An ISO (International Organization for Standardization) surveillance audit is an occasional review of a company’s quality management system or information security management system (ISMS) by an accredited auditor, to confirm that the company still meets ISO standards, after the company had already achieved ISO compliance at some point in the past. 

To put it more simply: an ISO surveillance audit checks on your business to confirm whether you’re still on the ISO path.

What Is an ISO 9001 surveillance audit?

An ISO 9001 surveillance audit is a part of the process to monitor and maintain compliance with the ISO 9001 standard. ISO 9001 is a standard for quality management systems, and organizations that are certified to this standard must undergo regular surveillance audits to assure they continue to meet the standard’s requirements.

How often does the ISO 9001 surveillance audit occur?

Once a company achieves ISO 9001 compliance (which includes an outside audit) and obtains an ISO certification, that certification is valid for three years. ISO surveillance audits are then conducted in each of the next two years after certification — at which point, the company then needs to be re-certified. (The surveillance audits should help your organization to be ready for recertification when that time comes.)

The surveillance audit will always review specific areas that apply to certification audits. Depending on your organization and the specific ISO standards for which you are seeking certification, the audit areas may entail:

  • The performance and maintenance of the organization’s systems;
  • Preventive and corrective actions and processes;
  • The effectiveness of the organization’s internal auditing process;
  • The implementation of recommendations following the company’s internal audits;
  • Regular management reviews of the ISO implementation; 
  • Customer satisfaction rates; 
  • Updates to the company’s documentation systems.

The surveillance audit will be conducted by an auditor accredited by the same certification body that accredited the original ISO auditor. That auditor will review any nonconformities from previous inspections, how effective the company’s systems are within the context of its audits, any new activities that have begun since the previous certification, and previous results. 

What does a surveillance audit cover?

A surveillance audit for ISO 9001 can cover a range of areas within an organization. The specific scope can vary based on factors such as the organization’s size, complexity, and the auditors’ focus. Broadly speaking, however, a surveillance audit tends to address the following.

Quality management policy and objectives. Auditors will assess whether the organization has a documented quality management policy and clear quality objectives that are aligned with the ISO 9001 standard.

Quality manual and documentation. The audit may review the organization’s quality manual and documentation to assure that both are up to date and accurately reflect the organization’s processes and quality management system.

Management responsibility. This includes assessing the commitment of top management to the quality management system, their involvement in setting quality objectives, and their understanding of customer and regulatory requirements.

Resource management. Auditors may evaluate the allocation of resources, including personnel, equipment, and facilities, to assure that those items support the quality management system‘s objectives.

Product realization. This involves assessing the processes from design and development (if applicable) through production, testing, and delivery to assure they meet the organization’s quality standards.

Measurement, analysis, and improvement. Auditors will look at how the organization collects and analyzes data and information to measure its performance and drive continuous improvement. This may include a review of corrective and preventive actions taken in response to nonconformities.

Customer focus. The organization’s commitment to meeting customer requirements and assuring customer satisfaction is a key element of ISO 9001. Auditors may assess how the organization gathers and acts on customer feedback.

Internal audits. The surveillance audit may review the organization’s internal audit program to assess whether internal audits are performed effectively and that corrective actions are taken as needed.

Control of non-conforming products or services. Auditors will check how the organization identifies, handles, and mitigates non-conformities in its products or services.

Supplier management. This involves evaluating how the organization manages its relationships with suppliers, including how it assesses and monitors supplier performance.

Risk management. Assessing how the organization identifies and manages risks and opportunities related to its processes and quality management system.

Training and competence. Assuring that employees have the necessary skills and training to perform their roles effectively.

The scope and depth of the surveillance audit may vary from one audit to another, and it can also change over time based on the organization’s evolving needs and risks. Organizations must work closely with their auditor to determine the specific areas and processes that will be audited during each surveillance audit.

For additional information, refer to the Guide to ISO Certification and ISO Compliance.

Preparing for your ISO surveillance audit

It’s crucial to prepare for an ISO surveillance audit, to assure that your organization continues to meet its requirements for ISO 9001 compliance. Effective preparation involves careful planning, documentation review, process evaluation, and staff readiness. Here’s a step-by-step explanation of how to prepare for your ISO surveillance audit.

Review your quality management system (QMS). Start by reviewing your organization’s quality management system (QMS) documentation, including your quality manual, procedures, and work instructions. Confirm that these documents accurately reflect your current processes and that they are up to date. Any changes or improvements made since the last audit should be well-documented.

Internal audits. Conduct thorough internal audits of your QMS to identify and address any non-conformities. These internal audits should be carried out by trained auditors who can impartially assess the effectiveness of your QMS. Correct any issues identified during these internal audits and assure that corrective actions are well-documented.

Training and awareness. Assure that your employees are aware of the ISO 9001 standard, your quality policy, and quality objectives. Training should be provided to address any knowledge gaps, and employees should understand their roles in the QMS. It’s essential that staff can explain and demonstrate their understanding of the QMS processes to the auditors.

Documented information. Gather and organize all the necessary documented information for the audit. This includes records of key processes, evidence of compliance, and records of performance, such as customer feedback, supplier evaluations, and corrective action reports.

Management review. Hold a management review meeting to assess the performance of your QMS, discuss any issues, and set objectives for improvement. Assure that this meeting is well-documented and that any decisions or actions are clear.

Communication. Communicate the upcoming surveillance audit to all relevant personnel so that they are aware of the audit date, scope, and purpose. Encourage an atmosphere of openness and cooperation among employees and emphasize the importance of their roles in maintaining the QMS.

Auditor familiarization. If possible, provide the surveillance audit team with access to relevant documentation and an overview of your organization’s operations in advance. This will help auditors become familiar with your processes and make the audit process more efficient.

Mock audits. Conduct mock or practice audits with internal auditors or colleagues who are not directly involved in the areas being audited. This will help identify any gaps or issues in your readiness for the surveillance audit.

Continuous improvement. Assure that your organization has a culture of continuous improvement and that you can demonstrate how you’ve acted upon lessons learned from previous audits to enhance your QMS.

Pre-audit meeting. Before the actual surveillance audit, schedule a meeting with the surveillance audit team to discuss the scope, objectives, and expectations. This is an opportunity to clarify any questions and set the tone for the audit.

Effective preparation not only helps to assure a successful audit. It also contributes to the continued success of your organization’s quality management system.

Maintain your ISO compliance with ZenGRC

Sustaining ISO surveillance compliance is an intricate, ongoing endeavor that demands vigilant management and monitoring of an organization’s quality management system

ZenGRC offers an efficient and streamlined solution to assure continuous ISO standard compliance. Its extensive array of tools and features simplifies the preparations and navigation of surveillance audits. ZenGRC facilitates the maintenance of current documentation, the tracking of corrective actions, and the scheduling of internal audits, all within a user-friendly, consolidated platform. 

By using ZenGRC, organizations can not only attain initial certification, but also consistently exhibit their dedication to compliance, cultivating trust among stakeholders and upholding operational excellence in alignment with ISO standards.