Home/Glossary
Knowledge Library · Reference
The ISO & audit glossary.
Every term you'll meet in a standard, an audit, or a certification quote — defined in plain language by the certified auditors at USQC. Terms marked Full entry link to complete explanations with worked examples.
A
- AccreditationFull entry
- Formal recognition by a national accreditation body (ANAB, UKAS, DAkkS…) that a certification body is competent to audit and certify. See the full entry under Certification vs Accreditation. Read more →
- AI Impact AssessmentFull entry
- Structured analysis of an AI system's consequences for people and society, required by ISO 42001. Read more →
- Annex A (ISO 27001)
- The reference catalog of 93 information security controls in ISO 27001:2022, organized into organizational, people, physical, and technological themes. Applied via the Statement of Applicability.
- Audit Criteria
- The set of requirements — standard clauses, policies, procedures, legal obligations — that audit evidence is compared against.
- Audit Evidence
- Records, statements of fact, or other verifiable information relevant to the audit criteria. Findings must rest on evidence, not impressions.
- Audit Programme
- The planned set of audits for a period (typically a year), scheduled by process importance and past results — not one giant annual audit by default.
- Audit Scope
- The boundaries of a given audit: locations, processes, activities, and time period covered.
C
- CAPAFull entry
- Corrective and Preventive Action — the legacy acronym for the corrective action process, still standard in FDA-regulated and medical device contexts. Read more →
- CertificationFull entry
- Third-party attestation, after audit, that an organization's management system meets a standard. Issued by an accredited certification body such as USQC. Read more →
- Certification BodyFull entry
- The independent organization that audits and certifies management systems, itself accredited against ISO/IEC 17021. Read more →
- Competence
- The demonstrated ability to apply knowledge and skills to achieve intended results. Standards require determining, achieving, and evidencing it — the training record is evidence, not the competence itself.
- Compliance Obligations
- ISO 14001's term for the legal requirements and voluntary commitments an organization must honor — maintained in a legal register and periodically self-evaluated.
- Context of the Organization
- Clause 4's requirement to determine the internal and external issues, and the needs of interested parties, relevant to the management system — the foundation everything else builds on.
- Continual Improvement
- The recurring activity of enhancing performance — the 'Act' in PDCA. 'Continual' (repeated cycles), not 'continuous' (unbroken), is the deliberate word choice.
- Corrective ActionFull entry
- Action that eliminates the cause of a nonconformity so it cannot recur — as opposed to correction, which fixes only the instance. Read more →
D
- Documented Information
- The 2015-generation umbrella term replacing 'documents and records': information the organization must control and maintain (documents) or retain as evidence (records).
E
- Environmental AspectFull entry
- An element of activities, products, or services that interacts with the environment. Paired with 'impact' — the change it causes. Read more →
G
- Gap Analysis
- The pre-implementation comparison of current practice against a standard's requirements, producing the work list for implementation. Not mandatory, but where every sensible project starts.
H
- HazardFull entry
- A source with the potential to cause injury or ill health. Distinct from risk — the likelihood and severity of that harm. Read more →
- Hierarchy of ControlsFull entry
- The mandated order of preference for reducing OH&S risk: eliminate, substitute, engineering controls, administrative controls, PPE last. Read more →
I
- Integrated Management System
- One management system satisfying multiple standards (e.g., 9001 + 14001 + 45001) with shared documents, audits, and reviews — enabled by the common high-level structure.
- Interested Party
- Anyone who can affect, be affected by, or perceive themselves affected by the organization: customers, workers, regulators, neighbors, suppliers. Their relevant needs feed the system's planning.
- Internal AuditFull entry
- The organization's own mandatory, planned, impartial check of its management system — the certification auditor's first stop. Read more →
- ISMS
- Information Security Management System — the managed framework of policies, risk processes, and controls defined by ISO 27001.
L
- Legal Register
- The maintained catalog of laws, regulations, permits, and commitments applying to the organization — central to ISO 14001 and 45001, and the requirement small firms most often underestimate.
- Life Cycle Perspective
- ISO 14001's requirement to consider environmental aspects across a product's life — raw materials to end-of-life — without mandating a full quantitative LCA.
