|
For Certification Body Professionals & ISO Auditors
Monthly News on
ISO Standards & Tech
Issue No. 10 · May 2026
|
|
|
|
Lead Story
ISO 19011:2026 Brings Hybrid and Digital Auditing into the Mainstream
The revised ISO 19011, "Guidelines for auditing management systems," has moved to the Final Draft International Standard stage, signalling that a revised edition is approaching publication in May 2026, replacing the 2018 edition that has guided first-, second-, and third-party audit programmes for nearly a decade. The update is the most consequential refresh of audit guidance since the pandemic reshaped fieldwork, and it formally recognises what most certification bodies already practice: remote and hybrid auditing are now standard practice, supported by secure platforms and real-time collaboration tools. Beyond endorsing these methods, the new text expects audit programmes to be designed around them, requiring updated audit procedures and manuals to explicitly cover remote and hybrid methods, including feasibility, technology selection, data security and contingency plans. Auditor competence requirements have also been sharpened, with more emphasis on information and communication technology (ICT) skills, understanding of remote auditing methods, and the judgement to determine when on-site verification remains indispensable.
For certification bodies, the practical workload is significant: competence matrices, witness audit protocols, scheme rules and audit-time calculations will all need to be reviewed against the new clauses before accreditation bodies begin assessing conformance. CBs should anticipate questions from accreditors on how feasibility decisions between remote, on-site, and hybrid modes are documented, how the integrity and confidentiality of digitally collected evidence is preserved, and how auditor ICT competence is evidenced and maintained. Acting now to map current procedures against the FDIS text will shorten the transition window once publication is confirmed and reduce the risk of nonconformities at the next accreditation assessment.
|
|
|
News
UPDATE ISO 14001:2026 reaches FDIS stage with April publication targeted
The FDIS was released on 5 January 2026 for an eight-week ballot and comment period, with a transition period of three years expected based on a draft IAF mandatory document. The 2026 revision introduces important changes to the world's leading EMS standard, reflecting growing global priorities such as climate resilience, biodiversity and sustainable resource use, while also clarifying and strengthening existing requirements. Certification bodies should begin aligning auditor competence programs and transition planning ahead of the formal kick-off of conversion audits.
UPDATE ISO 9001:2026 advances toward September publication
The revised version of ISO 9001 is expected to be published in September 2026, presenting an opportunity for organizations to review and update their quality management systems. The DIS reveals a standard that evolves rather than revolutionizes, with most additions appearing in non-mandatory sections such as the front matter and Annex A, while core requirements in Clauses 4–10 feature only minor changes, meaning a minimal transition burden for organizations already compliant with ISO 9001:2015. The 2024 climate amendment has been formally integrated into Clause 4.1, requiring consideration of climate change as a factor in the organization's context.
NEW Global Accreditation Cooperation Incorporated formally launches
The formation of Global Accreditation Cooperation Incorporated will reduce duplication of efforts, harmonise accreditation policies and procedures and enable more consistent application of standards across sectors and borders. Existing accreditations issued under the ILAC MRA and IAF MLA will continue to be recognised as arrangements transition to the Global Accreditation Cooperation Incorporated MRA, with no service interruptions, and accreditation bodies, conformity assessment bodies, scheme owners and regional groups will continue operating as normal. CBs should monitor forthcoming GAC mark and reference guidance as legacy IAF and ILAC branding is phased out.
NEW ISO/IEC 27701:2025 republished as a standalone privacy standard
For the first time since 2019, the International Organization for Standardization has updated its international standard for managing privacy compliance programs, covering information security, cybersecurity and privacy protection through privacy information management systems requirements and guidance. ISO/IEC 27701 provides a structured, internationally recognised framework that helps organisations show accountability, manage risks around personally identifiable information, and continually improve their privacy practices. Auditors should note the standard's restructured relationship with ISO/IEC 27001 and prepare scoping conversations with clients pursuing combined ISMS/PIMS certifications.
ALERT IAF MD 4 reissued to govern ICT-based and remote auditing
The updated mandatory document for the use of information and communication technology in auditing and assessment aims to provide a methodology for the use of ICT that is sufficiently flexible and non-prescriptive in nature to optimize the conventional audit and assessment process, while ensuring that adequate controls are in place to avoid abuses that could compromise its integrity. Certification bodies relying on hybrid and remote audit delivery models should verify their procedures, risk assessments and auditor training reflect the current Issue 3 requirements during upcoming accreditation surveillance.
|
|
|
Market Intelligence
Global certificate volumes rebounded sharply in the most recent annual data, with the 2024 rebound to 1,474,118 ISO 9001 certificates marking the highest figure in the standard's five-year history, reflecting both genuine adoption growth and significantly improved data completeness through IAF CertSearch. The cybersecurity segment delivered the most dramatic shift: ISO/IEC 27001 valid certificates nearly doubled, jumping from 48,671 in 2023 to 96,709 in 2024, with certified sites reaching 179,877, a signal that data-protection assurance is moving from differentiator to baseline expectation across IT, financial services, and healthcare buyers. Environmental certification continues to track ESG procurement requirements, with construction remaining the leading specified sector for both ISO 14001 and ISO 45001 in the Survey breakdown (source). For certification bodies, the practical implication is a portfolio mix tilting away from legacy quality-only scopes toward bundled information-security, sustainability, and AI-governance engagements.
