ISO 19011


ISO 19011 is an international standard that provides guidelines for auditing management systems. It is published by the International Organization for Standardization (ISO) and was last revised in 2018.

The objective of the ISO 19011 standard

The objective of the ISO 19011 standard is to help organizations carry out effective audits of management systems. It provides a framework for the audit process, including the principles of auditing, planning and conducting audits, and communicating and monitoring audit results.

The ISO 19011 standard is applicable to all types of organizations, regardless of their size, sector of activity or location. It can be used to audit management systems of all kinds, such as quality, environmental, occupational health and safety, information security or social liability management systems.

The principles of auditing

The ISO 19011 standard defines seven audit principles that must be respected to carry out an effective audit:

  • Independence: The auditor must be independent of the auditee. This means that the auditor must have no personal or financial interest in the management system being audited.
  • Objectivity: The auditor must be impartial and objective in their conclusions. This means that the auditor should strive not to let their own opinions or beliefs influence their conclusions.
  • Professionalism: The auditor must act in a professional and competent manner. This means that the auditor must have the knowledge and skills necessary to carry out the audit.
  • Confidentiality: The auditor must respect the confidentiality of the information obtained during the audit. This means that the auditor should only disclose this information to authorized persons.
  • Communication: The auditor must communicate clearly and concisely. This means that the auditor must use language that is simple and understandable to the auditee.
  • Evidence-based approach: Auditors should base their conclusions on the audit evidence collected. This means that they must collect sufficient and relevant evidence to determine whether the management system complies with the requirements.
  • Continuous improvement: Auditors must contribute to the continuous improvement of management systems. This means they must identify areas of the system that can be improved and provide recommendations to address them.

Why carry out an ISO 19011 certified security audit?

Going through a 19011 certified auditor offers several advantages, including:

Audit quality assurance

Certified 19011 auditors have completed training and taken an exam to demonstrate their skills and experience. They are therefore more likely to carry out audits that are effective and comply with the requirements of the standard.

For example, a certified 19011 auditor will be able to understand the requirements of the standard and apply them consistently. They will also be able to use effective audit techniques to collect audit evidence and assess compliance.

International recognition

The 19011 certification is internationally recognized. This means that audit reports produced by 19011 certified auditors are generally accepted by certification bodies, clients and other stakeholders.

Audit reports produced by 19011 certified auditors are generally considered to be more credible and reliable than reports produced by non-certified auditors.

Objectivity and impartiality

Certified 19011 auditors are required:

  • To respect the principles of independence, objectivity and confidentiality. They are therefore more likely to provide an objective opinion on the management system.
  • To avoid any conflict of interest and to take measures to guarantee their objectivity. They are also required to respect the confidentiality of the information collected during the audit.

The advantages of the ISO 19011 standard

The ISO 19011 standard offers many benefits to organizations that implement it, including:

Improving audit effectiveness

The ISO 19011 standard provides a reference framework that allows organizations to perform more effective audits. This means that audits are more likely to cover all important aspects of the management system and provide reliable conclusions.

Increased credibility of audits

ISO 19011 is a recognized international standard that helps increase the credibility of audits. This means that audit findings are more likely to be accepted by stakeholders.

Improving the performance of management systems

Audits carried out in accordance with the ISO 19011 standard can help organizations improve the performance of their management systems. This means that management systems are more likely to meet the needs of organizations and their stakeholders.

Carrying out a 19011 standard audit

Carrying out a 19011 standard audit is a complex process that requires a good understanding of the principles and requirements of the standard. Auditors must be qualified and experienced to carry out effective audits.

Triggering the audit

The first step is to determine the need for an audit. The reasons for an audit can be diverse, such as:

  • Implementation of a new management system: an initial audit is necessary to ensure that the system complies with the requirements of the standard.
  • Certification of a management system: a certification audit is carried out by a third party organization to verify that the system complies with the requirements of the standard.
  • Monitoring the operation of a management system: a surveillance audit is carried out regularly to ensure that the system is operating effectively and achieving its objectives.
  • Improving a management system: an improvement audit can be used to identify areas of the system that can be improved.

Carrying out the document review

The second step is to review the management system documents. Documents to be reviewed include:

  • The quality policy.
  • Procedures.
  • Work instructions.
  • Registers.

The objective of document review is to ensure that these documents are complete, consistent and conform to the requirements of the standard.

For example, an auditor can review the quality policy to ensure that it complies with the requirements of ISO 9001. The auditor can also review the procedures to ensure that they are clear, concise and easy to understand.

Preparing for on-site audit activities

The third step is to plan the on-site audit activities. Tasks to be performed include:

  • Definition of audit objectives.
  • Selection of auditors.
  • Preparation of an audit plan.
  • Communication with the auditee.

The audit objectives should be clear and concise. They should indicate what the audit should achieve.

The selection of auditors should be carried out taking into account the skills and experience of the auditors. Auditors must have the knowledge and skills necessary to successfully complete the audit.

The audit plan should describe the audit activities that will be performed. It must include the following elements:

  • The objectives.
  • The scope.
  • The criteria.
  • The methods.
  • The calendar.

The audit plan should be communicated to the auditee to enable them to prepare for the audit.

On-site audit activity

The fourth step is to collect on-site audit evidence. Audit evidence can be obtained through observations, interviews, document reviews, etc.

Auditors must collect sufficient and relevant audit evidence to determine whether the management system complies with the requirements of the standard.

For example, an auditor can observe ongoing processes to ensure that they comply with procedures. The auditor may also interview employees to obtain their views on the management system. Finally, the auditor can review the documents to ensure they are updated and complete.

Preparation, approval and distribution of the audit report

The fifth step is to prepare, approve and distribute a report that documents the results of the audit. The audit report must include the following elements:

  • A summary of the objectives and scope of the audit.
  • A summary of the audit findings.
  • A list of deviations from requirements.
  • Recommendations to improve the management system.

The audit report must be approved by the audit leaders before being released. It must then be distributed to the auditee and any other person concerned.

Monitoring of corrective actions

The audit is not complete once the audit report has been issued. The auditee must take corrective action to address the discrepancies identified in the audit report. Auditors should monitor corrective actions to ensure they are implemented effectively.
