ISO 19011 is the international guideline for auditing management systems. Therefore, your notified body considers ISO 19011 state-of-the-art when it checks during your ISO 13485 certification audit whether you are conducting your internal and supplier audits effectively.
Consequently, those responsible for quality management, in particular, should be familiar with and consider ISO 19011. This article will help you do so.
DIN EN ISO 19011:2018-10 (“Guidelines for auditing management systems”) is available from DIN Media and, at a lower price, as EVS EN ISO 19011:2018.
A draft of the next version of the standard (DIN EN ISO 19011 – 2025-04) is available. The final standard is scheduled for publication in Q1 2026 and will also cover AI.
1. Basics of ISO 19011
1.1 Scope and purpose of the standard (Chapter 1)
The standard provides guidelines for auditing management systems (e.g., ISO 9001, ISO 13485) but is not harmonized. Consequently, it does not formulate requirements but serves as guidance.
ISO 19011 applies to all organizations that carry out internal or external audits (e.g., of suppliers) as part of a management system.
The certification bodies themselves are subject to a different standard, ISO 17021.
ISO 19011 refers exclusively to ISO 9000:2015 for terms and definitions and contains no further normative references. Other standards (such as ISO 13485) may be used as a supplement.
ISO 19011 does not directly refer to medical or IVD medical devices. Consequently, the opportunities and risks mentioned in the standard do not relate to the devices’ performance and safety.
1.2 Structure of the standard
The standard is divided into seven chapters (see Fig. 1).

1.3 Changes compared to the previous version
The 2018 edition of ISO 19011 supplements the previous version with a risk-based approach and expands the guidelines for both the “administration” and implementation of the audit programme and the audits themselves. The requirements for auditor competence have also been expanded.
2. Key contents of the standard
2.1 The seven principles of auditing (Chapter 4)
ISO 19011 “requires” that organizations adhere to seven principles when conducting audits:
- Integrity: Basis for professionalism
- Objectivity: Commitment to truthful and accurate reporting
- Professional diligence: Appropriate judgment when conducting audits
- Confidentiality: No unauthorized disclosure of information
- Independence: Basis for impartiality and objectivity
- Evidence-based approach: Methodology for achieving reliable conclusions
- Risk-based approach: Consideration of risks and opportunities
2.2 Management of the audit programme in accordance with ISO 19011
Chapter 5 of the standard defines the audit programme’s meta-level, i.e., its management, from the definition of objectives to the review of the programme.

2.2.1 Objective
Organizations should begin by determining the objectives of the audit programme (Chapter 5.2). These objectives should be consistent with the organization’s overall strategy and evaluate the performance of the management system.
If the management system has changed, these changes must be taken into account when establishing the objectives. The results of previous audits must also be incorporated into the objectives.
2.2.2 Determination and evaluation of audit programme risks
In the next step, organizations should identify the audit programme’s opportunities and risks (Chapter 5.3).
Risks can arise if the auditors are not sufficiently competent, if the audits are not of sufficient duration, if not all locations are audited, if the audited areas are not cooperative, or if the audit results are not taken into account afterwards.
Concerning opportunities, ISO 19011 refers primarily to efficiency. Examples include conducting several audits during one visit or minimizing travel time. Selecting competent auditors in accordance with the audit objectives is not an opportunity but a requirement. On the other hand, an opportunity is to make processes more efficient, eliminate errors, and thus make products safer.
2.2.3 Establishing the audit programme
This information can then be used to plan the audit programme (Chapter 5.4). This includes:
- Defining roles and responsibilities for audit programme management
- Determining the scope of the audit programme according to the size/type of the organization
- Determining resources (financial, methods, team, etc.)
2.2.4 Monitoring, review, and improvement
This is followed by implementation (Chapter 5.5) and monitoring of the programme (Chapter 5.6). Typical activities should include:
- Defining key performance indicators for monitoring the audit programme
- Regularly assessing the degree to which the audit programme is achieving its objectives
- Reviewing whether the schedule and budget are being adhered to
- Evaluating the competence of the audit team
- Assessing the ability to implement the audit plan
- Obtaining feedback from auditors, auditees, and other parties
- Identifying new practices/methods for audits
- Documenting opportunities for improvement
2.3 Conducting an audit in accordance with ISO 19011
Chapter 6 describes specific, proven procedures for conducting audits.
2.3.1 Preparation of audit activities
It begins with the preparation of the audit (Chapters 6.2, 6.3). If these requirements are transferred to manufacturers of medical and IVD medical devices, organizations should pay attention to the following:
- The audit plan must cover the QM-relevant processes in accordance with ISO 13485.
- The document review should cover the technical documentation and relevant regulatory requirements.
- Checklists must take specific MDR requirements into account.
- The selection of samples should be based on the risk classes of the devices.
- Access to the technical documentation must be ensured.
2.3.2 Conducting audit activities
Chapter 6.4 deals with conducting audit activities. For medical and IVD medical device manufacturers, the following practices are recommended for internal audits, for example:
- The opening meeting clarifies regulatory changes since the last internal audit.
- A review of the effectiveness of the PMS/PMCF/PMPF system is carried out.
- Conformity with the general safety and performance requirements is checked on a sample basis.
- The interfaces with notified bodies and authorities are also checked.
- Critical suppliers and outsourced processes should be given special attention.
2.3.3 Preparation and distribution of the audit report
When preparing and distributing the audit report (Chapter 6.5), it is also important to consider best practices, some of which are specific to the context of ISO 13485.
