Lead Implementer or Lead Auditor? Which ISO Path Fits You

Ever since PECB began offering its Lead Implementer and Lead Auditor programmes for ISO/IEC 42001 as well, one question keeps coming up: "Lars, should I become an Implementer or an Auditor?" Both sound similar, both are five-day courses with a genuine personnel certification, yet they lead into two completely different roles.

The difference in one sentence

A Lead Implementer builds the management system and keeps it running. A Lead Auditor checks whether it actually works. One constructs, the other verifies.

The Implementer is the architect and site manager. The Auditor is the structural engineer who, at the end, decides whether the building will stand.

What a Lead Implementer really does

A Lead Implementer establishes an AI management system (an AIMS to ISO/IEC 42001) or an information security management system (an ISMS to ISO/IEC 27001) from the ground up. They translate the requirements of the standard into something that genuinely works in operation, not into a binder gathering dust on a shelf.

• Clarify context and scope: what exactly should the management system cover?
• Assess risks and produce the Statement of Applicability
• Select, design and implement the controls
• Build up documented information, communication, competence and awareness
• Run ongoing operations, conduct internal audits and improve continuously
• Prepare the organisation for the external certification audit

PECB teaches this with its own step-by-step methodology (IMS2), from initiation through to certification readiness. It is the role for anyone who wants to build something, whether internally or as a consultant.

What a Lead Auditor really does

A Lead Auditor assesses whether an existing management system meets the standard, following the rules for auditing (ISO 19011) and for certification bodies (ISO/IEC 17021-1). They plan the audit, gather and verify evidence, formulate findings, write the report and lead an audit programme.

Auditing means checking, not consulting. Whoever has built a system is not allowed to certify it externally themselves, and it is precisely this separation that makes the whole system credible. The auditor looks at it from the outside and says what holds and what does not.

Which path fits whom?

• Lead Implementer if you want to BUILD: as a project lead, consultant, member of an AIMS/ISMS team, or as the person responsible for implementing the standard in-house.
• Lead Auditor if you want to CHECK: as an internal auditor, as an auditor for a certification body, or to assess suppliers and partners in a defensible way.

Both are genuine personnel certifications to ISO/IEC 17024, both run for five days (four training days plus an exam day) and both earn 31 CPD points. Neither path is "higher" than the other; they simply point in different directions.

Why both together are strongest

The most compelling option is not either-or, but both. Anyone who can build a management system AND audit it understands both sides of the table, and that shows in every project. This dual qualification is rare.

PECB even rewards it formally: hold both Lead Implementer and Lead Auditor within one scheme, pass four additional Foundation exams, and you qualify for the PECB Master credential.

My own starting point was the audit side: Senior Lead Auditor ISO/IEC 42001 and Lead Auditor ISO/IEC 27001, built on more than 1,200 documented audit hours across five European countries. Those who come from implementation travel the opposite route, and both meet in the middle.

How you get in, and what really matters

The formal entry is similar for both: ideally start with the Foundation course (the fundamentals of the standard), then take the five-day Lead course with its exam. For personnel certification, PECB additionally requires experience, graded from Provisional (no proof of experience required) through Implementer or Auditor up to Senior Lead (around ten years and roughly 1,000 documented hours).

The certificate is the entry ticket. You turn it into a profession only through real hours: project hours for the Implementer, audit hours for the Auditor.

In practical terms: start with the course that matches your direction and gather experience alongside it. For the Implementer, in real implementation projects; for the Auditor, in internal and supplier audits. Each builds on the other, and the two can be combined later on.