Definition

Audit criteria

Audit criteria are the set of requirements used as a reference against which audit evidence is compared.

According to ISO 19011, audit criteria are the set of policies, procedures or requirements used as a reference against which audit evidence is compared. They can include ISO standard requirements, applicable legislation, contractual requirements, internal policies and documented management system procedures.

Key aspects

Types of criteria

Include applicable ISO standard requirements, legislation and regulations, contractual requirements, and the organization's internal policies and procedures.

Pre-audit definition

Criteria must be defined and communicated before the audit so both the audit team and auditee know the evaluation basis.

Basis for findings

Each audit finding is formulated by comparing collected objective evidence against a specific criterion. Without clear criteria, there is no valid finding.

Frequently asked questions

No. In addition to the standard, they can include applicable legislation, client contractual requirements, internal policies, documented procedures and sector codes.

Criteria are agreed before the audit and in principle are not modified during execution. Any changes must be agreed between the lead auditor and the auditee.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Audit criteria

Key aspects

Types of criteria

Pre-audit definition

Basis for findings

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Audit criteria

Key aspects

Types of criteria

Pre-audit definition

Basis for findings

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Audit criteria

Key aspects

Types of criteria

Pre-audit definition

Basis for findings

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Audit criteria

Key aspects

Types of criteria

Pre-audit definition

Basis for findings

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?