ISO certification glossary

Certification has its own vocabulary. These are clear, accurate definitions of the ISO and audit terms you will meet — from nonconformity and CAPA to surveillance audits and the Statement of Applicability.

General

ISO (International Organization for Standardization)

ISO is the International Organization for Standardization, an independent body that develops and publishes voluntary international standards. ISO does not certify organizations itself; accredited certification bodies audit and certify against ISO standards such as ISO 9001 and ISO 27001.

Certification

Certification is formal confirmation by an independent body that an organization meets the requirements of a standard. After a successful audit, the organization receives a certificate, typically valid for three years subject to surveillance audits.

Accreditation

Accreditation is the recognition that a certification body is competent to perform audits and issue certificates. It is granted by a national accreditation body, giving the certificates the certification body issues credibility and international recognition.

Certification Body (CB)

A certification body (CB) is an accredited, independent organization that audits management systems and issues certificates. The certification body is separate from the consultancy that helps an organization prepare, to keep the audit impartial.

Management System

A management system is the set of policies, processes, and procedures an organization uses to meet its objectives. ISO management system standards — such as ISO 9001 for quality or ISO 27001 for security — define what an effective system must include.

Integrated Management System (IMS)

An integrated management system (IMS) combines two or more ISO standards into a single system — for example ISO 9001, ISO 14001, and ISO 45001. Because the standards share the Harmonized Structure, audits, documentation, and reviews can be run together.

Certification Cycle

The certification cycle is the three-year period a certificate is valid. It begins with the Stage 1 and Stage 2 audits, includes annual surveillance audits in years one and two, and ends with a recertification audit in year three.

Scope (Certification Scope)

Certification scope defines exactly what a certificate covers — which sites, products, services, and processes. A clear scope statement tells customers and auditors precisely what has been certified.

Continual Improvement

Continual improvement is the ongoing effort to make a management system more effective over time. It is a core principle of ISO standards, driven by audits, management review, and corrective action.

Audit

Gap Analysis

A gap analysis is an assessment that compares an organization's current practices against the requirements of a standard. It identifies the gaps that must be closed before certification and is usually the first step in an ISO implementation project.

Internal Audit

An internal audit is an audit an organization performs on its own management system to check conformity and find improvements before the certification body arrives. ISO standards require internal audits at planned intervals.

External Audit

An external audit is conducted by an independent certification body to decide whether to grant or maintain certification. External audits include the initial Stage 1 and Stage 2 audits, annual surveillance audits, and the three-year recertification audit.

Stage 1 Audit

A Stage 1 audit is the first part of the initial certification audit. The auditor reviews documentation and readiness to confirm the management system is in place and the organization is ready for the more detailed Stage 2 audit.

Stage 2 Audit

A Stage 2 audit is the main certification audit. The auditor evaluates how effectively the management system is implemented in practice, gathering objective evidence against the standard before recommending certification.

Surveillance Audit

A surveillance audit is a periodic check, usually annual, that a certification body performs during the three-year certificate cycle. It confirms the management system is still effective and being maintained between full recertification audits.

Recertification Audit

A recertification audit is a full audit conducted at the end of the three-year certificate cycle to renew certification for another three years. It is more comprehensive than a surveillance audit and reviews the whole management system.

Nonconformity (NC)

A nonconformity (NC) is a failure to meet a requirement of the standard. Auditors classify nonconformities as major or minor. Major nonconformities must be resolved before a certificate can be issued or maintained.

Major Nonconformity

A major nonconformity is a serious gap — such as a missing process or a complete failure of a requirement — that puts the management system's effectiveness in doubt. It must be corrected and verified before certification can proceed.

Minor Nonconformity

A minor nonconformity is an isolated lapse that does not threaten the overall management system, such as a single missing record. It requires a corrective action but usually does not block certification.

Objective Evidence

Objective evidence is verifiable proof — records, statements, or observations — that a requirement has been met. Auditors base their findings on objective evidence rather than opinion or assumption.

Audit Trail

An audit trail is a chronological record of activity that shows who did what and when. It lets auditors trace decisions and changes back to their source, supporting accountability and evidence of conformity.

Lead Auditor

A lead auditor is the qualified professional who plans and directs an audit and makes the certification recommendation. Lead auditors hold recognized training and follow the auditing principles in ISO 19011.

Compliance

Corrective Action

A corrective action is the step taken to eliminate the cause of a nonconformity so it does not happen again. ISO standards require organizations to identify the root cause, act on it, and verify that the action worked.

CAPA (Corrective and Preventive Action)

CAPA stands for corrective and preventive action — a structured process for fixing existing problems and preventing potential ones. It is central to quality systems such as ISO 13485, where CAPA records must be tracked to closure.

Root Cause Analysis (RCA)

Root cause analysis (RCA) is the practice of finding the underlying reason a problem occurred, rather than just its symptoms. Effective corrective action depends on identifying and addressing the true root cause.

Risk Assessment

A risk assessment is the process of identifying, analyzing, and evaluating risks to an organization. ISO standards such as ISO 27001 require a documented risk assessment to decide which controls and treatments are needed.

Risk Treatment

Risk treatment is the action taken to address an identified risk — by reducing, avoiding, transferring, or accepting it. In ISO 27001, the risk treatment plan records the controls chosen to manage each risk.

Management Review

A management review is a formal meeting where top management evaluates the management system's performance and decides on improvements. ISO standards require management reviews at planned intervals as evidence of leadership involvement.

Documented Information

Documented information is the term ISO uses for the documents and records a management system must control — policies, procedures, and evidence. Organizations must keep it current, available, and protected.

Document Control

Document control is the practice of managing documents through versions, approvals, and access so people always use the current version. ISO standards require controlled documented information to keep the management system reliable.

Standards

Annex SL (Harmonized Structure)

Annex SL, now called the Harmonized Structure, is the common 10-clause framework shared by modern ISO management system standards. It lets organizations integrate standards like ISO 9001, ISO 14001, and ISO 45001 because they share the same structure.

Statement of Applicability (SoA)

A Statement of Applicability (SoA) is a core ISO 27001 document that lists the Annex A security controls, states whether each applies, and justifies inclusions and exclusions. Auditors use it as a map of the information security management system.

HACCP (Hazard Analysis and Critical Control Points)

HACCP is a systematic method for identifying, evaluating, and controlling food safety hazards. It is the foundation of food safety management and is built into ISO 22000 as part of a full management system.

Prerequisite Programs (PRPs)

Prerequisite programs (PRPs) are the basic conditions and activities needed to maintain a hygienic environment in food production — such as cleaning, pest control, and hygiene. ISO 22000 requires PRPs to support hazard control.