What Is the ISO 9001 Certification Process?


Certifying your company’s compliance with the ISO 9001 standard is done via an assessment performed by an independent organization. That certifying agency is called a registrar. A registrar is also referred to as a Certification Body (CB).

The registrar determines whether your organization’s quality management system (QMS) meets the requirements of the current ISO 9001 standard.

The diagram at the top of this post shows how the Plan-Do-Check-Act model of implementation can also be used to implement the standard and continuous improvement processes.

At the time of this writing, that standard and version is ISO 9001:2015. Your company will choose your registrar. The registrar will assign you an auditor.

New to Certification? Here’s Where to Start

  1. Prepare by developing an understanding of the ISO 9001 standard:
    • Purchase copies of the standard and distribute to appropriate staff, including company management, who will be more involved than they might have been during the certification for the previous version.
    • Have relevant staff attend webinars, classes, and workshops.
    • Research the standard and its implementation: web sites, industry magazine articles, etc.
  2. Develop your QMS implementation plan with a timeline.
    • Perform an assessment of your current QMS.
    • Identify where your system does and doesn’t meet the standard’s requirements.
    • Identify resources needed and their availability. Be realistic; your business needs to continue to operate.
    • Define and document the system as needed.
    • Implement the system, including staff training.
  3. Select registrar: Evaluate 2-4 registrars. Check their accreditation, reputation, industry experience, auditor competence, etc. For information on registrar costs, please read What Does It Cost to Become ISO 9001:2015 Certified?
  4. Begin the initial certification process described below.

ISO 9001 Certification Process Overview

Initial certification is done in two stages:

  • Stage 1: The registrar confirms that your QMS has been established and determines your company’s readiness for Stage 2. This is typically done as a “desk audit,” a review of key business and quality documents to confirm that your QMS meets the ISO 9001 requirements. Other pertinent information, such as company size, facilities, etc., is also confirmed.
  • Stage 2: The auditor works to confirm that your practices and documented information meet the ISO 9001 requirements and your practices are consistent with your documentation. The auditor typically starts with the management of your company. They request documented information, e.g., procedures, records, data, etc. The auditor may observe processes and talk with/ask questions of your employees.

Upon completion of the audit, the auditor provides a report and makes one of the following recommendations based on findings:

  • Compliance with the standard is confirmed. The registrar issues the certificate. Certification is valid for three years with two annual surveillance audits.
  • If nonconformances are found, your company must create a corrective action plan and submit it to the auditor. Once the auditor approves the plan, the certificate can be issued. The auditor will follow up on the corrective plans during subsequent annual surveillance audits.

What Your Company Is Responsible for During Certification

  1. Sign a contract between registrar and your company. Any nondisclosure agreements required by the company are signed by the registrar/auditor.
  2. Prior to audit, provide information requested by the auditor. Notify the registrar of significant changes to the organization.
  3. During the audit:
    • Provide an escort for the auditor, ensuring the appropriate people are available within the scope of the audit. Notify staff that the auditor is allowed to speak with anyone within scope of audit and to walk around the facility.
    • Provide the auditor access to relevant information.
    • Provide the auditor working space and light lunch when appropriate.

Recertifying for ISO 9001:2015

  • The ISO 9001:2008 standard expires in September 2018. All 9001:2008 certificates expire at that time, which means your company will no longer be ISO 9001-certified unless you have certified for 9001:2015 before that deadline. Talk to your registrar about their timeline for transitioning. Often the transition can be done as part of a surveillance audit.
  • The certification / re-certification process is the same as it was for the 2008 version of the standard.
  • There are new and “enhanced” requirements in the 2015 standard. Also, the ISO document itself has been significantly reorganized to follow a structure that allows the ISO organization to coordinate across standards.
  • The new and enhanced requirements require management to be more involved in the audit. They likely will not be able to delegate all involvement to the company’s quality manager or representative.

What Happens After ISO 9001 Certification?

Your registrar remains involved with your company as follows:

  1. After the initial certification, surveillance audits will occur at the agreed-upon frequency for the remainder of the 3-year cycle.
    • The purpose of the surveillance audit is to ensure your company’s QMS continues to meet ISO requirements.
    • This audit takes less time than the initial certification audit.
  2. The auditor reviews key processes and specific requirements each time. They may also audit other processes such as customer satisfaction, performance metrics, corrective action plans, etc.