ReadSafety.com
Home/Glossary
Knowledge Library · Reference

The ISO & audit glossary.

Every term you'll meet in a standard, an audit, or a certification quote — defined in plain language by the certified auditors at USQC. Terms marked Full entry link to complete explanations with worked examples.

A

AccreditationFull entry
Formal recognition by a national accreditation body (ANAB, UKAS, DAkkS…) that a certification body is competent to audit and certify. See the full entry under Certification vs Accreditation. Read more →
AI Impact AssessmentFull entry
Structured analysis of an AI system's consequences for people and society, required by ISO 42001. Read more →
Annex A (ISO 27001)
The reference catalog of 93 information security controls in ISO 27001:2022, organized into organizational, people, physical, and technological themes. Applied via the Statement of Applicability.
Audit Criteria
The set of requirements — standard clauses, policies, procedures, legal obligations — that audit evidence is compared against.
Audit Evidence
Records, statements of fact, or other verifiable information relevant to the audit criteria. Findings must rest on evidence, not impressions.
Audit Programme
The planned set of audits for a period (typically a year), scheduled by process importance and past results — not one giant annual audit by default.
Audit Scope
The boundaries of a given audit: locations, processes, activities, and time period covered.

C

CAPAFull entry
Corrective and Preventive Action — the legacy acronym for the corrective action process, still standard in FDA-regulated and medical device contexts. Read more →
CertificationFull entry
Third-party attestation, after audit, that an organization's management system meets a standard. Issued by an accredited certification body such as USQC. Read more →
Certification BodyFull entry
The independent organization that audits and certifies management systems, itself accredited against ISO/IEC 17021. Read more →
Competence
The demonstrated ability to apply knowledge and skills to achieve intended results. Standards require determining, achieving, and evidencing it — the training record is evidence, not the competence itself.
Compliance Obligations
ISO 14001's term for the legal requirements and voluntary commitments an organization must honor — maintained in a legal register and periodically self-evaluated.
Context of the Organization
Clause 4's requirement to determine the internal and external issues, and the needs of interested parties, relevant to the management system — the foundation everything else builds on.
Continual Improvement
The recurring activity of enhancing performance — the 'Act' in PDCA. 'Continual' (repeated cycles), not 'continuous' (unbroken), is the deliberate word choice.
Corrective ActionFull entry
Action that eliminates the cause of a nonconformity so it cannot recur — as opposed to correction, which fixes only the instance. Read more →

D

Documented Information
The 2015-generation umbrella term replacing 'documents and records': information the organization must control and maintain (documents) or retain as evidence (records).

E

Environmental AspectFull entry
An element of activities, products, or services that interacts with the environment. Paired with 'impact' — the change it causes. Read more →

G

Gap Analysis
The pre-implementation comparison of current practice against a standard's requirements, producing the work list for implementation. Not mandatory, but where every sensible project starts.

H

HazardFull entry
A source with the potential to cause injury or ill health. Distinct from risk — the likelihood and severity of that harm. Read more →
Hierarchy of ControlsFull entry
The mandated order of preference for reducing OH&S risk: eliminate, substitute, engineering controls, administrative controls, PPE last. Read more →

I

Integrated Management System
One management system satisfying multiple standards (e.g., 9001 + 14001 + 45001) with shared documents, audits, and reviews — enabled by the common high-level structure.
Interested Party
Anyone who can affect, be affected by, or perceive themselves affected by the organization: customers, workers, regulators, neighbors, suppliers. Their relevant needs feed the system's planning.
Internal AuditFull entry
The organization's own mandatory, planned, impartial check of its management system — the certification auditor's first stop. Read more →
ISMS
Information Security Management System — the managed framework of policies, risk processes, and controls defined by ISO 27001.

L

The maintained catalog of laws, regulations, permits, and commitments applying to the organization — central to ISO 14001 and 45001, and the requirement small firms most often underestimate.
Life Cycle Perspective
ISO 14001's requirement to consider environmental aspects across a product's life — raw materials to end-of-life — without mandating a full quantitative LCA.

