THE THIRD-PARTY CERTIFICATION PROCESS

ISO certification is an attestation by a third-party certification body (CB) that an organization's management system meets specific international standards developed by ISO. The process is systematic, ensuring independent verification of compliance and competence. ISO itself does not issue certificates.

The CBs are crucial to the ecosystem: they operate under the rules set by ISO's Committee on Conformity Assessment (CASCO) and are formally recognized by national accreditation bodies (ABs), which are members of the recognized International Forum or Federations. This multi-layered structure ensures credibility and global acceptance of the certification.

The process of obtaining and maintaining certification involves several distinct phases, each with specific requirements for both the organization seeking certification and the CB performing the audit.

Phase 1: The Foundation and Preparation (Organization's Responsibility)

The journey to ISO certification begins internally, with the organization preparing its management system (e.g., Quality Management System for ISO 9001, Environmental Management System for ISO 14001, etc.) to meet the standard's criteria. This phase is the most time-consuming and critical for success.

Key Activities for the Organization:

  • Commitment and Resources: Top management must show strong leadership and commitment to the process. An implementation team, often led by a designated Management Representative, is established with adequate resources (time, budget, personnel).
  • Understanding the Standard & Defining Scope: The organization purchases and studies the relevant ISO standard to understand all its requirements. They then define the scope of the management system, determining which departments, locations, and processes will be included.
  • Gap Analysis and Planning: A gap analysis compares the organization's existing processes against the standard's requirements to identify areas of non-compliance. An action plan is developed to close these gaps.
  • Documentation and Implementation: The organization documents its policies, procedures (Standard Operating Procedures or SOPs), work instructions, and necessary forms as required by the standard. This documented information is then implemented across the organization, with all employees receiving appropriate training and awareness sessions.
  • Internal Audits and Management Review: The organization conducts internal audits using trained internal auditors to evaluate the effectiveness and compliance of the newly implemented system. Findings are addressed with corrective actions. A formal management review meeting assesses the overall performance of the system and readiness for external audit.
  • Selecting a Certification Body: The organization researches and selects an accredited third-party CB to ensure the certification will be recognized internationally.

Phase 2: The External Audit Process (Certification Body's Role)

Once the organization determines it is ready (often after completing a "readiness review"), it engages the chosen certification body for the formal certification audit. The CB follows a structured audit methodology, typically outlined in standards like ISO/IEC 17021, to ensure a thorough and impartial assessment.

Stage 1 Audit: Documentation Review and Readiness Assessment

  • Purpose: To assess the client's documented management system, evaluate site-specific conditions, and determine preparedness for the Stage 2 audit.
  • Review of the ISO Manual, policies, procedures, and scope of the management system.
  • Discussion with key personnel to understand the organization's processes and the status of implementation.
  • On-site visit (usually) to evaluate the location and relevant infrastructure.
  • The auditor confirms the audit objectives and develops a surveillance audit plan.
  • Outcome: The CB provides a report highlighting any areas that need improvement or are not ready for Stage 2. If significant gaps exist, the Stage 2 audit may be delayed until they are addressed.

Stage 2 Audit: On-site Implementation and Effectiveness Assessment

  • Purpose: To evaluate the actual implementation and effectiveness of the management system.
  • A comprehensive on-site visit where auditors sample processes and activities.
  • Auditors interview employees, observe operations, and review records (objective evidence) to verify compliance with all requirements of the standard and the organization's own documented procedures.
  • Assessment of process controls, performance monitoring, measurement, analysis, and overall system effectiveness.
  • Identification of non-conformities (major or minor deviations from the standard) or opportunities for improvement.
  • Outcome: If non-conformities are found, the organization must implement corrective actions to address the root causes within a specified timeframe. Once the CB verifies the actions are effective, the process moves to the next stage.

Phase 3: Certification, Maintenance, and Beyond

The audit process culminates in the certification decision, which is not made by the auditor but by an independent technical committee within the CB to ensure impartiality.

Certification Decision and Issuance

  • Review: The CB's independent reviewer (not an audit team member) examines the entire audit package, including the audit reports, evidence of corrective actions, and auditor recommendations.
  • Issuance: If all criteria are met and compliance is confirmed, the CB grants certification and issues a formal ISO certificate. The certificate typically includes the organization's name, the scope of certification, the standard achieved, and the CB's accreditation mark(s).
  • Validity: The certificate is valid for a period of three years, provided the organization maintains compliance through ongoing surveillance.

Maintenance and Continual Improvement

Certification is not a one-time event; it is a commitment to continuous improvement.

