ISO 19011:2026 is now published. Edition 4 of the international guidelines for auditing management systems replaces the 2018 version and brings the most significant updates the standard has seen in years. If you run internal audits, manage an audit programme, or work as an auditor across any management system standard, this revision affects how you plan, deliver, and document your work.
On this page
The changes are not cosmetic. The 2026 edition responds to a decade of change in how audits are actually conducted, the tools auditors use, and the broader environmental context organisations operate in. Remote auditing went from a niche footnote to a core practice during and after the COVID years. Digital tools became embedded in audit delivery. Climate change entered regulatory and business planning conversations at every level. ISO 19011:2026 catches up with all of that.
This guide breaks down every major change, what stayed the same, and exactly what you need to do to bring your audit programme into line with the new edition.
What Is ISO 19011?
ISO 19011 provides guidelines for auditing management systems. It covers the principles of auditing, how to manage an audit programme, how to conduct audits, and how to evaluate auditor competence. It applies to any organisation that needs to plan and conduct internal or external audits of management systems, whether that is ISO 9001, ISO 14001, ISO 45001, ISO 27001, or any other standard.
Crucially, ISO 19011 is a guidelines document, not a requirements standard. Organisations are not certified to ISO 19011 itself. Instead, it provides the framework and vocabulary that underpins good auditing practice across all management system standards. If you are new to ISO 19011, our beginners guide covers the fundamentals in detail.
Edition 4 was published in May 2026 and immediately supersedes ISO 19011:2018. There is no grace period for a guidelines document, though in practice organisations will update their audit procedures at their own pace.
Why Was It Revised?
ISO standards are reviewed on a five to seven year cycle. The 2018 edition was already due for review, but the case for revision was reinforced by several developments that changed auditing practice materially since then.
Remote auditing moved from theory to standard practice during the COVID period and never fully retreated. Auditors, certification bodies, and organisations all discovered that much of what was traditionally done on site could be done effectively via video call, shared screens, and document platforms. The 2018 edition had only a brief Annex A reference to remote methods. That was no longer adequate.
At the same time, ISO released a climate action amendment in 2024 that applied to all management system standards, adding a requirement to consider whether climate change is a relevant issue in the organisational context. ISO 19011:2026 reflects that amendment in its guidance on how auditors should approach context evaluation.
Finally, the growing use of AI and data analytics in audit planning and the emergence of ISO/IEC TS 17012:2024 as a dedicated technical specification on remote auditing methods both created a need to update the reference framework.
The Biggest Change: Remote and Hybrid Auditing Embedded Throughout
The single most significant change in ISO 19011:2026 is how it treats remote auditing. In the 2018 edition, remote auditing appeared in Annex A as an add-on consideration. It was treated as something you might bolt on to an existing on site plan in special circumstances.
Edition 4 takes a fundamentally different approach. Remote, hybrid, and on site methods are now treated as equally valid options that must be considered and decided upon at every stage of the audit lifecycle, not just at delivery. This means:
- At programme level: The audit programme description must now explicitly state which audit methods will be used, including whether on site, remote, or hybrid approaches are planned.
- At planning level: Audit planning must consider digital platform requirements, document access logistics, time zones, and data security when remote methods are involved.
- At delivery level: Auditors must exercise professional judgement on when remote evidence gathering is appropriate and document that judgement.
- At reporting level: Audit reports must clearly state which methods were used during the engagement.
A new Annex A.16 has been added specifically to cover remote auditing methods and virtual locations. The content draws on ISO/IEC TS 17012:2024, which was developed as a dedicated technical specification for remote audits. The Introduction to ISO 19011:2026 explicitly references that document, positioning the two as complementary references rather than alternatives.
The practical implication is that the choice of audit method is no longer a late stage delivery decision. It is a design decision that should be made when the audit programme is being established, informed by risk, the complexity of the management system, auditee maturity, and the availability of reliable ICT infrastructure on both sides.
ICT Competence Is Now a Formal Auditor Requirement
The 2026 edition adds explicit information and communication technology competence to the criteria for auditor evaluation. This is a meaningful addition because previous editions described auditor competence in terms of knowledge of management system requirements, audit techniques, and sector-specific expertise. Digital skills were assumed or ignored.
Under ISO 19011:2026, auditors are expected to demonstrate:
- Ability to use digital audit tools, video conferencing platforms, and cloud-based document systems effectively
- Understanding of cybersecurity risks when collecting and handling evidence remotely
- Ability to evaluate the risks and opportunities associated with using digital tools in an audit
- Judgement about when remote evidence gathering is reliable and appropriate versus when on site observation is required
For organisations managing internal audit programmes, this means your auditor competence evaluation criteria need updating. If you have an auditor evaluation form or a competence matrix for your internal auditors, add ICT competence as a assessed dimension. This does not mean every auditor needs to be a technology expert. It means they need to be comfortable and effective with the tools used in modern remote and hybrid audit delivery.
For organisations that use external auditors or conduct remote certification audits, this change also signals that certification bodies will be expected to assess and demonstrate ICT competence in their auditors under the parallel requirements of ISO/IEC 17021 and ISO/IEC TS 17012.
Climate Change Enters the Audit Scope
ISO 19011:2026 incorporates the climate action amendment that ISO applied to all management system standards in 2024. The amendment adds a requirement for organisations to determine whether climate change is a relevant issue when evaluating internal and external factors that affect the management system.