- Findings must clearly indicate regulatory references.
- The documentation must comply with the requirements of the certifier.
- The report is distributed to the relevant parties.
- The audit report must be archived as part of the QM documentation.
2.3.4 Audit completion and follow-up
Chapters 6.6 and 6.7 refer to completing audits and implementing “audit follow-up measures.” For medical device manufacturers, this means, for example:
- Verify corrective actions for regulatory conformity
- Ensure testing of effectiveness, taking into account MDR/IVDR requirements
- Ensure that results are taken into account in management review
- Consider reporting obligations (vigilance)
- Prepare documentation for possible audits by authorities
2.4 Competence and evaluation of auditors
ISO 19011 places particular emphasis on the competence of the audit team (Chapter 7).
2.4.1 Determining the auditor’s competence
This begins with determining the competence of the auditors (Chapter 7.2.3). For medical device manufacturers, this includes:
- Proven knowledge of ISO 13485 and MDR/IVDR
- Understanding of general safety and performance requirements
- Knowledge of harmonized standards and common specifications
- Understanding of the special features of the various device categories
- Experience with classification rules for medical devices
- Understanding of risk management according to ISO 14971
- Knowledge of clinical evaluation/performance evaluation and PMS/PMCF/PMPF
2.4.2 Competence criteria
Organizations must also demonstrate these competencies (Chapters 7.2.3, 7.2.4). In the medical device environment, this can be achieved, for example, through:
- Professional experience in the medical device sector
- Proof of specific medical device training
- Experience in comprehensive audits in the MD sector
- Activities at, for example, a notified body or supervisory authority
- Participation in seminars with proof of effectiveness
Manufacturers should systematically train their internal auditors, not only because it is required by the standard but also because it is beneficial. Consider attending the “Internal Auditor” seminar offered by the Johner Institute.
2.4.3 Evaluation methods
In addition to the formal requirements, the auditors themselves should be continuously monitored and evaluated (Chapters 7.3, 7.4):
- Observation during audits with a regulatory focus
- Review of audit reports for regulatory completeness
- Assessment of the ability to identify regulatory deviations
- Evaluation of communication with the QMR role and the regulatory affairs team
- Evaluation of the understanding of regulatory approval processes
- Review of competence in different device categories
2.4.4 Continuity and improvement of competence
Regardless of these evaluation results, auditors should continuously expand and update their competence (Chapter 7.6):
- Regular participation in training courses on regulatory changes
- Participation in workshops on MDR/IVDR-specific topics
- Continuous updating of knowledge on harmonized standards
- Exchange of experience with other auditors in the medical device field
Organizations must document all this training and its effectiveness.
3. Five tips for implementation
Tip 1: Don’t forget internal audits of internal audits
ISO 19011 helps to plan and conduct internal audits. However, the effectiveness of the internal audits themselves should also be checked. This is done through internal audits of the internal audits as well as within the management review. Accordingly, ISO 19011 should be taken into account in both cases.
Tip 2: Create a risk-based audit programme
ISO 19011 does not refer to medical or IVD medical devices or patient safety. Manufacturers should follow ISO 19011’s risk-based approach while keeping an eye on the risks as defined in ISO 14971.
ISO 19011 recommends considering the risks posed by auditors’ lack of competence. Medical device manufacturers should also consider the consequences for patients that could result from this lack of competence.
Tip 3: Don’t just check conformity
The audits should enable organizations to achieve more than just fulfilling their legal obligations. The organization can also benefit from the audits to
- determine the effectiveness of processes,
- identify and eliminate inefficiencies in processes,
- streamline standard operating procedures and work instructions,
- identify weaknesses in suppliers (and select better ones if necessary), and
- promote knowledge within the organization about the organization and its devices.
Tip 4: Make use of the results in many ways
The results of the audits can also be useful to companies
- to minimize audits by their customers (particularly relevant for suppliers),
- as input for management reviews and the CAPA system,
- to improve devices,
- as information for risk management and post-market surveillance,
- as evidence that regulatory requirements have been met.
Tip 5: Keep specific requirements in mind
Because ISO 19011 is “domain-agnostic,” medical and IVD medical device manufacturers should keep an eye on the specific requirements. These include, for example:
- Document retention requirements
- Reporting requirements to authorities and notified bodies in case of audit findings
- Specific competence requirements
- Requirements of ISO 13485 and MDR/IVDR for the QM system
4. Conclusion and summary
The standard is a very useful guideline that helps ensure compliance with ISO 13485’s requirements for quality management system planning, internal audits, and supplier audits.
That is another reason ISO 19011 is a must-read for anyone who plans, prepares, and conducts audits. This includes not only quality management representatives but also the process owners involved in the audits.
ISO 19011 has been expanded to include a risk-based approach compared to its predecessor standard. When considering these risks, medical device manufacturers should explicitly consider regulatory risks and risks to product safety, not just the risks mentioned in the standard.
The effectiveness of quality management systems depends on the competence of the auditors. That is why the standard devotes an entire chapter to this aspect.
The Johner Institute helps medical and IVD medical device manufacturers and operators set up, review, and optimize QM systems.
Seminars such as Internal Auditor and Certified ISO 13485 Lead Auditor provide the required competence.
Change history:
- 2025-05-19: Article completely rewritten, taking into account the 2018 version of ISO 19011, reference to new version of the standard added
- 2016-01-12: First version of the article published