What is ISO Certification?
ISO certification is the process by which an organisation has its management system assessed by an independent third party and, if it passes, receives a certificate confirming that the system conforms to a specific ISO standard. The certificate lasts for three years before it has to be renewed, and the certification body carries out surveillance audits each year to confirm the system continues to be maintained.
Certification is not a legal requirement. Organisations pursue it for commercial reasons: customers increasingly ask for it in tenders, regulators see it as evidence of responsible management, insurers may reduce premiums for certified organisations, and internally it provides an external check on whether the management system is working as intended.
Crucially, ISO itself does not issue certificates. ISO writes and publishes the standards, but the certification activity is carried out by independent certification bodies that operate under accreditation from a national accreditation body. In the UK that is UKAS. The distinction between accredited and unaccredited certification matters and is covered in more detail below.
Accredited vs Non-accredited Certification
ISO certification can be obtained from two types of certification body: accredited and non-accredited. Both issue certificates, both conduct audits, and both can provide value - but they serve different commercial needs, and picking the right one is a business decision.
An accredited certification body has itself been assessed by a national accreditation body - UKAS in the UK, ANAB in the United States, JAS-ANZ in Australia and New Zealand, and so on - which confirms the certifier is competent and operates to international rules (ISO/IEC 17021). These national accreditation bodies are signatories to the International Accreditation Forum (IAF), giving accredited certificates formal recognition across borders.
A non-accredited certification body operates outside that framework. The body may be as rigorous as an accredited one, or less so - there is no external check either way. The certificate does not carry the IAF mark and will not automatically be accepted where accreditation is specified.
Why Accredited Certification Costs More and Takes Longer
The time and cost difference between accredited and non-accredited certification is not about the ISO standard itself - it is about the rules UKAS-accredited certification bodies have to follow.
Mandatory minimum audit days. IAF Mandatory Documents (MD 5 for QMS/EMS, MD 9 for other standards) set minimum audit durations by number of employees and complexity. Even a one-person organisation pursuing ISO 27001 requires a minimum of around 5 days of audit time across Stage 1, Stage 2 and surveillance. Accredited bodies cannot reduce these figures - they would lose their accreditation if they did. Non-accredited bodies are not bound by the tables and can scale the audit to the actual size of the organisation.
Management system maturity. Accredited certification bodies typically require evidence that the management system has been operating for at least three to six months before the Stage 2 audit - long enough to produce a full cycle of internal audits, a management review, and records that show continual improvement is working. Non-accredited bodies are not bound by this, so a non-accredited certificate can be achieved much faster.
Separation of certification and consultancy. Accredited certification bodies are required by ISO/IEC 17021 to be independent of their clients and cannot provide consultancy to the organisations they certify. That means an organisation pursuing accredited certification usually needs a separate consultant, in-house expertise or a toolkit to prepare the management system. Non-accredited certification bodies are not bound by this separation - some offer combined consultancy and certification packages. This can be commercially convenient, but it introduces a conflict of interest: the same body is helping build the system and then judging whether it meets the standard.
The combined effect is that an accredited route for a small organisation can easily take six to twelve months from start to certificate and cost several thousand pounds in audit fees alone. A non-accredited route to the same ISO standard can be a fraction of the time and cost.
When Accredited Certification Is the Right Choice
Accredited certification is worth the extra time and cost where the market demands it:
- Public sector tenders that specify UKAS-accredited certification
- Large corporate procurement that requires IAF-recognised certificates
- Regulated sectors where accreditation is part of the regulatory expectation (aerospace, medical devices, some food and rail)
- International trade where customers need cross-border recognition
- Insurance or investor requirements that stipulate accredited certification
When Non-accredited Certification Is the Better Choice
Non-accredited certification can be the smarter business decision when:
- Customers want evidence of a working management system but do not specify accreditation
- The organisation is pursuing ISO for internal discipline rather than external compliance
- A smaller business would face disproportionate audit days and fees under accredited rules
- Speed to certificate matters and the organisation cannot wait out the maturity requirement
- The system is new and not yet mature, and the organisation wants to test it through a real audit before committing to the accredited route - going into a UKAS Stage 2 audit under-prepared is expensive and demoralising, and a non-accredited audit is a lower-risk way to shake out issues first
- The certificate is being used as a stepping stone - demonstrating the system works, with the intention of moving to accredited certification at a later recertification if commercial needs change
For many SMEs whose customers do not specify UKAS, paying for accredited certification is a cost without a corresponding commercial return. Choosing a non-accredited route in that situation is a sensible use of limited resources.
