THE ISO CERTIFICATION PROCESS

ISO Certification

For many organisations, their first contact with ISO certification comes when they are trying to deal with a new client, or move into a new sector or country.  The client  may operate an approved suppliers list and in order to get on the list suppliers must  hold one or more specified ISO certifications to show that their business is managed to a certain standard. 

Essentially, the client is looking for reassurance.

If you don’t have the right ISO certification then it can be frustrating.  You’ve got a great product, you’ve grown your business, but you don’t even get to tell your story because you don’t have the right pieces of paper.

What’s even more frustrating is that you’re probably already 70-80% of the way towards certification because of the management systems that you’ve developed to get your business to where it is. 

Morton McCann specialises in working with small and medium sized businesses to achieve ISO certification with a minimum of fuss by leveraging and evolving their existing management systems.

What are ISO standards?

ISO is the International Organisation for Standards.  It works with industry, professional, and government bodies across the world to define the standards that support trade by ensuring consistency, sustainability, quality, and safety in product and service provision.

Some standards cover specific industries such as aerospace, automotive, medical, and food safety.  However, the standards that most people will recognise apply across all sectors and can be applied to organisations of all sizes.

ISO 9001 Quality Management Systems

A Quality Management System (QMS) enables you to identify, measure, control and improve your core business processes, improving business performance and customer satisfaction.

A QMS is certified to the ISO 9001 standard. QMS for medical device manufacture is certified to ISO 13485. Read more about ISO 9001

ISO 14001 Environmental Management Systems

An Environmental Management System (EMS) enables you to identify measure, control, and improve the significant environmental aspects of your business. This makes compliance with environmental regulations easier, and helps to reduce costs associated with travel, fuel, resource use, and waste disposal. An EMS is certified to the ISO 14001 standard. Read more about ISO 14001

ISO 13485 Quality Management Systems for Medical Devices

ISO 27001 Information Security Management Systems

An Information Security Management System (ISMS) manages an organisation’s sensitive data (digital AND physical), reducing the risk and limiting the impact of a data breach. An ISMS supports compliance with data protection legislation, as well as with your customers’ own information governance requirements. An ISMS is certified to the ISO 27001 standard. 

The standards do not dictate a one-size-fits-all specification for a management system.  Certification to a standard means that an organisation’s management system has been independently assessed, and is considered suitable and adequate for the organisation’s requirements.  Most importantly, it means that the system is considered to be effective.

When organisations are looking at a new relationship, perhaps a new partner or supplier, or maybe to invest in a business they need to understand their risk.  Is the candidate organisation;

• financially stable?

• consistent in its quality of product and service delivery?

• managing information security effectively?

• prepared for and protected against potential disruption?

• improving its environmental performance and minimising its impact?

• protecting and enhancing the safety and wellbeing of its workers?

Independently audited accounts will demonstrate the financial stability of an organisation.  For the other aspects, independent audit of the relevant management system against a recognised standard is required.  This is where ISO certification is valuable; with over 1.5m certificates issued, having an ISO certified management system provides assurance to organisations around the world.

What is a management system?

A management system is a set of policies, procedures, standards, and guidelines that enable an organisation to meet its objectives.  These objectives cover different aspects of an organisation but will integrate with most, if not all, of an organisations activities.  All staff will have roles and responsibilities in all management systems.

Quality Management System (QMS)

Enables an organisation to coordinate its activities to deliver customer satisfaction and legal & regulatory compliance

Environmental Management System (EMS)

Enables an organisation to improve its environmental performance and reduce its environmental impact

Business Continuity Management System (BCMS)

Enables the organisation to continue operating during a disruption and to recover from the disruption

Information Security Management System (ISMS)

Enables an organisation to protect the confidentiality, availability, and integrity of the information it manages from threats and vulnerabilities

All management systems should be monitored, measured and analysed to ensure that:

• they are adequate for the requirements of the organisation and its stakeholders

• they are suited to the strategy and operations of the business

• they are effective in meeting their purpose

Why should we certify to an ISO standard?

ISO standards are internationally recognised by businesses and governments.  The standards capture best-practices for implementing a management system in organisations of any size.

