ISO 14001:2026 Clause 9.1.2

Written by SQMC Technical Faculty | May 28, 2026 9:15:20 AM

Explained: Evaluation of Compliance

Clause 9.1.2 of ISO 14001 asks an organisation to evaluate fulfilment of its compliance obligations. In plain English, this means the organisation must check whether it is meeting the environmental legal, customer, contractual and other requirements it has identified — and take action where needed.

What is ISO 14001 Clause 9.1.2 trying to achieve?

Clause 9.1.2 is about checking compliance in a planned and reliable way.

Earlier in the EMS, the organisation identifies its compliance obligations. Clause 9.1.2 asks the organisation to evaluate whether those obligations are actually being fulfilled.

The purpose is to make sure compliance is not assumed.

Evaluation of compliance should help the organisation:

  • understand its compliance status;
  • identify compliance gaps;
  • take action where needed;
  • reduce legal and operational risk;
  • provide evidence to top management;
  • support corrective action and continual improvement.

Why evaluation of compliance matters in an EMS

Compliance obligations can carry serious consequences if they are missed.

Poor compliance evaluation can lead to:

  • missed permit conditions;
  • incomplete waste documentation;
  • uncontrolled discharges or emissions;
  • failure to meet customer environmental requirements;
  • missed reporting deadlines;
  • contractual non-compliance;
  • regulatory enforcement;
  • loss of certification confidence;
  • reputational damage;
  • environmental harm.

Evaluation of compliance gives the organisation a structured way of asking: are we meeting the requirements we said apply to us?

What does ISO 14001 expect?

ISO 14001 expects the organisation to establish, implement and maintain processes needed to evaluate fulfilment of its compliance obligations.

The organisation should:

  • determine the frequency of compliance evaluation;
  • evaluate compliance and take action if needed;
  • maintain knowledge and understanding of its compliance status;
  • retain documented information as evidence of the evaluation results.

This means the organisation should not simply keep a list of legal requirements. It should actively check whether those requirements are being met.

Evaluation of compliance starts with compliance obligations

Evaluation of compliance depends on a good understanding of compliance obligations.

Compliance obligations may include:

  • environmental legislation;
  • permits and licences;
  • planning conditions;
  • waste requirements;
  • discharge consents;
  • emissions limits;
  • customer environmental requirements;
  • contractual environmental clauses;
  • corporate or group environmental standards;
  • voluntary commitments the organisation has chosen to adopt.

If the compliance obligations register is incomplete or poorly understood, the evaluation process will also be weak.

Evaluation of compliance is more than checking for fines

A common mistake is to treat compliance as acceptable simply because the organisation has not been fined, prosecuted or contacted by a regulator.

That is not enough.

Evaluation of compliance should be proactive. The organisation should check whether it is meeting the obligations that apply.

Simple example

If waste transfer documentation must be retained, the organisation should sample records to check whether they are complete, accurate, available and retained for the required period. Waiting for a regulator to ask for them is not a compliance evaluation strategy.

Determining the frequency of compliance evaluation

ISO 14001 expects the organisation to determine how often compliance evaluation will take place.

The frequency should be proportionate to risk and importance.

Some obligations may need frequent checks, such as:

  • permit limits;
  • emissions monitoring;
  • waste documentation;
  • storage inspections;
  • contractor controls;
  • customer reporting deadlines;
  • operational checks linked to legal requirements.

Other obligations may be evaluated less often, such as annual reporting duties, policy commitments or periodic legal register reviews.

The organisation should be able to explain why its evaluation frequency is suitable.

How evaluation of compliance may be carried out

Evaluation of compliance can be carried out in different ways depending on the organisation and the obligation.

Methods may include:

  • legal register reviews;
  • permit condition checks;
  • site inspections;
  • record sampling;
  • waste documentation reviews;
  • monitoring data reviews;
  • contractor or supplier checks;
  • regulator correspondence reviews;
  • internal audits focused on compliance obligations;
  • management review of compliance status;
  • third-party compliance audits;
  • consultant or specialist reviews.

The method should be strong enough to give the organisation confidence in its compliance status.

Maintaining knowledge of compliance status

The organisation should maintain knowledge and understanding of its compliance status.

In practical terms, this means the organisation should know whether it is:

  • fully compliant;
  • partially compliant;
  • non-compliant;
  • awaiting evidence;
  • working through corrective action;
  • monitoring a potential compliance risk;
  • uncertain and needing further investigation.

“We think we’re probably fine” is not a strong compliance status. It is a shrug wearing a hard hat.

Taking action when compliance gaps are found

ISO 14001 expects the organisation to take action if needed.

If a compliance evaluation identifies a gap, the organisation should decide what action is required.

Actions may include:

  • correcting missing or incomplete records;
  • updating procedures;
  • training relevant people;
  • notifying a regulator where required;
  • changing operational controls;
  • reviewing supplier or contractor performance;
  • investigating root cause;
  • raising a nonconformity;
  • taking corrective action;
  • reviewing whether similar issues exist elsewhere;
  • updating the compliance obligations register.

Serious or recurring compliance issues should normally be escalated to top management and considered during management review.

Evaluation of compliance and internal audit

Evaluation of compliance and internal audit are related, but they are not exactly the same.

Evaluation of compliance focuses on whether the organisation is fulfilling its compliance obligations.

Internal audit checks whether the EMS conforms to ISO 14001, conforms to the organisation’s own requirements, and is effectively implemented and maintained.

An internal audit may include compliance-related sampling, but the organisation should still be able to show a planned process for evaluating compliance obligations.

