ISO 9001 FAQ

The standard requires an Internal Audit to be carried out before an external audit can be performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in house, it is important that the auditor is independent and has no prior or current involvement in the development and implementation of the QMS.

The Internal Audit review include:

• A documentation review of policies and procedures to confirm they adhere to the standards requirements
• An evidence review through sampling and analysis to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The internal audit is meant to be continuous throughout the certification period (3 years).

An external audit is essentially the same as for the internal audit, expect that the outcome is the obtention for a certification. 

The external audit starts with a stage 1 and a stage 2.

Stage 1: Consists of an extensive documentation review of your QMS program. This typically can lasts couple hours to a day.

The outcome of the stage 1 is a list of findings (non-conformities) that would need to be remediated before moving to the Stage 2.

Stage 2: Consists of an extensive review of evidence that supports the documentation provided during the Stage 1 to confirm that the controls operate according to the ISO 9001 requirements. This takes a bit more time than the Stage 1 and can last couple days to a week.

The outcome of the stage 2 is a list of findings (non-conformities) that would need to be remediated before being recommended for a certification.

An ISO 9001 certification is valid for three years.

Doesn’t mean you do nothing for 3 years, no!

ISO requires surveillance audits to be performed each year to ensure the QMS program and  controls continue to operate effectively.