The ISO certification process varies based on the scheme; however, the typical certification procedure for management systems such as ISO 9001, ISO 14001, ISO 27001, and ISO 45001 is a two-stage process, with certification lasting three years before renewal.
This blog outlines the three different stages of the ISO Certification Process.
Looking for an ISO Certification Body?
Certbodies.co.uk provide an impartial guide on all aspects of certification, including choosing a certification body
The first stage of the certification process is stage 1 document review. In this stage, the certification body will review the structure of your management system’s through all documentation available.
They will look to determine whether any mandatory requirements are addressed in the documentation.
This step is often performed on-site and is also used to plan for the stage 2 audit. Your auditor will inspect the location and identify any special circumstances that may interfere with the audit.
Although the stage 1 audit is not a “pass or fail” assessment, your auditor may highlight non-conformances that must be resolved before the stage 2 visit. Auditors might also suggest that the stage 2 date be postponed if they believe the management systems will not be ready on time.
There is a time limit between stage 1 and stage 2 audits, beyond which you must redo stage 1.
Stage 2 is the certification audit and will cover all aspects of the management system. Your auditor will sample records to obtain objective evidence that the system is operating effectively. There must be a minimum of 3 months of records and evidence for the auditors to review to ensure the management system has been successfully operating in the organisation and sufficient sampling can be collected.
The stage 2 audit will be held on-site and will require access to all business areas and locations referenced in your certification scope statement.
The stage 2 audit is generally considerably longer than the stage 1 audit.
There are several categories of audit findings at stage 2, a major non-conformance is the most serious and can delay the certification.
Once the stage 2 audit has been successfully passed your certification will be available a short time after the audit and it will be valid for three years.
During the three years, shorter surveillance audits are undertaken periodically to sample different areas of the management system. These visits will be planned during your stage two audit and the intervals can vary depending on the complexity of your management system and your preference. Usually, however, they either fall annually or 6-monthly.
The surveillance audits are scheduled, so you will know which dates they are coming and roughly what areas they will be auditing, so there are no spot-checks or surprises.
In theory, these audits will take a similar form to the stage 2 audits, however, they will focus on small sections of the management systems each visit. Therefore these visits are generally shorter than the stage 2 process.