Simple example

An internal audit may check whether the compliance evaluation process exists and is followed. The compliance evaluation itself may check whether waste records, permit conditions and customer reporting duties are being fulfilled.

Evaluation of compliance and management review

Compliance status should feed into management review.

Top management should understand:

  • whether compliance obligations are being fulfilled;
  • whether compliance risks are increasing;
  • whether action is needed;
  • whether resources are sufficient;
  • whether incidents, complaints or audit findings suggest compliance weaknesses;
  • whether changes in compliance obligations affect the EMS.

Management review should not simply note that “compliance was discussed”. It should record useful decisions and actions where needed.

Documented information for evaluation of compliance

The organisation should retain documented information as evidence of compliance evaluation results.

Evidence may include:

  • completed compliance evaluation records;
  • legal register review records;
  • permit condition checklists;
  • waste documentation reviews;
  • inspection records;
  • monitoring reports;
  • records of regulator communication;
  • customer environmental reporting records;
  • contractor or supplier compliance checks;
  • records of identified gaps;
  • actions taken following non-compliance or potential non-compliance;
  • management review records covering compliance status.

Records should be clear enough to show what was evaluated, what evidence was checked, what conclusion was reached and what action was taken.

Practical implementation guidance

A practical evaluation of compliance process should answer:

  • Which compliance obligations apply?
  • How does each obligation apply to the organisation?
  • How often will each obligation be evaluated?
  • Who is responsible for evaluation?
  • What evidence will be checked?
  • What criteria will be used to decide compliance status?
  • How will results be recorded?
  • What action will be taken if a gap is found?
  • How will top management be informed?
  • How will the organisation maintain knowledge of its compliance status?

The process should be practical, repeatable and specific to the organisation’s real obligations.

What auditors typically look for

Auditors look for evidence that the organisation has evaluated compliance in a planned and meaningful way.

Evidence may include:

  • compliance obligations register;
  • evaluation of compliance procedure or schedule;
  • completed evaluation records;
  • permit and licence reviews;
  • waste transfer or consignment documentation;
  • monitoring and inspection records;
  • records of legal updates being reviewed;
  • records of action taken after compliance gaps;
  • management review minutes;
  • interviews with people responsible for compliance activities.

Auditor tip

Pick one compliance obligation and follow it. How was it identified? How does it apply? What evidence shows it is being fulfilled? When was it last evaluated? What was the compliance status? Were actions needed?

Common weaknesses in Clause 9.1.2

  • compliance obligations are listed but not evaluated;
  • evaluation frequency is unclear or missed;
  • legal updates are received but not assessed;
  • records show checks happened, but not what conclusion was reached;
  • compliance status is not clearly understood;
  • other requirements, such as customer or contractual obligations, are ignored;
  • evaluation relies only on “no regulator contact”;
  • evidence checked is too limited;
  • non-compliance is found but action is not taken;
  • top management is not informed of compliance risks;
  • compliance evaluation is confused with internal audit and not properly planned.

Weak example

“The organisation reviews environmental legislation annually and has had no enforcement action.”

This is weak because it does not show whether applicable obligations are being fulfilled, what evidence was checked, what compliance status was determined, or what action was taken where needed.

Better example

“The organisation evaluates compliance obligations twice per year using a compliance evaluation checklist. Waste, permit, monitoring, customer and contractor requirements are sampled. Each obligation is marked as compliant, partially compliant, non-compliant or not applicable, with evidence recorded and actions raised where gaps are found.”

This is stronger because it shows a planned process, evidence, compliance status and action.

Real-world example: waste documentation

A site generates several waste streams and must ensure waste is properly classified, stored, transferred and documented.

Evaluation of compliance may involve:

  • checking waste carriers are approved;
  • sampling waste transfer or consignment records;
  • checking waste descriptions are accurate;
  • reviewing storage arrangements;
  • checking retention of waste records;
  • reviewing contractor licences or approvals;
  • raising actions where documentation is missing or incorrect.

An auditor could test this by selecting recent waste movements and checking whether records support the organisation’s compliance status.

Real-world example: customer environmental reporting

A customer contract requires an organisation to provide annual environmental performance data.

Evaluation of compliance may involve checking:

  • what data the customer requires;
  • whether the requirement is included in the compliance obligations register;
  • who is responsible for reporting;
  • whether data was submitted on time;
  • whether the data was accurate and approved;
  • whether records of submission were retained;
  • whether any missed or inaccurate reporting was corrected.

This shows that evaluation of compliance is not limited to legislation. It can include requirements the organisation has agreed to meet.

Auditor questions for ISO 14001 Clause 9.1.2

  • How does the organisation evaluate fulfilment of its compliance obligations?
  • How often is compliance evaluated?
  • How was the evaluation frequency determined?
  • What evidence is checked during evaluation?
  • Who is responsible for evaluation of compliance?
  • How does the organisation determine compliance status?
  • How are legal and other requirements included?
  • How are customer or contractual obligations evaluated?
  • What actions are taken when compliance gaps are found?
  • How is top management informed of compliance status?
  • What documented information is retained?
  • Can the organisation show evidence of its current compliance status?

Related ISO 14001 clauses

  • Clause 4.2 — Interested parties
  • Clause 6.1.3 — Compliance obligations
  • Clause 7.2 — Competence
  • Clause 7.4 — Communication
  • Clause 7.5 — Documented information
  • Clause 8.1 — Operational planning and control
  • Clause 9.1 — Monitoring, measurement, analysis and evaluation
  • Clause 9.2 — Internal audit
  • Clause 9.3 — Management review
  • Clause 10.2 — Nonconformity and corrective action

Continue learning

This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.
