1.2 The ISO Standards Family, the Auditor's Role & Key ISO 9000 Terms
Key Takeaways
- Four standards matter: ISO 9000 (vocabulary), ISO 9001 (requirements/audit criteria), ISO 19011 (how to audit), and ISO/IEC 17021-1 (certification body rules)
- ISO 9004 is guidance for sustained success and is never used as audit criteria or for certification decisions
- Correction eliminates a detected nonconformity's symptom; corrective action eliminates its root cause and prevents recurrence
- Audits are classified as first-party (internal), second-party (customer-on-supplier), or third-party (independent certification body)
- An auditor's role is to gather objective evidence and evaluate it against criteria, not to design or fix solutions for the auditee
The ISO Standards Family, the Auditor's Role & Key ISO 9000 Terms
Quick answer: A Lead Auditor works across four related standards: ISO 9001 (the requirements you audit against), ISO 9000 (the vocabulary that defines every term you'll use), ISO 19011 (the guidance on how to audit), and ISO/IEC 17021-1 (the rules that govern certification bodies themselves). Precise use of ISO 9000 vocabulary is non-negotiable — nonconformities are written in that vocabulary.
The Four Standards an Auditor Must Know
It is easy to think "the standard" means only ISO 9001, but a competent Lead Auditor moves fluently between four documents, each with a distinct job:
| Standard | Full Title (short) | Auditor's Use |
|---|---|---|
| ISO 9000 | Fundamentals and vocabulary | Defines every term used across the family — the dictionary |
| ISO 9001 | Requirements | The only certifiable, auditable document — the audit criteria |
| ISO 9004 | Guidance for sustained success | Guidance beyond 9001; not used for certification decisions |
| ISO 19011 | Guidelines for auditing management systems | How to plan, conduct, and manage an audit — covered in Chapters 6–8 |
| ISO/IEC 17021-1 | Requirements for certification bodies | Governs the certification body itself — covered in Chapter 9 |
Notice that ISO 9004 is guidance, not requirements — you cannot cite an organization as nonconforming to ISO 9004, and a certification body cannot certify against it. It exists to help organizations go beyond minimum compliance, and an auditor may reference it for context but never as audit criteria.
Core ISO 9000 Vocabulary You Must Know Cold
Nonconformities, findings, and reports are all written in precise ISO 9000 terminology. Getting these definitions wrong on the exam — or in a real audit report — undermines the defensibility of your work.
- Quality — the degree to which a set of inherent characteristics of an object fulfills requirements.
- Requirement — a need or expectation that is stated, generally implied, or obligatory. "Generally implied" matters: unstated customer expectations still count.
- Conformity — fulfillment of a requirement.
- Nonconformity — non-fulfillment of a requirement. Every nonconformity must trace back to a specific, identifiable requirement.
- Correction — action taken to eliminate a detected nonconformity. It fixes the immediate symptom (e.g., re-calibrating one out-of-tolerance gauge).
- Corrective action — action taken to eliminate the cause of a nonconformity and prevent recurrence. This is a systemic fix (e.g., revising the calibration schedule so gauges never drift out of tolerance again).
- Process — a set of interrelated or interacting activities that use inputs to deliver an intended result.
- Procedure — a specified way to carry out an activity or a process; may or may not be documented.
- Objective evidence — data supporting the existence or verity of something; obtainable through observation, measurement, test, or other means. Auditors collect objective evidence, never opinion.
- Audit — a systematic, independent, and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
- Audit criteria — the set of policies, procedures, or requirements used as a reference against which objective evidence is compared (for a certification audit, this is ISO 9001 plus the organization's own documented QMS).
- Audit evidence — records, statements of fact, or other verifiable information relevant to the audit criteria.
- Audit findings — the results of evaluating collected audit evidence against audit criteria; findings can indicate conformity, nonconformity, or opportunities for improvement.
The correction-versus-corrective-action distinction is one of the most heavily tested concepts across this whole body of knowledge — expect it to reappear in Chapter 5 (clause 10.2) and Chapter 8 (writing nonconformities).
First-, Second-, and Third-Party Audits
The exam repeatedly tests whether you can identify which "party" an audit scenario describes:
- First-party audit — an organization audits its own QMS (the internal audit required by clause 9.2). Self-interest, but still expected to be objective and impartial.
- Second-party audit — an organization audits an external party with a direct interest in it, most commonly a customer auditing a supplier, or a regulator conducting a compliance audit.
- Third-party audit — an independent body, typically an accredited certification body, audits an organization with no direct commercial relationship to either side. This is the audit type that leads to ISO 9001 certification, and it is governed by ISO/IEC 17021-1.
A single organization may face all three types simultaneously: it runs first-party internal audits, is audited by its largest customer (second-party), and is audited by its certification body (third-party) — all against the same ISO 9001 requirements, but under different rules of engagement and consequence.
The Auditor's Role: Evaluate, Don't Fix
A recurring exam theme, especially in the "Audit concepts and auditor responsibilities" section, is the boundary between auditing and consulting. An auditor's job is to gather objective evidence and evaluate it against criteria — not to design solutions, write procedures for the auditee, or tell them how to fix a nonconformity. Suggesting what is wrong (citing the requirement and the evidence) is the auditor's job; deciding how to fix it belongs to the auditee. This separation protects the auditor's independence and objectivity, two of the seven audit principles you will meet formally in Chapter 6, and it is why a certification-body auditor cannot also have consulted on the same client's QMS design.
A calibration gauge is found out of tolerance during an audit. The technician immediately re-calibrates that one gauge so it passes. What has the technician performed, in ISO 9000 terms?
A company's largest customer sends its own quality manager on-site to audit the company's QMS before placing a major order. What type of audit is this?