The fourth edition of ISO 19011, Guidelines for auditing management systems, was published in May 2026. It replaces the 2018 edition, which has now been withdrawn.
Before anyone reaches for the panic button, remember that this is a guidance standard, not a requirements standard.
No organization is certified to ISO 19011, and there is no transition window. That last point matters.
Unlike ISO 9001 or ISO 45001, where you get years of runway, the revised guidance applies the moment it is published. If you audit management systems, the clock has already started.
The short version
This is an evolution, not a revolution like the article about ISO 14001:2026.
• The seven principles still stand.
• The clause structure is familiar.
• Your existing audit programme does not need to be torn up.
What has shifted is the emphasis, the language, and a meaningful expansion in two areas that reflect how we work now: remote auditing and risk.
Language and terminology
A lot of the rewording is cosmetic, but it will touch your reports.
The standard now leans towards “auditing” rather than “audit” as the activity word, so “audit methods” becomes “auditing methods” and so on.
1. The word “organization” now refers to the auditee, while the body doing the work is the “auditing organization”.
2. External providers are now described as organizations in the supply chain.
3. The “extent” of an audit programme is now its “scope”.
4. And an audit conclusion is now described as the result of an audit rather than the outcome.
None of these changes what you do. All of it changes the words in your templates, checklists and finding statements. If you do not update them, you will look like you are still working from a withdrawn edition.
Remote and virtual auditing finally grows up
This is the major headline for me. The guidance now folds in thinking from ISO/IEC TS 17012:2024 on remote auditing methods, and Annex A has been expanded around remote methods and virtual locations.
Sections A.15 and A.16 were heavily reworked, with A.16 now framed around using remote auditing methods.
Worth a reality check here. Although A.15 and A.16 look dramatically changed, much of it is text moved between the two sections rather than brand new material. So read it properly, but do not assume the rules of remote auditing have been rewritten.
The profession has simply caught the documentation up to the practice most of us adopted years ago.
Risk gets pushed earlier and wider
Risk-based thinking is not new to 19011. What is new is where it reaches.
The 19011 2026 edition expects the risk-based approach to shape the audit programme itself, not only individual audits.
Risks and opportunities to the programme are now to be “determined” rather than merely “considered”, and that is a deliberate word choice. Determining something means you reviewed evidence and reached a conclusion you can show.
The list of programme risks has grown in useful ways. It now calls out loss of auditor independence or impartiality, choosing unsuitable auditing methods, and failing to run audits as the programme intended.
It explicitly names undue influence, the manager who leans on you to defer an audit, drop it, or quietly narrow its scope. Anyone who has worked inside a certification body or a busy internal function knows exactly why that sentence earned its place.
Two modern additions that name the present
Two inclusions stand out because they name the world we audit in today.
1) climate change.
The design of an audit programme should now consider whether climate change is a relevant issue for the auditee. This mirrors the amendment already made across the management system standards.
2) technology and competence.
When you judge whether you are competent for a specific audit, you now weigh your knowledge of emerging technology, including artificial intelligence-based evaluation tools, both as something you might audit and as something you might use to audit.
Data protection and information security are now expected parts of an auditor’s regulatory awareness.
On personal behavior, the word “tenacious” has been replaced by “determined”, and “able to act with fortitude” has been dropped, though in practice the expectation of a spine has not.
Supply chain and second-party audits
If you conduct supplier or external provider audits, this is the section to read first. It is the most practically useful expansion for anyone doing client-side assurance.
Annex A.12 on auditing the supply chain has been substantially expanded, with new material centered on second-party audits.
