27

Immagine creata con IAAI-generated image

ISO 19011:2026, the art of auditing updates: hybrid audits, digital evidence and auditor competence

In May 2026 the fourth edition of ISO 19011 was published, the international guidance for auditing management systems, transposed as UNI CEI EN ISO 19011 and entering the national body of standards on 27 May 2026. Remote and hybrid audits treated as ordinary modes, digital evidence alongside interviews and direct observation, vocabulary aligned with the renewed ISO 9000. And, being guidance, no transition period: it applies immediately. What changes for those who design, conduct and undergo audits?

There is a standard every auditor — of quality, environment, safety, information security or Artificial Intelligence — carries with them on every engagement: ISO 19011, “Guidelines for auditing management systems”. In May 2026 its fourth edition was published, ISO 19011:2026, transposed at European and national level as UNI CEI EN ISO 19011 (May 2026), replacing the 2018 edition. This seems the right place to examine, on the basis of public sources, the update’s directions and its operational fallout, given that the standard provides guidance on auditing management systems, including the principles of auditing, the management of audit programmes and the conduct of audits, as well as guidance on evaluating the competence of the persons involved.

A technical revision, not a revolution

A methodological clarification first: this is a technical revision, updating and clarifying the existing guidance without overturning its framework. The principles of auditing remain the foundation; what changes is the full recognition of modes and tools that, in practice, had already become everyday. The first direction is the normalisation of remote and hybrid audits: no longer a special case relegated to an appendix, but an ordinary mode of conduct, to be designed with the same rigour as the on-site audit, starting from the feasibility and specific-risk assessment (connection quality, confidentiality, authenticity of remotely observed evidence). The second is that of digital evidence: the new edition expands the guidance on collecting, verifying and protecting digital information, treated as primary sources of evidence alongside interviews and direct observation. For the audit team this means new competences: the ability to interrogate information systems, to assess the integrity of logs and records, to document the chain of custody. The third is the systematic realignment: the 2026 edition is coordinated with the ISO/TC 176 revision cycle, starting with the renewed vocabulary of ISO 9000:2026.

No transition: it applies immediately

Here is a clarification of fundamental practical importance: ISO 19011 is a guidance, not a requirements standard; it is not the object of certification and therefore knows no transition periods. The new edition is usable, and appropriately used, from the day of publication. For certification bodies and internal-audit functions this translates into an essentially organisational adaptation: updating audit procedures, forms and, above all, auditor training.

The fallout for bodies and organisations

For certification bodies, ISO 19011 operates in synergy with the ISO/IEC 17021 series, which sets the requirements — including competence — for bodies certifying management systems in the various areas: from the sectoral technical specifications on auditor competence, such as the one dedicated to occupational health and safety, to the recent standard on bodies certifying AI management systems. In this framework, 19011 is the common grammar of audit conduct; the accreditation standards are its institutional frame. For certified organisations, the update is anything but neutral: those preparing for a transition audit — think of the three-year period of the new ISO 14001 — or for sampling checks on delicate areas — such as the conformity of work equipment in OSH certifications — will meet audit teams increasingly oriented to digital evidence and hybrid modes. Overseeing the quality of one’s own data and information systems becomes, to all effects, part of audit preparation. For auditors, finally, competence returns to centre stage: the standard devotes ample guidance to evaluating the persons involved, and the new directions — digital, remote, sustainability of techniques — redraw the required professional profile. Continuing training is no longer a formal obligation: it is the condition of credibility of the whole system.

Conclusions

The fourth edition of ISO 19011 photographs a craft that has already changed: contemporary auditing is hybrid, data-driven and distributed, and the standard acknowledges it with the balance typical of good guidance, updating the tools without betraying the principles. It is now up to bodies, auditors and organisations to turn the guidance into practice. In the light of the above, one wonders whether the audit professional community will seize the occasion of this update, conducting audits that are not reduced to digitised checklists but preserve what no technology can replace: the independent professional judgement of those who verify, safeguarding the trust of those who rely on certificates.