ISO Certification Process and What You Need to Know
Are you considering ISO certification for your organisation? Perhaps you’re already certified and looking to deepen your understanding of the process. This blog post speaks about each phase of the ISO Certification process, from initial audits to ongoing surveillance visits. It also speaks to the importance of working with an Accredited Certification Body.
What is a Stage 1 Audit?
The Stage 1 Audit, also called the ‘readiness audit’, is the first step in the ISO Certification process. It provides an initial assessment of your organisation’s preparedness for ISO certification.Â
Stage 1 assesses whether the management system has been ‘established’ in conformance with the requirements of the ISO Management System Standard.
This phase involves a documentation review. It serves as an opportunity to understand the certification process and build a rapport with auditors. While some may question its necessity after a gap analysis, ISO 17021-1 mandates a two-stage certification audit process.
The Certification Body will confirm that they have employed the correct profile of competency within the audit team. They will verify that the workload aligns with their expectations and will assess the organisation’s risk profile.
What do auditors assess in a Stage 1 Audit?
Some Key Activities will take place in every Stage 1 Audit conducted by an Accredited Certification Body:
- Documentation Examination: The auditor will scrutinise your organisation’s policies, procedures, and processes to assess compliance with your chosen ISO Standard/s.
- High-Level Review: This audit involves obtaining a broad overview of your ISO Management System. This allows the auditor to understand the organisation’s management system and its use of it.
- Assessment Method: Stage 1 involves conducting audits on-site, remotely, or through a hybrid approach. The assessment approach and duration depend on your organisation’s size and industry.
- Identification of Nonconformities: The auditor identifies any areas of nonconformity or potential improvements in the ISO Management System. Nonconformities fall into two categories: major or minor. These represent deviations from the expected norms documented in your Management System. Major nonconformities demand immediate attention, whereas minor ones may undergo re-evaluation in subsequent assessments.
What happens if you have Non-Conformances at Stage 1?
The Audit Team will raise a request for corrective actions, if they find any nonconformities at Stage 1. They will ask you for evidence to prove that these issues have been resolved, before proceeding to the Stage 2 Audit. Many organisations choose to tackle these issues immediately.
Special Note: Some certification bodies don’t issue nonconformities at a stage 1 audit. They only make remarks as to where improvements can be made.Â
Wynleigh International Certification Services has chosen to adopt the approach used at every subsequent phase of the certification process. This allows the auditee to familiarise themselves with the real working arrangements of certification, from the get-go.
DOWNLOAD OUR FREE RESOURCE
A GUIDE TO MANAGE NONCONFORMANCE
Learn how to effectively manage nonconformities in your organisation with our comprehensive guide. Explore the importance of Nonconformance Reports (NCRs) and Corrective Action Requests (CARs) in maintaining a robust management system.
What is a Stage 2 Audit?
After concluding the Stage 1 audit, the audit team will proceeds onto the Stage 2 Audit. This is a thorough evaluation of your organisation’s ISO Management System. Commonly, people refer to the Stage 2 Audit as the ‘certification audit.’
The Stage 2 audit assesses the ‘implementation’ of the management arrangements contained in the organisation’s documentation as well as the relevant ISO Management System Standard.
What do the auditors assess in a Stage 2 Audit?Â
Key Activities will take place in every Stage 2 Audit conducted by an Accredited Certification Body:
- Opening Meeting: This allows your organisation to meet the audit team in person. The main purpose is to discuss the audit plan and arrangements needed for the audit.
- Comprehensive Assessment: The Stage 2 audit involves an on-site evaluation. The aim is to verify the conformance of your organisation’s ISO Management System against your chosen ISO standard/s.
- Review of Activities and Procedures: The auditor will review activities and procedures supporting your ISO Management System.
- Meetings and Interviews: The Audit Team will interview managers and key staff members. This will ensure that your activities align with the specifications of the ISO standards and your documented management system.
- Evidence Review: The auditor verifies the implementation of documented procedures and requests evidence of internal audits and management reviews.
- Closing Meeting: This meeting is used to present the audit findings while they are still fresh in everyone’s minds. They will logically explain the strengths and weaknesses of the Management System. They will identify corrective actions required. The Audit Team will inform you if you are going to be recommended for ISO Certification.
- Recommendation for Certification: If everything meets the ISO standard/s requirements, the auditor will recommend your organisation for certification. The final decision about you certification is subject to a review by the Certification Body’s internal team. Accredited Certification Bodies typically require this set up.
- Audit Report & Review: The Audit Team will present the Audit Report to an Independent Approvals Board. This board will review the case and either confirm or refute the recommendation for ISO Certification.
- Certificate Issuance: A certificate is issued to your organisation once the review process has been completed. This certificate affirms that your organisation is compliant with your chosen ISO standard/s. This certificate is valid for 3 calendar years.
What happens if we have nonconformities at Stage 2?
Major nonconformities are a primary reason why an organisation may not receive immediate certification. However, they have 90 days to implement corrective actions and provide evidence of appropriate resolution. Once the Certification Body reviews and approves the submitted evidence, the certification process progresses according to the outlined steps.
Minor nonconformities don’t prevent recommendations for certification – irrespective of how many there are.Â
What is a Surveillance Audit?
During the 3-year validity of your ISO Certification, your organisation will undergo surveillance audits. These visits ensure ongoing compliance with ISO standards and provide insights into your system’s functionality. They offer an opportunity to address emerging issues.