Accreditation infrastructure is consolidating around fewer, more interoperable nodes, and audit-program planners should price that into capacity models. There are currently 80 Accreditation Bodies worldwide recognized under the IAF Multilateral Recognition Agreement, while at the governance tier IAF and ILAC confirmed in 2025 their decision to merge into a single global accreditation organization, Global Accreditation Cooperation Incorporated. Operationally, the IAF CertSearch API was launched in April 2025, accelerating the migration of validity checks away from individual CB websites and toward a single authoritative database that procurement teams and second-party auditors increasingly query directly. This combination of consolidation and API-level transparency is raising the floor on data quality but is also surfacing dormant or duplicated certificates that had previously inflated national totals.
Auditor capacity remains the binding constraint on the sector's near-term growth, and pricing has moved accordingly. Typical ISO 27001 stage-one and stage-two audit fees now sit in the $14,000 to $16,000 range for mid-sized scopes, with surveillance audits in years two and three running roughly 33% of the initial fee, and broader certification-audit pricing reaching $10,000 to $50,000 with annual maintenance of $6,000 to $40,000 for more complex estates (source). Demand for the new AI management standard is amplifying the squeeze: ISO/IEC 42001:2023 is the world's first international standard for Artificial Intelligence management systems, and the certifiable nature of the scheme has triggered a rush of scope extensions among CBs that requires retraining lead auditors with cross-disciplinary competence in data science, risk, and conformity assessment. Expect quoted lead times for first audits in cybersecurity and AI scopes to remain elevated through the back half of 2026.
The audit-technology curve is steepening faster than any prior digital transition the profession has navigated. A Wolters Kluwer survey found that AI adoption will double to 80% in 2026, as 39% of internal auditors are already employing AI and a further 41% intend to adopt AI in the next 12 months, and Gartner reports that 83% of audit functions are piloting or using AI, with another 12% planning to follow within the year. Over 70% of chief audit executives say that building AI capability is a strategic priority, pulling third-party assurance providers toward continuous-controls monitoring, evidence-collection automation, and large-language-model-assisted nonconformity drafting. Governance is the lagging variable: most governance models were not built for the volume of AI use cases organizations are now deploying, and centralized review bodies get overwhelmed as use cases multiply, creating bottlenecks that slow the business without actually reducing risk, which is precisely the gap ISO/IEC 42001 certification is being purchased to close.
|
|
|
Upcoming Events
3 June 2026 | EA Workshop on Regulation (EU) 2024/1787 on Methane Emissions Reduction — Online
This online workshop, held on 3 June 2026 from 09:00 to 12:00 CEST, addresses how national accreditation bodies will provide accreditation for verifiers operating under the EU Methane Regulation. Certification bodies and verification scheme operators preparing for the new regulatory verification market will gain direct insight into harmonised accreditation expectations across Europe.
20–27 June 2026 | APAC General Assembly — Indonesia
The Asia Pacific Accreditation Cooperation General Assembly convenes in Indonesia from 20 to 28 June 2026, bringing together accreditation bodies and stakeholders from across the region. The meetings shape regional MRA decisions, peer-evaluation outcomes, and technical positions that directly influence the operational requirements and recognition status of certification bodies accredited within the APAC framework.
22–24 June 2026 | IIA International Conference — Singapore
The IIA's 2026 International Conference takes place in Singapore and virtually on 22–24 June 2026, attracting more than 2,300 attendees from over 150 countries. Sessions on generative AI in auditing, risk assurance, and evolving professional standards offer ISO auditors transferable methodology and technology insights for sharpening third-party audit practice.
25 June 2026 | CQI International Quality Conference and Awards — United Kingdom
The CQI's leading conference and awards programme returns on Thursday 25 June, bringing together thought leaders and quality professionals for a full day of continuous professional development and to celebrate the best of the profession. For CQI and IRCA-registered auditors, the day delivers CPD-eligible content alongside networking with the wider quality management community as the ISO 9001:2026 revision enters its final stretch.
|
|
|
ISO OS Changelogs
NEW Multi-standard audit planning matrix
Auditors can now plan integrated audits across ISO 9001, 14001, 27001, and 45001 within a single timeline view, with shared controls automatically mapped between standards. This reduces duplicated effort on combined assessments and shortens preparation time for stage 1 and stage 2 visits.
UPDATE Client portal evidence requests
The evidence request module now supports bulk uploads, version history, and inline reviewer comments on each submitted document. Certification bodies gain a clearer audit trail and clients receive fewer back-and-forth emails during nonconformity closure.
NEW Certification report PDF templates with accreditation marks
Report templates now include configurable fields for IAF MLA signatories, accreditation body logos, and scope statements rendered in the certificate's working language. This allows CBs to issue compliant certificates directly from the platform without manual layout work in external editors.
|
|
|
|
|
.svg)
%201.svg)
.svg){kind=small}
.svg)