M
- Major NonconformityFull entry
- The absence or total breakdown of a required system element, or a systemic pattern of failures. Blocks certification until resolved. Read more →
- Management ReviewFull entry
- Top management's mandatory periodic review of the system's performance, with prescribed inputs and decision outputs. Read more →
- Management System
- The set of interrelated elements — policies, objectives, processes — by which an organization directs and controls itself with respect to quality, environment, safety, security, or AI.
- Minor NonconformityFull entry
- An isolated lapse in an otherwise functioning system. Requires corrective action but does not block certification. Read more →
N
- NonconformityFull entry
- Non-fulfilment of a requirement — from the standard, your own system, or external obligations. The basic unit of audit findings. Read more →
- NCRFull entry
- Nonconformity Report — the documented finding: requirement, evidence, statement of nonconformity, and grade. Read more →
O
- Objective Evidence
- Verifiable data supporting a conclusion: records, observations, measurements. The currency of auditing.
- Observation
- An auditor's note of a situation that isn't a nonconformity but merits attention — often an early warning of one.
- OFI
- Opportunity for Improvement — auditor-identified potential to do better without any requirement being breached. Never mandatory to accept, usually wise to consider.
- Operational Control
- The planned measures — procedures, criteria, maintenance, contractor rules — that keep processes within their intended conditions. Clause 8 in every standard.
P
- PDCA
- Plan-Do-Check-Act: the improvement cycle underlying every ISO management standard's structure — clauses 4–7 plan, 8 does, 9 checks, 10 acts.
- Process Approach
- Managing work as interrelated processes with inputs, outputs, owners, and measures — rather than as departments or documents. Core ISO 9001 philosophy.
Q
- QMS
- Quality Management System — the ISO 9001 flavor of management system.
- Quality Objectives
- Measurable goals, consistent with the quality policy, set at relevant functions and levels, with plans for achieving them. 'Improve quality' is not one; 'reduce warranty returns 20% by Q4' is.
R
- Recertification AuditFull entry
- The full-system audit at the end of each three-year cycle that renews the certificate — broader than surveillance, usually lighter than the initial Stage 2. Read more →
- Residual Risk
- The risk remaining after controls are applied. It is explicitly accepted by accountable management — or treated further. Never zero.
- Risk AssessmentFull entry
- The systematic evaluation of what could go wrong, how likely, and how severe — feeding risk treatment decisions. Formal process required in 45001, 27001, 42001; proportionate approach in 9001/14001. Read more →
- Risk-Based ThinkingFull entry
- The 2015-generation requirement to identify and address risks and opportunities in planning — prevention built in up front, replacing 'preventive action'. Read more →
- Root Cause AnalysisFull entry
- Structured investigation past symptoms to the process condition that allowed a problem — 5 Whys, fishbone, Pareto. Read more →
S
- Scope (of Certification)
- The precise boundary of what a certificate covers — activities, products, sites. Read it before trusting any supplier's certificate; enterprises always do.
- Significant AspectFull entry
- An environmental aspect that, by the organization's own consistently applied criteria, has or can have a significant impact — the targets of the EMS. Read more →
- Stage 1 AuditFull entry
- The readiness review preceding certification: documentation, scope confirmation, and areas of concern. Read more →
- Stage 2 AuditFull entry
- The full on-site/remote audit of the operating system on which initial certification is decided. Read more →
- Statement of ApplicabilityFull entry
- ISO 27001's control-by-control declaration of what applies, why, and its status — the most examined document in an ISMS audit. Read more →
- Surveillance AuditFull entry
- The annual between-cycle audit verifying the certified system still operates and improves. Read more →
T
- Top Management
- The person or group directing the organization at the highest level. The standards assign them personal, non-delegable accountability for the management system.
- Transition Period
- The defined window (historically three years) after a standard's new edition during which old-edition certificates remain valid while organizations upgrade.
W
- Worker Participation
- ISO 45001's requirement for genuine involvement of non-managerial workers in safety decisions — consultation before decisions, participation in hazard identification, investigation, and policy.
Something missing?
This glossary grows with reader questions. If a term confused you in an audit or a quote, it belongs here.
Suggest a term