
ISO 19011:2026: What the Updated Audit Standard Means for Medical Device Manufacturers

ISO 19011:2026 embeds hybrid auditing, digital evidence management, and updated auditor competence across the audit lifecycle — what ISO 13485 and QMSR programs need to update.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
Published 2026-06-08 · Last reviewed 2026-06-08 · 18 min read

Why a New ISO 19011 Matters for Medical Device Audit Programs

On May 27, 2026, ISO published the fourth edition of ISO 19011 — Guidelines for auditing management systems, replacing the 2018 edition that has guided internal and supplier audit programs for nearly eight years. For medical device manufacturers operating under ISO 13485, the EU MDR/IVDR, or the FDA's new Quality Management System Regulation (QMSR), this revision deserves close attention — not because it rewrites audit fundamentals, but because it formally codifies how audits are actually conducted in 2026.

Since the COVID-19 pandemic accelerated the adoption of remote auditing, cloud-based quality systems, and digital evidence workflows, the gap between the 2018 guidance and real-world practice had grown wide. ISO 19011:2026 closes that gap. It embeds hybrid and remote auditing across the entire audit lifecycle, strengthens digital evidence and information security guidance, updates auditor competence expectations for a technology-enabled profession, and aligns terminology with the concurrent revisions of ISO 9001:2026, ISO 9000:2026, and ISO 14001:2026.

This article walks through what changed, what stayed the same, and — most importantly — what medical device QA managers, internal auditors, and regulatory affairs professionals need to do about it.

What ISO 19011 Is and How It Relates to ISO 13485 and QMSR

A Guidance Standard, Not a Requirement

ISO 19011 is a guidance standard, not a requirements standard. No organization is certified to ISO 19011, and no auditor audits against it directly. Instead, it provides internationally recognized best practices for planning, conducting, managing, and improving audits of management systems. It applies to first-party (internal) audits and second-party (supplier) audits in particular. Third-party certification audits are governed primarily by ISO/IEC 17021-1, which references ISO 19011 for technique and competence guidance.

The ISO 13485 Connection

ISO 13485:2016 does not mandate ISO 19011 compliance. Clause 8.2.4 (Internal Audit) references "audit principles" and requires organizations to define audit criteria, scope, frequency, and methods — but it does so in its own language. ISO 19011 appears in a note, not a normative requirement. That said, Notified Bodies, certification bodies, and experienced auditors widely regard ISO 19011 as the authoritative reference for how to structure an effective audit program. If your internal audit SOPs cite ISO 19011:2018, your Notified Body will expect those procedures to reflect current guidance.

The FDA QMSR Angle

Since February 2, 2026, the FDA's Quality Management System Regulation (QMSR) has incorporated ISO 13485:2016 by reference, replacing the former Quality System Regulation (QSR). FDA inspections are conducted under Compliance Program 7382.850, not under ISO 19011. However, the QMSR's internal audit requirements (drawn from ISO 13485 Clause 8.2.4) mean that the quality of your internal audit program is now directly visible to FDA inspectors — the former confidentiality safe harbor for internal audit reports under old 21 CFR 820.180(c) has been removed. A well-structured audit program aligned with current ISO 19011 guidance is a practical defense during inspection.

MDSAP and EU MDR/IVDR Relevance

Medical Device Single Audit Program (MDSAP) auditing organizations use ISO 19011 as a methodological reference. Under the EU MDR and IVDR, Article 10(9) requires manufacturers to maintain a QMS that includes reporting audit results to management. While neither framework mandates ISO 19011 directly, both expect audit programs to follow recognized good practice — and ISO 19011:2026 now defines what that looks like.

The Six Key Changes in ISO 19011:2026

The 2026 edition is a technical revision — an evolution, not a rewrite. The overall clause structure, the PDCA-style audit program model, and the fundamental approach to managing programs, conducting audits, and evaluating competence are all preserved. The changes are targeted at modernizing how audits are designed, delivered, and documented. Here are the six that matter most for medical device manufacturers.

1. Hybrid and Remote Auditing Embedded Across the Lifecycle

The single most significant change in ISO 19011:2026 is the formal integration of remote and hybrid auditing throughout the standard. In the 2018 edition, remote auditing was treated as a complementary approach — a special case acknowledged but not deeply integrated. The 2026 edition treats it as a structured and established audit methodology, woven into every stage:

  • Audit program design — Decisions about on-site, remote, or hybrid methods are made at the program level, based on risk, complexity, digital maturity, and the nature of activities being audited — not improvised per individual audit
  • Audit planning — Technology readiness, confidentiality, time zones, bandwidth, language requirements, and platform security are explicit planning inputs
  • Audit conduct — Guidance covers video walkthroughs, screen-sharing reviews of electronic records, remote interviews, and asynchronous evidence exchange
  • Audit reporting — Reports must now state which methods were used (on-site, remote, or hybrid) and any limitations on evidence collection

For medical device companies, this has direct implications. Many already conduct supplier audits of remote contract manufacturers using video conferencing. Internal audits of cloud-hosted document control systems, electronic batch records, or complaint handling databases are inherently remote activities. ISO 19011:2026 now provides structured guidance for making these decisions deliberately and documenting the rationale.

2. Virtual Locations and Digital Evidence Management

The 2026 edition strengthens the concept of virtual locations — environments where audited activities occur without a traditional physical presence, such as cloud-based QMS platforms, digital workflow tools, and online collaboration systems. The standard clarifies that the audit location is wherever information is available to the audit team, whether physical or virtual.

This is directly relevant for medical device manufacturers who increasingly run their quality systems on platforms like MasterControl, Veeva Vault, Greenlight Guru, or similar electronic quality management systems (eQMS). When your design history files, CAPA records, and management review minutes live in the cloud, the audit location is virtual by default.

The standard also expands guidance on digital evidence management:

  • Verifying the authenticity and integrity of electronic records (versioning, access logs, edit history)
  • Sampling strategies appropriate for large electronic datasets rather than paper-based records
  • Confidentiality and data protection when evidence crosses borders or is shared via collaboration platforms
  • Retention and disposal of audit evidence collected digitally, including screenshots and recordings
  • Recognizing that remote evidence collection may introduce additional limitations and uncertainties that auditors must consider when reaching conclusions

3. Information Security and Privacy

With remote access comes elevated information security risk. ISO 19011:2026 places significantly greater emphasis on protecting audit information in technology-enabled environments:

  • Remote access controls — How auditors connect to systems, what credentials they use, and how access is revoked after the audit
  • Privacy during video calls — Ensuring that confidential conversations and proprietary information visible in virtual walkthroughs are protected
  • Secure management of screenshots and recordings — Treating digital audit evidence with the same protection and control as traditional physical records
  • Data security across jurisdictions — Addressing cross-border data transfer implications when auditing multi-site organizations

For medical device companies handling patient data, proprietary design information, or trade secrets during audits, these requirements intersect with existing obligations under data protection regulations (GDPR in the EU, HIPAA in the US) and information security standards (ISO 27001, where applicable).
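As an added illustration of the digital evidence and information security points above (example code, not from the article, from ISO 19011, or from any eQMS vendor), the following Python keeps an integrity manifest for evidence captured during a remote or hybrid audit: each item is hashed at collection time together with the audit method and collector, the manifest is sealed so its digest can be quoted in the report, stored items are re-hashed before they are relied on, and items past a retention period are listed for disposal. The field names, the flat retention rule, and the sample items are this example's own assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta

METHODS = ("on-site", "remote", "hybrid")  # the methods the report must state


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    method: str        # one of METHODS
    collected_by: str
    collected_on: str  # ISO 8601 date
    sha256: str        # digest taken at the moment of capture


def new_manifest(audit_ref: str) -> dict:
    return {"audit_ref": audit_ref, "items": {}}


def register(manifest, item_id, description, method, collected_by, collected_on, data: bytes) -> str:
    """Record an evidence item (screenshot, export, recording) and hash it on capture."""
    if method not in METHODS:
        raise ValueError(f"unknown audit method: {method}")
    item = EvidenceItem(item_id, description, method, collected_by, collected_on,
                        hashlib.sha256(data).hexdigest())
    manifest["items"][item_id] = asdict(item)
    return item.sha256


def seal(manifest: dict) -> str:
    """Digest of the canonical manifest; quoting it in the audit report ties report to evidence."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify(manifest: dict, store: dict) -> dict:
    """Re-hash every stored item: 'ok', 'tampered' or 'missing' per item_id."""
    results = {}
    for item_id, rec in manifest["items"].items():
        data = store.get(item_id)
        if data is None:
            results[item_id] = "missing"
        elif hashlib.sha256(data).hexdigest() != rec["sha256"]:
            results[item_id] = "tampered"
        else:
            results[item_id] = "ok"
    return results


def due_for_disposal(manifest: dict, today: date, retention_days: int) -> list:
    """Item ids whose (assumed flat) retention period has elapsed."""
    due = []
    for item_id, rec in manifest["items"].items():
        if today - date.fromisoformat(rec["collected_on"]) >= timedelta(days=retention_days):
            due.append(item_id)
    return sorted(due)


def demo() -> dict:
    """Constructed sample evidence; none of it comes from a real audit."""
    store = {
        "EV-01": b"PNG-bytes-of-eQMS-CAPA-record-screenshot (constructed)",
        "EV-02": b"csv export: complaint_id,opened,closed\n1001,2026-01-10,2026-02-01\n",
        "EV-03": b"mp4-bytes-of-remote-walkthrough-recording (constructed)",
    }
    manifest = new_manifest("IA-2026-07")
    register(manifest, "EV-01", "CAPA-118 record view", "remote", "auditor.a", "2026-07-14", store["EV-01"])
    register(manifest, "EV-02", "Complaint trend export", "remote", "auditor.a", "2026-07-14", store["EV-02"])
    register(manifest, "EV-03", "Gowning walkthrough", "hybrid", "auditor.b", "2025-07-14", store["EV-03"])
    digest = seal(manifest)
    before = verify(manifest, store)
    # Simulate an edited export and a deleted recording between capture and report writing.
    store["EV-02"] = store["EV-02"].replace(b"2026-02-01", b"2026-01-20")
    del store["EV-03"]
    after = verify(manifest, store)
    disposal = due_for_disposal(manifest, date(2026, 7, 15), retention_days=365)
    return {"seal": digest, "before": before, "after": after,
            "disposal": disposal, "seal_stable": seal(manifest) == digest}
```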

4. Updated Auditor Competence Requirements

Clause 7 of ISO 19011 has been refreshed to reflect what auditors actually need to do well in 2026. Alongside the long-standing expectations around discipline knowledge, audit principles, and behavioral skills, the 2026 edition adds:

  • ICT proficiency — Competence in using video conferencing, screen-sharing, secure file exchange, and evidence capture tools
  • Digital evidence judgment — Knowing when remote evidence is sufficient and when on-site verification is required
  • Cultural and contextual awareness — Navigating communication challenges when auditing across geographies and time zones remotely
  • Information security awareness — Understanding data protection requirements when handling digital evidence
  • Continuing professional development — CPD must explicitly include new audit methods and digital techniques, not only technical updates to the management system standard being audited

The standard also references a broader range of technologies that auditors should be aware of, including cloud platforms, data analytics tools, and even drones and automated systems for certain types of observation.

5. Strengthened Risk-Based Audit Program Design

Risk-based thinking was introduced as an audit principle in ISO 19011:2018. The 2026 edition makes its application more concrete across three levels:

  • Audit program level — Risk inputs should demonstrably shape scope, frequency, depth, and method selection across the annual or multi-year audit program
  • Individual audit level — Each audit's plan should reflect a documented risk assessment that justifies the chosen approach
  • Audit technique level — The choice between on-site observation, remote document review, virtual interview, or hybrid combination should be a risk-informed decision, not a default

For medical device manufacturers, this reinforces the expectation that your audit program should prioritize high-risk processes — sterile manufacturing, software lifecycle activities, complaint handling, CAPA effectiveness, supplier oversight of critical components — and allocate audit resources accordingly. It also means that the decision to audit a sterile manufacturing process on-site while reviewing document control remotely should be documented and justified, not assumed.

6. Alignment with the 2026 Standards Family and Climate Context

ISO 19011:2026 has been edited to align cleanly with ISO 9001:2026, ISO 14001:2026, and the refreshed vocabulary in ISO 9000:2026. Terms used across the audit lifecycle now match the language of the requirements standards, which reduces interpretation drift between auditor and auditee. This alignment also supports combined and integrated audits across multiple management system disciplines.

The standard also reflects the climate change considerations introduced through the 2024 ISO Climate Action Amendment, which added climate context requirements to several management system standards. While climate change is not a dominant theme in ISO 19011 itself, auditors may now encounter it as a contextual issue when auditing organizations certified to ISO 14001:2026 or ISO 9001:2026.

Additionally, the new Annex A.16 provides expanded guidance on remote auditing methodology, drawing on content from ISO/IEC TS 17012:2024, which addresses conditions, opportunities, limitations, feasibility assessment, platform security, and contingency planning for technology failure during remote audits.


What Has NOT Changed

Understanding what remains the same is as important as understanding what changed. ISO 19011:2026 preserves:

  • The seven principles of auditing — Integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach are all retained. The wording has been tightened and clarified, but the principles themselves are unchanged
  • The overall clause structure — Scope, principles, managing an audit program (Clause 5), conducting audits (Clause 6), and evaluating competence (Clause 7) remain in place
  • Its status as guidance — ISO 19011 is still not a certifiable standard and does not contain auditable requirements
  • Its applicability to first-party and second-party audits — with third-party certification audits continuing to be governed by ISO/IEC 17021-1
  • Core audit methodology — Planning, opening meetings, evidence collection, closing meetings, reporting, and follow-up remain the fundamental activities

Organizations running disciplined audit programs based on ISO 19011:2018 do not need wholesale redesign. The foundation is intact; the modernization sits on top of it.

Actionable Impact Assessment: What to Update in Your Audit SOPs

Based on the changes above, here is a practical breakdown of what medical device manufacturers should and should not change in their quality system documentation.

No Changes Needed

  • Your overall internal audit process structure and reporting workflows
  • Core audit program methodology (risk-based scheduling, nonconformity grading, CAPA linkage)
  • High-level auditor qualification frameworks (education, experience requirements)
  • Your ISO 13485 quality manual references to internal auditing

Updates Worth Making

If your internal audit and supplier audit SOPs reference ISO 19011, consider these five practical modifications:

1. Update the ISO 19011 edition reference in your SOPs

Change any citation of ISO 19011:2018 to ISO 19011:2026. This is a simple documentation update that signals your program follows current guidance.

2. Add remote and hybrid audit method selection criteria

Update your audit planning procedure to include explicit criteria for selecting on-site, remote, or hybrid approaches. Define when each method is appropriate, what risks must be considered, and who approves the method selection. For medical device companies, this typically means:

  • On-site is expected for: sterile manufacturing verification, physical product inspection, warehouse and storage area walkthroughs, calibration laboratory observation
  • Remote may be appropriate for: document review, training record verification, management review output assessment, complaint trending analysis, supplier questionnaire follow-up
  • Hybrid is appropriate for: multi-site audits where some locations are cloud-operated, supplier audits of primarily document-driven processes, re-audits following corrective action verification

3. Update audit report templates

Add fields to your audit report template that capture:

  • The audit method used (on-site / remote / hybrid) for each audited process
  • The virtual locations accessed (eQMS platforms, cloud systems)
  • How digital evidence was obtained and its integrity verified
  • Any limitations encountered due to the audit method

This is especially important under the QMSR, where FDA inspectors may now request and review your internal audit reports.

4. Strengthen information security provisions in your audit procedures

Add guidance on:

  • How auditors connect to electronic systems (VPN, secure portals, temporary access credentials)
  • Handling of screenshots and recordings (when permitted, how stored, when destroyed)
  • Confidentiality agreements for remote auditors accessing proprietary systems
  • Data protection requirements when audit evidence crosses borders

5. Revise auditor competence and training requirements

Update your auditor competency matrix to include:

  • ICT proficiency requirements (specific tools your organization uses for remote audits)
  • Digital evidence evaluation skills
  • Remote interviewing techniques
  • Cultural awareness for global audit teams
  • CPD requirements that explicitly include remote and hybrid audit training

Remote and Hybrid Auditing: Practical Considerations for Medical Device Audits

Feasibility Assessment

Before selecting a remote or hybrid approach, assess the following:

  • Nature of the process: Does this process require physical observation (e.g., manufacturing floor), or can it be verified through documented information (e.g., document control)?
  • Digital maturity: Are the auditee's records fully electronic? Can the auditor access the eQMS remotely with appropriate permissions?
  • Evidence reliability: Can digital evidence be authenticated? Are there version controls, access logs, and audit trails in the system?
  • Information security: Are there data protection constraints (patient data, proprietary designs) that limit remote access?
  • Technology readiness: Do both parties have adequate bandwidth, hardware, and software? Is there a contingency plan if the technology fails?
  • Regulatory expectations: Does the applicable regulatory framework (FDA, MDR, MDSAP) impose any constraints on remote auditing for this type of audit?

What Works Well Remotely in Medical Device Audits

  • Document and record review (SOPs, work instructions, forms, completed records)
  • Training record and competency file verification
  • Management review input and output assessment
  • Complaint and CAPA trending analysis
  • Supplier questionnaire follow-up interviews
  • Design control documentation review (design plans, inputs, outputs, reviews, verification/validation reports)
  • Software documentation review (IEC 62304 lifecycle artifacts)

What Usually Requires On-Site Verification

  • Sterile barrier and packaging process observation
  • Cleanroom environmental monitoring verification
  • Manufacturing equipment calibration and maintenance status
  • Physical product inspection and traceability walkthroughs
  • Warehouse, storage, and handling area verification
  • Receiving inspection activities involving physical goods
  • Any process where the auditor needs to observe operator technique directly

Contingency Planning

ISO 19011:2026 Annex A.16 emphasizes the need for contingency plans when technology fails during a remote audit. For medical device manufacturers, this means your audit planning should address:

  • What happens if the video connection drops during a critical process walkthrough
  • How to reschedule or convert to on-site if digital evidence cannot be adequately verified
  • Backup communication channels (phone, alternative video platform)
  • Documented criteria for aborting a remote session and escalating to on-site

Auditor Competence: What to Add to Your Training Program

For Internal Auditors

Update your internal auditor training curriculum to include:

  • Remote audit methodology — How to plan, conduct, and close a remote audit, including opening and closing meeting formats
  • Digital evidence techniques — How to request, receive, verify, and store electronic evidence; how to use screen-sharing to walk through an eQMS
  • Remote interviewing skills — How to conduct effective interviews via video conference, manage time zone differences, and read non-verbal cues through a screen
  • Information security basics — Understanding VPN, secure file transfer, access controls, and data protection requirements applicable to audit evidence
  • Technology platform proficiency — Hands-on practice with the specific tools your organization uses (Zoom, Teams, Webex, secure file portals)

For Lead Auditors and Audit Program Managers

In addition to the above, lead auditors and program managers should receive training on:

  • Risk-based method selection — How to assess which processes can be audited remotely and which require on-site presence
  • Hybrid audit design — How to structure an audit that combines remote document review with on-site verification across multiple locations
  • Audit program governance — Updated expectations for ensuring program integrity, preventing undue influence, and engaging in continual professional development
  • Cross-cultural auditing — Awareness of communication differences when auditing international suppliers or remote teams

CPD Expectations

ISO 19011:2026 recommends that all auditors undertake continuing professional development that includes new audit methods. The Chartered Quality Institute (CQI) and International Register of Certificated Auditors (IRCA) have confirmed that ISO 19011 underpins all their auditor training and certification schemes, and that certificated auditors are expected to update their knowledge in line with the 2026 revision. For medical device internal auditors, this is a good benchmark to adopt in your own training program.

Timeline: When to Transition Your Audit Program

Unlike management system requirements standards such as ISO 9001 or ISO 13485, ISO 19011 does not have a formal transition period. As a guidance standard, organizations and auditors may begin applying the new guidance immediately upon publication. There is no grace period and no certification deadline.

In practice, most medical device manufacturers should aim to update their audit program documentation within the following timeframe:

  • Obtain and review ISO 19011:2026: June – July 2026
  • Gap assessment against current SOPs: July – August 2026
  • Update audit procedures and templates: August – September 2026
  • Update auditor competence criteria and CPD requirements: September – October 2026
  • Deliver updated auditor training (internal and lead auditors): October – December 2026
  • First audits conducted under updated procedures: Q1 2027

This timeline aligns well with typical annual audit program cycles. Organizations with MDSAP audits or Notified Body surveillance audits in the second half of 2026 may want to accelerate documentation updates to avoid auditors noting that their ISO 19011 references are outdated.

Notified Body and MDSAP Expectations

While Notified Bodies and MDSAP Auditing Organizations will not audit you against ISO 19011 directly, they may reference it when evaluating the adequacy of your internal audit program. Updating your procedures proactively demonstrates that your quality system follows current best practice.

Summary Checklist

Use this checklist to track your transition to ISO 19011:2026:

Documentation Updates

  • Update all ISO 19011 references in SOPs from 2018 to 2026 edition
  • Add remote/hybrid method selection criteria to your audit planning procedure
  • Update audit report template to capture method, virtual locations, and evidence verification approach
  • Add information security provisions to audit procedures (remote access, screenshots, recordings, data protection)
  • Revise audit program risk assessment to address technology and method risks

Auditor Competence

  • Update internal auditor competency matrix to include ICT proficiency, digital evidence handling, and remote interviewing
  • Add remote and hybrid audit training to your auditor training curriculum
  • Update CPD requirements to explicitly include digital audit methods
  • Train lead auditors and program managers on risk-based method selection and hybrid audit design

Operational Readiness

  • Assess your organization's digital audit readiness (eQMS access, video conferencing, secure file exchange)
  • Develop contingency plans for technology failure during remote audits
  • Review information security controls for audit-related remote access
  • Confirm that supplier audit agreements allow for remote and hybrid approaches where appropriate

Regulatory Alignment

  • Ensure audit reports meet QMSR expectations for documentation and record availability
  • Confirm that remote audit methods are consistent with MDSAP and Notified Body expectations
  • Brief management on the updated standard and its implications for the audit program

Sources and Further Reading

  • ISO 19011:2026, Guidelines for auditing management systems. Published May 27, 2026. Available from ISO (iso.org/standard/19011) and national standards bodies such as BSI, DIN, and ANSI.
  • ISO/IEC TS 17012:2024, Conformity assessment — Guidance on remote audit methods. Referenced in ISO 19011:2026 Annex A.16 for expanded remote audit methodology.
  • ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 8.2.4 establishes internal audit requirements.
  • ISO/IEC 17021-1, Conformity assessment — Requirements for bodies providing audit and certification of management systems. Governs third-party certification audits.
  • CQI/IRCA Briefing Note on ISO 19011:2026, published by the Chartered Quality Institute, May 2026. Describes implications for IRCA-certificated auditors.
  • BSI Knowledge listing for BS EN ISO 19011:2026, summarizing major updates including remote auditing, virtual locations, auditor competence, and data security (knowledge.bsigroup.com).
  • FDA QMSR, 21 CFR Part 820, effective February 2, 2026. Incorporates ISO 13485:2016 by reference. FDA Compliance Program 7382.850 governs inspection methodology.