ISO Audits – Just A Project With A Scary Face



The word audit alone can cause panic-inducing sweats but pair that with all the various versions ISO has and getting certified can seem even more daunting. The process can feel extremely intimidating, especially when you struggle to know where to start. I recently performed a combo ISO 20000:2018 / 27001:2013 implementation and wanted to share some thoughts to demystify the whole process.

Spoiler alert….

An ISO audit implementation is like any other project. I don’t want to want to walk us through a full compare and contrast of ISO to PMI, but here are some high points that can allow you to breathe a little easier as you begin your own journey:


Scope is the first piece of your ISO certification that must be decided and documented, and for right reason! Knowing the boundaries of what you are certifying is crucial to the success of ensuring it doesn’t become a never-ending project. Certifying is an awesome way to improve your level of excellence in processes, however, trying to attain excellence across the entire organization can sometimes create so much work that it can sink the project before it really gets started. Instead, take an Agile approach and determine an MVP (minimum viable product) that you can certify with and build iteratively from there. Keep your scope tight and check all your tasks through it!

Gathering Requirements

Like any project, the next step of ISO certification is figuring out what you are actually trying to accomplish. Fortunately, you are able to buy the standards from ISO that list the requirements. This will be the foundation from which you determine the policies and procedures your organization needs to build in order to certify. With most of the standards, ISO releases an initial requirements document and then follows it with a subsequent interpretation document that provides more details for how to potentially implement the requirement. The interpretation document is generally the more useful of the two, and is what I would recommend you purchase for your implementation:

With the right standard document in hand, your task in this phase will be to perform a gap analysis to record how your business currently compares to the requirement. This is similar to utilizing a Work Breakdown Structure (WBS) to decompose the scope in order to transition to scheduling the work (tasks).



If doing a career-long ISO implementation is your thing, DON’T make a schedule. For everyone else, I would suggest otherwise. Like setting goals and plans for losing weight, schedules give us a target to adhere to with discipline. To continue the weight loss analogy, we should step on “the scale” often to check progress. It may feel better in the short run to not know you are behind, but catching slips early will allow you to more easily correct. Additionally, this will also help you identify who needs a little more attention (i.e. pushing and prodding). Your schedule is a measuring stick that will be used to guide your project to success so take the time to make a realistic schedule and it will pay dividends.



With projects, schedules and plans are the easy part. It only gets complicated when you add people. A make or break in your ISO project will be having the right people at the table and leading them strategically. Here are three groups that absolutely must be included:

  • Leadership
    • Any ISO project is going to require resources (both time and money). Ensure you have the full support of your leadership, as you will be calling on their powers to remove obstacles.
  • Team members
    • An ISO implementation can’t be done alone. You will need a strong team to push the project across the finish line. Having them intimately involved as the beginning will help create the shared purpose and vision needed to be successful.
  • Customers
    • These are the people that will be directly impacted (or delighted) by the new policies and procedures. They could be internal or external. Either way, we have to realize and act on the fact that “value” must be CO-CREATED with the customer. Your ISO end-product cannot and should not be made in isolation.

Lessons Learned

Obviously, as a certified PMP, I would be remiss to not end with my top personal lessons learned when it comes to ISO certifications:

What works well

  • Implement processes that are primarily helpful to your business and secondarily achieve certification
    • Making processes that authentically move your business forward will build motivation and sustainability with your team
  • When performing your requirement gap analysis, think with an evidence-based mindset
    • What things prove that you are meeting the requirement?
      • Tribal knowledge and practices must be solidified
    • Be proactive in your stakeholder management by identifying what level and type of interaction each individual needs from you
      • Some may need an email update once a week
      • Some may need a daily work session w/ you
      • Either way, adjust and do what works

What should be avoided

  • Using overly bloated and ambiguous policy templates
    • If you don’t currently have a lot of existing policies documents, 18 pages on change management might be over the top
    • Making your ISO processes at a vastly higher maturity level than the rest of your org will only make it more difficult to sustain
  • Sweating it
    • As mentioned above, ISO audits are really just another project. The specific knowledge around ISO and the particular standard you are using is only a minor piece. The core skills of managing the project to completion is the major component that will more than likely determine your success.


To help you out in your project, I’ve attached a 20K gap analysis template for you to record your notes in.


Need more demystifying? If you are embarking on a certification project (ISO, CMMI, CMMC), we would love to be your resource. Comment below or feel free to reach out to us at

Next, check out our blog 4 Fundamental Values To Look For In Top Consulting Firms  


Jon Land, Consultant – Arrowhead Consulting