ISO 9001 Audit Checklist: What to Have Ready for Your Certification Audit

Published 8 March 2026 · Last reviewed 23 February 2026

You have done the implementation work, closed your gaps, run your internal audits. Now a UKAS-accredited auditor is booked to visit your site. This ISO 9001 audit checklist covers exactly what you need to have ready for your certification audit — the external one, conducted by your certification body, that results in a certificate (or doesn't). If you are still in the preparation phase, start with the gap analysis checklist instead; this post picks up where that leaves off.

Certification audits happen in two stages. Stage 1 is a document review. Stage 2 is the implementation audit where the auditor verifies your QMS works in practice. Both stages matter, and failing to prepare for either wastes audit days at £800–£1,200 per day.

How the certification audit works (and what it costs you)

Your UKAS-accredited certification body follows a structure defined by ISO 17021-1 and IAF Mandatory Document 5 (IAF MD 5), which sets minimum audit durations based on your employee count and complexity.

Stage 1 — documentation review

The auditor reviews your documented QMS, confirms the scope is appropriate, checks you have the mandatory documented information, and assesses whether you are ready for Stage 2. This typically takes 0.5–1 day for a company with fewer than 50 employees. It can be conducted on-site or remotely, though most certification bodies prefer at least a partial site visit.

Stage 1 is not a formality. If the auditor identifies significant gaps — missing procedures, no evidence of an internal audit, no management review — they will not schedule Stage 2 until you fix them. That delay costs you weeks and potentially another audit day fee.

Stage 2 — implementation audit

This is the main event. The auditor spends time on-site, interviews staff at all levels, reviews records, and observes processes. Duration depends on headcount:

Employee count | Typical Stage 2 duration
1–10           | 1.5 days
11–25          | 2 days
26–45          | 2.5 days
46–65          | 3 days
66–85          | 3 days
86–125         | 3.5 days

These durations come from IAF MD 5 audit time tables. Multi-site operations, complex supply chains, or design activities can increase the time. Your certification body will confirm the exact duration in their quotation.

Stage 2 must happen within six months of Stage 1 completing. If you wait longer, you repeat Stage 1.

ISO 9001 audit checklist: Stage 1 document readiness

Stage 1 focuses on documented information. The auditor is answering one question: has this organisation built a QMS that covers the standard's requirements on paper?

Prepare these items before the Stage 1 auditor arrives:

QMS scope and boundaries

  • Documented QMS scope statement (Clause 4.3), naming your products/services, sites, and any clause exclusions with justification
  • Organisation chart showing quality responsibilities

Quality policy and objectives

  • Signed quality policy (Clause 5.2) — current, dated, and communicated to staff
  • Quality objectives (Clause 6.2) — measurable, with targets, owners, timeframes, and tracking method
  • Evidence that objectives are being monitored (even one data point helps)

Process documentation

  • Process map or interaction diagram showing how your key processes relate (Clause 4.4)
  • Documented procedures for the processes within your scope — these do not need to be 20-page documents; a one-page flowchart with controls and responsibilities is often sufficient
  • Document control procedure (Clause 7.5) — how documents are approved, reviewed, updated, and distributed

Mandatory documented information

ISO 9001 explicitly requires documented information for specific items. The auditor will check these exist:

  • Context analysis — internal and external issues (Clause 4.1)
  • Interested parties and their requirements (Clause 4.2)
  • Risk and opportunity register (Clause 6.1)
  • Competence records — training, qualifications, experience (Clause 7.2)
  • Monitoring and measuring equipment records, if applicable (Clause 7.1.5)
  • Operational planning and control criteria (Clause 8.1)
  • Design and development records, if Clause 8.3 is in scope
  • Supplier evaluation records (Clause 8.4)
  • Product/service release criteria and traceability records (Clauses 8.5, 8.6)
  • Nonconforming output records (Clause 8.7)
  • Internal audit programme, reports, and findings (Clause 9.2)
  • Management review minutes with all required inputs and outputs (Clause 9.3)
  • Corrective action records (Clause 10.2)

Internal audit and management review

  • At least one complete internal audit cycle covering all QMS processes
  • At least one management review conducted with minutes covering all inputs required by Clause 9.3.2
  • Corrective actions raised from internal audit findings, with evidence of closure

If you do not have a quality manual pulling these documents together, the quality manual template guide covers what to include and how to structure it.

