Telephone : 01908 041 464 | Email :
Quick Jump

Getting Certification to ISO Standards

Getting your ISO Management System Certified

You’re probably in the position that you’ve either got an ISO Management system in place, or you are in the process of developing one. It might even be that you have one in place already, but you want to add another Standard to it.

Either way, you’re going to need a Certification Body to come and do the audits, and, if you pass those audits, then you get the big reward, the ISO certificate.

There are many benefits of getting that ISO Certificate. Firstly, you can show all your Customers that you’ve got standards in place for your processes. In addition, you’re also saying that you’re committed to the process of continual improvement. That opens up the channels for them to talk to you. Quite often, your customers will accept that because you’ve had an audit from a Certification Body, then they don’t need to come and do any audits of their own –  and that saves you all a lot of time and money!

How do I choose a Certification Body

First thing to say is that it is important to get a recognised Certification Body to come and do the audits. The Certificate that you get at the end of the process has to show you’ve been through an internationally recognised process otherwise, it’s going to be worthless.

For a Certification Body to get recognised, they themselves need to be audited to their own version of a ‘Quality Standard’ – that means ISO 17021. ISO 17021 sets out the processes they need to follow to manage auditors and allocate them to the right Clients, and also the processes they use to review audit reports, manage issues and ensure that only valid certificates are in circulation.

To reassure yourself that the Certification Body you use has been ‘approved’ themselves, you can check the United Kingdom Accreditation Service (UKAS). UKAS are appointed by the UK Government and part of an international agreement. UKAS has peers in other countries such as ANAB in America, and JAS-ANZ in Australia. Visit for more information.

On the UKAS website, you can search for a Certification Body and review further details such as the Standards and the Industries that they have been approved to audit. It might take a few minutes, but it’s best to be sure every time otherwise you can spend a lot of money and get nothing for it!

What audits do I need to do to get a Certificate?

Once you have got your management system all set up, and you have completed a Management Review and some internal auditing, you can then get a Certification Body to start the Certification Process.

This will comprise the following audits

  • Stage 1: An audit of the documented system that is in place
  • Stage 2: An audit of the system processes that are in operation.

Once the Stage 2 is complete, the Certificate will be issued. This will be valid for 3 years on the proviso that you maintain an annual surveillance audit. Therefore, you will have the following audits on the anniversary of the Stage 2 audit:

  • Surveillance Audit 1 (the year after Stage 2)
  • Surveillance Audit 2 (two years after Stage 2)
  • Recertification: three years after Stage 2)

(some CBs start the surveillance programme 9 months after Stage 2, so you have time to close out any issues before the Certificate expires)

Getting a quote

When you get in touch with a Certification Body, you’ll need to give them a certain amount of information for them to give you a quote. This will include:

  • Your organisations name and address.
  • The number of people employed at the organisation
  • Processes operated by the organisation

They will then use this information to build a quote. The quote will provide a day rate and set out an audit programme that details how long all the audits in the programme will be.

All Certification Bodies have different billing arrangements, so check before you sign up to them. A sign that your chosen certification body is not recognised by UKAS is that they sign you up to 5 or 10 year arrangements.

We always recommend getting 3 quotes so you can at least compare and choose the best option for you.

Multi-site organisations

A quick word about organisations with multiple sites; the Head Office will be visited each year, and typically, a sample of the sites. Depending on the scope of activity at each site, it may be visited more than once in the audit programme.

Preparing for an ISO Audit day

Audits can be a nervy or stressful time so it is best to be prepared.

Prior to the audit, you should always get a confirmation from the Certification Body about the event. This will include details of the Auditor and the intended timings and duration. If the CB does not send you a detailed plan of the audit (i.e what the auditor wants to see), then we always recommend getting hold of the auditor prior the day.

If you get this detailed plan, it’s much easier to line people up in the organisation and to ensure that you have all the information to hand to show the auditor.

Stage 1 audits will review documented information and provide the auditor the opportunity to develop a detailed plan for the Stage 2 audit. Have ready key documents such as any manuals or processes that you have written, organisation charts, policies and examples of training records etc. Together, this will give the auditor confidence that you are good to go for the Stage 2.

Stage 2 audits will review the operational processes that you have in place. The auditor is now really testing that you have implemented the ‘continual improvement’ cycle into your operations. You will need to show supporting evidence such as calibration records, training records and other records relevant to your processes.

Surveillance Audits are a mix of auditing documented information and a sample of the operational processes. Across the two surveillance audits, the auditor should see all the operational processes at all the sites you operate.

Recertification Audits will cover a larger sample of operational processes and take account of the progress over the period of certification as well as focusing on the objectives that are set for the forthcoming period of certification. At a recertification audit, it’s good to show the auditor how the system has worked (and hopefully improved) over the past three years, as well as show them the intentions for the next three years!

Managing Non-conformances and other findings from Certification Bodies

During an audit, an auditor from the Certification Body may identify some findings. The terminology may change but in essence, these are:

  • Major non-conformances
  • Minor non-conformances
  • Opportunities for Improvement

Major non-conformances usually occur because a major requirement has not been fulfilled, or if several minor issues all combine to indicate a systemic failure. Common Major non-conformances are that internal audits or management reviews have not been completed. Other causes can be that significant failures arising from complaints or training have not been addressed.

If you get a major non-conformance, you will need to provide an action plan to the CB within a certain period of time. The chances are that an additional audit will be required to review the findings and check they have been effective. Failure to close the issue may result in suspension of the ISO Certificate.

Minor non-conformances arise when a requirement has not been fulfilled and there is a risk that a major issue could occur. Examples may include a small sample of training records not being kept up to date, or the calibration of a single item being late.

If you get a minor non-conformance, you will need to provide an action plan to the CB within a certain period of time. Typically, minor NCs will be reviewed at the next surveillance audit. However, if the issue is repeated, then it could be escalated to a major NC.

Opportunities for Improvement (OFIs) are just that – an opportunity to improve a process or document that the auditor may spot. You don’t have to act on an OFI, but you should at least show evidence that the suggestion has been reviewed and options discussed.

With all findings, you should record them on your internal non-conformance log and maintain appropriate records. They will be reviewed at the following audit.