What is ISO?

‘ISO’ is the acronym applied to the International Organization for Standardization. Because ‘International Organization for Standardization’ would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalisation), the founders decided to use ‘ISO’. ISO is derived from the Greek word ‘isos’, meaning equal.

ISO is an independent non-governmental coalition representing 165 countries through their national standards bodies. ISO brings together experts to share knowledge and develop voluntary, consensus-based international commercial, industrial and technical standards.

ISO has developed over 24 000 International Standards, a small sub-set of which are Management System Standards (MSS).

ISO does not offer certification, registration or accreditation against these standards. Nor does it commercially provide audit, training or consulting services. It does, however, work to help raise public awareness of standards and standardization.

Which ISO standard?

ISO standards are compiled using the collective wisdom of experts representing their field of speciality and the needs of their organisation. These may include, for example, manufacturers, sellers, buyers, customers, trade associations, users or regulators.

Management System Standards (MSS), unlike technical standards, help organisations improve their performance by setting out principles and requirements to manage their policies and processes. They are all based on a common set of governance requirements and each MSS typically brings focus on a particular issue, discipline or topic.

The better known examples include:

ISO 9001 is the primary document in the ISO 9000 family of standards. The ISO 9000 series of standards comprises four documents:

  • ISO 9000:2015 Quality management systems – Fundamentals and vocabulary
  • ISO 9001:2015 Quality management systems – Requirements
  • ISO/TS 9002:2016 Quality management systems — Guidelines for the application of ISO 9001:2015
  • ISO 9004:2009 Quality management systems – Managing for the sustained success of an organization – A quality management approach

The ISO 9001 Standard defines requirements for the management arrangements of an organization that wants to show its ability to provide products and/or services that meet customer and applicable regulatory requirements on a consistent basis, and that has a desire to drive customer satisfaction through the effective application of those management arrangements.

ISO 9001 is a conformance-based standard. It therefore does not set the level of quality performance for the organisation’s production of products or delivery of services. Instead, it sets the requirements for the management arrangements needed to deliver the quality of product or service, as agreed between the organisation and its customer or defined in law (for regulated products).

The series of standards has been developed using seven Quality Principles. These are listed in ISO 9000 as follows:

  • Customer focus
  • Leadership
  • Involvement of people
  • Process approach
  • Continual improvement
  • Factual approach to decision making
  • Mutually beneficial supplier relationships


When using the documents that make up the series of standards it is important to note that the main focus for conformity is ISO 9001. ISO 9000 provides background and additional information relating to quality management systems as well as definitions of the vocabulary and concepts used in ISO 9001.

ISO 9004 expands on the basic requirements of ISO 9001 and integrates the ‘thinking’ of Business Excellence and maturity modelling alongside the traditional approach to Quality Management Systems.

ISO/TS 9002 may be used for guidance when implementing a Quality Management System.

ISO 14001:2015 defines requirements for an environmental management system.

With increasing demand for sustainable development and reporting on the triple bottom line, more and more organisations are seeking to introduce credible environmental management systems.

The content of ISO 14001:2015 provides a convenient framework to achieve legal compliance whilst simultaneously managing business processes for sustainability. The standard may be used by any type of organisation, irrespective of size or type.

Gaining certification to the requirements of ISO 14001 is achieved through third party audit. Benefits of certification to this standard include assurance and demonstration of conformance to shareholders, customers and other interested parties. The environmental management system drives responsible environmental performance.

By adopting the requirements of ISO 14001 an organization creates a system that provides top management with information to build long term success. This includes compliance to applicable legislation and other requirements that are voluntarily adopted as part of its self-imposed management arrangements. The standard is not intended to increase or change an organisation’s legal requirements but instead to create a structured approach to acquire, control, maintain and disseminate legal information to its people to ensure compliance.

The ISO 14000 series of standards also offers a range of practical tools to manage environmental responsibilities.

The aim of an environmental management system is to assist organizations to introduce management arrangements that help contribute to sustainable development. It does this by setting out requirements that provide a structured approach to environmental protection under ever changing conditions.

