Definition

External audit

An external audit is an independent assessment performed by an accredited certification body to verify a management system's conformity with an ISO standard.

The external (or third-party) audit is conducted by a certification body accredited under ISO/IEC 17021-1. It is divided into two stages: Stage 1 (documentation review and readiness assessment) and Stage 2 (on-site implementation audit). Its result determines whether certification is granted, maintained or withdrawn.

Key aspects

Stage 1 and Stage 2

Stage 1 evaluates documentation and readiness. Stage 2 verifies effective implementation in the organization's actual operations.

Body independence

The certification body must be accredited and independent: it cannot offer consultancy to the same organization it audits.

3-year cycle

Certification has a 3-year cycle: initial audit, annual surveillance and recertification at cycle end.

Frequently asked questions

Internal audit is performed by the organization or a hired consultant. External audit is executed by an accredited certification body with authority to grant, maintain or withdraw certification.

It depends on scope, organization size and standard. ISO/IEC 17021-1 and IAF MD documents establish minimum auditor-days. A mid-sized organization may require 4-8 total auditor-days.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

External audit

Key aspects

Stage 1 and Stage 2

Body independence

3-year cycle

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

External audit

Key aspects

Stage 1 and Stage 2

Body independence

3-year cycle

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

External audit

Key aspects

Stage 1 and Stage 2

Body independence

3-year cycle

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

External audit

Key aspects

Stage 1 and Stage 2

Body independence

3-year cycle

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?