Certification following an independent audit helps you to ensure that your management system follows best-practices and that your plans are maintained, appropriate, and effective.  Certification makes it easier for organisations to access preferred supplier lists and procurement frameworks, win business in new markets, and to assure investors that they are effectively managed.

Who can provide ISO certification?

ISO does not grant certification itself.  A registrar or certifying body will audit a system and grant certification.

Organisations selecting a certifying body should ensure that they themselves have been accredited by their national accreditation body.  This ensures that they carry out their audits in a consistent fashion (detailed in ISO 19011) and that their certification process is competent, consistent, and impartial (detailed in ISO 17021).  The accreditation of certifying bodies enables certificates issued in one country to be acceptable in another country.

In the UK the accreditation body is UKAS who are members of the International Accreditation Forum.

How do we implement a management system?

Firstly, you already have a management system.  It’s the policies, procedures, and general ways of working that you use to run your business, day-to-day.  So, it’s not so much a matter of implementing a system as it is understanding the gaps between your current system, and the best practices that make up the relevant ISO standard.

The relevant ISO standard outlines the requirements for an appropriate, effective management system.  In all standards there are some policies and procedures that are mandatory, and others which an organisation may decide to include to provide a more robust and resilient system. For most of the popular ISO standards, there are twelve steps to implementing and maintaining a system:

Understand your organisation

In order for your system to be appropriate and effective, it must be shaped to your organisation.  Defining your organisation requires an understanding not only of its products and services, but also of the internal and external influences that shape it, and what risks and opportunities it faces.  In ISO language this is referred to as understanding the context of the organisation.

Customers and other stakeholders (employees, partners, investors, and neighbours for example) have requirements and expectations.  Legal and regulatory bodies will also influence how an organisation goes about its business.  Understanding these needs, expectations, and obligations and how they influence your organisation help you to define the scope of your system. 

NOTE: in ISO terminology, customers and other stakeholders are referred to as the interested parties.

Define the scope of your system

Which activities, locations, and departments are going to be covered by the system?  You may not want to cover the entire organisation at first, but you will need to consider interfaces and dependencies between different parts of your organisation before excluding anything.

The scope should consider:

• the external and internal influences on the organisation

• the expectations of your interested parties

• The goals and objectives of the organisation

If you decide to exclude any areas of the business, you will need to justify the decision and establish that the exclusion will not create any business continuity issues in the event of a disruption.

Get commitment from top management

The success of the system will depend on the commitment of the top management of the organisation.  They will need to define the policy (quality policy, information security policy, etc), communicate it with the organisation, define roles and responsibilities, and ensure that the system is properly resourced.

Top management will also be responsible for reviewing the effectiveness of the system on a regular basis.  This means that time must be made available for reviews.

Set objectives

To understand the effectiveness of a system it must have some objectives.  You will need to assign responsibility for these objectives and agree how they will be monitored, measured, and analysed.

Objectives are more likely to be achieved when they follow the SMART model.  That is when they are specific, measurable, achievable, relevant, and time-bound.  When setting an objective, ask yourself:

• Is it specific?

  It should be obvious when an objective has been achieved.  “Increase sales” is not a specific objective.  “Increase sales of product X by 15% by the end of the business year” is specific, so everyone has a clear understanding of what needs to be achieved by when.

• Is it measurable?

  You can’t improve something if you can’t measure it (to paraphrase Lord Kelvin, and others). Everyone needs to understand - and ideally agree - what success looks like so they can collaborate to achieve it.  Agree what your baseline measure is, and how you’re going to monitor and measure the objective.

• Is it achievable?

  Few things are more demoralising than setting objectives that everyone knows are unachievable from the start.  An objective that is commonly held to be unachievable will quickly fall away and may even cause conflict as the deadline for achieving it approaches.  Realistic, agreed objectives have a better chance of being achieved, and this can boost the confidence of the team.

• Is it relevant?

  If you’re going to invest time and money in achieving an objective, it has to help you to get where you want to be.  Objectives should be aligned to the strategy of the organisation and to the needs and expectations of interested parties; “If we can satisfy this need for this group of customers we can increase sales by X%” for example.

