Category
Audit Preparation
Auditor expectations, nonconformities, stage 1/2 tips, surveillance readiness
ISO 37001 “Reasonable and Proportionate”: Why Uniform Controls Fail the Standard’s Own Test
Quick Answer: ISO 37001:2025 requires every anti-bribery control to be calibrated to documented bribery risk — not applied uniformly. “Reasonable and proportionate” is a design instruction: risk assessment…
Read article →
ISO 42001 Statement of Applicability and Impact Assessment: Two Errors That Survive Audit Preparation
Organisations building their first ISO/IEC 42001:2023 AI Management System are importing assumptions from ISO 27001 that do not transfer. Two structural errors reach Stage 2 audit preparation uncorrected:…
Read article →
ISO 22301 Clause 8.4: Why Plan-Centric BCMS Implementations Fail Under Exercise Testing
ISO 22301 Clause 8.4 requires business continuity plans built on BIA outputs and selected strategies. Organisations that start with the plan bypass the Clause 8 dependency chain and produce documents that fail under exercise testing.
Read article →
ISO 27001:2022 Clause 6.1.2: Why Your Carried-Forward Risk Assessment Methodology Is an Audit Liability
**Excerpt:** ISO 27001:2022 removed asset/threat/vulnerability as a normative prerequisite for risk identification. Organisations that carried their methodology forward without documenting the choice under Clause 6.1.2 now face a Major nonconformity risk at their next audit. (42 words)
Read article →
ISO 45001 Clause 4.2: Why Your Interested Parties Register Isn’t What the Standard Requires
Most ISO 45001 Clause 4.2 registers list workers and generic needs but never feed into objectives. This article traces the structural dependency from Clause 4.2 through worker consultation under 5.4 to objective-setting under 6.2 — and shows how to close the gap before auditors do.
Read article →
ISO 14001 Clause 6.1.2: Why Your Aspect Register’s Life Cycle Perspective Probably Stops Too Soon
Most ISO 14001 aspect registers cover site-boundary operations but omit upstream and downstream life cycle stages without documented rationale. Clause 6.1.2 requires documented consideration of every stage — exclusion needs written evidence, not silence.
Read article →
Your Risk Register Doesn’t Satisfy ISO 9001 Clause 6.1 — Here’s What Does
Most ISO 9001 risk registers list risks without changing anything downstream. Clause 6.1 conformance requires traceable integration into process controls and quality objectives — a gap ISO DIS 9001:2025 will make structurally visible.
Read article →
Your Internal Audit Programme Isn’t Risk-Based — And ISO 9001’s Revision Will Prove It
Most ISO 9001 audit programmes run fixed-rotation schedules with no risk-based frequency rationale. ISO DIS 9001:2025 adds defined per-audit objectives — exposing the structural gap. Here's how to rebuild before transition.
Read article →
IATF 16949 Clause 10.2.3: Why the #1 Nonconformity Keeps Coming Back
Clause 10.2.3 is the #1 IATF 16949 major nonconformity because root cause analyses stop at symptoms. Learn what audit-defensible submissions require — mechanism-level causes, objective evidence, systemic reviews, and updated pFMEAs.
Read article →
Why Your ISO 14001 Legal Register Fails Surveillance Audits
Static ISO 14001 legal registers generate linked nonconformities across Clauses 6.1.3 and 9.1.2. This article diagnoses why registers go stale, what auditors actually probe during surveillance, and how to rebuild before the next audit cycle.
Read article →
Your Hazard Analysis PRP Baseline Is Wrong — FSSC 22000 V7 Will Expose It
ISO 22002:2025 replaces the PRP baseline underpinning most ISO 22000 hazard analyses. When FSSC 22000 V7 mandates the new reference, every unreconstructed hazard analysis faces scope invalidation at the PRP–oPRP–CCP categorisation interface.
Read article →