What do the auditors assess in a Surveillance Audit?
Your Certification Body monitors your Management System through surveillance visits. This allows them to delve deeper into specific areas that the initial audits may not have explored.
Risk Assurance Service
Wynleigh International offers a free and voluntary additional service during our Surveillance Audits, which we call our Risk Assurance Service. It’s a value-adding service that can promote your certified status to both your key accounts as well as your insurers.
- We ensure that our Audit plan includes inputs from your key accounts and your insurer. We use feedback from your top B2B customers to plan our audits. This removes the need for a customer audit, saving time and the hassle of duplicated activities.
- Input from your insurer provides us with a risk-focused audit plan and produces an audit report that speaks to your their needs.
- Not all of our clients chose to adopt this service, even though the benefits are abundantly clear.
DOWNLOAD OUR FREE RESOURCE
A GUIDE TO MANAGE NONCONFORMANCE
Learn how to effectively manage nonconformities in your organisation with our comprehensive guide. Explore the importance of Nonconformance Reports (NCRs) and Corrective Action Requests (CARs) in maintaining a robust management system.
Can I lose my ISO Certification?
Achieving ISO Certification is a notable achievement, but requires ongoing maintenance of your Management System. The Certification Body must withdraw ISO Certification when an organisation inadequately maintains its Management System.
If issues arise after certification, they can undermine the credibility of the certificate. The Certification Body typically suspends certificates rather than revoking them. In such cases, we encourage the organisation to take corrective actions to address the underlying issues causing the suspension.
How To Check If An ISO Certificate Is Valid
The International Accreditation Forum (IAF) is a good place to check if an ISO certificate is valid. If a Certification Body is accredited, they will be registered with an IAF member. You can usually find the name of an accredited Certification Body on the IAF website.
If the Certification Body is staying on top of their admin, they will in turn register their certified clients on the IAF website – allowing you to utilise the CertSearch to confirm the status.
Visit IAF CertSearch, start typing the business name in the search bar and, if the business is certified, they will show up.
What is a Re-Certification Audit?
As your certificate approaches its expiration date, your Certification Body will conduct a Re-Certification Audit. This Audit will prepare your organisation for the next certification cycle. Any major nonconformities discovered during this period must be promptly addressed to maintain the validity of your ISO Certification.
Typically, a Re-Certification Audit occurs three months before your ISO Certificate expires. This timeframe allows sufficient time to resolve any issues before the expiration date.
In the event of major nonconformities, this period serves to revalidate the certificate. This ensures that your organisation maintains continuous certification, avoiding any gaps in certification status. This also eliminates the need to restart the Certification process from Stage 1, all over again!
Once your organisation successfully revalidates its Management System, the Certification Body will issue a new certificate with an updated validity period.
Can I transfer my ISO Certification to another Certification Body?
You can transfer your ISO Certification at any time you decide feels right. This can be midway through your certification cycle or before you start another surveillance audit. The structured process outlined by the IAF ensures uninterrupted ISO Certification.
The process is straightforward if you already hold accredited certification. Your Certification Body will conduct a pre-transfer review. The Certification Body will then conduct a one-day Transfer Audit, to assess your existing certification process.
Your new Certification Body will issue a new certificate, provided there are no major nonconformities. This new certificate will continue with your current certification cycle but contain the branding from the new Certification Body.
The new Certification Body will integrate its services into your existing Audit Cycle. You can even maintain the same audit schedule you had with the previous body.
What if my Certification Body is not Accredited?
Using an accredited Certification Body ensures that your ISO Certification counts for something. Your ISO Certificate is unfortunately not technically recognised if the Certification Body is not Accredited.
You probably have a well-set-up Management System that conforms to the ISO standards of your choosing. You now need to re-enter the verification process with an Accredited Certification Body.
Conclusion
The ISO certification process consists of two main stages: the Stage 1 Audit and the Stage 2 Audit.
The Stage 1 Audit assesses the readiness of your organisation for ISO certification. The Stage 2 Audit involves a more thorough evaluation of your ISO Management System.
Both stages include various activities like reviewing documentation, conducting high-level assessments, and examining evidence. Auditors recommend ISO Certification when they find that the organisation meets the ISO standards and identify no major nonconformities. Once approved by the Certification Body, a certificate is issued.
Here are some key points to remember:
- ISO Certification is valid and internationally recognised only if the Certification Body is accredited and registered with the IAF.
- Major nonconformities must be addressed promptly to maintain certification validity. Failure to do so may result in certificate suspension.
- Upholding the credibility of your organisation, brand, and certificate is crucial.
- Adhering to established rules ensures that major nonconformities are resolved in a timely manner.
A note from the Wynleigh Team:
If you’re eager to kickstart your Certification Journey, we recommend reaching out to Christina Moodley, our Operations Manager. Christina is equipped to address any lingering questions you may have and will smoothly navigate you through the process.
There’s no need to rush if you aren’t ready. We encourage you to subscribe to our newsletter and connect with Tony Cunningham and Wynleigh International on LinkedIn.
Regardless of where you stand in your Certification Journey, you can reach us at info@wynleigh.com or by calling us on +44 (0) 203 926 6507 or +27 (0) 31 941 4790.
Access our Industry Directory to find service providers who can assist in preparing you for your Certification Journey.