ISO Certification 05 Dec 2023

The ISO management systems certification process.

Discover the stages of ISO management systems certification - from application submission to audit and ISO certificate issuance.

The certification process for management systems developed according to ISO standards and obtaining ISO certificates is a key element in an organization's pursuit of operational excellence and increasing credibility in the eyes of customers and business partners.

Here is a detailed overview of this process:

Step 1 - Application submission and certification offer acquisition

The first step is to submit an ISO certification application, presenting essential information that allows the certification body to prepare an offer. The type and detail of the required data depend on the ISO standard, the scope of the certified management system, and the individual requirements of the certification body. This information is crucial for accurately determining the duration and cost of the audit.

Certiget Tip:

Each accredited certification body should estimate the approximate audit time based on the same data, as this is done according to strict and normative rules. In justified situations, the basic calculated audit time can be shortened or extended. All factors affecting the audit time must comply with the calculation methodology of the specific ISO standard and be described in the internal documentation of the certification body.

Example of a factor that may extend the required ISO 9001 audit time:

+10% of the audit time due to complex logistics involving more than one building or location where external work is conducted, e.g., a separate project center needs to be audited.

Example of a factor that may shorten the required ISO 9001 audit time:

-10% of the audit time because there is a very small location relative to the number of personnel (e.g., only an office complex).

Audit time requirements often allow for a reduction in audit time, typically not exceeding 30%. There are also regulations that completely prohibit such reduction or significantly limit it. Therefore, providing the certification body with accurate information necessary for pricing is very important.

With Certiget, you not only save time but also ensure that all essential information is always properly conveyed. We will handle the entire process for you—from application submission to obtaining offers, which we then present to you in a clear comparison.

Useful link: collection of ISO certification bodies

Step 2 - Preliminary audit (gap audit) as an optional step

Although not mandatory, the preliminary audit can be extremely helpful, especially for organizations that are preparing for certification on their own or have doubts about their system's compliance with the ISO standard. This stage allows for an initial assessment of the management system's readiness for the certification process. The preliminary audit identifies strengths and potential areas for improvement or adjustment to ISO standards. It is a valuable opportunity to receive feedback from the auditor, allowing the organization to better prepare for the main certification audit and minimize the risk of non-conformities during the main certification process.

Step 3 - Certification audit

The certification audit is a two-stage process.

Stage 1: System Analysis

In the first stage of the audit, auditors review the organization's management system documentation to check if the basic requirements of the standard, which is the audit criterion, have been met. During this stage, they verify if the system is appropriately developed and implemented. They also check whether the basic system mechanisms are in place and functioning. As a result of this audit stage, auditors may report any areas needing improvement before proceeding to the second stage.

During this time, auditors:

  • Review and evaluate the system documentation.
  • Check the results of management reviews and internal audits.
  • Assess whether the management system is mature and ready for Stage 2.

If deficiencies are found, the auditors indicate the areas that need improvement before moving to the next stage.

Certiget Tip:

In exceptional situations, it is possible to combine Stage 1 (system analysis) and Stage 2 (system audit). However, it is generally recommended to maintain a time gap between these stages. Separating the stages allows for adjustments to the management system after Stage 1 before proceeding to the more detailed assessment in Stage 2.

Combining both stages may be considered in specific circumstances, such as when an organization demonstrates a high level of management system maturity or for other practical reasons for a faster audit. This approach carries certain risks:

  • If significant non-conformities with ISO standards are identified during the combined audit, Stage 2 may be blocked. This means auditors will not be able to assess the practical application and effectiveness of the management system, possibly resulting in the inability to issue a certificate.
  • The organization may incur additional costs due to the need for a re-audit.

Therefore, the decision to combine stages should be weighed carefully against the potential risks and consequences. Maintaining a gap between stages allows for better preparation and minimizes the risk of non-conformities, increasing the chances of successfully obtaining the certificate.