ISO 9001 audit checklist: Stage 2 evidence by clause area

Stage 2 is where the auditor tests whether your documented QMS works in practice. They will sample records, interview staff, and observe activities. Below is a clause-by-clause ISO 9001 audit checklist of the evidence they typically request.

Clause 4 — Context of the organisation

  • Can you explain your external and internal issues and how they influence QMS decisions?
  • Can you name your interested parties and their specific requirements (not vague categories)?
  • Does your scope match the work you actually deliver? The auditor may check recent contracts against your scope statement.

Common finding: scope statements that are too broad ("all engineering services") or too narrow (excluding processes the business clearly performs). Be precise.

Clause 5 — Leadership

  • Can the managing director or senior leader describe how they are involved in the QMS — not just that they signed the policy?
  • Is there evidence of resource decisions linked to quality objectives (budget approvals, training spend, equipment purchases)?
  • Do staff know the quality policy exists and can they explain what it means for their role?

The auditor will likely interview the MD directly. Prepare them. "I leave quality to our quality manager" is a problem — Clause 5.1 requires top management to demonstrate leadership and commitment personally.

Clause 6 — Planning

  • Risk register with likelihood/impact assessments and treatment actions — dated and reviewed
  • Quality objectives with measurement data (not just targets, but actual performance against those targets)
  • Evidence that planned changes to the QMS were managed — if you changed a process in the last six months, show the before, after, and reasoning

Clause 7 — Support

  • Training records and competence evidence for staff performing QMS-relevant work (not just attendance certificates — evidence that training achieved its objective)
  • Calibration certificates or verification records for measuring equipment, if applicable
  • Evidence that staff are aware of the quality policy, objectives, and their contribution to the QMS
  • Document control: the auditor will pick a random procedure and verify it is the current version and accessible to the people who need it

Clause 8 — Operation

This is where the auditor spends the most time. Expect them to:

  • Select 2–3 recent jobs, orders, or projects and trace them from customer enquiry through to delivery
  • Check that customer requirements were captured and confirmed before work started (Clause 8.2)
  • Review supplier evaluation records and verify your approved supplier list is current (Clause 8.4)
  • Examine product/service release records — who authorised the release and against what criteria (Clause 8.6)
  • Ask to see nonconforming output records and the dispositions applied (Clause 8.7)
  • If design is in scope (Clause 8.3): review a recent design from inputs through verification and validation

Clause 8 generates more nonconformities than any other section in UK certification audits. Have your operational records organised and accessible.

Clause 9 — Performance evaluation

  • Customer satisfaction data — surveys, complaint trends, repeat business metrics, NPS scores — with analysis showing what you learned and what you did about it
  • Internal audit reports with findings classified and corrective actions tracked to closure
  • Management review minutes covering all inputs per Clause 9.3.2: audit results, customer feedback, process performance, nonconformity and corrective action status, monitoring and measurement results, external provider performance, resource adequacy, risk/opportunity actions, and improvement opportunities
  • Management review outputs per Clause 9.3.3: decisions made, resources needed, improvement actions

Clause 10 — Improvement

  • At least 2–3 completed corrective action records showing: the nonconformity, containment action, root cause analysis, corrective action, and effectiveness verification
  • Evidence of continual improvement — this can be process changes, efficiency gains, updated procedures based on lessons learned, or measurable quality improvements
  • Records showing that corrections go beyond fixing the immediate symptom ("we re-did the work") to addressing systemic causes ("we revised the briefing process and retrained the team")

What happens if you get a nonconformity

Auditors classify findings into three categories:

Minor nonconformity: A single lapse or isolated failure that does not break the system. Example: one supplier on your approved list without a current evaluation. You can still get certified with minor nonconformities open, provided you submit a corrective action plan that the auditor accepts. You typically get 90 days to close minors before your next surveillance audit.

Major nonconformity: A systemic failure or complete absence of a required element. Example: no internal audit programme, no management review conducted, or a documented procedure that nobody follows. A major nonconformity means the auditor cannot recommend certification until it is resolved.

