Auditing multiple management systems new ISO Standard

Issue 35 – February 2012

ISO 19011:2011 Guidelines for auditing management systems provides guidance on conducting internal or external management system audits and on managing audit programmes. Many organisations operate several management systems, such as quality, environmental, information technology services, and information security. The revised ISO 19011 provides a uniform approach to auditing multiple management systems, helping organisations combine the auditing of these systems and save money, time, and resources.

The 2002 edition of ISO 19011 applied only to ISO 9001 (quality) and ISO 14001 (environment). ISO 19011:2011 has been expanded to reflect current thinking and the complexities of auditing multiple management systems. 'Compared to the 2002 version, the Standard adds the concept of risk and recognises more explicitly the competence of the audit team and individual auditors,' says Alister Dalrymple, Convenor of the team that updated the Standard. 'Also, the use of technology in remote auditing is acknowledged, for example, conducting remote interviews and reviewing records remotely.'

In the 2011 edition, the relationship between ISO 19011:2011 and ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems has also been clarified. While those involved in management system certification audits follow the requirements of ISO/IEC 17021, they might also find the guidance in ISO 19011 useful.

Users of ISO 19011 include auditors, audit team leaders, audit programme managers, organisations implementing management systems, and organisations that conduct audits of management systems for contractual or regulatory reasons.

Related Standards

  • AS/NZS ISO 9001:2008 Quality management systems – Requirements
  • AS/NZS ISO 14001:2004 Environmental management systems – Requirements with guidance for use
  • ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
  • AS/NZS ISO/IEC 27001:2006 Information technology – Security techniques – Information security management systems – Requirements
  • AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information management
  • ISO/IEC 27003:2010 Information technology – Security techniques – Information security management system implementation guidance
  • ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

Published in business and ICT.