Understanding the types of ISO audits is the first step every organization must take before pursuing ISO certification. Whether you are preparing for ISO 27001, ISO 9001, or ISO 42001, the audit process follows the same foundational structure — internal, external, and surveillance — each serving a distinct purpose in your compliance journey. This guide explains all three types of ISO audits, how they differ, and what your organization needs to know to approach each one with confidence.
TL;DR
Concern: Organizations frequently misunderstand the differences between ISO audit types, leading to poor preparation, unexpected nonconformities, and delays in achieving or maintaining certification.
Overview: There are three core types of ISO audits: first-party (internal audits), second-party (supplier audits), and third-party (certification audits). Certification audits run across two stages — Stage 1 (documentation review) and Stage 2 (implementation verification). After certification, annual surveillance audits and three-year recertification audits maintain ongoing compliance.
Solution: Understand the purpose, scope, and requirements of each audit type before engaging an auditor. Build internal audit capability early, maintain current documentation, and align your processes with the applicable ISO standard throughout the year — not just at audit time.
What Is an ISO Audit?
An ISO audit is a structured, evidence-based evaluation of whether an organization’s management system conforms to the requirements of a specific ISO standard. The International Organization for Standardization (ISO), headquartered in Geneva, Switzerland, develops and maintains these standards across industries, from information security (ISO/IEC 27001) to quality management (ISO 9001), environmental management (ISO 14001), and AI management systems (ISO/IEC 42001).
ISO audits serve two primary purposes. First, they provide organizations with an objective assessment of how their systems, controls, and processes align with a chosen standard. Second, they form the basis for formal ISO certification when conducted by an accredited third-party body.
Not all ISO audits result in certification. Internal and supplier audits are ongoing operational tools. Certification audits, by contrast, are formal examinations conducted by an accredited certification body and result in an ISO certificate if the organization meets all requirements.
What Are the Three Types of ISO Audits?
The three types of ISO audits are defined by who conducts the audit and for what purpose: first-party (internal), second-party (supplier), and third-party (certification). Each type operates independently, though they collectively support an organization’s overall compliance posture.
1. First-Party Audit — Internal ISO Audit
A first-party audit, commonly known as an internal ISO audit, is conducted by the organization itself. An internal auditor — either an employee trained in ISO auditing or an external consultant engaged for this purpose — evaluates whether the organization’s management system meets the requirements of the applicable ISO standard.
Internal ISO audits are not optional formalities. Every major ISO standard, including ISO 27001, ISO 9001, ISO 14001, and ISO 42001, explicitly requires organizations to conduct internal audits at planned intervals. The results must be documented, reported to management, and used to drive corrective actions where gaps are identified.
What an internal ISO audit covers:
- Review of documented policies, procedures, and controls against the applicable standard
- Interviews with personnel responsible for key processes
- Evaluation of records and evidence demonstrating that controls are operating as intended
- Identification of nonconformities, observations, and opportunities for improvement
- Formal reporting to senior management and the management review process
Why it matters: Internal audits are the primary mechanism through which organizations identify and close compliance gaps before a formal external audit. Organizations that conduct rigorous internal audits tend to see fewer nonconformities during Stage 2 certification audits and surveillance visits, because the gaps have already been found and corrected in-house.
Internal audits also fulfill a documentation requirement. Auditors at certification stage will review your internal audit records — including audit plans, checklists, findings, and corrective action logs — as part of their evidence review.
2. Second-Party Audit — Supplier ISO Audit
A second-party audit is conducted by one organization on another — typically a customer auditing its suppliers or vendors. The organization performing the audit evaluates whether the supplier meets specified ISO standards or contractual compliance requirements.
Supplier audits have grown in strategic importance as organizations face increasing scrutiny over supply chain risk. ISO 27001, in particular, includes specific controls under Annex A relating to supplier relationships and information security in the supply chain. A supplier that handles your data, integrates with your systems, or delivers critical services represents a direct extension of your risk environment.
When supplier audits are used:
- Before onboarding a new vendor that will handle sensitive data or critical operations
- During periodic reviews of existing supplier compliance
- Following an incident or breach that originated in the supply chain
- When renewing contracts with compliance-related obligations
What distinguishes second-party audits: Unlike internal audits, the organization being audited does not control the process. The auditing organization sets the scope, criteria, and reporting format. Results are used for procurement decisions, contract renewals, and risk management — not for ISO certification directly.
Managing supplier security is itself an ISO requirement. ISO/IEC 27001:2022 Annex A controls 5.19 through 5.22 address supplier relationships, requiring organizations to define the information security requirements applied to suppliers, agree them contractually, and monitor and review supplier performance against them. A supplier audit is one of the most direct ways to evidence that monitoring and review.
3. Third-Party Audit — ISO Certification Audit
A third-party audit is an independent examination conducted by an accredited certification body. It is the only type of ISO audit that results in formal ISO certification. For the certificate to be widely recognized, the certification body should be accredited by a national accreditation body that is a member of the IAF (International Accreditation Forum), such as UKAS in the UK, DAkkS in Germany, NABCB in India, or ANAB in the USA. Check the accreditation body’s public register before engaging a certification body; an unaccredited certificate carries little weight with customers and regulators.
Third-party ISO certification audits are structured across two stages for initial certification, followed by ongoing surveillance and recertification cycles.
Stage 1 — Documentation and Readiness Review
Stage 1 is a desk-based review of your organization’s documented management system. Auditors evaluate whether your policies, procedures, risk assessments, and Statement of Applicability (for ISO 27001) are complete, appropriate, and aligned with the standard’s requirements, and confirm that at least one internal audit and management review have been carried out. Stage 1 identifies any significant gaps that must be resolved before Stage 2 can proceed.
Stage 1 is typically conducted remotely, though on-site visits are arranged when the auditor needs to understand the operating context of the organization more fully.
Stage 2 — Implementation Verification
Stage 2 is an on-site audit that verifies whether the management system described in your documentation is actually implemented and operating effectively in practice. Auditors conduct interviews, observe processes, test controls, and review evidence across all areas within the defined scope.
Findings are categorized as major nonconformities, minor nonconformities, or observations. Major nonconformities must be resolved before certification is granted. Minor nonconformities require a corrective action plan but may not prevent certification, depending on the certification body’s policy.
Surveillance Audits: After initial certification, most ISO standards require annual surveillance audits to confirm that the certified management system continues to operate effectively. Surveillance audits are narrower in scope than the full Stage 2 audit — they typically focus on specific areas, any previously identified nonconformities, and changes to the organization that may affect the management system.
Recertification Audits: ISO certificates are issued for a three-year period. At the end of this cycle, a full recertification audit is required. Recertification audits are comparable in scope to a Stage 2 audit and result in a renewed three-year certificate if the organization continues to meet all requirements.
ISO Audit Methods: How Audits Are Conducted
Regardless of audit type, ISO audits use a consistent set of evidence-gathering techniques:
Document Review: Auditors examine policies, procedures, risk registers, training records, incident logs, corrective action records, and management review minutes. Documentation must be current, version-controlled, and accessible.
Interviews: Auditors conduct structured interviews with personnel at all levels from process owners and department heads to front-line staff. Responses are cross-referenced with documented procedures to confirm alignment between written policy and actual practice.
Observation: Where applicable, auditors directly observe processes and activities to verify they operate as described. This is particularly relevant for physical security controls, operational procedures, and access management practices.
Sampling: Given the volume of records in most organizations, auditors test a sample of evidence rather than every record, selected randomly, by auditor judgement, or both. A single missed record may be raised as an observation; a consistent pattern of nonconformance across the sample will be escalated to a formal finding.
Remote vs. On-Site Audits
ISO audits can be conducted on-site, remotely, or through a hybrid of both. Internal audits are commonly conducted remotely using shared document repositories and video conferencing. Stage 1 certification audits are frequently remote. Stage 2 audits, surveillance visits, and recertification audits typically require on-site presence, though accreditation bodies have updated their guidance to permit remote components where justified and agreed with the certification body.
How Long Does ISO Certification Take?
The timeline for achieving ISO certification depends on the standard, the organization’s size, existing documentation maturity, and how actively gaps are addressed during preparation.
For organizations starting from a low baseline:
- Gap analysis and documentation: 2 to 4 months
- Implementation and internal audit: 1 to 3 months
- Stage 1 and Stage 2 certification audit: 4 to 8 weeks from engagement
A realistic total timeline for first-time ISO 27001 certification in a mid-sized organization is 4 to 9 months. Organizations with existing compliance frameworks or prior ISO certification in a related standard can move significantly faster.
The choice of standard also affects timeline complexity. ISO 27001 and ISO 42001 involve more extensive control frameworks than ISO 9001, which typically has a shorter implementation cycle for organizations with mature quality management processes.
Preparing for an ISO Audit: Five Practical Steps
1. Define scope and objectives clearly Before any audit begins, confirm what systems, processes, locations, and personnel fall within the audit scope. An overly broad scope extends timelines and increases audit complexity. A scope that is too narrow may not satisfy customer or regulatory requirements.
2. Conduct a gap analysis before your internal audit Use the applicable ISO standard’s requirements as a checklist to identify where your current practices fall short. A structured gap analysis gives you a prioritized list of issues to address before your formal internal audit.
3. Maintain audit-ready documentation throughout the year Do not treat documentation as an audit preparation activity. Policies, risk registers, asset inventories, access logs, training records, and corrective action logs should be maintained and updated as a continuous operational practice. Auditors can and do verify document modification dates.
4. Train your team on what to expect Personnel who will be interviewed during an audit should understand the purpose of the audit, the scope of their role within the management system, and how to respond to auditor inquiries accurately. Common audit failures occur when staff give responses that contradict documented procedures — not because controls are absent, but because training is insufficient.
5. Close internal audit findings before your certification audit Any nonconformities identified during internal audits must have documented corrective actions, with root cause and closure evidence, before your Stage 2 audit; observations should at least have a recorded decision. Auditors will review internal audit records and will follow up on previously identified findings. Unresolved findings from internal audits are a red flag during certification reviews.
Common ISO Audit Findings — and How to Avoid Them
The same issues appear repeatedly across ISO certification audits, regardless of the standard or organization size:
Incomplete or outdated documentation: Policies that reference outdated versions of the standard, risk registers that have not been reviewed in over a year, and procedures that do not match actual practice are among the most cited findings.
Insufficient internal audit frequency: Many organizations conduct a single internal audit immediately before their certification or surveillance audit. ISO standards require audits at planned intervals — which in practice means at least annually, covering all areas of the management system across the certification cycle.
Weak risk assessment methodology: Particularly for ISO 27001, auditors look for evidence that risks have been identified, evaluated against consistent criteria, and treated through documented controls. Risk registers that list risks without owner assignment, treatment status, or residual risk ratings are a common finding.
Training records not maintained: ISO standards require evidence that personnel whose work affects the management system are competent to perform their roles. Missing, incomplete, or unsigned training records are a straightforward but frequently cited nonconformity.
Corrective actions not closed out: Finding a nonconformity is expected. Failing to close it out with documented evidence of root cause analysis and corrective action is not acceptable. Auditors routinely follow up on previously identified nonconformities.
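Three of the findings above (stale or outdated documents, risk register entries without owner, treatment status or residual rating, and corrective actions closed without evidence or left open past their due date) can be caught mechanically before an auditor does. The following pre-audit self-check is an added example written for this article, not code from the author or from any GRC product. The document, risk and corrective-action registers are constructed sample data embedded inline; in practice you would load them from your own tracker or spreadsheet exports. Field names, the 365-day review window and the ISO/IEC 27001:2022 reference string are assumptions for illustration.

```python
"""Pre-audit self-check over a document register, risk register and
corrective-action log. Added example; all data below is constructed."""
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 365                      # assumption: annual review cycle
CURRENT_STANDARD = "ISO/IEC 27001:2022"       # assumption: edition in scope
RISK_REQUIRED_FIELDS = ("owner", "treatment_status", "residual_rating")
AUDIT_DATE = date(2025, 6, 1)                 # fixed "today" for reproducibility

# Constructed sample registers (hypothetical, not real records).
DOCUMENTS = [
    {"id": "POL-01", "title": "Information Security Policy",
     "standard_ref": "ISO/IEC 27001:2022", "last_reviewed": date(2025, 1, 10)},
    {"id": "POL-02", "title": "Access Control Policy",
     "standard_ref": "ISO/IEC 27001:2013", "last_reviewed": date(2024, 2, 1)},
    {"id": "PRO-07", "title": "Incident Response Procedure",
     "standard_ref": "ISO/IEC 27001:2022", "last_reviewed": date(2024, 11, 30)},
]
RISKS = [
    {"id": "R-001", "owner": "CISO", "treatment_status": "implemented", "residual_rating": "low"},
    {"id": "R-002", "owner": "", "treatment_status": "planned", "residual_rating": "medium"},
    {"id": "R-003", "owner": "IT Ops", "treatment_status": "", "residual_rating": ""},
]
CORRECTIVE_ACTIONS = [
    {"id": "CA-11", "finding": "Backup restore not tested", "status": "closed",
     "due": date(2025, 3, 1), "root_cause": "No restore test schedule",
     "evidence": "restore-test-2025-02.pdf"},
    {"id": "CA-12", "finding": "Joiner access not approved", "status": "open",
     "due": date(2025, 4, 15), "root_cause": "", "evidence": ""},
    {"id": "CA-13", "finding": "Awareness training overdue", "status": "closed",
     "due": date(2025, 5, 1), "root_cause": "Scheduling gap", "evidence": ""},
]


def stale_documents(docs, today, window_days=REVIEW_WINDOW_DAYS):
    """IDs of documents whose last review is older than the review window."""
    cutoff = today - timedelta(days=window_days)
    return sorted(d["id"] for d in docs if d["last_reviewed"] < cutoff)


def outdated_standard_refs(docs, current=CURRENT_STANDARD):
    """IDs of documents still citing an edition other than the one in scope."""
    return sorted(d["id"] for d in docs if d["standard_ref"] != current)


def incomplete_risks(risks, required=RISK_REQUIRED_FIELDS):
    """Map risk ID -> required fields that are absent or blank."""
    findings = {}
    for r in risks:
        missing = [f for f in required if not str(r.get(f, "")).strip()]
        if missing:
            findings[r["id"]] = missing
    return findings


def corrective_action_gaps(actions, today):
    """Open actions past due, and 'closed' actions lacking root cause or evidence."""
    overdue, unsupported = [], []
    for a in actions:
        if a["status"] == "open" and a["due"] < today:
            overdue.append(a["id"])
        if a["status"] == "closed" and not (a["root_cause"].strip() and a["evidence"].strip()):
            unsupported.append(a["id"])
    return {"overdue": sorted(overdue), "closed_without_evidence": sorted(unsupported)}


def run_checks(today, docs=DOCUMENTS, risks=RISKS, actions=CORRECTIVE_ACTIONS):
    """Run every check and return the findings keyed by check name."""
    return {
        "stale_documents": stale_documents(docs, today),
        "outdated_standard_refs": outdated_standard_refs(docs),
        "incomplete_risks": incomplete_risks(risks),
        "corrective_actions": corrective_action_gaps(actions, today),
    }


if __name__ == "__main__":
    for check, result in run_checks(AUDIT_DATE).items():
        print(f"{check}: {result}")
```

Run it as a scheduled job against fresh exports rather than once before the audit: the point of the checks is to keep the registers audit-ready all year, so an empty findings list on the day the certification body arrives is the expected state, not a last-minute cleanup.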
FAQ
What is the difference between an internal audit and a certification audit?
An internal audit is conducted by the organization itself to evaluate compliance with a chosen ISO standard and identify gaps before formal assessment. A certification audit is conducted by an independent, accredited third-party certification body and results in formal ISO certification if the organization meets all requirements.
How often are ISO surveillance audits conducted?
Accreditation rules for certification bodies (ISO/IEC 17021-1) require a surveillance audit at least once a calendar year during the three-year certification cycle, with the first one no more than 12 months after the certification decision. The exact dates are agreed between the organization and the certification body at the time of initial certification.
Can ISO audits be conducted remotely?
Stage 1 certification audits and many internal audits are routinely conducted remotely. Stage 2 certification audits, surveillance audits, and recertification audits typically involve on-site presence, though hybrid formats are permitted where justified and agreed upon with the certification body.
What happens if a major nonconformity is found during a Stage 2 audit?
A major nonconformity indicates a significant failure to meet a requirement of the ISO standard. Certification cannot be granted until the nonconformity is resolved and evidence of corrective action is reviewed and accepted by the certification body.
How long is an ISO certificate valid?
ISO certificates are issued for a three-year period, subject to successful annual surveillance audits. At the end of the three-year cycle, a full recertification audit is required to renew the certificate.
What is the difference between ISO compliance and ISO certification?
ISO compliance means an organization has implemented controls and practices that align with a chosen standard; it is a self-assessed state. ISO certification means an accredited third-party body has independently verified that compliance through a formal audit and issued a certificate. Certification provides the independent validation that a self-declaration of compliance cannot.

About the Author
ANUPAM SAHA
Anupam Saha, an accomplished Audit Team Leader, possesses expertise in implementing and managing standards across diverse domains. Serving as an ISO 27001 Lead Auditor, Anupam spearheads the establishment and optimization of robust information security frameworks.