For auditors, this means that when auditing an organisation's context evaluation under any management system standard, you now need to verify that climate change was considered as a potential issue, even if the conclusion was that it is not relevant for that particular organisation or industry.
This is not a requirement to find climate-related risks. It is a requirement to have genuinely assessed the question. A manufacturing business in a flood-prone region has a different answer to a software firm operating entirely in the cloud. Both need to show the assessment was done.
In practice, auditors should add a specific check to their context evaluation audit questions: has the organisation considered whether climate change represents a relevant internal or external issue, and is that assessment documented? If the organisation has ISO 14001 certification, this is likely already covered. For organisations with only ISO 9001 or ISO 45001 certification, the climate consideration may be new territory.
A More Explicit Risk Based Approach
Risk based thinking has been a principle of ISO 19011 since the 2018 edition, when it was added as a seventh principle. The 2026 edition does not remove or replace that principle but makes the risk examples considerably more specific and practical.
Where the 2018 edition discussed risks in general terms, the new edition provides concrete examples of the kinds of risks that should be considered when designing and managing an audit programme:
- Risks arising from the selection of audit method, particularly the choice between on site and remote delivery
- Technology security and reliability risks when using digital platforms to collect and handle audit evidence
- Risks associated with the loss or unavailability of key auditors
- Risks arising from an auditee that lacks ICT competence or infrastructure to support a remote audit effectively
These are not hypothetical scenarios. Any auditor who has experienced a video platform failing mid-audit, an auditee who cannot share screens reliably, or a remote session where document access was restricted by IT security policy will recognise these as real operational risks. The 2026 edition formalises them as part of what a well-managed audit programme should account for.
AI and Data Analytics in Auditing
The 2026 edition acknowledges AI and data analytics as emerging tools in audit planning and sampling. This is not yet a detailed or prescriptive section of the standard, but the acknowledgement is significant. It signals that ISO is watching this space and that future guidance or amendments may address AI-assisted auditing more formally.
For now, the practical relevance is that auditors using AI tools for document review, data analysis during audit preparation, or pattern recognition in large datasets are working within the intent of the standard. Organisations do not need to adopt AI tools to comply with ISO 19011:2026, but those already using them can reference the standard's acknowledgement as validation of that direction.
The broader question of how AI is changing ISO auditing is one that the industry is actively working through, and ISO 19011:2026 positions itself at the leading edge of that conversation without prescribing answers that the profession is still developing.
What Stayed the Same
ISO 19011:2026 is an evolution of the 2018 edition, not a rewrite. The core structure and the fundamental guidance remain largely intact. Organisations and auditors who understand the 2018 edition will find the 2026 revision familiar.
The five core areas of the standard remain unchanged: scope and purpose, principles of auditing, managing an audit programme, conducting management system audits, and evaluating auditor competence. The seven principles introduced or refined over previous editions, including integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk based approach, are all retained.
This means that existing audit programmes built on ISO 19011:2018 do not require wholesale redesign. The adjustments are targeted: update audit method documentation, revise auditor competence criteria, add climate consideration to context audit questions, and ensure your risk register for the audit programme includes the new explicit risk categories.
What Organisations Need to Do Now
There is no mandatory transition deadline for ISO 19011 because it is a guidelines document rather than a certifiable standard. That said, certification bodies auditing your management system are expected to work to current guidance, which means you may start seeing auditor competence and audit methodology questions shift in line with the 2026 edition sooner than you expect.
Here are the practical steps to bring your organisation into alignment:
1. Review your audit programme documentation. Check whether your current audit programme description states the methods to be used. If it simply says audits will be conducted without specifying on site, remote, or hybrid, update it to reflect actual practice and planned approach.
2. Update your auditor competence criteria. Add ICT competence dimensions to however you currently evaluate and record auditor qualifications and capabilities. This could be as simple as adding a section to an existing competence matrix.
3. Check your context evaluation audit questions. Add a specific question about climate change consideration to your context evaluation audit checklist. Make sure evidence of the assessment, whatever the conclusion, is being captured.
4. Brief your internal audit team. Run a short session covering the 2026 changes. The biggest risk is auditors continuing to treat remote methods as add-ons rather than design decisions. That mindset shift is the most important change the 2026 edition asks for.
5. Update your internal audit procedure. If you have a documented procedure for internal audits, update it to reflect the audit method selection requirements and the new risk examples. This is the document your certification body will review to assess whether your internal audit system is fit for purpose.
The Bigger Picture
ISO 19011:2026 is part of a broader pattern of ISO standards catching up with operational reality. The official ISO 19011:2026 page confirms the publication date and scope. The standard's acknowledgement of remote auditing, digital competence, and climate considerations reflects where management system practice has already moved.
For most organisations, the 2026 edition will not trigger a significant compliance burden. If you were already conducting remote and hybrid audits thoughtfully, evaluating auditor ICT competence informally, and asking questions about climate-related context, you are largely already operating to the spirit of the new edition. The update formalises and structures what good practice already looks like.
Where the edition will have real impact is in organisations that have been slow to adapt to remote auditing, or that have treated their internal audit programme as a tick-the-box exercise without genuine attention to auditor competence development. For those organisations, ISO 19011:2026 provides a useful framework for raising the bar.
If you are looking to strengthen your audit team or connect with experienced auditors who work to current standards, CertBetter connects businesses with verified ISO consultants and certification providers across Australia and internationally.
