ISO 19011

If you run internal audits at a food plant, you are already using ISO 19011, whether you have read it or not. It is the international standard behind every credible audit program, yet almost everything written about it speaks to generic quality managers in factories that could be making anything from bolts to insurance policies. None of it tells you how the standard applies when the thing you are auditing is a food safety system with allergens, CCPs, and an FDA inspector who might show up next week.

This guide fixes that. You will get a clear definition, what changed in the brand-new 2026 edition, the seven audit principles in plant-floor terms, the audit process step by step, and a direct mapping from ISO 19011 to your SQF, BRCGS, and FSSC 22000 internal-audit requirements. By the end, you will know how to run your internal audits the ISO 19011 way and why doing so keeps you ready for both your GFSI certification body and FSMA verification.

What Is ISO 19011?

ISO 19011 is the international standard that provides guidance on how to audit a management system. It covers how to plan and run an audit programme, conduct individual audits, and judge whether an auditor is competent. Think of it as the playbook for auditing, not a checklist of things your facility must do.

The most important thing to understand is that ISO 19011 is guidance, not a requirement. You are never certified to ISO 19011, and no auditor will issue you a certificate against it. Instead, it is the method your team uses to run the internal audits that standards like SQF, BRCGS, and FSSC 22000 require, and the same method that prepares you for the external audits those schemes put you through. It comes from the same global standards-setting world that gives food manufacturers the FAO/WHO Codex Alimentarius food standards, so the rigor it asks for will feel familiar to anyone inside a GFSI scheme.

Is ISO 19011 a Certification? (No, and Why That Matters for Food Plants)

There is no such thing as "ISO 19011 certified," and any vendor or consultant who tells you otherwise has misunderstood the standard. Because it is guidance, it carries no requirements you can be audited against and no certificate to earn. ASQ's overview of ISO 19011 makes the same point: it is a how-to document that sits alongside the certifiable standards rather than competing with them.

For a food plant, that distinction is freeing. You do not have to "comply" with ISO 19011. You use it as the recognized method for making your required internal audits mean something, so your findings hold up when a certification body or the FDA looks at them.

What's the Current Version? ISO 19011:2026

The current version is ISO 19011:2026, the current edition of the standard, published in May 2026 as the fourth edition. It supersedes the 2018 version, and because the standard is guidance rather than a certifiable requirement, there is no transition period. It takes effect on publication. Any audit program you build or refresh from here on should reference the 2026 edition, not the older PDFs still floating around the web.

What's New in ISO 19011:2026 (and Why Food Auditors Should Care)

The 2026 release is a technical revision rather than a rewrite. The seven audit principles, the plan-do-check-act audit-programme model, and the overall structure all stay the same, so if you already run audits the 2018 way, you are not starting over. The revision modernizes the parts of auditing that have changed most in practice.

For food manufacturers, two updates stand out, and both point where your industry has already been moving: digital, remote, evidence-driven auditing.

Remote and Hybrid Auditing Is Now the Default

The 2026 edition expands its guidance on remote and hybrid auditing, drawing on the technical specification ISO/IEC TS 17012 and a broader Annex A. Remote auditing is now treated as a normal mode of working, not an emergency workaround, with clearer direction on auditing "virtual locations," verifying evidence you cannot physically touch, and combining on-site and remote activities into one audit.

For a multi-site processor or anyone running a supplier audit program, this matters. You can credibly audit a co-manufacturer's documentation, records, and CAPA system remotely, then reserve on-site time for what genuinely requires eyes on the floor, such as sanitation, segregation, and pest control.

Digital Evidence and Information Security

The second headline change is the formal recognition of digital and electronic evidence. The 2026 edition addresses auditing through collaborative platforms, videoconferencing, cloud systems, and electronic records, and raises the bar on auditor competence to include digital-tool fluency and information-security awareness. An auditor now needs to assess an electronic record's integrity, not just flip through a binder.

This is exactly where food manufacturing has been heading. When your monitoring logs, CCP records, and corrective actions live in a system rather than on paper, your auditor needs to trust they are complete, time-stamped, and tamper-evident. The 2026 edition assumes that world, which makes the case for getting your records out of spreadsheets and inboxes stronger than ever.

2018 to 2026 at a Glance

For the official scope of the prior release, see the 2018 edition, and for a plain-language breakdown of the revision, the CQI's summary of the 2026 revision is a useful reference.

ISO 19011:2026 makes digital, electronic evidence the new normal for auditing. If your audit records still live in binders and inboxes, that shift is a lot harder. See how Allera keeps every audit record controlled, versioned, and instantly retrievable.