Avoiding the Scams
Not all non-accredited providers are legitimate. A growing number of companies sell fake-accredited certificates - claiming accreditation from bodies that are not IAF members, charging fees similar to UKAS-accredited certification, and pushing businesses into long lock-in contracts of five to ten years. These certificates are worth nothing: not recognised by UKAS, not recognised internationally, and in many cases not even checked by the certification body against the ISO standard.
Warning signs include:
- Claims of accreditation from a body not listed on the IAF website (iaf.nu)
- High-pressure sales calls offering certification within days with little or no audit
- Long lock-in contracts, often multi-year, with substantial early termination fees
- Fees close to accredited prices without the accreditation to justify them
- Badges or logos that mimic UKAS, IAF or other genuine accreditation marks
A legitimate non-accredited certification body is transparent about its status, charges fees that reflect the lighter audit burden, and does not tie clients into multi-year contracts they cannot exit.
There are sharks in this market and they prey on small businesses who do not know the difference. Certificates turning up in the post after a ten-minute phone call and a card payment. Contracts that lock you in for a decade. Logos that look like UKAS if you squint. If a deal sounds too easy, it is not worth the paper the certificate is printed on.
A real non-accredited certifier will audit you properly, charge a fee that reflects the work, and let you leave when you want. Ask for the ISO/IEC 17021 references they work to, ask how their audit duration is worked out, and ask whether you can move to UKAS-accredited certification later without losing your position. If the answers are vague, walk away.
Checking Accreditation
For accredited certification, UKAS publishes a public register at ukas.com of the bodies it has accredited, by standard. Accreditation for ISO 9001 does not automatically extend to ISO 14001 or ISO 27001 - check the specific standard.
For accredited bodies outside the UK, the IAF maintains a register of its members at iaf.nu. Any claim of accreditation from a body not listed on either register should be treated as unverified.
Switching certification bodies at recertification - accredited to accredited, accredited to non-accredited, or the other way around - is common and legitimate. Organisations often change providers over cost, audit experience or service quality. A new certifier will typically conduct a transfer audit to pick up the existing cycle, not a fresh Stage 1 and Stage 2.
Choosing a Certification Body
There are dozens of UKAS-accredited certification bodies in the UK, from large international names like BSI, SGS, LRQA and Bureau Veritas to smaller specialist providers. The right choice depends on several factors.
Accreditation scope: The first check. Is the body accredited for the specific standard and the specific industry sector? Some smaller bodies hold accreditation for ISO 9001 and ISO 14001 but not for ISO 27001, which has different requirements. Accreditation within a specific industry is also relevant for some standards.
Sector experience: An auditor who regularly audits in the organisation's sector will spot issues a generalist might miss and will usually ask more useful questions. For specialised sectors - medical devices, aerospace, food safety - sector-specific experience matters more than it does for a general manufacturing or service organisation.
Cost: Fees vary significantly between certification bodies for similar scopes. The fee structure usually has a fixed element (initial certification and recertification audits) and a variable element (annual surveillance audits priced by audit days). Larger, more complex organisations require more audit days and therefore more fees.
Relationship style: Some certification bodies are known for being rigorous and thorough; others for being more commercial. Neither is inherently better, but organisations often find they work more effectively with one style than the other. Asking other certified organisations in a similar field about their experience is usually more informative than comparing marketing material.
Geographic reach: For multi-site organisations, it is worth checking whether the certification body can conduct audits at all relevant sites with local auditors, or whether an auditor will need to travel significantly (which adds cost and complicates scheduling).
Once the shortlist is drawn up, requesting formal quotations with agreed scope and audit days provides a direct comparison. Switching certification bodies later is possible but carries some cost and disruption, so the initial choice is worth taking seriously.
The Stage 1 Audit
Certification audits are conducted in two stages. The first, Stage 1, is essentially a readiness check. Its purpose is to confirm that the organisation has a management system documented to the right extent, that the system is in a state where a meaningful Stage 2 audit can be conducted, and that there are no obvious show-stoppers.