• Is it time-bound?

  Objectives should have a target date for their achievement.  This provides a focus, and prevents drift.  The target date should be realistic for the objective, rather than being tied to an arbitrary date like the end of the calendar year.

Manage your risks

You’ll already have identified some risks and opportunities when considering the context of the organisation.  Some standards require you to go deeper into risk assessment.

ISO 27001 and 22301 (information security management and business continuity management, respectively) require you to assess the risks posed to the organisation by information security incidents (like cyber attacks or data breaches) and business disruptions (like fires or pandemics).  Having established and rated the risks, the standards require that you apply controls and response plans to reduce the likelihood and impact of their occurrence.

In ISO 14001 (environmental management), the standard requires that you understand the environmental aspects and impacts of your organisation’s activities and apply operational controls to reduce your environmental impact and improve environmental performance.

Understand your processes

When an organisation starts up the core team are very familiar with what they need to do, and why they need to do it.  You’re all committed to a vision and a way of working, and don’t really feel the need to document anything; you just want to get on and do it.

As the organisation grows, you take on more staff and they need to be trained.  You need to start to share the knowledge to ensure that everyone knows what to do in their day to day roles, and equally importantly, what to do in abnormal or emergency situations.

You need to document your procedures, and in some cases you need to back the procedures up with policies.

The different ISO standards have different policy and procedure requirements, but these can largely be grouped as Operational Procedures and Supporting Procedures.  The listings here are not exclusive:

Operational Procedures

The procedures are involved in the creation and delivery of the product or service that the customer experiences.

• Sales & Marketing

• Design and development

• Product/Service Delivery

• Customer Support

The procedures are involved in the creation and delivery of the product or service that the customer experiences.

Supporting Procedures

The back-office procedures that support and enable the effective delivery of the operational procedures.

• Human Resources

• Finance

• Governance, Risk, and Compliance

• IT Operations

• Supply Chain & Procurement

• Logistics

The documentation, communication, and management of these procedures and the policies that support them will enable the sustainability and continual improvement of your organisation.

Monitor and measure

Implementing and managing policies and procedures for an organisation isn’t a one-size-fits-all exercise.  The management system and its components need to be right for the organisation and need to meet the needs and expectations of its stakeholders (interested parties in ISO language).  Moreover, they need to be effective.

The suitability and adequacy of a system will change over time.  Customer expectations will evolve. Laws and regulations will be introduced, amended, and revoked or replaced.  New risks and opportunities will emerge and recede.

In order to keep pace with change, the system and its components must be monitored and measured.

Monitoring

Observing a system or an element of a system in order to record or detect changes in its performance or characteristics.

Measuring

Taking a metric of the performance or characteristics of an element of a system at a moment in time.

When you create policies and procedures you should consider how they will be monitored and measured.  Certainly they should be reviewed on a regular basis; at least annually and also whenever there is a significant change in the organisation or the factors that influence it.

Monitoring and measuring has two mandatory components:

• Internal Audit
  

  You must audit your policies and procedures on a regular basis to ensure that they are appropriate and effective.  Internal audit should be carried out by designated staff members who are appropriately trained, and have been allocated the responsibility and resources to carry out the tasks.

An audit programme should be developed, and audit reports retained as records.

If your business does not have sufficient internal resources to allocate to internal audit, you can contract with Morton McCann to develop and conduct the  programme for you.

• Management Review
  

  Management should carry out a complete review of the system on at least an annual basis.  In practice, if your management system is to become embedded in your business, the review of the system should be a part of regular management and board meetings.

The mandatory inputs and outputs of management reviews are detailed in the ISO standards.  Records of agendas and outputs should be retained as records.

Note that it is not mandatory to discuss the entire system at every meeting.  It may be far more effective to consider a subset of items at each meeting, to ensure that sufficient time is available for discussion.  Some items may be discussed more frequently than others, but it is important that all mandatory agenda items are discussed at least once per year.

Continually improve

The continual improvement of the management system is critical to the success of your organisation.  Over time, the requirements of your customers will increase, new laws and regulatory frameworks will come into force, and the expectations of your staff will evolve.

