The first step in is certifying that your business is ISO compliant is recognising that there is no single right pathway to get there. While there are multiple pathways for preparing for certification, there is only one pathway for achieving certification.
Certification processes can be as unique and individual as a set of company goals or mission statements. There are many industry-specific certifications within the ISO constellation, including those for quality management, environment management, health & safety management, information security management and business continuity. The most widely applicable ISO standards are the 9001 series, which verifies that your products or services meet quality specifications.
Certification is simply the process of verifying that your company has met globally accepted standards in your field. The ISO itself does not certify any businesses. Their role is in the development and agreement on international standards. It is third parties that conduct certification processes and issue the final certificates.
The ISO does provide guidance to a limited number of certification bodies through the Committee on Conformity Assessment (CASCO). Documents produced by this organization guide the certification process for specific businesses.
The ISO currently consists of 162 national standard bodies, only one per country. These organizations provide accreditation for certification bodies, which conduct ISO audits, through the International Accreditation Forum (IAF).
Accreditation by the IAF is not required for a company to conduct audits, and lack of accreditation is not an indication that the company is not reputable, but it does matter. A properly accredited organization is one that meets and follows the guidelines set down by CASCO.
The ISO recommends three steps in choosing the certification body that is right for your company:
The comparison steps can be the most time-consuming and complex, but you can simplify it by charting out your top criteria. The cost will certainly be a factor, but make sure the certification body is forthcoming will all the costs, including the initial assessment, the surveillance visits, transfer of certificate fees, additional hourly management fees, and any miscellaneous costs.
There are two essential stages that all companies go through: gap analysis and audit. For the sake of efficiency, it makes sense to choose a certification body that can consult on how to implement systems, provide suggestions on improvements and issue the certification documents at the end of it all.
Most companies choose to have their management systems designed and audited by the same independent third party, known as a Conformity Assessment Body (CAB), which is registered with the IAF. A CAB can only conduct the third-party certification audit. They aren't allowed to consult or assist with the development of a management system. A management system template can be purchased through ISO Templates or they can look at engaging a consultant to manage the process on their behalf. Compliance Council, ISO Templates sister company, is one of those consultancies.
When the audits are complete, the CABs can issue a registered certificate of compliance to the specified ISO standards.
Stage 1 - Document Review
The purpose of the stage one assessment is to evaluate your management system documentation, including policies, processes, management review records, scope and context as well as system implementation. It sets the foundation for the stage two audit.
Stage 2 - Implementation Audit
The stage two assessment is the final step of the initial certification process. To achieve certification against your systems, auditors will need to verify that the documented requirements of the standard are implemented across the business. They will visit your offices and premises as well as partake in discussions with relevant individuals in your business. The aim of the stage two assessment is to verify that you are doing what your system documentation says you do. Your management system is assessed and verified as being implemented.
The most important outcome is that you will be issued a certificate confirming the scope of certification, date of issue, name of standard that the organisation is certified to, expiry date etc.. This certification can help your business compete more effectively and opensup the possibility of partnering with government organisations or larger enterprises. The business improvements driven by the certification process will also have ripple effects on your performance metrics.
At this point, you will need an effective change management program to communicate with workers about how critical it is to document their processes and avoid creating shortcuts without a formal process around changing task definitions. This implies having a robust version control system in place to record old procedures but keep them far from workers currently needing references for doing their jobs or learning new ones. If not, you could lose certification at the next surveillance audit.
Once a year for the first three years after you are ISO certified, your chosen certification body will conduct a surveillance audit to assure that systems are working as designed and in compliance with ISO standards.
The surveillance audit is shorter than the initial duration of Stage 1 plus Stage 2 combined, as it involves only auditing some sections of the standard. Over the three years the whole standard will be covered incrementally again through the surveillance audits.
At the end of three years, you will be required to go through a recertification audit to reassess your growth and past performance. The recertification audit is longer than a surveillance and involves going through all clauses again. This should be planned and conducted at least three months before the certification end date to give you time to address any non-conformities that may arise.
After the recertification audit a new certificate is issued to cover you for another three years, then the surveillance cycle starts again with annual audits. This cycle will continue for as long as the company has certification.
In a world where disruption can literally come from anywhere - around the world and cross-industry - ISO certification can serve as defence against the storms. Customers are looking for ISO certified businesses because it indicates the company has achieved a certain level of proactive planning and attention to continual improvement. Customers control the information flow today, which also puts them in control of the sales cycle. The companies that have realigned their processes around a customer-centric value chain are taking the lead in every industry. It all starts here.