ISO 19011 is the international standard that gives guidance on auditing management systems. It is guidance, not requirements, so nobody gets "certified to ISO 19011." It is the playbook behind your internal audits: how to run an audit program, conduct an audit, and judge whether your auditors are competent.

Almost every organization that runs a management system leans on ISO 19011 whether it knows the number or not. When your internal auditor plans a schedule, holds an opening meeting, gathers evidence, and writes up findings, they are following the pattern this standard lays out. The current edition is ISO 19011:2018, the third edition, published in July 2018. It applies to any management system, quality, environmental, safety, energy, information security, because auditing is auditing regardless of the clause being checked. This guide covers what the standard contains, the seven principles that anchor it, how it differs from the certification standard, and how to turn its guidance into internal audits your floor actually learns from.

What does ISO 19011 actually cover?

It covers three things: managing an audit program, conducting individual audits, and evaluating the competence of the people who audit. Those map to the three working parts of any real audit function, the calendar, the visit, and the auditor.

The three parts of ISO 19011: program, audit, and auditor What ISO 19011 gives guidance on MANAGE THEAUDIT PROGRAM objectivesrisks + opportunitiesresources + rolesschedule CONDUCT THEAUDIT initiate + prepareopening meetinggather evidencefindings + reportfollow-up EVALUATEAUDITOR COMPETENCE personal behaviorknowledge + skillsevaluationcontinual growth Findings from the audit feed back into the program. It is a loop, not a checklist.
ISO 19011 structures auditing as a managed program, a repeatable audit method, and a defined idea of what makes an auditor competent, the three things a real audit function needs.

Clause 5 covers the audit program: setting objectives, weighing risks and opportunities, assigning roles and resources, and scheduling audits so coverage matches importance and past performance. Clause 6 covers a single audit end to end, initiating it, preparing (document review and an audit plan), conducting it (opening meeting, gathering and verifying evidence by sampling, generating findings, closing meeting), reporting, and following up on corrective actions. Clause 7 covers auditor competence: the personal behavior, knowledge, and skills an auditor needs, and how to evaluate and maintain them. The 2018 edition also expanded practical guidance on remote auditing and combined audits, where one team assesses several standards, say quality and safety, in a single visit.

What are the seven principles of auditing?

ISO 19011 rests on seven principles, and they are worth knowing by name because they are what separate a real audit from a walkthrough. The 2018 edition added the seventh, a risk-based approach, to the six carried over from earlier editions.

The seven principles of auditing in ISO 19011:2018 Seven principles behind a credible audit 1 INTEGRITYhonest, fair, responsible 2 FAIRreport truthfully 3 DUE CAREdiligence + judgment 4 CONFIDENTIALprotect information 5 INDEPENDENCEimpartial, unbiased 6 EVIDENCE-BASEDverifiable, sampled 7 RISK-BASEDadded in 2018 Principles 1–5 govern how the auditor behaves. Principles 6–7 govern how conclusions get reached.
Integrity, fair presentation, due professional care, confidentiality, and independence keep the auditor honest. The evidence-based and risk-based approaches keep the conclusions defensible.

These are not decoration. Independence is why you do not let someone audit their own work. The evidence-based approach is why a finding needs a record, a reading, or an observation behind it rather than a hunch. The risk-based approach, new in 2018, is why the audit program should spend more time where the consequences of failure are higher, and why the auditor should keep asking during the audit where the real risks sit rather than mechanically ticking a checklist.

How is ISO 19011 different from ISO 17021?

ISO 19011 gives guidance for first-party and second-party audits; ISO/IEC 17021-1 gives the requirements for third-party certification audits. If a certification body is auditing you to grant a certificate, they follow ISO/IEC 17021-1. When you audit yourself or your suppliers, ISO 19011 is your reference.

First-, second-, and third-party audits and which standard governs each Three kinds of audit, two standards FIRST PARTYyou audit yourself(internal audit) SECOND PARTYyou audit a supplieror a customer audits you GUIDED BY ISO 19011 THIRD PARTYa certification body audits youto grant a certificateREQUIRED BY ISO/IEC 17021-1(ISO 19011 is useful extra guidance)
You can not be "certified to ISO 19011." It governs the audits you run on yourself and your suppliers; certification bodies work to ISO/IEC 17021-1.