The organization’s management are therefore able to consider how they will deal with changing circumstances, such as rising sea levels, climate change, increasing population and their need for employment, and fluctuating economics, in the context of existing and new activities, products and services.

The standard also enables organisations to achieve their own requirements for environmental performance, providing a means to achieve their vision for a better future despite pressure to perform at ever-higher levels of profit.

ISO 22000 provides the requirements for a food safety management system where organisations operating within the food chain desire to demonstrate their ability to control food safety hazards. It applies equally to organizations of any size, which are involved in any aspect of the food chain and related services.

It should be recognised that food safety intrinsically considers the protection of consumers against food-borne infectious agents and other hazards.

ISO 22000 combines and supplements the main parts of ISO 9001 and Hazard Analysis and Critical Control Point (HACCP) management to provide a framework for a Food Safety Management System (FSMS). It also shares common principles with other management systems, such as ISO 14001.

ISO 22000 is developed for certification purposes, which, once achieved, will provide added confidence and assurance of food safety to customers.

Although most consumers are interested only in those organisations with direct impact on the food preparation, this standard deals with the entire food supply chain, from growers and producers to processors, packaging, transport and point of sale.  It extends also to suppliers of non-food products and services, like cleaning, label printers and equipment manufacturers.

By implementing an ISO 22000 compliant food safety management system the organisation is best positioned to anticipate, manage and mitigate food safety risks, prevent recall of products and the associated potential liability whilst simultaneously protecting the value of the brand.

ISO/IEC 27001 contains requirements for an information security management system. This member of the ISO 27000 family of standards enables organisations to manage the security of information assets such as financial information, intellectual property or employee details. An Information Security Management System is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management.

Whilst organisations generally have some information security controls, without an information security management system, these controls may be disparate or somewhat disorganised. Security controls typically only address certain aspects of information technology; leaving non-IT information assets, such as hardcopy, less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT while Human Resources practices may not address information security roles and responsibilities at all.

ISO 27001 uses a top down, risk-based approach and is technology-neutral. The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action.

The 27001 standard does not mandate specific information security controls; instead, ISO 27002 provides a checklist of controls for consideration. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

Management determines the scope of the Information Security Management System to be certified and may limit it to, say, a single business unit or location.

Other standards within the ISO 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an Information Security Management System, for example ISO 27005 on information security risk management.

ISO 45001 is an ISO management system standard for occupational health and safety (OH&S). The intent of this standard is to reduce workplace risks and prevent occupational injuries and ill health, including the promotion of improved physical and mental health.

It is applicable to the OH&S risks under the organization’s control, taking into account factors such as the context in which the organization operates and the needs and expectations of its workers and other interested parties.

ISO 45001 does not state specific criteria for OH&S performance, nor is it prescriptive about the design of an OH&S management system.

ISO 45001 does not address issues such as product safety, property damage or environmental impacts, beyond the risk to workers and other relevant interested parties, such as contractors or visitors.

An ISO 45001 compliant management system will ensure that an organisation’s reputation as a safe place to work will be promoted, and can have more direct benefits, such as:

  • Improving its ability to respond to legal compliance requirements
  • Reducing the costs associated with incidents
  • Reducing OH&S related downtime and operational interruption
  • Reducing the cost of insurance premiums
  • Reducing absenteeism, managing presenteeism and employee turnover rates

ISO 45001 offers businesses of all sizes access to a single framework that provides a clear pathway to developing better and more robust occupational health and safety measures.

How we use energy today has consequences for our children and future generations.

Deploying new technologies can take time, but organisations can derive immediate benefits by managing their energy consumption more efficiently. Improved energy efficiency can cut costs and conserve resources as well as contribute to a reduction in the causes of global warming.

The ISO 50001 International Standard aims to help organizations continually reduce their energy use, and therefore their energy costs and their greenhouse gas emissions. This standard for energy management systems can assist in the safeguard of mankind’s future by immediately making a positive difference.

ISO 50001 is based on similar concepts to those used in ISO 9001 and ISO 14001 and certainly supports the focus of ISO 14001 which defines the requirements for an environmental management system.

