I cannot resist quoting one of my favourite books and films, but in this case the reference is not gratuitous.

A standard to rule them all is exactly what ISO 19011 is.

If you have ever received a compliance audit report — ISO 27001, ISO 9001, ISO 22301 — that report followed a precise logic.

ISO 19011 governs how audits are conducted and how their results are documented. It dictates how an audit is planned, carried out, and concluded in a report.

Yet ISO 19011 is almost invisible in compliance conversations. People talk about the audited standard — ISO 27001, ISO 27701, ISO 42001, and so on. Rarely about the standard that governs how we audit.

Understanding ISO 19011 means understanding what the auditor is supposed to do, how they must document it, and what your organization can legitimately expect of them.

ISO 19011:2018 — Guidelines for auditing management systems.

It is a generic standard that applies to all management system audits, regardless of the standard being audited. It defines how to audit them.

It covers four major questions:

  1. What principles govern the audit?
  2. How do you plan and manage an audit programme?
  3. How do you conduct an individual audit, from preparation to the final report?
  4. What competencies must an auditor possess?

ISO 19011 applies equally to internal audits and to first-, second-, and third-party external audits. It is the competence reference for ISO 27001 auditors, which is why accredited certification bodies such as Bureau Veritas, BSI, and SGS train their auditors on this basis.

The 7 fundamental audit principles according to ISO 19011

ISO 19011 sets out seven principles that are not suggestions. They are the foundations on which the credibility of every audit report rests.

1. Integrity

The auditor acts with honesty and responsibility. They report what they observe, not what the client wants to hear. An auditor who minimizes non-conformities to avoid conflict violates this principle.

2. Fair presentation

Findings, conclusions, and reports must faithfully reflect audit activities. No bias, no favourable selection of evidence. This principle is directly tied to the obligation to base findings on objective evidence.

3. Due professional care

The auditor applies professional judgement throughout the audit. That means adapting the depth of verification to the organization’s risk profile, not applying an identical template to every client.

4. Confidentiality

Information obtained during the audit is protected. The auditor does not disclose to third parties what they saw in your systems, except where required by law or with explicit consent.

5. Independence

The auditor must be free from any influence that could bias their conclusions. That is why a consultant who helped you implement your ISMS should not then audit it themselves. That conflict of interest is a direct violation of ISO 19011.

6. Evidence-based approach

This is the most operational principle. Audit findings must be based on verifiable evidence. An opinion, an impression, an intuition — that is not an audit finding. If an auditor hands you a non-conformity without linking it to objective evidence, they are deviating from this principle.

7. Risk-based approach

Audit planning and conduct must account for risks related to audit objectives. In practice: the auditor does not spend as much time on a low-criticality control as on one that protects sensitive data. Audit effort allocation must be proportional to risk.

The verification path: how ISO 19011 structures an audit

ISO 19011 describes a five-step cycle. This is what I call the verification path — the sequential logic that every well-conducted audit follows.

Step 1: Establishing the audit programme

Before even planning an individual audit, ISO 19011 requires an audit programme to be established. This programme defines the scope, frequency, methods, and resources for all audits planned over a given period.

For an ISO 27001–certified organization, that means an annual schedule of internal audits covering the entire ISMS — not a one-off audit triggered when someone has time.

What this reveals: an organization without a structured audit programme immediately signals insufficient maturity on ISO 27001 Clause 9.2.

Step 2: Planning the audit

Each individual audit begins with documented planning. It specifies objectives, criteria, scope, methods, people to meet, documents to examine, and the schedule.

ISO 19011 requires this planning to be communicated to the auditee before the audit. This is not a formality; it is an obligation that allows the organization to prepare relevant evidence and designate the right contacts.

What this reveals: an auditor who shows up without a documented plan does not comply with ISO 19011. You have the right to ask for it.

Step 3: Conducting the audit

This is the execution phase. It includes the opening meeting, evidence collection (interviews, direct observation, document review), analysis of findings, and the closing meeting.

ISO 19011 stresses a point that is often neglected: the closing meeting. The auditor must present their findings to the auditee before finalizing the report. This allows factual misunderstandings to be corrected — not to negotiate non-conformities, but to ensure the facts are accurately represented.

If you receive a report with findings you never heard in the closing meeting, there is a process problem with the auditor.

Step 4: Producing the audit report

The report must be produced within an agreed timeframe after the audit. ISO 19011 defines its minimum content: objectives, scope, dates, auditor identification, auditee identification, findings with normative basis and evidence, conclusions, and recommendations.

A report that does not contain these elements is incomplete, regardless of the quality of the fieldwork.

Step 5: Closure and follow-up

The audit is not finished when the report is delivered. ISO 19011 provides for follow-up on corrective actions for identified non-conformities. The organization must demonstrate that corrections have been made, and the auditor (or their client) should verify their effectiveness.

Competencies required of an auditor

ISO 19011 devotes an entire section to the competencies required of auditors. This is what distinguishes a qualified auditor from a consultant filling in a template.

Competencies cover four areas:

Knowledge of the audited standard: an ISO 27001 auditor must master the 93 Annex A controls, Clauses 4 through 10, and their interpretation in an operational context.

Audit knowledge: interview techniques, evidence collection, writing findings, managing conflicts of interest.

Knowledge of the industry sector: an auditor who does not understand the organization’s operational context cannot assess the relevance of controls.

Personal competencies: rigour, objectivity, ability to communicate difficult findings without ambiguity.

ISO 19011 does not say an auditor must hold a particular certification. It says they must demonstrate these competencies. Certification (CISA, ISO 27001 Lead Auditor) is an indicator, not a guarantee.

What you can expect from your auditor

If you take one thing from this article, let it be this: ISO 19011 gives you rights as an auditee.

You can require:

  • A documented audit plan before work begins.
  • That every finding be linked to objective evidence and a specific clause or control.
  • A closing meeting before the report is finalized.
  • A report delivered within the agreed timeframe, with the minimum content defined by the standard.
  • Documented follow-up of corrective actions.

An auditor who refuses these requests does not comply with ISO 19011. And a report produced without following these steps is a report whose rigour you are entitled to challenge.

In short, ISO 19011 is not an optional standard for people who like reading standards. It is the framework that governs the credibility of every management system audit.

So when you receive an ISO 27001 audit report, you know how to evaluate whether it is good or bad!