Audit Focus Areas Under ISO 28000 for 2026 (and Beyond)

-by Dr. IJ Arora

In this article on ISO 28000:2022, “Security and resilience—Security management systems—Requirements,” I want to emphasize the audit focus areas for the standard, based on what 2025 revealed and what auditors must prioritize in 2026 and beyond. This focus will allow organizations registered to the standard to go from mere compliance to resilience, leading to more secure supply chains.

The year 2025 can be seen as a watershed moment for supply chain security management systems. Global supply chains were subjected not to one dominant crisis, but to a convergence of pressures: geopolitical instability, regulatory fragmentation, cyber intrusion, logistics disruption, and heightened stakeholder scrutiny. For organizations certified to ISO 28000, and for auditors charged with assessing conformity, this past year exposed an uncomfortable truth: Many supply chain security management systems were compliant in form, but brittle in practice.

As we look toward 2026 and beyond, ISO 28000 audits must evolve to meet these challenges. Organizations should not wait for audits to ensure continual improvement, act on risks, and explore opportunities for improvement. The fact of the matter, however, is that nonconformities drive corrective actions, so audits play an important part in providing inputs at the check stage of the plan-do-check-act (PDCA) cycle. The question is no longer whether organizations have established a supply chain security management system, but whether that system is capable of sensing change, absorbing shocks, and adapting under stress. ISO 28001, as the supporting guidance standard, provides a valuable lens through which this shift can be framed, particularly in relation to risk assessment, security planning, and operational controls.

Lessons learned

Audits in 2025 surfaced the focus areas that will define credible, value-adding ISO 28000 audits going forward. Four key lessons learned follow.

Lesson 1: Risk assessments were static in a dynamic threat environment

Audits conducted during 2025 repeatedly identified a reliance on periodic, document-driven risk assessments. Although these assessments were often well structured and aligned with ISO 28000's requirements for security risk assessment and planning, they frequently failed to reflect rapidly changing threat conditions.

ISO 28001 emphasizes that risk assessment should be an ongoing process, responsive to changes in threat, vulnerability, and consequence. In practice, however, many organizations treated risk reviews as annual or biennial events, disconnected from real-time intelligence, incident trends, or geopolitical developments.

The lesson for auditors was clear: conformity to the process was present, but the intent of continual risk awareness was not fully realized.

Lesson 2: Limited visibility beyond tier 1 suppliers

A second consistent audit finding in 2025 was the narrow scope of supplier security controls. Organizations could demonstrate security requirements for direct suppliers yet had little understanding or assurance of security practices deeper within the supply chain.

ISO 28001 explicitly recognizes the need to consider the full supply chain, including subcontractors and service providers, when establishing security plans and controls. Despite this guidance, audits revealed that supplier evaluation mechanisms often stopped at contractual clauses, with minimal follow-up, verification, or performance monitoring.

Security incidents originating in tier 2 or tier 3 suppliers highlighted the inadequacy of superficial supplier controls and reinforced the need for more robust assurance mechanisms.

Lesson 3: Cyber risks were poorly integrated into supply chain security

Although ISO 28000 is not a cybersecurity standard, 2025 audits increasingly revealed that cyber vulnerabilities were among the most significant enablers of supply chain disruption. Cargo tracking systems, access control platforms, vendor portals, and logistics planning tools were all identified as potential attack vectors. The harmonized structure was meant to make an integrated management system approach the answer to this, but organizations generally did not integrate ISO 28000 and ISO 28001 with ISO/IEC 27001:2022, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements.”

ISO 28001 encourages organizations to consider all relevant threats to the supply chain, including those affecting information and communication systems. Yet audits frequently found a disconnect between physical security management and information security governance, with limited coordination between security and IT functions.

This gap did not necessarily result in formal nonconformities, but it raised serious questions about the effectiveness of the overall security management system.

Lesson 4: Business continuity planning lacked supply chain realism

Many organizations could demonstrate alignment with business continuity frameworks and, in some cases, certification to ISO 22301:2019, “Security and resilience—Business continuity management systems—Requirements.” However, audits in 2025 showed that supply chain-specific disruption scenarios were rarely tested.

ISO 28001 stresses the importance of preparedness and response planning based on realistic threat scenarios. Yet exercises involving port closures, border restrictions, supplier insolvency, or regulatory intervention were the exception rather than the rule. The result was a gap between documented preparedness and demonstrated capability, one that became increasingly visible to experienced auditors.

