If your organisation operates across multiple office locations, one of the first questions you’ll likely ask when considering ISO certification is:

“Do all our sites need to be audited?”

The short answer is: not always.

Under certain conditions, certification bodies can apply multi-site sampling, which means only a selection of your locations is audited rather than every site. This can significantly reduce audit time, cost, and disruption.

Note that organisations can also have sites that fall outside the scope of ISO certification and are not included on the certification.

In this article, we explain how multi-site sampling works, when it applies, and what decision makers in Australia and New Zealand should consider before relying on it.

What Is Multi-Site Sampling?

Multi-site sampling is an internationally recognised approach used in ISO certification audits (including ISO 9001, ISO 14001, ISO 27001, and others).

Instead of auditing every location, the certification body audits:

  • Your head office / central function, and
  • A sample of operational sites

The results are then used to determine whether your entire organisation meets the standard.

This approach is governed by international accreditation rules and is closely monitored by accreditation bodies such as JAS-ANZ in Australia and New Zealand.

When Is Multi-Site Sampling Allowed?

Not every multi-site organisation qualifies for sampling. To be eligible, your organisation must usually meet these key conditions:

1. A Centralised Management System

You must have:

  • One integrated management system
  • Centrally controlled policies and procedures
  • Consistent processes across all locations

For example:

  • One quality manual
  • One information security policy suite
  • One risk management framework

Local sites can have minor variations, but the core system must be the same.

2. Central Control and Oversight

Your head office must have authority over:

  • Internal audits
  • Management reviews
  • Corrective actions
  • Policy updates
  • Performance monitoring

If each site operates independently, sampling is usually not allowed.

3. Similar Activities Across Sites

All locations should perform substantially similar work.

Sampling works well when sites:

  • Deliver the same or substantially similar services
  • Use the same systems
  • Follow the same processes

It is less suitable when sites operate differently.

4. Proven System Maturity

Certification bodies look for evidence that your system is:

  • Implemented consistently
  • Well documented
  • Actively monitored
  • Internally audited

Organisations with immature or fragmented systems may be required to undergo full-site audits.

How Is the Sample Size Calculated?

The number of sites audited is not random. It follows a defined formula.

In most cases, certification bodies use:

The square root of the number of sites, rounded up

For example:

If you have:

  • 16 sites with central office included

Sample size ≈ √16 = 4 sites

So the audit may include:

  • Head office
  • 4 operational sites

Total: 5 locations audited

Real-World Example (Australia)

A facilities management company with:

  • Head office in Sydney
  • 25 service locations nationwide

Calculation:

√25 = 5

The audit scope may include:

  • Head office
  • 5 randomly selected sites

Instead of auditing all 25 locations.

How Are Sites Selected?

Certification bodies usually control site selection to maintain independence.

They may:

  • Select sites randomly
  • Rotate sites between audit cycles
  • Include high-risk or high-volume locations
  • Target sites with past issues

You cannot simply choose “easy” sites for every audit. Over time, most locations will be audited.

How Sampling Works Across the Certification Cycle

ISO certification is typically a three-year cycle:

Year 1: Certification Audit (Stage 2)

  • Head office is audited
  • An initial sample of sites is audited
  • System effectiveness is verified

Year 2 & 3: Surveillance Audits

  • A new sample of sites is audited at each surveillance audit
  • Focus on changes and performance
  • Problem or higher-risk sites are often prioritised

Year 4: Recertification Audit

  • Larger sample
  • Full system reassessment

Across the cycle, certification bodies aim to build confidence that all sites remain compliant.

Example: ISO 27001 Multi-Site Certification

Consider an IT services company with:

  • Head office in Auckland
  • 12 regional support centres
  • Centralised security controls

They implement:

  • One ISMS
  • Central SOC
  • Central incident management
  • Uniform access controls

They may qualify for sampling.

Calculation:

Using the square root methodology:

√12 ≈ 3.46, which rounds up to 4

The audit may include:

  • Auckland head office
  • 4 support centres

If those sites demonstrate strong compliance, the certification extends to all locations. However, if major gaps are found, then sampling may be withdrawn.

When Sampling Is Not Allowed

Multi-site sampling will usually be rejected when:

❌ Sites Operate Independently

Each branch or location manages its own systems, policies, and risks.

❌ Different Services or Risks

Each location or office delivers very different services and therefore carries different risks. An example structure is:

  • Manufacturing at some sites
  • Warehousing at others
  • R&D at head office

These situations and setups require full coverage.

❌ Poor Past Performance

If nonconformities are repeatedly found at different locations, auditors may expand the scope to gain confidence that the head office has sufficient oversight of the management system rollout.

❌ Outsourced or Franchise Models

Franchise networks often struggle to qualify unless strong central control exists.

Risks and Responsibilities for Decision Makers

Sampling reduces audit effort—but it increases responsibility.

When you accept sampling:

You Accept Shared Risk

A major failure at one site can affect certification for all sites.

For example:
A serious information security breach at one branch may trigger wider investigation.

You Must Maintain Consistency

Senior management must ensure:

  • Policies are enforced everywhere
  • Training is consistent
  • Audits cover all sites internally
  • Issues are escalated centrally

Sampling only works when governance is strong.

You Must Be “Audit-Ready” Everywhere

Even if a site is not selected this year, it must still comply.

Certification bodies can expand samples at any time if concerns arise.

Questions to Ask Before Pursuing Multi-Site Certification

Before committing, decision makers should ask:

  1. Do we truly operate one system, or many different systems?
  2. Can head office enforce compliance across all sites?
  3. Are our internal audits covering all sites effectively?
  4. Do we have consistent training and onboarding?
  5. Can we demonstrate central risk management?

If the answer is “no” to several of these, sampling may not be realistic yet.

 

Final Thoughts: Is Multi-Site Sampling Right for You?

Multi-site sampling can make ISO certification more accessible for growing organisations with multiple locations.

It works best for businesses that have:

  • Strong central leadership
  • Mature systems
  • Consistent operations across sites
  • Effective internal auditing

For these organisations, sampling can deliver real value. For others, it can expose weaknesses that ultimately increase scrutiny and cost.

Key Takeaway for Decision Makers

Multi-site sampling is not a shortcut—it is a recognition of good governance.

If your organisation operates as one cohesive system, sampling can significantly reduce certification effort. If it doesn’t, the audit process will quickly reveal that.

Author

Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
