EN ISO 19011-2018 en Guidelines for auditing management systems.pdf

1、BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Guidelines for auditing management systems (ISO 19011:2018)BS EN ISO 19011:2018EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 19011 July 2018 ICS 03.100.70; 03.120.20 Supersedes EN ISO 19011:2011English Versio

2、n Guidelines for auditing management systems (ISO 19011:2018) Lignes directrices pour laudit des systmes de management (ISO 19011:2018) Leitfaden zur Auditierung von Managementsystemen (ISO 19011:2018) This European Standard was approved by CEN on 18 June 2018. CEN members are bound to comply with t

3、he CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Manageme

4、nt Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status

5、 as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,

6、Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

7、 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 19011:2018 ENational forewordThis British Standard is the UK implementation of EN ISO 19011:2018. It is identical to ISO 19011:2018. It supersedes BS EN ISO 19011:2011, whic

8、h is withdrawn.The UK participation in its preparation was entrusted to Technical Committee AUS/1, Revision of ISO 19011.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a co

9、ntract. Users are responsible for its correct application. The British Standards Institution 2018 Published by BSI Standards Limited 2018ISBN 978 0 580 97125 9ICS 03.120.10; 13.020.10; 03.100.70Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard wa

10、s published under the authority of the Standards Policy and Strategy Committee on 31 July 2018.Amendments/corrigenda issued since publicationDate Text affectedBRITISH STANDARDBS EN ISO 19011:2018EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 19011 July 2018 ICS 03.100.70; 03.120.20 Superse

11、des EN ISO 19011:2011English Version Guidelines for auditing management systems (ISO 19011:2018) Lignes directrices pour laudit des systmes de management (ISO 19011:2018) Leitfaden zur Auditierung von Managementsystemen (ISO 19011:2018) This European Standard was approved by CEN on 18 June 2018. CEN

12、 members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on appl

13、ication to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Ma

14、nagement Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Lat

15、via, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Ru

16、e de la Science 23, B-1040 Brussels 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 19011:2018 EBS EN ISO 19011:2018EN ISO 19011:2018 (E) 3 European foreword This document (EN ISO 19011:2018) has been prepared by Technical

17、 Committee ISO/PC 302 “Guidelines for auditing management systems“ in collaboration with CCMC. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by January 2019, and conflicting national standards shal

18、l be withdrawn at the latest by January 2019. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights. This document supersedes EN ISO 19011:2011. This docume

19、nt has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bu

20、lgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switz

21、erland, Turkey and the United Kingdom. Endorsement notice The text of ISO 19011:2018 has been approved by CEN as EN ISO 19011:2018 without any modification. BS EN ISO 19011:2018ISO 19011:2018(E)Foreword vIntroduction vi1 Scope . 12 Normative references 13 Terms and definitions . 14 Principles of aud

22、iting 55 Managing an audit programme . 65.1 General . 65.2 Establishing audit programme objectives . 95.3 Determining and evaluating audit programme risks and opportunities 95.4 Establishing the audit programme . 105.4.1 Roles and responsibilities of the individual(s) managing the audit programme 10

23、5.4.2 Competence of individual(s) managing audit programme 115.4.3 Establishing extent of audit programme 115.4.4 Determining audit programme resources 125.5 Implementing audit programme 125.5.1 General. 125.5.2 Defining the objectives, scope and criteria for an individual audit .135.5.3 Selecting a

24、nd determining audit methods 145.5.4 Selecting audit team members .145.5.5 Assigning responsibility for an individual audit to the audit team leader155.5.6 Managing audit programme results .165.5.7 Managing and maintaining audit programme records 165.6 Monitoring audit programme . 175.7 Reviewing an

25、d improving audit programme . 176 Conducting an audit .186.1 General 186.2 Initiating audit 186.2.1 General. 186.2.2 Establishing contact with auditee 186.2.3 Determining feasibility of audit . 196.3 Preparing audit activities 196.3.1 Performing review of documented information196.3.2 Audit planning

26、 .196.3.3 Assigning work to audit team 216.3.4 Preparing documented information for audit .216.4 Conducting audit activities 216.4.1 General. 216.4.2 Assigning roles and responsibilities of guides and observers .216.4.3 Conducting opening meeting . 226.4.4 Communicating during audit . 236.4.5 Audit