Actions to consider

Based on these lessons from 2025, I think the audit focus areas for 2026 and beyond should consider the following five actions.

Action 1: Going from risk identification to risk intelligence

From 2026 onwards, auditors will need to place greater emphasis on how organizations maintain the ongoing validity of their risk assessments. Clause 4 of ISO 28000, supported by ISO 28001 guidance, implicitly requires organizations to monitor changes that could affect supply chain security risks. Audits should therefore examine:

  • The use of internal and external intelligence sources
  • Defined triggers for risk reassessment
  • Evidence that changes in risk lead to timely management action

The audit question is shifting from “Do you have a risk assessment?” to “How do you know your risk assessment reflects today’s reality?”

Action 2: Supplier security assurance, not just evaluation

ISO 28001 provides detailed guidance on supplier security planning, including differentiation based on criticality and risk exposure. In 2026, audits will increasingly probe how supplier security requirements are implemented, monitored, and enforced. Key audit considerations will include:

  • Supplier segmentation and prioritization
  • Proportionate security controls
  • Evidence of supplier audits, self-assessments, or performance reviews
  • Corrective action and escalation when requirements are not met

Supplier security must be demonstrable and sustained, not assumed.

Action 3: Integration of cyber and physical security controls

Auditors should expect to see clearer alignment between ISO 28000 systems and information security frameworks such as ISO/IEC 27001. ISO 28001 supports this integration by recognizing information flow and system integrity as essential elements of supply chain security. Audit focus areas will include:

  • Identification of cyber-enabled supply chain risks
  • Coordination between security and IT incident response
  • Protection of logistics data, tracking systems, and access controls

Although ISO 28000 audits will not become cyber audits, unmanaged cyber dependencies will increasingly undermine audit confidence.

Action 4: Testing, exercises, and demonstrated preparedness

In 2026 and beyond, documented plans will carry less weight without evidence of testing. ISO 28001 places strong emphasis on preparedness, response, and recovery capabilities. Therefore, auditors should look for:

  • Scenario-based exercises relevant to the organization’s supply chain
  • Participation by relevant internal and external stakeholders
  • Lessons learned and system improvements following exercises

Preparedness is best demonstrated through practice, not paperwork.

Action 5: Governance and leadership accountability

A notable trend emerging from late 2025 audits was increased attention to top management involvement. ISO 28000 requires leadership commitment, and ISO 28001 reinforces the importance of governance in sustaining effective security management. Audits in 2026 will increasingly examine:

  • Management review outputs related to supply chain security
  • Resource allocation decisions
  • Evidence of board or senior leadership awareness of key risks

Implications and conclusions

Supply chain security is no longer solely an operational concern; it is a matter of organizational governance. Therefore, implications for auditors and organizations are twofold.

First, for auditors, the coming years will demand deeper understanding of risk dynamics, supply chain complexity, and the convergence of physical and digital threats. Checklist-based auditing will be insufficient where resilience and adaptability are the true measures of effectiveness.

Second, for organizations, ISO 28000 should be repositioned as a strategic risk management framework. Investment in intelligence, supplier assurance, and realistic testing will not only support certification outcomes but also strengthen operational resilience.

In conclusion, I would say 2025 taught us that supply chain security management systems fail not because organizations lack procedures, but because those procedures are not designed for volatility. As we move into 2026 and beyond, ISO 28000 audits must therefore measure more than conformity—they must assess resilience.

ISO 28001 provides the guidance needed to make this transition. The challenge for both auditors and organizations is to apply that guidance with realism, discipline, and strategic intent.

The above article was recently featured in an Exemplar Global publication, ‘The Auditor’.

Procedure, Work Instruction, or Flowchart?

-by Dr. IJ Arora

The choice between writing a procedure or a work instruction is an essential decision when designing a management system. Clause 4.4.1 of ISO 9001:2015 (and the corresponding clause 4.4 of every ISO management system standard using the harmonized structure) requires the establishment and implementation of a management system. This management system will have procedures and work instructions and, further down the hierarchy, checklists and forms.