M

Major NonconformityFull entry
The absence or total breakdown of a required system element, or a systemic pattern of failures. Blocks certification until resolved. Read more →
Management ReviewFull entry
Top management's mandatory periodic review of the system's performance, with prescribed inputs and decision outputs. Read more →
Management System
The set of interrelated elements — policies, objectives, processes — by which an organization directs and controls itself with respect to quality, environment, safety, security, or AI.
Minor NonconformityFull entry
An isolated lapse in an otherwise functioning system. Requires corrective action but does not block certification. Read more →

N

NonconformityFull entry
Non-fulfilment of a requirement — from the standard, your own system, or external obligations. The basic unit of audit findings. Read more →
NCRFull entry
Nonconformity Report — the documented finding: requirement, evidence, statement of nonconformity, and grade. Read more →

O

Objective Evidence
Verifiable data supporting a conclusion: records, observations, measurements. The currency of auditing.
Observation
An auditor's note of a situation that isn't a nonconformity but merits attention — often an early warning of one.
OFI
Opportunity for Improvement — auditor-identified potential to do better without any requirement being breached. Never mandatory to accept, usually wise to consider.
Operational Control
The planned measures — procedures, criteria, maintenance, contractor rules — that keep processes within their intended conditions. Clause 8 in every standard.

P

PDCA
Plan-Do-Check-Act: the improvement cycle underlying every ISO management standard's structure — clauses 4–7 plan, 8 does, 9 checks, 10 acts.
Process Approach
Managing work as interrelated processes with inputs, outputs, owners, and measures — rather than as departments or documents. Core ISO 9001 philosophy.

Q

QMS
Quality Management System — the ISO 9001 flavor of management system.
Quality Objectives
Measurable goals, consistent with the quality policy, set at relevant functions and levels, with plans for achieving them. 'Improve quality' is not one; 'reduce warranty returns 20% by Q4' is.

R

Recertification AuditFull entry
The full-system audit at the end of each three-year cycle that renews the certificate — broader than surveillance, usually lighter than the initial Stage 2. Read more →
Residual Risk
The risk remaining after controls are applied. It is explicitly accepted by accountable management — or treated further. Never zero.
Risk AssessmentFull entry
The systematic evaluation of what could go wrong, how likely, and how severe — feeding risk treatment decisions. Formal process required in 45001, 27001, 42001; proportionate approach in 9001/14001. Read more →
Risk-Based ThinkingFull entry
The 2015-generation requirement to identify and address risks and opportunities in planning — prevention built in up front, replacing 'preventive action'. Read more →
Root Cause AnalysisFull entry
Structured investigation past symptoms to the process condition that allowed a problem — 5 Whys, fishbone, Pareto. Read more →

S

Scope (of Certification)
The precise boundary of what a certificate covers — activities, products, sites. Read it before trusting any supplier's certificate; enterprises always do.
Significant AspectFull entry
An environmental aspect that, by the organization's own consistently applied criteria, has or can have a significant impact — the targets of the EMS. Read more →
Stage 1 AuditFull entry
The readiness review preceding certification: documentation, scope confirmation, and areas of concern. Read more →
Stage 2 AuditFull entry
The full on-site/remote audit of the operating system on which initial certification is decided. Read more →
Statement of ApplicabilityFull entry
ISO 27001's control-by-control declaration of what applies, why, and its status — the most examined document in an ISMS audit. Read more →
Surveillance AuditFull entry
The annual between-cycle audit verifying the certified system still operates and improves. Read more →

T

Top Management
The person or group directing the organization at the highest level. The standards assign them personal, non-delegable accountability for the management system.
Transition Period
The defined window (historically three years) after a standard's new edition during which old-edition certificates remain valid while organizations upgrade.

W

Worker Participation
ISO 45001's requirement for genuine involvement of non-managerial workers in safety decisions — consultation before decisions, participation in hazard identification, investigation, and policy.

Something missing?

This glossary grows with reader questions. If a term confused you in an audit or a quote, it belongs here.

Suggest a term