. An internal audit can be carried out by the organization as a self-audit, and can be conducted onsite or remotely. Some external audits can also be conducted remotely. However, any certification or surveillance audit must be conducted by a registrar onsite. In some cases, businesses (like startups) may not have a physical presence, operating fully virtually or remotely. Check with your external auditors to determine whether a remote audit is sufficient, or if plans need to be made to bring auditors onsite.
What Happens During an ISO Audit?
ISO audits focus on systems, products, or processes; the exact steps will differ depending on whether an auditor is assessing an information security management system (ISMS), quality management system (QMS), or other types of management systems according to the target ISO standard. Regardless of whether you are conducting an internal or external ISO audit, auditors will test your systems against an audit checklist, determine whether daily operations adhere to the standards, and assess progress in mitigating prior gaps or non-conformities.
How Do I Prepare for an ISO Audit?
When conducting an ISO audit, preparation is key — each audit you conduct helps you prepare for the next one. Internal audits help you prepare for certification, recertification, and surveillance audits, and surveillance audits help you prepare for recertification audits. We’ve outlined some tips for your first ISO audit below.
5 Tips for Preparing for ISO Audit
Preparing for any kind of audit has its own nuances and risk, audit, and compliance professionals have their preferences as well. In terms of getting started preparing for an ISO audit, it’s important to create an audit plan that will 1) determine your goals, 2) create an audit schedule, 3) compile your audit checklists, 4) get organized, and 5) conduct internal audits first!
1. Determine Your Goals
Before undertaking any major project, it’s a good idea to identify your goals and desired outcomes. Without a clear direction to move towards, it can be hard to understand and communicate why your organization is doing all of this work. If your goal is to achieve certification, it is best to keep that goal in mind when you create your audit schedule. Certification can take time, more time than compliance alone, especially as you conduct a gap analysis and mitigate nonconformities. Being aware of your goal to certify will help you streamline your energies and save time and money during ISO audits.
2. Create an Audit Schedule
Create a schedule for your audits including a timeline for certification, if that is your goal — and stick to it. Break down larger project goals into smaller milestones and delegate activities to appropriate personnel with the right competencies. Start with your schedule for internal audit, build in flexibility to complete projects or mitigate problems, and progress towards an estimated timeline for engaging a certifying body.
3. Compile Audit Checklists
Audit checklists walk you step-by-step through the audit process applicable to the ISO guidelines you are using. In broad strokes, the audit checklist ensures that you understand how the audit fits into your business’ overarching goals and context. In detail, it covers each component of the specific ISO standard for which you seek compliance and assesses whether you are meeting those requirements or need modification to your systems, processes, or products. It’s important to update audit checklists periodically to keep on top of updated standards and changes to best practices.
4. Get Organized
If you are inviting a third-party auditor into your work environment, it helps if that space is well-organized and clean. Maintaining good document control and having your documents ready for review will shorten the time it takes to conduct the audit, and help your auditor streamline the work to provide the best possible feedback for improvement. A lack of evidence, after all, can set back your audit, so being able to find what you need when you need it can make the audit process go that much more smoothly.
5. Conduct Internal Audits First
Again, an internal audit is your best preparation for external, certification, or surveillance audit. Auditors want to know about your progress towards your goals and improving your systems to align with ISO standards. An internal audit will start that process and demonstrate to your auditors that your organization is serious about ISO compliance, and it will prepare the business for the questions and requests that may come in an external audit.
What ISO Standards Apply to Information Security?
The ISO 27000 family of standards, specifically ISO 27001, pertains to Information Security Management Systems (ISMS); this family of standards provides a detailed overview of how to develop, assess, and maintain a secure ISMS for your organization, preventing breaches and data leaks, optimizing your implementation of cybersecurity measures, and ensuring your compliance with strict data privacy laws like GDPR.
ISO Certification
ISO offers certification for several standards, including ISO 27001 and ISO 9001; certification requires an external audit by a qualified third-party auditor called a registrar. Certification can be lengthy and pricing can be costly upfront, but your certification lasts you three years and can greatly enhance your reputation; certain clients require or request ISO certification, as well. When searching for an ISO auditor, keep in mind that ISO itself does not perform certification audits, so you will have to find a qualified third-party to complete your ISO certification audits.
How Long Does It Take to Become ISO Certified?
There’s no set time frame for becoming ISO certified because it will depend on your organization’s prior preparation, specific needs, team size, and scale. If you are starting from scratch in developing your ISMS or need an overhaul of your systems, it will take longer than an organization that already has a healthy ISMS, is compliant with ISO 27001, or is compliant with adjacent standards like the NIST CSF. However, it is safe to plan for at least 3-6 months to prepare for your initial certification audit. Those months of preparation will include multiple internal audits and potentially the audits of customers and suppliers.
How Automation Can Help You Be ISO Certified and Compliant
Becoming ISO certified and compliant has numerous steps and therefore shouldn’t be rushed, but it doesn’t have to be overwhelming. Automation can make your job much easier and help you keep track of the details of your ISO compliance journey. Employing the right compliance management software can help you manage spreadsheets, audit checklists, control assessments, audit schedules, and other moving parts to make your ISO audit smoother and more efficient. Even if you’re pursuing compliance with multiple ISO standards, and frameworks outside of ISO, AuditBoard’s CrossComply can help you streamline your compliance workflows, centralize stakeholder communications, and facilitate success, no matter what your compliance portfolio looks like.
Frequently Asked Questions About ISO Audits
What is an ISO audit?
An ISO audit is an audit of your organization’s compliance with one of the standards set forth by the International Organization for Standardization (ISO).
What are the types of ISO audits?
There are three types of ISO audits: internal audits (first-party audits), supplier audits (second-party audits), and external audits (third-party audits).
What are the steps to prepare for an audit?
In terms of getting started preparing for an ISO audit, it’s important to 1) determine your goals, 2) create an audit schedule, 3) compile your audit checklists, 4) get organized, and 5) conduct internal audits first!
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.