Stage 1 typically takes one to two days for a small to medium organisation, either on site or remotely, and focuses on the documented system:
- the management system manual
- the policies and the main procedures
- the identification of interested parties
- the opportunities and risks register
- the objectives
- the statement of applicability, where the standard requires one (ISO 27001)
- evidence that internal audit has started
- evidence that management review has started
The Stage 1 auditor produces a short report setting out any issues found and the readiness for Stage 2. Common Stage 1 findings are missing or underdeveloped documentation, a scope statement that does not match the operations observed, an internal audit programme that is not yet operating, or a management review that has not yet been held. Most of these are fixable before Stage 2 if identified early enough.
Stage 1 is not a pass or fail event in the same way that Stage 2 is. It is the diagnostic stage where gaps are flagged so the organisation can address them before Stage 2. An unprepared organisation is sometimes advised to delay Stage 2 after a weak Stage 1, rather than proceeding and risking a major non-conformity.
The Stage 2 Audit
Stage 2 is the implementation audit - the assessment of whether the documented system is actually being operated as documented. This is where most certification effort goes. It is longer than Stage 1 (typically two to five days for a small to medium organisation, longer for larger or multi-standard systems), always on site for at least part of the time, and covers every clause of the standard through sampling.
The auditor works from an audit plan provided in advance. They will interview staff at different levels - top management, process owners, operational staff - to verify that the system is understood and followed. They will sample records: training records, risk assessments, supplier evaluations, internal audit reports, management review minutes, non-conformity records, corrective action records. They will trace specific cases through the system from input to output, for example following a customer complaint from logging through investigation to resolution and verification.
The Stage 2 audit is where the honest test happens. A well-documented system that no-one follows will fail Stage 2 even if it sailed through Stage 1. Conversely, a system that has genuinely embedded into how the organisation works will pass Stage 2 even if some of the documentation is less polished than an auditor might like.
At the end of Stage 2, the auditor holds a closing meeting with top management to summarise findings. Any non-conformities identified are formally recorded. The audit report is then written up and submitted to the certification body's independent decision-making process.
Audit Findings and the Certification Decision
Findings from a certification audit fall into four categories.
Major non-conformity: A significant failure of the management system to meet a requirement of the standard. Examples include no internal audit programme at all, no management review having taken place, a policy that is not communicated or understood, or systemic failure of a key control. A major non-conformity must be addressed before certification can be granted.
Minor non-conformity: A specific, isolated failure to meet a requirement that does not indicate a systemic problem. Examples include a single training record missing from otherwise complete files, a risk assessment that is out of review date, or a procedure that does not fully reflect current practice. Minor non-conformities typically need to be addressed within a set timescale (often 90 days) but do not prevent certification.
Observation: A matter raised by the auditor that is not a non-conformity but may become one if not addressed, or an area where the system could be strengthened. Observations do not require a formal response but many organisations choose to treat them as improvement opportunities.
Opportunity for improvement: A positive suggestion made by the auditor, drawing on experience from other organisations, about how a particular part of the system could be enhanced. These are optional to act on.
The certification decision itself is made by the certification body, not by the audit team. A separate decision-maker (or panel) reviews the audit report, the findings, the evidence and any corrective actions the organisation has already taken, then decides whether to grant, maintain, suspend or withdraw certification. This separation is a requirement of accreditation and is intended to protect against the auditor and the organisation becoming too close.
The Three-Year Certification Cycle
Once initial certification is granted, the organisation enters a three-year cycle with two surveillance audits in between.
Year 1 surveillance audit: Typically takes place around 12 months after initial certification. Shorter than Stage 2 (often one to two days), it focuses on a selected subset of clauses and processes, with particular attention to any findings from the initial audit and any significant changes to the organisation or its processes since then.
Year 2 surveillance audit: Similar in structure to the year 1 audit, but covering a different subset of clauses and processes so that over the three-year cycle all requirements of the standard are re-sampled at least once.
Year 3 recertification audit: A full re-examination of the whole system, similar in scope to the original Stage 2, leading to a decision on whether to renew the certificate for a further three years. Some certification bodies precede this with a Stage 1-style review of any documentation changes made since the last audit.
The timing matters. A missed surveillance audit can lead to the certificate being suspended, which is damaging commercially and usually more disruptive to recover from than simply running the audit on schedule. Most certification bodies schedule well in advance and work with the organisation to agree dates that suit both sides.
Changes during the three-year cycle - significant scope changes, new sites, mergers, acquisitions - usually need to be notified to the certification body promptly, and may trigger an additional transfer audit or extension audit rather than waiting for the next surveillance visit.
