ISO 18788 certification is a third-party confirmation that an organization’s Security Operations Management System conforms to ISO 18788:2015. The standard applies to organizations that conduct or contract security operations, and it gives them a structured framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving those operations. ISO’s current catalog shows the 2015 standard remains current and that Amendment 1:2024 applies to it.
This page is about company certification, not individual training credentials. ISO publishes the standard, but ISO does not issue certificates. Certification is carried out by external certification bodies, and in this market, the credibility of that route matters a lot because accepted and accredited certification is often part of the buyer’s due diligence process.
Why does it matter? Because ISO 18788 is not just about process neatness. The standard ties security operations to risk management, accountability to law, respect for human rights, and consistency with voluntary commitments. That makes it commercially useful for organizations that need to prove operational discipline to clients, procurement teams, and external stakeholders.
ISO 18788:2015 is the standard. A SOMS is the management system that the standard specifies. Certification is the independent audit of that management system. ISO describes the SOMS as the framework used to run security operations in a controlled, reviewable, and improvable way. In other words, the certificate applies to the organization’s system for managing security operations, not to a person and not to ISO itself.
At the practical level, a SOMS is the structure behind how a security organization governs policies, roles, operational controls, incident handling, legal obligations, stakeholder expectations, and continual improvement. That is why the standard matters to buyers. They are not only asking whether security work gets done. They are asking whether it gets done through a system that is governable and auditable. That reading of buyer expectations is an inference grounded in the standard’s stated scope and management-system design.
ISO 18788 certification is for private security companies, contractors managing security operations, and organizations that either perform security services directly or outsource them and still need auditable governance over how those operations are controlled. ISO’s scope is explicit on that point: it applies to organizations conducting or contracting security operations.
In real buying terms, the strongest fit is usually one of these:
That is where ISO 18788 stops being theoretical and becomes commercially relevant.
The standard matters because it helps translate responsible security operations into something a client, regulator, or procurement team can actually assess. ISO’s own abstract links the standard to professional security operations, accountability to law, respect for human rights, and consistency with voluntary commitments. Intertek also positions ISO 18788 alongside PSC.1 as a credible framework for organizations conducting or contracting security operations.
For most buyers, the value shows up in a few places:
Not a wall of theory. Not a slogan. They are looking at whether the SOMS is real, operating, and supported by evidence. In practical terms, the audit usually centers on:
That cluster comes straight from the standard’s purpose and from how certification bodies describe ISO 18788 readiness and audit activity.
What this really means is simple: ISO 18788 does not reward paper-only compliance. A mature SOMS has to show that security operations are being governed in a way that is risk-based, lawful, reviewable, and responsive to stakeholder impact.
Certification follows implementation and an independent audit of the Security Operations Management System. DQS and other certification bodies break the journey into readiness review, Stage 1, Stage 2, corrective action where needed, certification, and ongoing surveillance.
A typical path looks like this:
This part is not optional.
ISO does not certify organizations. External certification bodies do that. And in this space, not every certification body is equally useful. If ICoCA relevance matters to your clients or membership route, the certification body must not only be active but also accepted by ICoCA through one of its recognized mechanisms.
ICoCA explains two accepted routes:
ICoCA is also clear that certifications from bodies not accredited to ISO 17021 by an IAF-MLA member cannot be accepted for ICoCA certification.
That is why the certification body choice is not just admin. It affects whether your certificate is credible in the exact market you care about. Where recognized-standard accreditation is used, ICoCA says those certificates are often visible through the IAF certification database, though not always, because usage of the database is not universal.
ICoCA currently recognizes ISO 18788, PSC.1, and ISO 28007 as recognized standards in its certification program. A private security company must first obtain external certification to one or more of those recognized standards from an accredited certification body accepted by ICoCA before it can apply for ICoCA certification.
PSC.1 is a sibling standard, not a synonym for ISO 18788. ASIS describes PSC.1 as an auditable standard based on the Plan-Do-Check-Act model for third-party certification of private security service providers. ISO 18788, by contrast, is the ISO management system standard for private security operations. They sit in the same governance family, but they are distinct standards.
A simple way to think about it:
That distinction matters because buyers often bundle these terms together when they should not.
If your organization is evaluating ISO 18788 now, the right next step is not a generic sales call. It is a readiness conversation.
That first discussion should usually cover:
That gives you something useful: a realistic certification path, not just a quote with no context. The market-leading service pages in this space push the same logic because it reduces rework later.
It provides a business and risk management framework for organizations conducting or contracting security operations through a Security Operations Management System. ISO says the framework is designed to establish, implement, operate, monitor, review, maintain, and improve the management of security operations.
A Security Operations Management System is the management framework ISO 18788 uses to control and improve security operations. It is the system that gets audited and certified.
Yes. ISO explicitly links the standard to accountability to law and respect for human rights, alongside consistency with voluntary commitments.
DQS states that an ISO 18788 certificate is valid for a maximum of three years, with surveillance audits conducted at least once a year and recertification carried out before expiry.
They are related but separate standards. PSC.1 is an auditable standard for private security company operations, while ISO 18788 is the ISO management system standard for private security operations. They should not be treated as interchangeable terms.
No. This page is about organizational certification. Individual training credentials, such as Lead Auditor or Lead Implementer, belong on separate training pages. PECB’s search visibility for ISO 18788 training is exactly why this distinction needs to be explicit.