Processes can be realized in many forms. Today, mapped processes make it easy to visualize how a process functions. The distinction between these document types matters in quality management systems based on ISO 9001, and equally in sector-specific standards such as those for maritime or aerospace management. Many organizations struggle with when to write a procedure, when to write a work instruction, and how and when a flowchart should be used.

I think the core difference between a procedure and a work instruction is that a procedure answers the question, “What happens and who does it?” A procedure defines the process, its purpose, its sequence (clause 4.4.1b), and who is responsible for the work, perhaps as process owners (clause 4.4.1e). It answers what is to be done, when it must be done, who is responsible, and why it matters. The flowchart then helps visualize the inputs and outputs that flow between the steps.

What is a procedure and how is it used?

A procedure does not tell someone how to do a task; it simply describes the steps or stages necessary to accomplish it. I think of the procedure as the blueprint of the workflow. Therefore, I would recommend using the procedure when multiple people or departments are involved, when there is decision-making or sequencing, when the process crosses functional boundaries, and when documenting the process supports consistency, audits, or training. The procedure is also best when regulatory bodies expect clearly defined processes.

What is a work instruction and how is it used?

On the other hand, a work instruction shows stakeholders how exactly a task is to be accomplished. A work instruction “goes into the weeds” to the extent required by the workforce (depending on their confidence, competence, knowledge, and so on). It describes specific methods, often at a deep level of detail. It answers questions such as:

  • “How do I perform this task?”
  • “What tools, equipment, settings, forms, and/or software steps are required?”
  • “What are the acceptance criteria?”
  • “What do I check and how do I measure performance?”

Remember, work instructions are intended to be simple, direct documents for use by the workforce. Use them when:

  • A task requires technical, step-by-step details
  • Training new personnel
  • Incorrect execution can create quality or safety risks
  • Standardization is essential
  • Variation in execution must be eliminated

What is a flowchart and how is it used?

Flowcharts can technically be used to support both procedures and work instructions, but I generally recommend their use in conjunction with procedures. This helps make the procedure visual by mapping the 50,000-foot view of a process. A flowchart is ideal when the process has multiple decision points, parallel paths, several departments interacting, and inputs/outputs that must be made clear. The flowchart helps avoid the confusion that can come when procedures are described in long paragraphs. Flowcharts make complex processes easy to understand immediately. I therefore believe in flowcharting a procedure when the process needs high-level clarity, the sequence matters, when an organization wants to show interactions between departments, when it supports risk-based thinking, and when you want to simplify training for new personnel.

Flowcharts work best for document control, nonconformance and corrective action processes, purchasing and supplier management, production scheduling, quality inspection and testing flows, and change management processes (as seen in clauses 5.3e, 6.3, 8.2.4, 8.3.6, and 8.5.6). Flowcharts do not replace work instructions; they complement them.

Final thoughts

To sum up how these tools work together, the practical document hierarchy an organization could consider starts with the policy (and why that policy exists), moves into the documented procedure (preferably supported by a flowchart) to convey what happens and in what order, and then crafts work instructions to clarify how to carry out specific tasks. Finally, records and forms provide evidence that the work was performed.

All this should connect as a system: a flowcharted procedure describes the process, a work instruction explains each critical task, and the documented information provides traceability. Performance monitoring (clause 9) can be documented via procedures, work instructions, and flowcharts.


Note – The above article was recently featured in an Exemplar Global publication ‘The Auditor’. 

Hope Is Never A Plan

Wishful thinking is fine, but it rarely achieves positive results in professional settings. The best path to reach a desired outcome is to implement a structured, process-based management system. It is not a guarantee of success, but if implemented by competent and motivated teams, such a system allows the organization to produce conforming products and services and embrace continual improvements.

I often hear from leadership about their faith in the power of hope, but my experience tells me that hope is never a plan. For those who believe in hope, my advice is to base it on a well-designed management system. There is no need to re-invent the wheel. ISO standards exist for management teams to use.

In organizations of every size, across industries and borders, there is often an invisible reliance on hope. Leaders hope customer complaints will decline. Managers hope processes will perform as intended. Teams hope risks won’t materialize.

Hope can inspire, but it cannot control outcomes. It is not a strategy, and it is certainly not a plan. In contrast, a good management system transforms that hope into structured action, measurable results, and continual improvement.

A Better Way

At my organization, we have long stressed (and said) “Hope is never a plan.” The plan—the real plan—is embedded in the process-based management approach that underlies ISO 9001 and other international standards. This approach replaces uncertainty with understanding and reactivity with resilience.

