The ISO Certification Process

While the ISO certification process can vary depending on the scheme, generally management systems such as ISO 9001, ISO 14001, ISO 27001 or ISO 45001 follow a Two Stage Process, with the certificates lasting for a period of 3 years before renewal.

Pre-Certification Services

You may be offered some optional pre-certification services by the certification body, and it is up to you to decide if you feel these would be of benefit.

Pre-Audit or Gap Analysis

Some certification bodies offer a Pre-Audit or Gap Analysis prior to starting the ISO certification process.

UKAS Accredited Certification Bodies will not advise or provide consultancy, however during a pre-audit/gap analysis missing and weak areas of you management systems will be highlighted and reported. As this is not part of the formal certification process it is not a pass or fail audit, however leaving pre-audit findings unresolved could lead to non conformances during the certification process.

Stage 1 – Document Review

The stage 1 audit signals the start of the ISO certification process, and is used as an opportunity for the certification body to review the structure of your management system, through the available documentation.

They will seek to verify that any mandatory requirements have been addressed within the documentation.

This is usually conducted On-Site and is also used to plan for the stage 2 audit, allowing the auditor to tour your site and assess any special circumstances that could affect the audit.

It’s often said that the stage 1 audit is not ‘pass or fail’, however the auditor can raise non-conformances that must be addressed by the stage 2 visit, and they can recommend the stage 2 date be postponed if they feel the management system will not be ready in time.

There is a maximum timeline between stage 1 and stage 2 audits, after which you will need to re-do stage 1.



Stage 2 – Certification Audit

The stage 2 audit will cover all aspects of the management system, sampling records to obtain objective evidence that the system is operating effectively.

For this reason, there needs to be a minimum of 3 months of records and evidence for the auditors to review.

The stage 2 audit will again be held on-site and will need to include all business areas and locations referenced in your certification scope statement.

Stage 2 audits are generally considerable longer than the stage 1 audit.

There are several categories of audit finding at stage 2, the most serious of which, a major non-conformance can delay the certification. Find out more about Categories of Audit Findings.

Surveillance Audits

A programme of surveillance audits will usually be created at the end of the stage 2 audit.

Intervals can vary depending on the complexity of your management system and your preference, but usually these fall either annually or 6-monthly.

Surveillance audits are booked just as the other audits are, so there is no spot-checks or surprise visits.

In practice, these audits take a similar form to the stage 2 audits above, however they will focus on smaller sections of the management system each visit. Therefore these visits are generally shorter than the stage 2 process.