See how Allera handles document control

The 7 Principles of Auditing, Translated for the Plant Floor

ISO 19011 is built on seven principles that define good auditing. Most explainers list them as abstract virtues. Here is what each one actually means when the system you are auditing is a food safety plan and the evidence is a sanitation record.

Why the Risk-Based Principle Matters Most in Food

The seventh principle, the risk-based approach, maps most naturally onto how food safety already works. It tells you to direct audit effort toward where the risk is greatest rather than auditing everything with equal intensity. That is the exact logic behind hazard analysis: you put your controls where the hazards are.

If you already think in terms of HACCP principles, risk-based auditing will feel like home. You schedule more frequent, deeper internal audits around allergen control, CCP monitoring, and sanitation, and lighter touches on lower-risk areas.

The ISO 19011 Audit Process, Step by Step

ISO 19011 organizes auditing into a clear sequence: manage the overall programme, plan and conduct each individual audit, report and follow up on findings, and maintain auditor competence. Here is how each stage looks in a food facility.

Managing the Audit Programme

The audit programme is your annual plan for all internal audits across the plant. Using the risk-based principle, you decide what gets audited, how often, and in what depth, then schedule it across the year so nothing falls through the cracks. A good programme covers every element of your food safety system at least annually, with high-risk areas hit more frequently. This is also where you assign auditors, define scope and criteria, and keep the program aligned with your certification scheme. Building it well is the foundation of how to build and run a food safety internal audit program that holds up under scrutiny.

Planning and Conducting an Individual Audit

Each individual audit follows a recognizable arc. You open with a brief meeting to confirm scope and logistics, gather objective evidence through three methods (observing the operation, interviewing the people doing the work, reviewing records), then close with a meeting to summarize what you found before anything is written up.

The discipline here is objectivity: you collect evidence against defined criteria, not hunting for people to blame or rubber-stamping a line because it looked busy. This is the methodology that powers all food safety audits (all types), from a quick GMP walkthrough to a full system audit.

Reporting Findings, Corrective Action, and Follow-Up

Findings get classified, usually as conformities, nonconformities, or opportunities for improvement. Each nonconformity then moves through a structured response: identify the root cause, define corrective action, implement it, and verify it actually closed the gap before you mark it done. Closed-out findings feed your management review so leadership sees the real state of the system.

This loop is where most paper-based programs fall apart. A finding gets written on a form, the form gets filed, and three months later nobody can prove the corrective action was ever verified. ISO 19011 expects you to track findings to genuine close-out, which is far easier when the trail is digital.

Auditor Competence and Evaluation

The standard puts real weight on auditor competence. A qualified internal food-safety auditor needs knowledge of your products and processes, familiarity with the applicable standards, the personal skills to interview people and reach evidence-based conclusions, and independence from the area they audit.

The 2026 edition adds a new dimension: digital-evidence skills. An auditor now needs to be comfortable assessing electronic records and using remote-audit tools, not just reading paper. Evaluating and developing your auditors against these criteria is part of running the programme, not an afterthought.

ISO 19011 vs ISO 9001 vs ISO 22000 (Clearing Up the Confusion)

These three standards get mixed up constantly, partly because they share the "ISO" prefix and partly because they all touch auditing. The difference is simple: one tells you how to audit, and the other two set requirements you can be certified against.

ISO 19011 is the auditing method, while ISO 9001 and ISO 22000 are things you audit against. For food manufacturers, the certifiable standard that matters most is ISO 22000, the food safety management standard, which forms the base of FSSC 22000 Version 6. You would use ISO 19011 to run the internal audits that ISO 22000 and FSSC 22000 require.

ISO 19011 and Your GFSI Scheme (SQF, BRCGS, FSSC 22000)

Every Global Food Safety Initiative (GFSI) scheme requires you to conduct internal audits, but none tell you in detail how to run them well. That is the gap ISO 19011 fills. The scheme tells you that you must audit; ISO 19011 tells you how to audit in a way that produces credible, defensible results.

This is the connection almost no one writes about, and it is where ISO 19011 becomes genuinely practical for food teams. Here is how the standard lines up with the major schemes.

Whichever scheme you certify to, the pattern is the same. The scheme sets the obligation, and ISO 19011 gives you the credible way to meet it. If you are preparing for a specific scheme, our guides on the SQF audit, the BRC audit, SQF certification, and BRCGS certification walk through how those requirements play out in practice.

ISO 19011 and FSMA Verification

ISO 19011 is not US regulation, and following it is not legally required. But the way it runs an audit lines up neatly with what the FDA expects under the Food Safety Modernization Act, which makes it a practical compliance tool.