The problem with hope as a strategy is that there is no plan. In times of uncertainty—economic shifts, market volatility, supply chain disruptions—many organizations fall back on hope as a substitute for planning.

However, in my experience, success is built upon the foundation of a process-based management system. Remember the wise words of Deming: “A bad system will beat a good person every time.” The process approach, central to ISO 9001 and mirrored in ISO 14001, ISO 45001, and numerous other ISO standards, recognizes that results come from well-managed processes.

The journey from wishful thinking to structured management is embodied in the process approach, which was first formalized in ISO 9001:2000 and reinforced in ISO 9001:2015. The standard recognizes that consistent, predictable results arise from well-defined and managed processes, not from chance. In particular, sub-clause 4.4 of ISO 9001:2015 requires organizations to establish, implement, maintain, and continually improve a management system, including the processes needed and their interactions.

Where hope says, “Let’s see how it goes,” a process-based system asks:

  • What inputs are required, and what outputs are expected?
  • Who is responsible for the process?
  • What resources and controls are necessary?
  • How will we measure performance?

This thinking moves an organization from reacting to problems to controlling the variables that create success. Rather than managing departments or reacting to problems, organizations use the process approach to:

  • Define interrelated processes that deliver outputs valuable to customers and stakeholders (sub-clause 4.4.1).
  • Identify inputs, activities, and controls within each process (sub-clause 4.4.1).
  • Establish measurable objectives and performance indicators (sub-clauses 6.2 and 9.1.3).
  • Use data and analysis to drive decisions.

This approach replaces hope with evidence, accountability, and continual improvement.

Plan, Do, Check, Act (PDCA) and the Importance of Leadership

The PDCA cycle implies planning as the basis for turning vision into reality. Clause 6, “Planning,” emphasizes the transformation of organizational context (sub-clauses 4.1 and 4.2) and risks (sub-clause 6.1) into actionable objectives and opportunities for improvement:

  • Risks and opportunities (not just reacting to issues)
  • Resources and competence needed to achieve results
  • Process interactions that maintain flow and consistency
  • Measurable outcomes that guide continual improvement

In this framework, hope is replaced by proactive thinking, i.e., identifying what could go wrong and preparing responses before it happens. This is far superior to a reactive approach. Of course, in the initial functioning of the management system, any nonconformances (NCs) found will drive corrective action. However, once data accumulate (from closed NCs and other monitoring and analysis), those data will reveal risks and trends and enable a proactive system.

Leadership plays a very important part in the success of an organization. From slogans to systems, true leadership is not about motivational statements but about embedding systems that work even when leaders aren’t watching.

Leaders demonstrate commitment by:

  • Integrating the management system into business strategy (sub-clause 5.1.1c)
  • Promoting process ownership and accountability
  • Ensuring alignment of policies (sub-clause 5.2), objectives (sub-clause 6.2), and actions

A strong system outlives individual personalities—it ensures the organization runs effectively on principles, not just people. What employees learn during their work life at the organization is captured as lessons learned and forms the organization’s corporate knowledge (sub-clause 7.1.6).

Continual improvement (sub-clause 10.3) is the antidote to complacency. Even good systems fail if they stop evolving. ISO’s process-based model ensures continual improvement through:

  • Audits and reviews that identify gaps and inefficiencies
  • Corrective actions that prevent recurrence
  • Performance metrics that inform decision making

Hope says, “Things will get better.” A good management system says, “Here’s how we’ll make them better—and how we’ll know it worked.”

Conclusion

My advice to leaders is to replace hope with a system. Every organization faces uncertainty, but those that succeed do not count on hope—they rely on structured management, clear processes, and evidence-based decisions. Leadership is responsible for maintaining customer focus (sub-clause 5.1.2), understanding customer requirements and associated risks, having thorough knowledge of their products, and carefully selecting vendors.

Uncertainty and hazards must not be passed to employees, users, or other stakeholders. Instead, they should be converted into manageable and low-impact risks. Those risks can then be addressed and/or converted into opportunities for improvement.

In an uncertain world, replacing hope with a system is a must. Hope may be emotionally comforting, but it is operationally dangerous. A good management system, based on ISO 9001’s process approach, gives structure to intention and reliability to performance. It enables organizations to anticipate risks, seize opportunities, and deliver consistent value. It creates confidence among customers, regulators, and employees that the organization is not merely hoping for success—it is planning, executing, and improving toward it.