  • Surveillance Audits: The CB conducts periodic (typically annual or semi-annual) surveillance audits during the three-year cycle. These are shorter than the initial audit and focus on ensuring the QMS is being maintained, internal audits and management reviews are occurring, and improvements are being made.
  • Recertification Audit: Before the three-year certificate expires, a full recertification audit is conducted. This process is similar in scope to the initial Stage 2 audit and is necessary to renew the certification for another three-year cycle.

ISO THIRD-PARTY CERTIFICATION PROCESS FLOW (ELABORATED)

1. Application Submission

Company submits formal application including: Legal name, scope of operations, employee count; Specific ISO standard (e.g., 9001, 14001, 27001); Existing management system details.

2. Application Review

Certification Body (CB) reviews application for: Completeness & accuracy; CB competence & resources for the scope/industry; Organization's eligibility for chosen standard.

3. Quotation and Agreement

CB provides detailed quotation outlining: Audit costs (days, travel, fees) & terms; Proposed audit timeline & methodology; Formal agreement (signed contract) between parties.

4. Pre-Audit (Optional)

(Optional) Preliminary assessment to: Identify significant gaps/non-compliance *before* formal audit; Assess readiness & allow proactive corrective actions. (Increases chances of successful formal audit)

5. Certification Audit Planning

CB schedules the audit: Allocates a qualified audit team with relevant expertise; Develops a comprehensive audit plan (objectives, scope, criteria); Shares the plan for coordination. (Typically includes planning for Stage 1 Documentation Review & Stage 2 On-site Audit)

6. Certification Audit (Stage 1: Documentation Review)

(Typically off-site) Audit team reviews organization's: Management system documentation (manuals, procedures, policies); Ensures compliance with standard & readiness for Stage 2.

7. Certification Audit (Stage 2: On-site Audit)

(Core, on-site audit) Audit team systematically evaluates system through: Document & record review, interviews with personnel; Observation of processes, facility tours; Gathering objective evidence of compliance & effectiveness.

8. Audit Report Generation

Audit team compiles report detailing findings: Positive findings (strengths); Nonconformities (major/minor, where system doesn't meet standard); Opportunities for Improvement (OFIs).

9. Corrective Action (If Necessary)

If nonconformities are identified, the company must: Determine root cause of nonconformities; Implement actions to correct & prevent recurrence; Provide evidence of actions to CB within agreed timeframe; CB reviews evidence for effective closure.

10. Certification Decision

Impartial Decision Committee (independent of audit team) reviews: Full audit report & all collected evidence; Effectiveness of corrective actions (if applicable); Makes final decision based on objective evidence of compliance.

11. Issuance of Certificate

If the decision is positive, the CB issues the ISO certificate, which includes the organization's name, certified scope, standard, effective date, and 3-year expiry date. (Formal recognition of management system compliance)

12. Ongoing: Surveillance Audits

Periodic audits (e.g., annually/semi-annually) conducted by CB to ensure: Continuous compliance & effectiveness of management system; Follow-up on previous findings, review internal audits & management reviews. (Shorter than initial audit, focused on specific areas)

13. Every 3 Years: Recertification Audit

Comprehensive audit conducted before certificate expires to: Renew certification for another 3-year cycle; Similar in scope to initial certification (often includes Stage 1 & 2); Confirms continued relevance, effectiveness, and improvement of the system.

KEY PLAYERS AND THEIR ROLES

Understanding the ecosystem of ISO certification requires clarity on the different bodies involved and the standards that govern them.

International Organization for Standardization (ISO)

Develops the international standards (e.g., ISO 9001, ISO 14001, ISO 45001, etc.) but does not certify organizations or individuals.

Accreditation Bodies (ABs)

Formal, independent bodies that assess and formally recognize the competence and impartiality of Certification Bodies. They operate according to ISO/IEC 17011 standards.

Certification Bodies (CBs) / Registrars

Third-party organizations accredited by an AB to audit and issue ISO certificates to companies. They operate according to ISO/IEC 17021-1 standards.

Organization Seeking Certification

The company implementing the management system to meet the standard's requirements.

GOVERNING STANDARDS & DOCUMENTATION REQUIREMENTS

Governing Standards

  • ISO 9001, ISO 14001, etc.: The specific management system requirements the organization must meet.
  • ISO/IEC 17021-1: The standard setting requirements for the competence, consistency, and impartiality of bodies providing auditing and certification of management systems.

Documentation Requirements (for the Organization)

Organizations must maintain documented information, including:

  • Scope of the management system.
  • Quality/Environmental/Safety Policy.
  • Objectives and planning information.
  • Evidence of competence (training records).
  • Records of non-conformities and corrective actions.
  • Internal audit reports and management review minutes.