Taking on an ISO certification project can be a significant positive step for your organisation. It demonstrates an ambition to grow as you implement a globally recognised framework that helps you operate more efficiently, bolster your reputation and win new business.
By following the specifications of an ISO standard, you’re leaning on guidance from industry experts, government bodies and consumer groups. However, there’s no one-size-fits-all approach to ISO certification, and every organisation is expected to identify its challenges and tailor its implementation process to suit its needs.
Whether you’re preparing for an ISO implementation project or want to know more about how the process works, you’ll have many questions. Our team of experts at Certification Europe have helped more than 4,000 organisations achieve ISO certification, and we’ve drawn on that expertise in this article to answer your queries.
How do we choose the right certification standard?
An ISO certification project is designed to help you manage a particular set of business risks and meet objectives. There are more than 80 management system standards, each supporting a unique objective. Your first task is to find the right ISO standard for you.
The most common certification standards are:
- ISO 9001 – Quality Management Systems.
- ISO 14001 – Environmental Management Systems.
- ISO 45001 – Occupational Health and Safety Systems.
- ISO 50001 – Energy Management Systems.
- ISO 27001 – Information Security Management Systems.
- ISO 22301 – Business Continuity Management Systems.
Find the right ISO certification for your organisation.
What are the first steps when starting your ISO certification journey?
To ensure your ISO certification project succeeds, you should first create a well-structured plan that guides you through the process. Start by clearly defining what you intend to achieve with ISO certification – whether that’s enhancing product quality, improving environmental practices or strengthening your information security practices.
From there, you should outline your journey towards certification, which you can do by summarising the standard’s requirements.
Next, you should seek top-level support for your certification project. Implementing an ISO standard will take time and require additional resources, so you need to get a sign-off from senior decision-makers. You can use the plan you’ve created as a business case, explaining the benefits of ISO certification and an estimate of the costs.
Learn more with our certification services.
What’s the difference between ISO implementation and certification?
Although ISO ‘implementation’ and ‘certification’ are closely related, they are distinct processes with different goals.
Implementation refers to steps you take to adopt the standard’s specifications. The process involves assessing your procedures, policies and controls, and identifying areas that need to be improved.
You might be expected to write new policies, develop or update processes, train employees and create a system for documentation.
In short, implementation is an internal effort that’s designed to improve your operations according to the relevant ISO standard.
By contrast, certification is an external process in which an independent third party verifies that your management system meets the standard’s specifications.
You can seek ISO certification once you’ve implemented the standard and are confident that it functions as intended.
Is the implementation process the same for every ISO standard?
The ISO implementation process is consistent across various management system standards. Most use the same HLS (high-level structure), which breaks down the implementation project into ten steps:
- Scope – the boundaries and applicability of the management system.
- Normative References – external standards or documents referenced in the management system.
- Terms and Definitions – definitions of key terms used in the standard.
- Context of the Organisation – the organisation’s internal and external context, including stakeholder needs.
- Leadership – top management’s commitment and involvement in the system.
- Planning – setting objectives and planning actions to achieve goals.
- Support – resources, competence, awareness, communication and documentation.
- Operation – implementing processes and controls to meet requirements.
- Performance Evaluation – monitoring, measurement, analysis and assessment of performance.
- Improvement – corrective actions, continual improvement and responding to nonconformities.
This HLS provides a structured approach to implementation. Each step should be completed in order, starting with tasks that help you understand the implementation project before moving on to more complex activities.
Only once you’ve completed each step of this structure are you ready to begin the certification process.
Want to know more about the implementation process? Read our guide on implementation challenges for ISO 9001.
How do I prepare for ISO certification?
You should be confident that your management system meets the standard’s specifications before you book a certification assessment.
If the assessor discovers nonconformities, you’ll have to rework your framework before you continue. This will delay the project, creating more work for your implementation team and increasing the project’s cost.
To prevent that, you should conduct an internal audit of your management system before attempting certification. This is effectively a trial run of the certification assessment to identify and correct any errors.
Take a close look at your documentation and observe your processes in action to ensure everything aligns with the standard’s specifications. You should also interview relevant employees to confirm that they understand their roles and responsibilities. This is something the certification assessor will do, so you need to be sure that your staff can answer questions clearly and confidently.
One of the most important parts of the internal audit is choosing who will complete the process. Although your implementation team will have the strongest knowledge of the standard and your management system, they shouldn’t be part of the internal audit.
That’s because you’re looking for mistakes they didn’t spot. A fresh set of eyes is crucial, so anyone in your organisation who has the skills to complete an assessment and wasn’t part of the implementation project would be a perfect choice.
If that’s not possible, you should consider a third-party consultant. They won’t be as rigorous as a certification assessor, but they can help you spot any nonconformities that could hold up the certification assessment.
Why is ISO certification important?
Organisations that achieve ISO certification receive a range of benefits, such as:
- New business opportunities – suppliers and third parties are more likely to work with ISO-certified organisations. In some industries, it’s a contractual requirement.
- Greater credibility – ISO management system standards are globally recognised, and when an organisation obtains certification it demonstrates a commitment to excellence.
- Better risk management – every ISO standard is designed to manage business risk, from the threat of data breaches with ISO 27001 to health and safety hazards with ISO 45001.