The above article was recently featured in ‘The Auditor’, an Exemplar Global publication

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Cost-Benefit Analysis: ROI of ISO 9001 Registration for U.S. Manufacturers

For some U.S. manufacturers, registration to ISO 9001 raises one question: “Is it worth the investment?” In other words, how can an organization maximize the benefits of ISO 9001 registration and convert them to a solid return on investment (ROI)?

Analyzing ROI

A consideration of costs and benefits must be included in an ROI analysis to allow manufacturers to make good decisions about ISO 9001 registration. Calculating the value of an effective quality management system (QMS) must include integrating quality and the overall management of the organization (as seen in clause 5.1.1 of ISO 9001). This would include the costs and payoffs that create the real ROI of ISO 9001 registration.

Mere compliance to the language of the standard is not enough; what is required is that ISO 9001 registration leads to competitive advantage. The intent for any manufacturer is to boost efficiency and revenue. In this new environment, where a considerable amount of manufacturing is being re-shored to the United States, ISO 9001 registration matters more than ever. Registration to ISO 9001 is worth it if it brings a clear ROI, such as cash in the bank in the form of cost savings or revenue increases. The answer lies in understanding the ROI that comes from building a strong QMS based on ISO 9001 or other relevant industry-specific standards such as AS9100.

There is no free lunch. In other words, there are costs associated with ISO 9001 registration. Therefore, manufacturers should budget for:

  • Consulting and training. Staff must be prepared to align processes with the requirements of ISO 9001.
  • System development. This may include documenting procedures, implementing software, and updating workflows.
  • Certification audits. Certification bodies (CBs) require fees for initial certification and surveillance audits.
  • Time and resources. These may include employee hours spent on training, process improvements, and audits.

Costs vary depending on company size and can run from tens of thousands of dollars for small factories to much more for large, multi-site operations. The good news is that the benefits of working systematically using a process-based management system (as per clause 4.4.1 of ISO 9001) drive the ROI, as the system implementation reduces waste and other production inefficiencies.

Although there can be significant upfront costs, the benefits of ISO 9001 registration often compound over time. These can include operational efficiency through streamlined processes that reduce waste, downtime, and rework, leading directly to lower production costs. Customer confidence and market access improve as the manufacturer consistently produces conforming products and services. Many U.S. manufacturers find ISO 9001 and/or relevant industry-specific standards to be a “ticket to entry” for bidding on contracts, especially in sectors such as automotive, aerospace, and military/defense.

Reducing Risk

Documented processes and corrective action systems reduce the likelihood of costly failures or recalls. Employee engagement improves, resulting in highly motivated teams working within clearly defined roles. Appropriate training oriented toward competency (as seen in clause 7.2 of ISO 9001) reduces errors and boosts productivity. Continual improvement is an added benefit of ISO 9001 as the implementation of the standard promotes a culture of ongoing improvement, helping companies stay competitive in fast-changing markets.

The ROI of ISO 9001 registration can be assessed by comparing costs against measurable gains such as:

  • Reduced scrap/rework = cost savings
  • Improved on-time delivery = fewer penalties and more repeat orders
  • Access to new markets/contracts = increased revenue
  • Enhanced reputation = long-term customer retention

Example: If a manufacturer spends $50,000 on registration but reduces rework costs by $80,000 and gains $200,000 in new contracts, that is $280,000 of benefit against $50,000 of cost, and the ROI is clear and compelling.

Then there is the real-world impact. Studies of certified manufacturers commonly report that those achieving ISO 9001 registration experience:

  • 5–15% cost savings from efficiency gains
  • Revenue growth due to market access
  • Improved customer satisfaction scores, leading to stronger long-term partnerships

Final Thoughts

Initially, ISO 9001 registration may seem like a simple expense. But when viewed as an investment, the ROI to be found in ISO 9001 registration becomes clear. It brings improved efficiency, stronger customer trust, and measurable financial gains. For U.S. manufacturers competing in global markets, the payoff often far outweighs the cost.

The above article was recently published in an Exemplar Global publication ‘The Auditor’.

