AboutStandardsBlog ✦ AI AssessmentGet a Quote →

Remote ISO Audits — Best Practices for a Successful Certification

Remote and hybrid audits have become a permanent feature of ISO certification. This guide covers practical preparation strategies, technology requirements, and tips for ensuring a smooth audit experience.

CERTIFICATION 6 min read

The Rise of Remote Audits

The COVID-19 pandemic forced a rapid shift to remote auditing across the certification industry. What began as an emergency measure has since become an established and widely accepted practice. The International Accreditation Forum (IAF) formalised remote auditing through IAF MD 4:2018 (updated in 2021), which provides guidance on the use of information and communication technology (ICT) for audit and assessment activities.

Today, certification bodies routinely offer remote, on-site, and hybrid audit options. According to industry data, a significant proportion of ISO management system audits now include a remote component, and fully remote audits are common for organisations that operate primarily in digital environments.

For organisations seeking certification to standards such as ISO 27001, ISO 9001, ISO 22301, or ISO 42001, understanding how to prepare for a remote audit is essential to achieving a successful outcome.

IAF Guidance on Remote Auditing

The IAF's mandatory document MD 4 sets out the conditions under which remote auditing can be used. Key principles include:

  • Remote auditing is a valid method when it can achieve equivalent audit objectives to on-site methods
  • The decision to use remote methods must be risk-based, considering factors such as the complexity of the management system, the maturity of the organisation, and the nature of the activities being audited
  • Certain activities may still require on-site presence, such as the observation of physical processes, site tours, or verification of physical security controls
  • The auditor must be able to interact effectively with auditees and access all necessary evidence
  • Confidentiality and information security must be maintained throughout the remote audit process

Certification bodies assess on a case-by-case basis whether a full remote audit, a hybrid audit, or an on-site audit is appropriate. Organisations should discuss this with their certification body early in the planning process.

Preparing Documentation for a Remote Audit

Documentation preparation is arguably more critical for remote audits than for on-site audits, because the auditor cannot simply walk to a filing cabinet or ask to see a screen in person. Best practices include:

  • Centralise documentation: Ensure all policies, procedures, records, and evidence are accessible through a single platform or document management system. Cloud-based tools such as SharePoint, Confluence, or dedicated GRC platforms work well.
  • Organise by clause: Map documents to the relevant clauses of the standard being audited. Provide the auditor with an evidence matrix that links each requirement to the corresponding document, record, or screenshot.
  • Ensure version control: Auditors will check that documents are current and approved. Ensure version histories, approval signatures, and review dates are clearly visible.
  • Prepare screen recordings or screenshots: For evidence that is difficult to demonstrate live (such as system configurations, access control settings, or monitoring dashboards), prepare annotated screenshots or short recordings in advance.
  • Grant read-only access: Where possible, provide the auditor with read-only access to relevant systems so they can verify evidence independently. This speeds up the audit and demonstrates transparency.

Technology Requirements

Technical failures are one of the most common causes of disruption during remote audits. Invest in the following:

  • Reliable video conferencing: Use an enterprise-grade platform (Microsoft Teams, Zoom, or Google Meet) with screen-sharing capability. Test the connection, camera, and microphone before the audit.
  • Stable internet connection: Ensure bandwidth is sufficient for sustained video calls with screen sharing. Consider a wired ethernet connection rather than Wi-Fi for key participants.
  • Backup communication channel: Have a secondary platform or phone dial-in available in case of technical issues with the primary platform.
  • Secure file sharing: Use encrypted file-sharing mechanisms to transfer sensitive documents. Avoid emailing confidential records as unencrypted attachments.
  • Quiet, professional environment: Participants should join from a quiet space with appropriate lighting and minimal background distractions.

Common Pitfalls to Avoid

Based on our experience supporting organisations through hundreds of remote audits, these are the most frequent mistakes:

  • Insufficient preparation of evidence: Scrambling to find documents during a live video call wastes audit time and creates a poor impression. Pre-stage all evidence.
  • Too many participants in one session: Remote meetings become unwieldy with large groups. Limit attendance to the auditee, the relevant process owner, and a note-taker.
  • Failure to test technology: Do not assume that the conferencing platform and screen sharing will work flawlessly. Conduct a full technical rehearsal at least 48 hours before the audit.
  • Neglecting time zones: For multinational organisations, coordinate audit schedules across time zones early. Auditors and auditees who are fatigued or working at inconvenient hours produce suboptimal outcomes.
  • Ignoring information security: Remote audits involve sharing sensitive management system documentation over digital channels. Ensure that the platforms and methods used are consistent with your own information security policies.

The Hybrid Audit Approach

Many certification bodies now recommend a hybrid approach that combines remote and on-site activities. This model offers several advantages:

  • Document reviews, management interviews, and policy verification can be conducted remotely, saving travel time and cost
  • Physical site inspections, observation of operational processes, and verification of physical security controls are conducted on-site
  • The hybrid model reduces the overall on-site audit duration while maintaining the rigour of evidence collection

For ISO 27001 audits, a hybrid approach is particularly effective. The majority of ISMS documentation review and process interviews can be conducted remotely, while physical controls (server rooms, access control systems, clean desk compliance) are verified during a shorter on-site visit.

Tips for Audit Day

When the audit day arrives, these practices will help ensure a professional and efficient experience:

  • Open with an orientation: Brief the auditor on how the virtual audit room is set up, where documents are stored, and who will be available for each session.
  • Designate a coordinator: Appoint one person to manage the schedule, facilitate transitions between sessions, handle technical issues, and track any audit findings or observations in real time.
  • Be concise and direct: In a remote setting, clear and focused communication is more important than ever. Answer the auditor's questions directly and provide supporting evidence promptly.
  • Take notes: Document the auditor's questions, observations, and any areas flagged for follow-up. This will be invaluable when addressing nonconformities or opportunities for improvement.
  • Allow buffer time: Build 10–15 minutes of buffer between sessions to handle overruns, technical issues, or document retrieval.
  • Close with a summary: At the end of each day, confirm the status of the audit plan, review any open items, and agree on the schedule for the following day.

BALTUM's Remote Audit Process

BALTUM has extensive experience preparing organisations for remote and hybrid ISO audits. Our approach includes:

  • Pre-audit readiness assessment to identify documentation gaps and technical risks
  • Evidence matrix preparation, mapping all required evidence to standard clauses
  • Mock remote audit sessions to familiarise staff with the format and identify improvement areas
  • Technical setup verification, including platform testing and fallback planning
  • On-the-day support, with a BALTUM consultant available to assist with evidence retrieval and coordination

Whether you are approaching your first certification audit or preparing for a surveillance or recertification cycle, BALTUM can help ensure your remote audit runs smoothly. Contact us to discuss your audit preparation needs.