ISO Audit

ISO 9000 & 9001 are part of a system of quality management. ISO 9000 describes the key elements of a quality system, while ISO 9001 describes how companies can prove that they fulfill the ISO 9000 quality management system.

ISO 9000 & 9001 are part of a system of quality management. ISO 9000 describes the key elements of a quality system, while ISO 9001 describes how companies can prove that they fulfill the ISO 9000 quality management system. Originally, it was created to ensure that a supplier produces parts to a high-quality standard and define a global standard to evaluate suppliers. Once a company is certified by an independent external auditor, the customers do not need to run their own audits.

The ISO 9000ff audit is the shortcut name for the main audit or annual repeat audit (if no main audit takes place). The certified external auditor will check whether the company works according to its defined quality management system. The process documented in this blueprint describes the yearly activities to prepare for the audit and provide the necessary audit papers.


The following stages are identified in the blueprint:

  1. Collect Data and Information - Yearly

    This stage prepares the information for the management evaluation. The quality management officer collects performance data from all KPIs, that will be part of the management evaluation. This includes customer satisfaction data and internal complaint information. The data is needed by top management to evaluate the actions and the progress toward the quality goals.

  2. Update of Key Documents - Yearly

    Many documents need to be reviewed. During the review, the quality management officer checks for any update necessity. At first, he checks, if the standard itself was changed or updated. If a change happens, the quality management officer will identify, when the new standard applies to the company and plan the transition to the new standard.

    Many different content documents are required by the ISO 9000 standard. The stakeholder analysis needs to be assessed, if they need an update. The risk-based methodology asks for a risk register, which in most companies is called the risk and opportunity register (Opportunity is a positive risk, which ISO calls a risk). The Political, Economic, Social, Technological, Legal, Environmental (PESTLE) analysis needs to be checked with compliance, legal, HR, sustainability, and finance if relevant changes need to be incorporated and the document needs to be updated. The strengths, weaknesses, opportunities, and threats (SWOT) analysis needs to be reviewed with sales, product development, industrial engineering, product management, marketing, and other relevant departments. For most of these documents, last year's documents will be reviewed and updated as needed. 

    As a last point, the corrective actions from the last audits will be reviewed, and the effectiveness of the measures assessed and documented.

  3. Evaluate Overall Results

    Based on all the prepared information, the chief executive officer (CEO) will review the status of the quality management system as a whole and evaluate the overall status. This includes the corrective actions from the last quality audit and the progress toward last year's quality goals. The CEO will also review the PESTLE, SWOT, and stakeholder analysis. Any input from the CEO will lead to updates to these documents. The focus is to evaluate, how effective the quality management system as a whole is working. Having a working quality management system will reduce the workload for the CEO, as the processes are set up correctly to achieve the goals. If this is not the case, the CEO needs to initiate actions to ensure, that the processes are set up correctly in the future.

    Then, the CEO will define the quality management policy for the new year. Based on last year's results, new areas for improvement will be identified and defined. The review needs to be documented for the external audit. The new quality goals are defined. In order to track the progress, key performance indicators (KPIs) are selected and defined, which will be used to monitor the quality goals. For each KPI a target needs to be defined.

  4. Initiate Actions from Last Audit

    The open issues and action items from the last audit will be followed up automatically in the next audit. An action plan is defined to ensure that the identified issues will be solved and the action items are executed by the responsible process owners in the organization. The quality management officer will monitor the progress and initiate extra actions to ensure that these issues will be solved at the next external audit.

  5. Develop Internal Audit Plan

    Internal audits are the internal tools to check if the quality management system is working. Internal auditors will audit different departments to collect information on the actual state and planned initiatives to improve the processes. For each year, the areas, which are covered by internal audits, are defined and internal auditors are assigned to the areas. The audits are scheduled and a plan with all planned internal audits is collected. The quality management officer is responsible for training the internal auditors so they know, what their tasks and objectives are and how they best can run the audits.

  6. Manage Internal Audits

    Based on the audit plan, the audits are executed to the defined schedule. The internal auditors are responsible for documenting the audits and the results, which may include process improvements or other actions, that are included in the overall quality action plan.

  7. Review Progress - Monthly

    Monthly, the quality management officer is reviewing the progress of the company towards the quality goals. The results of the processes are monitored with the key performance indicators (KPI). New actions are initiated; if the KPIs do not improve or improve too slowly as well as if the defined action items are not effective or their execution is delayed.

    A monthly progress check and review of customer and internal complaints ensure, that the quality management system is working well. The progress of internal audits compared to the plan is monitored and, if necessary, new actions are initiated. The internal audit and external supplier audit results are assessed. If the audits identify deficiencies, new action items will be created. Other long-running approaches, such as the test system surveillance and the calibration of test tools are also included to avoid any last-minute actions before the external audit.

  8. Update Process Documentation - Quarterly

    If any process needs an update, the gaps in the processes need to be documented and a team will be charged to define process upgrades. The changes in the processes will be documented in the system. Before the release of the updated process, the documented process is reviewed by the team to check if all gaps are addressed and the process describes the best execution. Once the process is in the best possible shape, the process will be released by the process owner and integrated into the quality management documentation.

  9. Train New Employees

    When new employees join the company or a new owner is assigned to a process, the quality management officer is responsible for training them about the quality management system. After the training, the effectiveness of the training needs to be reviewed.

  10. Plan Yearly Audit

    For the yearly audit, dates with the management need to be blocked for the audits. The organization needs to be prepared and receive instructions for the external audit. The quality management officer prepares the documentation for the external auditor. Then the date and scope of the external audit are agreed upon with the external auditor. A schedule for the audit is defined and the meetings with the auditees are scheduled. The external auditor receives the documentation to prepare for the audit. Before the audit, management receives an update on the quality management system and the audit preparations.

  11. Execute Yearly Audit

    The external auditor arrives for the audit and he runs the audit, meeting with the auditees and management to review and assess the quality management systems. After the audit, the auditor creates the preliminary results and presents the result to management and the quality management officer, who can provide their input and view on the results. The preliminary results will be passed on to the quality management officer. They include the findings, any deviations, and any new actions recommended to deal with any deviations.

  12. Process Results from Yearly Audit

    If the company passes the audit, the company will receive the updated certification, which will be distributed through the marketing department. The quality management officer will review the results and update the action item list.


This blueprint is best used for any company, that requires an ISO 9001 audit. It covers all companies from all industries. It is mostly applicable to companies that have other businesses or the government as customers, as these organizations focus more on ISO 9000 than consumers.


The advantage of the ISO 9000 certification is the reduced effort for supplier audits from different customers. Using an overall quality management system and proofing that your company adheres to this system will increase the quality of your products and services.

The overall process will be managed by the quality management officer. He was named by management to run the overall quality management system. The process supports the company in achieving the certification. As there are many parallel activities, that need to be coordinated, required, the process helps to ensure that all information needed for the audit is generated.

Achieving ISO 9001 is important for most customers of a B2B company. Without ISO 9001 the company will potentially lose customers if they cannot prove their ISO 9000ff certification. This process will facilitate the interaction of all departments in the company to implement the quality management policy initiated by top management and achieve certification from an external auditor.