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Internal vs External Audits: What Every Business Owner Should Know

The Strategic Importance of Audits for Business Owners

Audits are more than compliance checks; they are strategic tools that provide insights into performance, risk, and improvement opportunities. Engaged business leaders use audit results to drive better decision-making and long-term success. When conducted well, audits give leadership insight into where it may have to re-prioritize or allocate resources, where policies may be in conflict, what is working well, and where the system needs leadership intervention.

What Are Internal and External Audits?

Internal Audits: Performed by or for the organization to check its own processes. These may be process audits or full system audits.

External Audits: These could be supplier audits (second party) or certification or regulatory audits (third party). Third-party audits are conducted by an independent certification body or regulator to verify conformity with standards.

Internal and external audits differ in breadth and depth, depending on their scope and objective.


Why External Audits Should Be Taken Seriously

External audits affect certification, reputation, and client confidence. A successful external audit demonstrates credibility and reliability.

Tip: Be prepared, be honest, and see auditors as partners in your improvement journey.

How to Prepare for Both Audits

  • Keep documentation current
  • Review and close previous findings
  • Train staff on audit processes
  • Conduct mock audits
  • Engage leadership in the audit process

Conclusion:

ISO audits and their findings are not to be feared. They are valuable tools for identifying weaknesses and driving continual improvement. With the right mindset and preparation, audits can move beyond mere compliance and become a core part of your strategic growth. Organizations that stay audit-ready show that they are not only compliant but also committed to excellence.

About the Author

Dr. Julius is a Senior Consultant at QMII with over 25 years of experience in ISO and aerospace quality systems. He has trained and guided hundreds of U.S. defense contractors on AS9100 and compliance, turning certification into a competitive advantage.

How to Retain Auditor Training Knowledge When You Can’t Apply It Immediately 

Completing an auditor training course is an exciting milestone. You walk away with frameworks, methodologies for creating checklists, audit questioning techniques, and, if you’re like most professionals, a head buzzing with new knowledge. Ideally, you’d jump right into an audit and apply your skills, reinforcing what you’ve learned while it’s still fresh. But what if that opportunity doesn’t come right away?

At QMII, we recognize this common challenge among our alumni. Let’s explore effective strategies to bridge the gap between training and practice—so that knowledge doesn’t fade but instead becomes a solid foundation for your future audit work. 

1. Simulate Real-World Scenarios 

Action: Design mock audits for yourself or with peers. 

Even without access to an organization’s system, you can simulate an audit process by reviewing publicly available quality manuals, environmental reports, or sample procedures, including your own. Pretend you’re preparing for an audit: write an audit plan, create checklists, list the additional documentation you would request, and practice conducting document reviews.

Tip: Use scenarios from your training or past experience and ask yourself: 

  • What would I ask as an auditor? 
  • What evidence would I seek? 
  • What risks could be present? 

2. Start a Learning Journal 

Action: Reflect on key concepts, standards clauses, and audit techniques by writing them down in your own words. 

Journaling isn’t just for reflection; it’s a brain-anchoring technique. When you write out what you remember and how you would apply it, you’re reinforcing the neural pathways tied to that knowledge.

Include: 

  • Summaries of ISO clause requirements. 
  • How you would handle nonconformities. 
  • Sample nonconformities from your own organization, together with your assessment of them and of the effectiveness of the corrective actions taken.

3. Teach Others What You Learned 

Action: Participate in knowledge-sharing sessions. 

There’s no better way to solidify your understanding than teaching others. Reach out to other auditors in your organization and discuss the applicability and interpretation of a clause. Participate in and contribute to discussions in LinkedIn forums. Search the web for interpretations of clauses and note how they differ from one practitioner to another.

Bonus: You’re also building your credibility and visibility as an auditor. 

4. Stay Active in the QMII Alumni Network 

Action: Engage with blog articles and LinkedIn posts, ask questions, and share insights.

QMII’s alumni network offers a treasure trove of experience. Staying engaged keeps you in the loop on best practices and might even lead to mentoring or shadowing opportunities. React to blogs written by QMII, contribute articles to the QMII blog, comment on QMII posts, and connect with QMII alumni.

Don’t hesitate to: 

  • Ask others how they’re maintaining their skills. 
  • Request mock audit partnerships. 
  • Share resources and templates you’ve created. 

5. Continue the Learning Loop 

Action: Sign up for webinars, read audit case studies, and revisit your course materials regularly. 