That distinction clears up the most common confusion. A first-party audit is your own internal audit, the health check a good quality team runs on itself. A second-party audit is you assessing a supplier, or a customer assessing you, the kind of visit that feeds a supplier quality program. A third-party audit is the independent certification body granting or maintaining a certificate. ISO 19011 is written for the first two and is explicitly useful as extra guidance for the third. The requirements those certification bodies work to are published separately as ISO/IEC 17021-1 (ISO/IEC 17021-1, standard 60125), and their accreditation is overseen by members of the International Accreditation Forum (IAF).

What makes an auditor competent under ISO 19011?

Competence, in clause 7, is the combination of personal behavior and the right knowledge and skills, demonstrated and kept current. The standard is blunt that auditing is not a role you assign by seniority; it is a skill set you evaluate. Personal behavior covers being ethical, open-minded, observant, and tactful, an auditor who cannot hold a professional conversation on the floor will not gather honest evidence. The knowledge and skills side splits into generic audit skills (how to plan, sample, question, and report) and discipline-specific knowledge (understanding the process, the standard, and the applicable rules for the area being audited).

The practical implication is that a competent internal auditor for a machining cell and a competent internal auditor for a food-safety program are not interchangeable, even though both follow ISO 19011. Both need the generic method; each needs the domain knowledge for the risks in front of them. The standard also expects competence to be evaluated and maintained, through training, witnessed audits, and feedback, so an auditor's skill does not quietly decay into rubber-stamping. That evaluation is exactly what keeps an audit program credible when a certification body comes to check that your internal audits actually work.

How do you turn ISO 19011 into internal audits that matter?

The standard describes good auditing; whether your audits are worth the hours is a matter of execution. These habits separate audits that drive improvement from audits that generate paperwork:

  1. Audit against risk, not the calendar. The 2018 risk-based principle says the process that hurts most when it fails deserves the most audit attention. A flat annual checklist that gives equal time to trivial and critical processes wastes the auditor and misses the danger. Weight your program toward the areas with the worst consequences and the weakest recent history.
  2. Make findings evidence, not opinion. A finding should point to a record, a reading, or an observation. "I think training is weak" is a hunch; "three of five operators on this line have no signed competency record" is a finding someone can act on. The evidence-based principle is what makes a finding survive a disagreement.
  3. Sample honestly. An auditor cannot check everything, so they sample, and the sample has to be representative, not the three records the area supervisor hands over. Choosing where to look is where an experienced auditor earns their keep.
  4. Close the loop with real corrective action. An audit finding that does not drive a root cause analysis and a verified fix through your CAPA process is just a note. The follow-up in clause 6 is where the value is realized, not the report.
  5. Keep the auditor independent. Never let someone audit the area they run. Independence is a principle for a reason, people do not find the problems they are responsible for creating.
  6. Standardize the mechanics. A shared quality audit checklist keeps audits consistent across auditors and shifts, so a finding means the same thing no matter who spotted it, and trends become visible across the program.

Sources for ISO 19011

  • ISO 19011:2018, Guidelines for auditing management systems third edition, is published and maintained by the International Organization for Standardization (ISO 19011:2018, standard 70017).
  • ISO 19011 is guidance, not certifiable requirements; the requirements for bodies performing third-party certification audits are in ISO/IEC 17021-1, and the two documents are deliberately aligned.
  • The American Society for Quality summarizes the standard and its seven principles as a working reference for practitioners (ASQ, ISO 19011).
  • The 2018 third edition added a seventh principle, the risk-based approach, and expanded guidance on remote and combined audits.

Where does auditing meet the plant floor?

An internal audit is only as good as the evidence the floor can produce on demand. The audit asks: show me the last three shifts of quality checks, the calibration status of this gauge, the corrective action from that customer complaint. When those records live on clipboards and in a dozen spreadsheets, the audit becomes a scavenger hunt and the findings are shallow because nobody can reconstruct what actually happened.

That is the gap an operational data layer closes. Harmony captures station-level checks, downtime, and quality events as structured, timestamped data connected to the QMS and ERP, so when an auditor asks for evidence it is already there, searchable, with a trail. It also strengthens the practice underneath any certified system, the internal audits that keep automotive suppliers ready for their IATF 16949 surveillance and every organization ready for the ISO 9001 certification process. See how the modules fit together or read the CLS case study on moving paper logging to real time. ISO 19011 tells you how to audit; good data is what makes the audit find something worth fixing.