Are there “secret” requirements in ISO?

Yes and No. There are no secret requirements in ISO. The standard itself is well written and very clear. Obviously there is the question of different people’s interpretation/perception, but technically it’s the perception of your own management that is important. Of course, perception is less important if a requirement has been misinterpreted – but these instances are few and far between these days.

There are “secret” requirements that registrars impose. For instance, you are expected to have completed a full round of internal audits each year. Technically this should be defined in the registrar’s contract, but they don’t always do a good job of communicating these things.

Worse still is that some registrars have checklists and other auditing tools that they don’t tell you about in advance but expect you to comply with.  In the extreme this will lead to nonconformances.

Be sure to ask your registrar to point out additional requirements (and give the annual audit requirement as an example) and to provide you with copies of all tools, checklists, etc. that their auditor will use.  This provides some protection if their auditor shows up with other requirements.