Audit skills are built not just on knowledge, but on judgment, observation, and communication. You can sharpen these even while waiting for your first official audit assignment. 

Suggested activities:

  • Attend QMII webinars or ISO updates. 
  • Subscribe to quality-focused newsletters. 
  • Read ISO audit case studies and identify what went wrong—and why. 

6. Request to Observe Internal Audits 

Action: If you’re part of an organization, ask to shadow an experienced auditor. 

Even if you’re not leading, observing an audit helps you internalize the structure, flow, and behavioral nuances of auditing. Jot down observations on auditor behavior, techniques, and interaction styles. Create your own checklists and then compare them to the one prepared by the lead auditor. Discuss the differences after the audit.

If your organization doesn’t have an active program, this is a great opportunity to propose starting one—a value-added initiative from a proactive auditor-in-training. 

Final Thoughts: Don’t Let the Gap Become a Gully 

Skills fade when left idle, but they flourish with even light engagement. Whether it’s through simulation, teaching, journaling, or community interaction, there are numerous ways to keep your audit knowledge sharp and ready. 

At QMII, we believe that continual improvement isn’t just for organizations; it’s a personal practice. Stay connected, stay curious, and keep that audit mindset active until your next assignment arrives.

Have your own tips for retaining training knowledge? 
Join the conversation by commenting on this blog or drop us a line; we’d love to feature your story!

Three Steps to Reducing Human Error in Your System

Reducing Human Error in Your System

As believers in the process-based system approach to management systems, QMII encourages organizations during their root cause analysis to ask not “who” but “how” and “why” the system failed the individual. Human errors primarily occur because the system has failed. Sure, there is a human element to the process, but it is only when the system is assessed that the organisation will look beyond merely training the individual yet again or firing them. This has the added benefit of truly instilling a no-blame culture, because blaming an individual is not going to change the results.

The individual in question may be replaced, but unless you assess the adequacy of the system that deemed the person competent, the change of personnel may not lead to improvements.
Where the potential for human error is identified as a risk, the organisation can also choose to put mistake-proofing in place to reduce the possibility of the individual making errors. In conclusion, when human error occurs, organisations should address both aspects: identifying the system failure and mistake-proofing the system.

QMII President & CEO Dr. IJ Arora presented on the topic “Three Steps to Reducing Human Error in Your System.” The free webinar was positively received by participants from various industries.

Mapping the sequence and interaction of processes

ISO 9001 training is a great starting point for those who do not have a good understanding of the ISO 9001 standard and are looking to implement it within their organization. The standard provides the framework for implementing a quality management system and defines requirements around the plan-do-check-act framework. ISO 9001 is also the basis for many other ISO standards, such as ISO 13485 and IATF 16949.

ISO 9001 places responsibility on the leadership to take accountability for the effectiveness of the system. In order to start the system implementation, the standard asks organizations to define the context of the organization. What is context? It is the business environment within which an organization operates, and it consists of various aspects that may impact the continuity of the organization’s operations. ISO 9001 training will provide inputs into how a SWOT analysis or a PESTLE analysis may be used to define the context. The analysis accounts for economic, technological, legal, and other aspects that may impact the business if not accounted for and acted upon. The context also accounts for internal aspects that may pose a risk, such as the non-availability of competent personnel or loss of knowledge.

Once the context and the needs of the stakeholders are defined, the organization needs to clearly state the purpose of its business and how it achieves it. This includes documenting the sequence and interaction of its processes. This is a great exercise for an organization to bring leadership on board, and for leadership to gain clarity on how the business runs. At QMII, this is referred to as the core process. In order to capture this core process, the leadership and executive team must be present. Top management provides the objective of the process, or their vision for the business. ISO 9001 training is a great method to introduce leadership to their role in the system and what is expected of them per the standard.

The remaining executive team helps the leadership map out the remaining processes of the system that enable the organization to meet the vision of the leadership. The team must clearly be able to see where interactions take place between the different departments for each key process to achieve its goal and be successful. Once all the key processes are identified, they can be mapped in further detail with the help of the process owners. QMII’s ISO 9001 training includes a lecture on developing a process-based management system that covers how to map the core process of your organization.
Once the different departments can see how they contribute as a team to the goals and vision of the organization, the quality management system will be better implemented; working in silos has never helped any organization.