27、information availability and access .236.4.6 Reviewing documented information while conducting audit .236.4.7 Collecting and verifying information 246.4.8 Generating audit findings 256.4.9 Determining audit conclusions 256.4.10 Conducting closing meeting 266.5 Preparing and distributing audit report

28、 276.5.1 Preparing audit report .276.5.2 Distributing audit report . 276.6 Completing audit 286.7 Conducting audit follow-up. 28 ISO 2018 All rights reserved iiiContents PageBS EN ISO 19011:2018ISO 19011:2018(E)7 Competence and evaluation of auditors 287.1 General 287.2 Determining auditor competenc

29、e 297.2.1 General. 297.2.2 Personal behaviour .297.2.3 Knowledge and skills 307.2.4 Achieving auditor competence . 327.2.5 Achieving audit team leader competence .337.3 Establishing auditor evaluation criteria. 337.4 Selecting appropriate auditor evaluation method 337.5 Conducting auditor evaluation

30、 . 337.6 Maintaining and improving auditor competence.34Annex A (informative) Additional guidance for auditors planning and conducting audits .35Bibliography .46iv ISO 2018 All rights reservedBS EN ISO 19011:2018ISO 19011:2018(E)ForewordISO (the International Organization for Standardization) is a w

31、orldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented

32、on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this

33、 document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Dir

34、ectives, Part 2 (see www .iso .org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the dev

35、elopment of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the voluntary na

36、ture of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www .iso .org/iso/foreword .html.This do

37、cument was prepared by Project Committee ISO/PC 302, Guidelines for auditing management systems.This third edition cancels and replaces the second edition (ISO 19011:2011), which has been technically revised.The main differences compared to the second edition are as follows: addition of the risk-bas

38、ed approach to the principles of auditing; expansion of the guidance on managing an audit programme, including audit programme risk; expansion of the guidance on conducting an audit, particularly the section on audit planning; expansion of the generic competence requirements for auditors; adjustment

39、 of terminology to reflect the process and not the object (“thing”); removal of the annex containing competence requirements for auditing specific management system disciplines (due to the large number of individual management system standards, it would not be practical to include competence require

40、ments for all disciplines); expansion of Annex A to provide guidance on auditing (new) concepts such as organization context, leadership and commitment, virtual audits, compliance and supply chain. ISO 2018 All rights reserved vBS EN ISO 19011:2018ISO 19011:2018(E)IntroductionSince the second editio

41、n of this document was published in 2011, a number of new management system standards have been published, many of which have a common structure, identical core requirements and common terms and core definitions. As a result, there is a need to consider a broader approach to management system auditi

42、ng, as well as providing guidance that is more generic. Audit results can provide input to the analysis aspect of business planning, and can contribute to the identification of improvement needs and activities.An audit can be conducted against a range of audit criteria, separately or in combination,

43、 including but not limited to: requirements defined in one or more management system standards; policies and requirements specified by relevant interested parties; statutory and regulatory requirements; one or more management system processes defined by the organization or other parties; management

44、system plan(s) relating to the provision of specific outputs of a management system (e.g. quality plan, project plan).This document provides guidance for all sizes and types of organizations and audits of varying scopes and scales, including those conducted by large audit teams, typically of larger

45、organizations, and those by single auditors, whether in large or small organizations. This guidance should be adapted as appropriate to the scope, complexity and scale of the audit programme.This document concentrates on internal audits (first party) and audits conducted by organizations on their ex

46、ternal providers and other external interested parties (second party). This document can also be useful for external audits conducted for purposes other than third party management system certification. ISO/IEC 17021-1 provides requirements for auditing management systems for third party certificati

47、on; this document can provide useful additional guidance (see Table 1).Table 1 Different types of audits1stparty audit 2ndparty audit 3rdparty auditInternal audit External provider audit Certification and/or accreditation auditOther external interested party auditStatutory, regulatory and similar au

48、ditTo simplify the readability of this document, the singular form of “management system” is preferred, but the reader can adapt the implementation of the guidance to their own situation. This also applies to the use of “individual” and “individuals”, “auditor” and “auditors”.This document is intend

49、ed to apply to a broad range of potential users, including auditors, organizations implementing management systems and organizations needing to conduct management system audits for contractual or regulatory reasons. Users of this document can, however, apply this guidance in developing their own audit-related requirements.The guidance in this document can also be used for the purpose of self-declaration and can be useful to organizations involved in auditor training or personnel certification.The guidance in this document is intended to be flexib