The Internal Audit as a Verification Activity

Under FDA's Preventive Controls for Human Food rule, you are expected to verify that your preventive controls are working and to reanalyze your plan periodically. A well-run internal audit, conducted the ISO 19011 way, is one of the most effective verification activities you have. It checks that your controls are not just written down but actually operating, and it generates the objective evidence verification demands.

Tying your internal audit program to your food safety plan means each audit doubles as a verification checkpoint, confirming your preventive controls hold up and documenting that confirmation in a way the FDA recognizes.

The Records the FDA Expects

FSMA is explicit about recordkeeping. 21 CFR Part 117's recordkeeping requirements under Subpart F lay out what you must keep and be able to produce, and verification records sit squarely inside that scope. Your audit findings, corrective actions, and close-out evidence are exactly the records an investigator will ask to see.

This is where ISO 19011's emphasis on evidence and follow-up pays off twice. The same disciplined trail that satisfies your GFSI auditor also satisfies an FDA records request, provided you can retrieve it on demand.

What a Food-Safety Internal Audit Actually Covers

ISO 19011 gives you the method, but the scope of a food-safety internal audit is specific to your operation. A complete program touches every layer of your food safety system across the year.

Prerequisite Programs and GMPs

Your prerequisite programs and good manufacturing practices are the foundation, and they get audited regularly: sanitation, pest control, personnel hygiene, maintenance, and the general condition of the facility. These are also the areas an external auditor scrutinizes hardest, so your internal audits of GMP in the food industry need to be honest and thorough.

HACCP and the Food Safety Plan

The core of the audit is your hazard analysis and the controls built on it. You verify that CCPs are being monitored, that critical limits are correct and respected, and that monitoring records are complete. Auditing your HACCP plan confirms the system you designed on paper is the system actually running on the floor.

Records, Document Control, and the Wider FSMS

Auditors live in the evidence trail. They check that records exist, that documents are current and controlled, and that the whole food safety management system hangs together. Gaps in document control, such as an out-of-date work instruction or a missing record, are among the most common nonconformities, and entirely preventable.

ISO 19011 Audit Checklists and Templates (Where to Start)

A practical, ISO 19011-aligned food audit checklist does five things on every line: it names the scope being audited, states the criteria, captures the objective evidence, records the finding, and links to any corrective action. That structure keeps your audits consistent and your findings defensible, which is the whole point of the standard.

You do not need to build one from scratch. Allera maintains ready-made starting points you can adapt to your facility:

• The GMP audit checklist (free template) for prerequisite and facility audits
• The SQF audit checklist (free template) for SQF-specific internal audits
• A practical walkthrough of how to prepare for an SQF audit (and pass it), where the internal audit is the main prep mechanism

Running ISO 19011 Audits Without the Spreadsheet Scramble

The method ISO 19011 describes is sound. The problem is almost never the method. It is that most teams try to run a risk-based, evidence-driven, fully-tracked audit program out of spreadsheets, email threads, and binders, then scramble every time an audit nears.

Scheduling and Risk-Based Frequency in One Place

The audit programme only works if it is actually managed. When your schedule, scope, and frequency live in one system, risk-based scheduling stops being a once-a-year guess and becomes something you can see and adjust. High-risk areas get the cadence they need, and nothing slips because it was buried in a tab nobody opened.

Digital Evidence, Findings, and CAPA Built for the 2026 Way of Auditing

This is exactly where the 2026 edition is pointing. When findings, evidence, and corrective actions are captured electronically and tracked to close-out, you get the traceable, tamper-evident record that ISO 19011:2026 now expects. Strong document control means a finding can never be written and then quietly lost, and every corrective action has a verified close-out you can produce on demand.

Continuous Readiness vs. the Pre-Audit Panic

The biggest payoff is the shift from panic to readiness. When your audit program runs continuously in a system, you are not assembling evidence the week before your certification body arrives. You are audit-ready every day, which is how a mature food safety and quality assurance (FSQA) function operates.

A good audit methodology is only as good as the system that runs it. Allera schedules your audits, hosts your checklists, captures findings, and tracks every corrective action to close-out, turning the ISO 19011 process into something you actually run rather than rebuild.

Explore Allera's food quality management software

Run Your Internal Audits the ISO 19011 Way, Without the Spreadsheets

ISO 19011 is the closest thing food manufacturing has to a universal method for auditing well, and the 2026 edition only made it more relevant by formalizing remote auditing and digital evidence. Used properly, it turns your required internal audits into genuine verification, keeps your SQF, BRCGS, and FSSC 22000 findings credible, and produces the records FSMA expects.

Allera turns that method into a living program: risk-based scheduling, digital checklists, electronic evidence, and corrective actions tracked to close-out, so you stay audit-ready every day, on the current 2026 standard.

See how Allera keeps you audit-ready