While there are numerous ISO standards, most organisations choose to get certified to ISO 9001 Quality Management Systems first. At the time of writing this post more than 1.2 million organisations in 195 countries are certified to ISO 9001 (for an explanation of what certification is click here). There are many ISO management system standards, the most common being ISO 9001 Quality Management Systems, ISO 14001 Environmental Management Systems, and ISO 45001 Occupational Health & Safety Management Systems. The certification process is the same for all of them.

Choose your Certification Body

As I said in a previous post once the decision to become certified is made, you’ll need to choose a Certification Body. Choose carefully. You want your relationship to be a long & fruitful one in which your auditor and certification body adds value to your organisation, processes, and people.

Your auditor will complete two visits before the ISO certificate is awarded. The first time is to make sure the ‘documented’ system meets the requirements of the standard/s. The second time is to check whether you have implemented your management system and are following your policies and procedures.

When your ISO certificate is awarded, it is valid for three years as long as you have 2 post certification (also called surveillance audits) at 12 month intervals. At the end of the three-year period, a recertification audit will be conducted to review your entire management system and, if successful, your certificates are reissued for another 3 years.

Certification Audit – Stage 1

Your auditor will review the “documents” (they could also be videos, process maps, information in software, etc.) that make up your management system such as policies, procedures, registers, and forms. The objective of the Stage 1 audit is to:

• Discuss with you the scope of your management system.
• Confirm that your management system has been designed to meet the requirements of the standard and achieve the objectives of your organisation.
• Confirm if the internal audits and management reviews are being planned and performed.
• Check that you have implemented your management system and are ready for the Stage 2 audit.

If applicable, you and the auditor will agree on the time required to address any areas of concern identified during the Stage 1 audit and set or change the Stage 2 audit date accordingly.

Certification Audit – Stage 2

During your Stage 2 audit, your auditor will review records, interview staff, and observe the environment in which you operate (the latter is particularly important if you want to be certified to ISO45001 OHS Management Systems and/or ISO14001 Environmental Management Systems). The objective of the Stage 2 audit is to confirm that:

• Your management system conforms to all the requirements of the Standard/s.
• Your organisation has effectively implemented the management system (are you doing what your management system says you will do?)
• If the auditor finds a “non-conformity” (problem) you will be given time to correct it.

You will need to show evidence that the system has been running for a period of time. How long that time interval is differs amongst certification bodies so it’s worth discussing with them.

At the end of Stage 2 the auditor will tell you whether they recommend certification. A short while after this they will send you their audit report.

Compliance Review

This step is performed by the certification body in their office. One of their suitably qualified employees will conduct an independent and impartial review of the audit report, findings (if any) and the auditor’s recommendations. If they have any queries or concerns, they will discuss these with the auditor.  The reviewer is the person who makes the final decision to grant certification. This is why the auditor can only “recommend” certification.

Certification

You did it! The certification body will officially confirm that you are certified and send you your certificate/s (one certificate for each ISO Standard you are certified to) and the logo/s you can use to promote your new status. They will also register your organisation on the JAS-ANZ directory of certified organisations.

Post Certification Audits

Once certified, regular audits are performed by the certification body and normally these are annual. These are known as post certification audits (or surveillance audits, or follow-up evaluations, or post certification reviews). The intent is the same but different certification bodies call it different things. During post certification audits only some of the requirements of the standard/s will be audited and they will tell you in advance which requirements they will be.

Recertification Audits

Once every 3 years a recertification audit takes place during which the certification body audits your organisation against all the requirements of the standard/s and if you pass your certificate/s are reissued for another 3 years. The its back to 2 years of post certification audits before the next recertification audit, and so the cycle continues.