What Certification Does and Does Not Prove
ISO certification is sometimes misunderstood, both by certified organisations and by those who rely on certificates from their suppliers.
Certification proves that, at the time of the audit, an accredited certification body judged that the organisation's management system met the requirements of the specified ISO standard. It is evidence of a working management system and of a commitment to continual improvement.
Certification does not prove that every product is defect-free, every service is perfect, every worker is competent or every risk has been eliminated. An ISO 9001 certificate does not mean no customer will ever complain. An ISO 45001 certificate does not mean no accidents will ever happen. Certification confirms that the management system is in place to identify and respond to these issues when they do occur.
Certification also does not transfer responsibility. A certified organisation still owns its own outcomes. The auditor is an observer and a verifier - not a consultant, not an extension of the management team, and not responsible for the organisation's performance. That is why accredited certification bodies operate at arm's length and do not offer consultancy services to organisations they certify.
I spend a lot of time telling clients that certification is not the goal - a working management system is the goal. Certification is the external confirmation that the system works. If you chase the certificate, you can end up with a paper system that looks fine to an auditor but does not help you run the business. If you focus on the system, the certificate follows almost as a by-product.
The other thing I see regularly is panic in the weeks before the first Stage 2 audit. It is usually unfounded. Stage 2 auditors are not trying to catch you out. They are looking for evidence that the system is working. If your system is genuinely in use, an auditor will find that evidence quickly. If it is not, no amount of pre-audit tidying will hide the problem.
We have been certified to ISO 9001 for over a decade and added ISO 14001 and ISO 45001 along the way. The first certification cycle was the hardest because everything was new. After that, the annual surveillance audits became a normal part of the management rhythm.
One thing I would say to anyone approaching their first audit: do not try to tidy up the day before. If there are issues in the system, the audit is the right place to surface them. A minor non-conformity that leads to a real improvement is more valuable than a clean audit that papered over the same issue.
We have also changed certification bodies once, about six years in. It was less disruptive than we feared. The new auditor brought a fresh perspective and asked different questions, which was useful even if the process of transitioning took a few months to complete.
When I audit an organisation for certification, the first thing I look for is whether the management system matches the way the organisation actually runs. If the documented procedures describe one reality and the staff describe another, something is wrong.
The best certification audits are the ones where I learn something from the organisation - where I see a well-designed process and can take it as a good example to share (in general terms) with others. The worst are the ones where the organisation is clearly trying to work out what answer I want to hear. Honesty makes the audit shorter and the outcome more useful.
Practical Compliance Guidance
The alphaZ toolkits are designed to cover what a certification body expects to see: the IMS1 manual plus the correlation documents give the auditor a clear route through the standard, and the supporting forms and registers are the evidence at the operational level.
The documents below are the ones most commonly sampled during certification and surveillance audits, and are all included in the relevant toolkits.
| alphaZ document | How to use it |
|---|---|
| ISO 9001 Management System Toolkit | Complete starting point for ISO 9001 certification. Includes IMS1, correlation document, policies, procedures and registers that a certification body expects to see. |
| ISO 9001, 14001, 45001 IMS Toolkit | For organisations pursuing combined certification across quality, environmental and health and safety in a single integrated system and a single audit programme. |
| F-IMS20 Document Register | First document most auditors ask to see. Demonstrates that the organisation controls its documentation centrally rather than leaving it to individual departments. |
| F-IMS22 Interested Parties Register | Demonstrates the organisation has identified relevant interested parties and their requirements - a required element of Clause 4.2 in every Annex SL standard. |
| F-IMS23 Opportunities and Risks Register | Central evidence that the organisation addresses risks and opportunities - a requirement of Clause 6.1 that certification auditors always sample. |
| F-Q3 Management Review | Management review minutes and actions from the last one to two cycles are always sampled. A completed F-Q3 with contributions, decisions and actions is the evidence auditors look for. |
| ER1 Issues and Actions Register | Demonstrates how the organisation tracks non-conformities, corrective actions and improvement actions. Patterns and closure rates tell the auditor whether the improvement loop is working. |
| F-IMS26 Statement of Applicability | Mandatory for ISO 27001 certification. Lists each Annex A control, whether it applies, the justification and the implementation status. First item sampled on any ISO 27001 audit. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
No UK legislation requires ISO certification. It is a voluntary activity pursued for commercial and operational reasons. Some sectors have sector-specific certification or accreditation requirements that sit alongside ISO certification, but the general management system standards are not legally mandated.
