How to achieve ISO certification – the twoSB ISO certification guide
If you’re new to the world of ISO you may be feeling confused about the process and asking yourself ‘how do I get ISO certified!?’ – This guide is designed to provide you with a clear understanding of everything you need to know about achieving certification (without the jargon), to help you take the first steps in the right direction. The same approach applies regardless of whether you are implementing ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 42000 or any other core ISO standard (or combination of them).
Understanding the key players in certification
Before diving into the implementation and certification process, it’s important to very briefly understand the roles of the main players involved: ISO, UKAS, certification bodies and consultants.
ISO (International Organization for Standardization)
ISO is a globally recognised organisation that develops and publishes international standards across various industry sectors. They are the ones who decide the content of the standards such as ISO 9001, ISO 14001, ISO 27001 and ISO 42000.
UKAS (United Kingdom Accreditation Service)
UKAS is the sole national accreditation body in the UK (there are equivalents in each country). UKAS ensures that certification bodies operate to the highest standards by accrediting them. UKAS accreditation is essential for certification bodies to demonstrate their competence and credibility. Choosing a UKAS-accredited certification body ensures that your certification is recognised and respected globally.
Certification bodies
These organisations, including for example DNV, NQA, ISOQAR and BSI, are responsible for auditing businesses to verify compliance with ISO standards. They are the ones who actually come and visit you for the certification audit (or do it remotely if you are a remote first business). With 100+ UKAS-accredited certification bodies, you have the flexibility to choose one that aligns with your organisation style, industry and budget.
Consultants
Consultants, like twoSB (although we are definitely not the only good consultants), are specialists who guide businesses through the process of implementing management systems. You definitely do not need to use a consultant, however engaging a consultant to support you can be beneficial as they have knowledge and experience in streamlining the certification journey, implementing fit for scale systems and giving you confidence you are ready for the external audit.
Steps to achieving certification
Embarking on the journey to certification involves several key steps. Here’s a breakdown of the process:
Step 1 – Start the implementation
Begin by implementing the specific management system you aim to certify against. This involves organising your processes, creating necessary policies, procedures and registers, and setting up mechanisms for continuous improvement and other organisational tasks. While you don’t need to have the system fully implemented before contacting certification bodies, having a clear plan and timeline helps set a target date for your audits.
For more information about what is involved in the implementation see our detailed guides:
Step 2 – Contact certification bodies for quotes
Reach out to at least two certification bodies to request quotes. Provide detailed information about your business, such as the nature of your work, the number of employees and their roles, and the number of operational sites. This information helps certification bodies estimate the duration and cost of the audit. Comparing quotes allows you to make an informed decision based on your specific needs and budget. Prices do vary!
Step 3 – Choose the right certification body
Based on the quotes received, evaluate the options and select the most suitable certification body for your business. Consider factors such as industry specialisation, reputation, and cost. Once you’ve made your choice, schedule your Stage 1 and Stage 2 audits, setting fixed dates for these critical assessments.
Step 4 – Finish implementing your management system
Before the external audits, ensure your management system is fully implemented. This includes conducting internal audits, holding a management review and addressing any identified gaps. A good consultant can provide valuable assistance in optimising your system, ensuring it’s robust and ready for the audits.
Step 5 – Undergo external audits
On the agreed dates, undergo the Stage 1 and Stage 2 audits conducted by the certification body. These audits assess your system’s compliance with ISO standards. Successful completion of these audits leads to certification, marking a significant milestone in your business’s journey.
Understanding Stage 1 and Stage 2 Audits
Stage 1 Audit
The Stage 1 audit is an initial visit from the assessor. Its primary purpose is to evaluate your readiness for the full Stage 2 audit. During this stage, the assessor gains an understanding of your business processes and identifies any major gaps that need to be addressed. While you can’t ‘fail’ a Stage 1 audit, being well-prepared is crucial to ensure a smooth transition to Stage 2.
A typical question at a Stage 1 audit could be “do you have documented processes that outline how you deliver each major step of your delivery” – the auditor will be looking to check you have the documentation only at this stage.
Stage 2 Audit
The Stage 2 audit is a more in-depth assessment of your business processes. The assessor examines whether your processes are well-implemented and compliant with ISO standards. For most small and medium businesses, this audit will last from 2 to 10 days, depending on factors such as the size of your business, the complexity of your work, and the number of standards being certified. The audit results in one of three outcomes: recommendation for certification, minor nonconformances to address, or the need for another close out audit if major nonconformances are found.
A typical question at the stage 2 could be “let’s take your processes and follow a recent project from the sales stage through to delivery of the product/service” – the auditor will be looking to gather objective evidence that you are following your own processes and key requirements of the ISO standard(s).
Maintaining your certification
Once you’ve achieved certification, it’s important to maintain it through regular audits:
Internal audit
Each year you will need to complete a fresh round of internal audits during which you check that you are still operating your system and procedures in the way you have defined. These can be done in house or using a consultant (there are benefits to both).
Surveillance Audits
After gaining initial certification, you’ll undergo annual surveillance audits. These slightly lighter audits ensure that your system continues to function as intended. They focus on higher-risk business functions and areas where nonconformances were previously observed. Addressing any minor nonconformances before the next audit is essential to maintain your certification.
Re-certification Audit
The re-certification audit occurs every three years and is more comprehensive than surveillance audits. Successfully passing this audit renews your certificate for another three-year cycle, ensuring your business remains compliant and competitive.
How we can help
At twoSB, we’re dedicated to guiding businesses through the certification process with expertise and care. We help businesses build management systems that fit the scale and resources they currently have. We can help by:
- Setting timeframes for ISO standard implementation
- Selecting the right shortlist of certification bodies for your business
- Making applications to certification bodies and analysing quotes with you
- Conducting gap analyses of your business practices against standards
- Implementing robust, value-adding management systems
- Representing your system during Stage 1 and Stage 2 audits
- Providing ongoing management system support
We’re here to make your certification journey smooth, efficient, and successful – or just to provide impartial advice so don’t hesitate to reach out if you require more clarity on the ISO certification process.
