Systematically identify, evaluate, treat & monitor risks and opportunities across management systems

Apply evidence-based audit reasoning, materiality-focused prioritisation & structured audit test planning

Plan and conduct effective audit interviews, use structured questioning, and guide conversations to obtain reliable audit evidence

Formulate evidence-based audit findings, structure clear audit reports, and verify the effective closure of agreed actions

Design & govern risk-informed audit programmes, decide when audits should be combined or kept separate across standards, harmonise group-level structures, and structure programme-level reporting

Plan and conduct supplier audits using contract-based criteria, defined evidence targets & disciplined audit documentation

Navigate accreditation, the certification ecosystem, the audit lifecycle, impartiality boundaries & certification decision interfaces

Core concepts in preventive controls, including access management, cryptography, secure configuration & protective design

Core concepts in detective & corrective controls, including logging, monitoring, incident response, backup & recovery

Core AI concepts, AI system types, AI agents, and the technical building blocks behind modern AI-enabled products and services

AI uncertainty, limitations & common failure modes across predictive and generative AI systems

Privacy roles, obligations & controls in organisations, aligned with common national and international data protection requirements

Assess whether organisational context, interested parties, scope and system boundaries credibly reflect how the organisation operates

Assess whether leadership commitment, policy direction & governance structures credibly steer the management system

Assess whether risk and opportunity management credibly informs organisational decisions and priorities

Assess whether documented information is fit for use, internally consistent and credible as audit evidence

Assess whether objectives and KPIs credibly measure and steer organisational performance

Assess whether operational controls and process interactions work reliably in day-to-day practice

Assess whether supplier and outsourced process controls manage risk effectively and achieve intended outcomes across organisational boundaries

Assess whether internal audit and related assurance mechanisms cover risk credibly and provide meaningful assurance

Assess whether management review credibly steers organisational priorities, risks & improvement

Assess whether corrective action addresses nonconformities effectively and whether continual improvement strengthens performance beyond nonconformity response

Evaluate whether customer requirements are defined, agreed, controlled and traceable from commitment through delivery in an ISO 9001 QMS

Assess controls, validation and effectiveness in product and service design & development against ISO 9001 requirements

Assess whether production & service provision are controlled, monitored and capable of delivering consistent outcomes in an ISO 9001 QMS

Evaluate asset-threat-vulnerability logic, risk treatment decisions, and traceability to controls and the Statement of Applicability

Evaluate control applicability, implementation evidence & common failure patterns across ISO/IEC 27001 Annex A control themes

Evaluate harm, impact & risk reasoning, intended use alignment, and decision traceability in ISO/IEC 42001

Evaluate lifecycle and data governance controls across data sourcing, training, validation, deployment, monitoring, and change in ISO/IEC 42001

Assess whether environmental aspects are identified, significance is judged credibly, and lifecycle perspective is applied in an ISO 14001 EMS

Assess whether environmental operational controls and emergency preparedness work effectively within an ISO 14001 management system

Assess whether business impact analyses produce credible recovery priorities and recovery objectives in an ISO 22301 BCMS

Evaluate whether continuity strategies, operational readiness and exercising provide credible recovery capability in an ISO 22301 BCMS

Evaluate whether privacy risk assessments and DPIAs produce credible risk understanding and prioritisation in an ISO/IEC 27701 PIMS

Evaluate whether privacy controls are implemented effectively and applied consistently across personal data processing activities