- Improved efficiency – an ISO-compliant management system standard offers an all-in-one framework for optimising organisational processes.
- Enhanced regulatory compliance – the ISO’s best practices often overlap with common legal mandates. By achieving certification, organisations reduce the risk of non-compliance and associated penalties.
Who should oversee the ISO certification process?
An ISO certification project requires input from individuals across the organisation. It begins with top management, such as the CEO or other senior decision-makers, who have the authority to approve the project and provide resources.
But you also need someone to manage the project on a day-to-day basis. In some standards, you need to appoint a management representative who oversees the project and reports back to senior personnel. Recent versions of standards such as ISO 9001:2015 have removed the requirement for a management representative, but it can be a good idea to adopt this requirement anyway.
Even when this isn’t explicitly required, it’s a good idea to appoint a project leader to oversee the project. They should work with a small team (typically between two and six people) to implement the management system and prepare for the certification assessment.
Do we need to take a training course?
Whether you need to take a training course when preparing for ISO certification depends on several factors, including your organisation’s existing expertise, the complexity of the implementation project and your available resources.
Some management system standards, such as ISO 27001 and ISO 22301, contain technical specifications. Your implementation team would benefit from formal training if you don’t have experienced in-house personnel.
Please note that these requirements are different from broader staff awareness training exercises, which are mandated by most ISO management system standards. Anyone using the framework after it has been implemented should receive training to ensure they understand how it works and what’s expected of them.
Gain the expertise for your implementation project with our range of ISO training courses.
What is an ISO assessment?
An ISO assessment (also known as an ISO audit) systematically examines your organisation’s management system to test whether it meets the standard’s specifications.
There are four types of ISO assessment, which should be performed at different stages during the certification process.
- Internal audit – performed by the organisation or a consultant to evaluate the success of the implementation project.
- Certification assessment – performed by an independent third party to verify that the management system meets the ISO’s specifications and to award a certificate.
- Surveillance assessment – an annual internal assessment performed by the organisation to ensure that the management system continues to meet the standard’s requirements.
- Recertification assessment – an external assessment conducted every three years to renew the organisation’s ISO certificate.
What’s the timeline for ISO certification?
The time it takes to gain an ISO certificate depends on several factors, including the size of your organisation, your available resources and the particular standard that you’re implementing.
In general, the larger your organisation is, the longer the certification process will take. Small businesses might expect to complete the process in six months, whereas larger firms can spend over a year.
Similarly, organisations can expect to take longer to implement standards with more complex requirements. ISO 27001 is arguably the most technical and can take the longest – particularly if you process vast amounts of valuable data or rely heavily on IT equipment.
By contrast, ISO 50001 is one of the least complex and usually has the shortest timeline for ISO certification.
Speak to our experts to learn more about the ISO certification timeline.
How do we gain ISO certification?
Once you’ve implemented your management system standard and completed an internal audit, you’re ready to gain ISO certification.
If you’ve adequately addressed any nonconformities, this should be a relatively straightforward process – you contact an ISO certification body and hire them to complete an external assessment.
The external assessment is comprised of two stages. First, the assessor performs a documentation review, determining whether your policies and processes align with the standard’s specifications.
Once they’re satisfied, they’ll move on to the second stage – an on-site assessment – where they look at the management system in practice. If everything works as intended, the assessor awards an ISO certificate.
The total assessment time depends on your organisation’s size and the activities involved, and is calculated by the Certification Body following multiple guideline documents. The total days are split proportionally between the Stage 1 and Stage 2 assessments, and there can be a gap between these staged assessments, typically of six months, to allow for any amendments or corrections to be made to your management system.
But the assessment process can be a lot more complicated if you’re not adequately prepared. Certification bodies rarely fail an assessment instantly if they spot nonconformities. Instead, nonconformities in ISO certification assessments are addressed through identification, classification, root cause analysis, implementation of corrective actions, verification and closure of the nonconformity at the next assessment.
This won’t have a detrimental effect on the certificate you receive – once the necessary changes have been made and assessed, your management system will still be verified. But it will create more work for your implementation team and could increase the cost of the project.
How do we choose an ISO certification provider?
When choosing an ISO certification provider, you must look for accreditation. This proves that the provider has the necessary skills to perform certification assessments and is officially authorised to issue ISO certificates.
For example, Certification Europe is accredited to perform ISO certification assessments by the INAB (Irish National Accreditation Board), UKAS (United Kingdom Accreditation Service) and APMG International. There are many other accreditation bodies, such as ANAB or, in France, Cofrac.
How can Certification Europe help?
Certification Europe is accredited to perform certification services across a range of standards, and we’ve been leading the way in ISO certification, inspection and training since 1999. We’ve helped more than 4,000 organisations in over 40 countries meet their compliance requirements, from SMEs and public sector bodies to multinationals.
We’re a trusted and respected provider of ISO certification and one of Europe’s leading ISO certification bodies. We’re also part of Amtivo Group, which means our global reach and international expertise are further enhanced by related companies in the UK, USA, Norway, South Korea, Mexico and China. Amtivo Group brings together a range of ISO specialist businesses offering certification, training, support and technology to help businesses succeed in their certification journey.