Who ultimately decides the outcome of the audit?

The ultimate decision regarding the outcome of the audit is made by the certification body. This entity is responsible for evaluating the audit findings and determining whether the organization meets the necessary standards and requirements for certification according to ISO/IEC 27001.

The certification body reviews the evidence gathered during the audit and assesses the overall compliance of the organization with the established criteria. This process involves analyzing reports prepared by the audit team, including their observations and any non-conformities identified during the audit. Based on this thorough assessment, the certification body makes the final call on whether the organization is awarded the ISO/IEC 27001 certification.

While the audit team leader, audit committee, and management of the auditee play significant roles during the audit process—such as leading the team, overseeing the audit, and addressing findings—they do not have the authority to decide the ultimate outcome. The independence of the certification body ensures an impartial and objective conclusion regarding the audit's results.
