While the certification process may appear complicated at first, it is basically a set of 10 steps starting with a gap assessment and ending with a triennial or recertification audit every three years. Knowing the process in its entirety will help plan for both budgetary and time constraints which may impact your organisation’s certification.

  • How does the certification process work?

    Very few organisations know much about how ISO certification works before they decide that they need to become ISO certified – but it’s really not complicated once it is explained to you.

    Step 1: Gap assessment
    The first recommended step is normally some kind of gap assessment to determine your current level of compliance. What this means is that a consultant or auditor can look at your business system; ask you questions; review documents and determine how well what you are doing fits with the requirements of the ISO standard that you have chosen to be assessed against. You will then get a report describing all the areas where you comply as well as those where you don’t.

    **Insider Tip!**: If you get a consultant to do this gap assessment (as opposed to a certification body auditor), you can request an action plan which describes exactly step-by-step what you would need to do to be ready to get certification. A certification body is not permitted to consult as this would be a conflict or interest they can only point out gaps.

    Step 2: Establishing the system
    Once Step 1 is complete, the next step is to finalise everything you need to do in order to meet the requirements. In the case of many organisations this requires some significant changes in the way they operate. The most common of these are adhering to a system of continuous improvement; management reviewing the system on a regular basis; creation of a system for dealing with and preventing problems; and several compulsory procedures and documents which unfortunately cannot be avoided. You may or may not choose to get a consultant to help you with this part – the extent to which you do this will determine the cost and speed associated with your organisation becoming compliant.

    Step 3: Pre-certification audit
    Once you feel the system has been successfully implemented, a pre-assessment or pre-certification audit has to be conducted by a certification body. The certification body assesses your organisation’s documented and implemented system to ensure adequacy and produces a report.

    **Did you know?**: The pre-certification audit was instituted because so many companies were going for certification without being necessarily prepared. Nowadays the pre-certification audit is short and gives the company a quick answer on whether they are ready and what remains to be done without having to pay for a full certification audit.

    Step 4: Follow up actions
    Out of the pre-certification audit will usually come some improvement suggestions or areas of concern which need to be addressed prior to going for the final audit. This is an appropriate place to get some advice or assistance from a consultant if you choose to do so.

    Step 5: Certification audit
    Once you believe you have addressed these findings in full, you can then request the certification body to come back for the final audit, the certification audit.

    **Insider Tip!**: There is generally a six-month timeframe limit between the pre certification audit and the certification audit. If you go over the six-month timeline, you will need to do the pre-certification audit again, so it’s worth being prepared before you go for the pre-certification audit so you don’t have much to finalise.

    Step 6: More follow up actions
    If your system has been set up properly, especially if you have used a consultant, you should not expect any major non-conformances.

    **Did you know?**: A non-conformance simply means an area of your system which does not comply with the standard.

    A major non-conformance is a problem that must be fixed immediately if you are to achieve certification. You usually get 30 days unless it’s a high risk matter.

    A minor non-conformance means that this is a less serious problem and you will be given more time to fix it.

    An opportunity for improvement is exactly that. Auditors can suggest that you consider an opportunity in between one audit and the next. You can take it or leave it once you have considered its merits and documented your decision.

    In general a certification audit is nothing to be afraid of. However, many companies do still find reassurance in having a consultant present, particularly at the first and second audit.. This allows you adequate time to get used to the language of the ISO auditor and understand how to translate what you have developed to the auditor in a way that they can see how it complies.

    Step 7: Certificate issued
    Once you have successfully passed the certification audit, you will be issued with your certificate which will have the logo of the certification body you have chosen.

    **Did you know?** : There are as many different logos as there are certification bodies (i.e. over 35 in Australia) so when you choose your certification body you are choosing their logo as well. Once certified, this logo can then be displayed on your letterhead and other promotional materials in order to effectively market your ISO certification.

    **Insider Tip!**: You are not obliged to stay with a particular certification body or a particular auditor if you are not happy. Customers are becoming increasingly discerning in this regard and certification bodies are being forced to become more customer-focussed in order to retain customer loyalty in an increasingly competitive marketplace.

    In general, it is important to remember that certification is a service and you are the customer. If you are not happy with the certification body or the auditor’s behaviour, you are fully entitled to complain and to change providers. However, I would caution against changing several times from provider to provider. Once you have found a certification body you respect and have gotten good value from, build a relationship with them as many offer other services apart from certification.

    It is also important to realise that the odd non-conformance or a suggestion for improvement is not a reason to jump ship. Audits and even non-conformances can be tremendous opportunities to learn and improve. Auditors have huge experience on which to draw from. You will get the most value out of your certification, if you use auditor visits to come up with as many ideas for best practice as possible.

    Step 8: Keep it up
    Many companies don’t realise that there is a significant investment of time and effort required on an ongoing basis once you have achieved certification.

    Between audits you will be expected to maintain the habits that you have implemented such as management reviews, internal audits, dealing with customer complaints and non-conformances in a formal way and so on.

    Many companies ask a consultant to help them out with internal audits as this requires the highest level of knowledge and skill of any of the requirements. Having said that, it is quite possible to conduct internal audits using your staff as long as they are appropriately trained.

    **Insider Tip!**: It is always best to maintain most of the system yourself, as using an outside consultant to keep your system ticking over almost guarantees that it will not be as well integrated into your business as you would hope. If the system is set up well from the start, (i.e. based firmly on the foundation of what you are already doing well), then there should not be a huge number of new processes or habits to be implemented.

    At ICS, we believe that there is no need to dramatically change what a business is doing, but rather we simply tweak and improve upon the systems that are already established and working well. This way we enable companies to achieve compliance with a minimum amount of change, disruption and ongoing effort.

    Step 9: Maintenance/surveillance audit
    At the end of six or twelve months you will need to undergo a surveillance or maintenance audit. The frequency of audits is determined by the certification body based on the level of risk and the level of compliance.

    If you are a high risk food manufacturer for example, you can expect audits every six months. If you are an office based professional services organisation, every twelve months is generally the norm. Sometimes a consultant can assist you to question the frequency that the certification body has assigned to the audit if you feel it is excessive.

    During the maintenance audit process, the external auditor will visit your organisation and undertake some sample audits of different areas of your system to ensure that it is still ticking over. If they find that you have allowed areas of the system to lapse, then you will receive non-conformances. As described above, you will get time to fix these depending on how serious they are considered to be.

    **Insider Tip!**: On occasion we come across external auditors who get a bit carried away in issuing non-conformances. As a consultant, we are sometimes put in a position of advocating on a client’s behalf when the client believes that a non-conformance has been issued unfairly. It is most important that the auditor can explain to you exactly where it says in the standard that you must do what he or she is requesting. If they cannot do so, or if you are unsure or not happy, you have every right to question what they have said to you, and follow up with the certification body if you are still not satisfied.

    Step 10: Recertification/triennial audit
    Every three years you will need to go through a recertification audit. This is similar to the initial certification audit where the external auditor goes through your system with a fine tooth comb, basically checking the health of every area and doing some in-depth audits in all the critical areas of your business. The recertification audit always takes longer than the surveillance audit. Then once you have gone through that successfully, your certification is approved for another three years and you’re issued another certificate.

    If you would like any more information advice about ISO certification or any other related matter feel free to give us a call on 1300 132 745 or contact us via our website.