Stage 2: System Audit

The second stage is the main part of the certification, where the auditor directly verifies the effectiveness and compliance of the system with the standard's requirements. The auditor conducts interviews with employees, observes processes, and analyzes documentation and records.

During this time, auditors:

  • Visit the production or service delivery site to directly observe the system's operation.
  • Conduct interviews with employees.
  • Analyze processes, procedures, and their compliance with ISO standards.

Reporting Results

Auditors prepare a report after each stage, presenting their conclusions, non-conformities, and recommendations regarding certification. In case of non-conformities, the organization must implement appropriate corrective actions within a specified time to obtain the certificate.

Certiget Tip:

Currently, the audit in the ISO management systems certification process can take various forms, tailored to specific needs, standards, the type of organization's activity, and accreditation requirements. Depending on these factors, the audit can be conducted in a stationary, hybrid, or entirely remote form.

  • Stationary Audit: This traditional form of audit involves auditors physically visiting the organization's site, allowing direct observation of processes and interactions with employees.
  • Hybrid Audit: In this format, part of the audit is conducted on-site, and part remotely, combining the benefits of both methods—direct contact and the flexibility and convenience of remote assessment.
  • 100% Remote Audit: In response to the growing need for flexibility and situations where external conditions (e.g., travel restrictions) hinder stationary audits, audits can be conducted entirely remotely using video conferencing, document sharing, and other remote communication technologies.

During the certification offer acquisition or audit planning stage, the organization will be informed about the audit's form. The organization has the right to express its needs in this regard, which should be analyzed by the certification body.

Step 4 - Technical review

After the audit and the auditor's recommendation for certification, a technical review is conducted by an appropriately authorized person within the certification body, who performs a detailed analysis of the results.

At this stage:

  • All audit documents prepared by the auditor and other participants in the process, such as the valuation application, are checked.
  • It is assessed whether the audit was conducted in a timely manner.
  • The final decision to grant the certificate is made.

If non-conformities are identified, actions will be taken that may extend the certificate issuance process.

Step 5 - Certificate issuance

Following the auditor's recommendation and a positive technical review, the certificate is issued, typically valid for three years.

This certificate:

  • Confirms the management system's compliance with the audit criteria.
  • Serves as visible proof to customers and business partners of the organization's commitment to continuous improvement.

Step 6 - Surveillance audits and recertification

To maintain the certificate's validity, regular surveillance audits and recertification are necessary:

  • Surveillance Audits: Conducted annually to verify the continuous compliance and effectiveness of the management system.
  • Recertification: Before the certificate's expiration date, the organization must undergo recertification to maintain the ISO certificate. This stage starts a new validity cycle for the certificate and requires the certification body to prepare a new offer.

Certiget Tip:

While operating under a certified management system, the organization has the option to withdraw from this process or transfer the ISO certificate to another certification body.

Important aspects to consider:

  • ISO Certificate Transfer: Transferring the certificate is done according to the accreditation procedure, requiring adherence to specific rules and guidelines.
  • ISO Certificate Withdrawal: The decision to withdraw should comply with the terms of the agreement with the current certification body.

Before deciding on certificate transfer or withdrawal, especially during contract negotiations, it is crucial to thoroughly understand the terms. Understanding these details helps avoid misunderstandings and potential issues.

If you are wondering what criteria to consider when choosing the right ISO certification body for your company, be sure to read our article "ISO Certification: An Investment in Your Company's Future - Goals and Benefits", or simply contact us directly.

Article author


Luke Kowalski

Managing Director

Certiget.

Luke Kowalski is a professional with a wealth of experience gained while working at one of the world's most prestigious certification bodies – British Standards Institution (BSI). His career at BSI has given him a unique perspective on certification processes and invaluable knowledge about preparing commercial offers tailored to the needs of leading companies in business. Additionally, Luke Kowalski has experience in providing consultancy services to companies implementing management systems. His extensive experience and deep industry knowledge make Certiget, under Luke's leadership, a reliable partner for entrepreneurs in the process of collecting and comparing ISO certification offers.