The standard defines requirements for establishing, implementing, maintaining and improving an energy management system, the purpose of which is to ensure an organization can follow a systematic approach to continually improving energy performance. This includes energy use, energy consumption, energy efficiency and energy security.

Where funding is made available by donors that are promoting the reduction in energy consumption, it is not uncommon for them to demand conformance to this standard as a means to their assurance of reliable reporting.

How do I get started with developing an ISO Management System?

There are several avenues towards successful development and implementation of a management system. These range from ‘doing it yourself’, to employing a consulting firm to assist.

A sound foundation is important and therefore the point of departure best starts with establishing which of your current work practices and business controls already satisfy the requirements of your chosen standard. By doing so one is able to make use of what already works and is able to prevent duplication. This ‘Gap Analysis’ may be performed by a specialist, or you may wish to attend training and conduct the assessment yourself.

Either way, training of some sort is going to be important to understand how to deal with the outcomes of the Gap Analysis.

Consulting and training organisations that offer services to build capacity and knowledge typically offer both contact and online environments to understand and interpret an ISO standard, build competency in tools and techniques for implementation, and learn how to audit according to ISO guidelines (ISO 19011). Wynleigh International Certification Services works with a number of experts that offer these services.

Specialised software is also available. Whilst some firms configure your existing software to accommodate the requirements of your chosen standard, others have bespoke solutions independent from the big software brands.

Developing a management system will require a sound understanding of your organisation’s business processes and how these must be managed to achieve the outcome of your selected ISO standard.

Risk-based techniques are used to bring focus on issues that must be addressed. Once determined, these become the focus of top management who are required to demonstrate their leadership and commitment toward the required outcome of the management system standard.

Much time and effort is required to develop and implement a management system before the rewards become evident. However, once the investment has been made, tangible benefits may be derived.

Am I ready for ISO certification?

It is advisable to determine the status of an organisation’s management system before going ahead with the certification audit. Typically, a consulting firm can conduct a pre-certification/readiness audit and use the results to advise on corrective actions needed to achieve certification.

A Certification Body can also perform such an audit but may not consult on how to correct the management system without compromising their independence.

A third option is for the organisation to ensure it has internal audit competence and conduct the pre-certification audit itself. Internal audits of the management system are a common requirement across all Management System Standards. This third option is therefore most often used to generate the evidence needed to demonstrate conformity to this requirement and to establish the readiness for certification.

Accreditation versus certification?

Various terms are used to indicate that an organisation has satisfied an ISO Management System Standard (MSS), such as ISO 9001, ISO 14001 or ISO 45001. The correct term, in regard to conformance to these standards, is ‘certification’. Some people refer to the process of certification as ‘registration’ or ‘accreditation’.

So what do these terms mean and how is certification/registration awarded?

Certification is the process of independent, third-party assessment of conformity to an ISO Management System Standard, concluded by the awarding of a certificate to demonstrate such conformance.

Certification Bodies need to provide their certified clients with the confidence that the certification processes they apply adhere to the requirements of ISO 17021-1:2015 (Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements). Certification Bodies, more correctly named Conformity Assessment Bodies (CAB), are accredited in accordance with the requirements of this standard by an Accreditation Authority/Body.

The application of ISO 17021-1 regulates the certification process to ensure:

1. The Certification Body is substantially free from conflict of interest.

It should be obvious, for example, that the same organisation cannot consult or guide the client toward conformity of their management system, and then also be the entity that confirms and certifies that same management system, because of a conflict of interest.

To retain accreditation, the processes of a Certification Body are regularly audited by an Accreditation Body to ensure such impartiality permeates every part of the certification process.

2. The Certification Body must demonstrate the use of competent people to perform the activities within the certification process. ISO 17021 is divided into various parts. ISO 17021-2, for example, specifies competence requirements for auditing and certification of environmental management systems, whilst ISO 17021-3 specifies competence requirements for auditing and certification of quality management systems and ISO 17021-10 specifies competence requirements for auditing and certification of occupational health and safety management systems.