You get a 28-day window to close a major nonconformity. Closure requires submitting evidence to the auditor that:

  1. The root cause has been identified
  2. Corrective action has been taken
  3. The action is effective

If the major is significant enough, the certification body may require a follow-up audit visit to verify closure — at an additional cost of £800–£1,200 per day. If you cannot close the major within the window, the audit fails and you start again.

Opportunity for improvement (OFI): An observation, not a finding. The auditor notes something that works but could be better. No action is required, though addressing OFIs demonstrates commitment to continual improvement.

Most first-time certification audits result in a few minor nonconformities. That is normal. Zero findings is unusual and sometimes means the auditor was not thorough enough. The goal is no majors.

Choosing your certification body

Your certification body must be accredited by UKAS (the United Kingdom Accreditation Service) for ISO 9001 certification. This is non-negotiable for most procurement purposes — many public sector tenders and supply chain requirements specify UKAS accreditation explicitly.

To find accredited bodies, search the UKAS directory. Filter by "management systems certification" and ISO 9001.

When comparing quotations:

  • Get at least three quotes. Certification body fees vary by 30–50% for the same scope. Our certification cost breakdown covers the full fee structure.
  • Check the proposed audit duration matches IAF MD 5 minimums. If a CB offers significantly fewer audit days than the table above, question why. Under-auditing is a UKAS compliance issue and could affect your certificate's credibility.
  • Ask about auditor sector experience. A certification body may be UKAS-accredited but assign an auditor with no experience in your industry. Ask whether your assigned auditor has audited similar businesses.
  • Confirm what happens if you get a major. Some CBs include one follow-up visit in their fee. Others charge separately. Know this before you sign.

The week before your audit: final preparation

With your audit date confirmed, use this final-week checklist:

  1. Confirm logistics. The auditor needs a quiet room, access to relevant areas, and access to staff. Block out interview time in people's diaries.
  2. Brief all staff. Everyone should know an external audit is happening, what an auditor might ask them, and that honesty matters more than perfection. Coach people to answer what they actually do, not what they think the auditor wants to hear.
  3. Run a quick document check. Verify every controlled document is at the current revision. Remove or archive obsolete versions from shared drives, notice boards, and workshop areas.
  4. Review corrective action status. Every corrective action raised in internal audits should be closed or have a documented plan. Open corrective actions with no progress signal a broken improvement process.
  5. Check your records are retrievable. The auditor will ask for specific records — a recent customer complaint, a training record, a supplier evaluation. Know where they are and confirm you can retrieve them within minutes, not hours.
  6. Review management review minutes. Ensure the most recent management review covers all required inputs. If your last review was more than 12 months ago, consider holding one before the audit.
  7. Walk the site. Look at what the auditor will see. Outdated quality posters, unmarked chemicals, equipment with expired calibration stickers — these are easy wins to fix before the audit and easy findings if you don't.

If you are unsure whether you are ready, the ISO 9001 readiness quiz gives you a clause-by-clause assessment in under five minutes. For businesses going through certification for the first time without consultant support, the DIY certification guide covers the full process from start to finish.

Practical takeaway checklist

Print this. Work through it before your Stage 1 date.

  • QMS scope documented, accurate, and matching your actual work
  • Quality policy signed, dated, and communicated
  • Quality objectives measurable, tracked, and showing real data
  • Risk register completed and reviewed
  • All mandatory documented information in place per the Stage 1 checklist above
  • At least one full internal audit cycle completed with findings and corrective actions
  • Management review held within the last 12 months with all required inputs and outputs
  • Corrective actions showing root cause analysis, not just symptom fixes
  • Operational records organised and retrievable for 2–3 sample projects
  • Supplier evaluations current for active suppliers
  • Staff briefed on the audit and prepared for interviews
  • Certification body confirmed as UKAS-accredited, with audit dates and logistics agreed
  • Budget confirmed: Stage 1 + Stage 2 fees, plus contingency for a follow-up visit if needed

Get these right and you walk into your certification audit with evidence rather than anxiety. The auditor is checking whether your QMS works — not whether it is perfect. Demonstrate that you know your system, use it daily, and improve it when things go wrong, and the certificate follows.

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.