These standards detail the competence requirements for all members participating in the certification processes, from the point of initial quotation to the point of awarding of certification. However, it is clear that auditor competence is a critical element amongst these activities within the certification process. Whilst some Certification Bodies rely solely on internal arrangements to determine and maintain competence, there are independent auditor certification bodies that not all Certification Bodies make use of. Ideally, Auditors need to be certified by an ISO 17024 accredited organisation. In southern Africa, the Southern African Auditor and Training Certification Authority (SAATCA) is the only entity accredited in this way.


South Africa is represented at the International Accreditation Forum (IAF) by the South African National Accreditation System (SANAS). SANAS is legally mandated through the Accreditation for Conformity Assessment, Calibration and Good Laboratory Practice Act (Act 19 of 2006) to deliver accreditation services.

Wynleigh International Certification Services is accredited by SANAS and only uses auditors correctly certified as described above.

Because SANAS is a full member of the IAF, the Certification Bodies that it accredits also have to adhere to IAF Mandatory Documents. These IAF Mandatory Documents set out more specific requirements for both accreditation performed by SANAS and for certification practices performed by Wynleigh International Certification Services. For example, they specify what duration to apply to a specific audit (IAF MD 5), or what sample size to apply to certification audits of a multi-site organisation (IAF MD 1).

Certification delivered by Certification Bodies accredited by non-IAF members makes transfer of certification between Certification Bodies impossible without starting the certification process from square one. Similarly, Certification Bodies not accredited at all cannot prove that their certification processes are independent or internationally recognised. For this reason, they will typically run into significant problems when their prospective customers verify their certificates as part of a procurement requirement.

This last point is particularly relevant for cross border trade.

How to select a certification body?

Although price and BBBEE may play a role, selecting a Certification Body should focus on the full value proposition. Key factors to consider should include:

1. Accreditation of the Certification Body

Not all accreditation bodies are equally recognised. Choose a Certification Body accredited by an IAF member for most credible results.

2. Independently certified Auditors

Accreditation of a Certification Body is sector specific, see IAF MD 17:2019. It is critical that the correct auditors are used and are able to demonstrate relevant competence. By selecting a Certification Body with independently certified auditors, you are offered an additional layer of assurance that the certification process is credible.

3. Seek references from a third party

Start by considering who the key stakeholders may be in regard to your chosen ISO Management System Standard.

Using ISO 9001 as an example, we can see that the most important stakeholder is the customer of the certified organisation. If the customer is experiencing poor quality of service or poor quality of products from their supplier, it doesn’t matter what claims are made on the supplier’s ISO 9001 certificate. It is very clear that the Certification Body is not doing their job properly. This might sound like an extreme length to go to when selecting a Certification Body, but consider going to all the effort of achieving certification, only to find the whole process is a farce.

This is why Wynleigh International Certification Services offers a Risk Assurance Service, free of charge, as part of its certification process. We are proud of our brand and fiercely protective over it. Our Risk Assurance Service provides all parties with an interest in our certification process the confidence of real-world ‘checks and balances’ for a credible certificate.

What is the certification process?

An accredited certification process comprises a three-year cycle that includes a series of audits. ISO 17021-1 requires a two-stage initial audit to award certification.

Stage 1 is conducted to validate the assumptions made when the audit client is initially quoted, as well as to determine the state of readiness for the Stage 2 audit. A report is generated that may be used to guide the Auditee regarding their state of readiness.

The Stage 2 audit is conducted to establish conformity to the requirements of the selected Management System Standard. Following this audit, provided all major nonconformities are closed out, certification is awarded.

During the two-year period succeeding the initial certification, surveillance audits are conducted to confirm conformance of the auditee’s management system. A status report is delivered with each audit.

A recertification audit is needed, prior to the three-year expiry date of the certificate, to maintain the organisation’s certified status.

Each successive three-year cycle follows this same process.

Already certified with an accredited Certification Body?

Provided the Certification Body holding your current certificate is accredited by an Accreditation Body that is a full member of the International Accreditation Forum and you have no unclosed major nonconformities, a Certification Body transfer, as guided by IAF MD 2, is as easy as a one-day transfer review. This review is essentially a due diligence conducted on your existing certification process. All being well, we slot into your existing three-year audit cycle and continue with the next audit at the date your previous CB would have visited you.