Opportunities for improvement can come from many different sources; nonconformities, staff or customer feedback, internal audit, or formal innovation processes.  These should be captured, considered, and prioritised into a continual improvement plan.  This isn’t a plan for the improvement of the system, it's a plan for improving the way that the organisation operates, and continues to satisfy its stakeholders.

Why should we certify our business to ISO standards?

ISO works with governments, regulators, trade associations, and their subject-matter experts around the world to capture best-practices for implementing management systems.  Certification following an independent audit helps you to ensure that your system follows best-practices and that your policies and procedures are suitable, adequate, and effective.

Certification also provides assurance to your customers, service-users, and other interested parties that you are a reliable, sustainable, resilient organisation, capable of providing the services that they need to an internationally recognised standard.

How do we achieve ISO certification?

To achieve ISO certification your management system must be audited by an independent Certifying Body.  Your system will need to have been demonstrably operational for at least three months prior to audit (best evidenced by monitoring and measuring data), and you should have completed a round of internal audits and at least one management review.  The certification process can be divided into four stages:

Gap Analysis - Understand where you’re starting from

This is an optional, but valuable stage.  The objective of the gap analysis (sometimes referred to as a pre-assessment audit, or readiness review) is to assess your policies and procedures against the requirements of the standard. 

Each ISO standard has specific requirements to be met: policies and procedures that need to be in place; training and awareness exercises to be completed; evidence of the effectiveness of the system from performance monitoring activities.

Your certifying body will probably offer a Gap Analysis or Readiness Audit as part of your certification programme.  This is a valuable exercise as it gives you and your auditor time to understand each other and build a rapport.  It also acts as a “mock” stage 1 audit, so you’ll feel more comfortable when the real thing happens.

What happens in a Gap Analysis?

The gap analysis is very similar to a Stage 1 audit, but without the pressure.  The assessor will:

• Review the current state of the system against the relevant ISO standard

• Identify where your system does and does not comply with the standard

• Discuss how the system can be improved to meet tech requirements of the standard

The findings of the Gap Analysis will be documented to:

• Confirm where your system confirms to the relevant standard

• Clearly identify areas of concern prior to the Stage 1 Audit

The report will assist you to implement the system to an ISO certifiable standard.

Implementation

When we talk about implementation, we’re not talking about building a new system from scratch.  You have a management system already.  Implementation refers to the process of bringing your system up to the relevant ISO standard(s).

The findings of the Gap Analysis will guide you in your implementation.  You will need to address any areas of concern raised by the assessor, and also ensure that appropriate controls are in place to address the findings of your risk assessment.

For each standard there are certain mandatory documents that must be in place.  You will not achieve certification without these.  Acquainting yourself with the standard and searching for mandatory phrases such as “The organisation shall…” will guide you on what is mandatory.

In addition to the mandatory documentation most organisations will implement other documents to support their certification, and to ensure that their system is sustainable as they move from implementation mode to business-as-usual.

It is not mandatory to produce a discrete document for each clause.  In some cases a single document may be created that relates to a number of clauses.

You should also bear in mind that some of the clauses may already have been addressed if you have implemented other standards. 

Produce the documentation that the standard demands, and whatever additional documentation you require to implement a sustainable system.

Test your system

For standards such as ISO 27001 (information security management), ISO 14001 (environmental management), and ISO 22301 (business continuity management) you will be required to document procedures to be followed in the case of a disruption; this could be a data breach, a chemical spill, or an infectious disease outbreak for an example.  Writing your response procedures is one thing, but you also need to assure yourself, your staff, and your interested parties that they’re effective.  If you wait for a real disruption to occur before you invoke a plan for the first time, you’re asking for trouble.

You should have an exercising and testing programme in place to ensure that everyone knows what to do in the case of a disruption.

The chances are that you already have one exercise in place; your fire drill.  You test that your alarms work on a regular basis, and at least once per year you have a full drill to ensure that everyone knows how to behave in the case of a real fire.  Your exercise and testing plan should address all of the other disruption scenarios that you identified in your risk assessment.

Your programme should ensure that all scenarios are tested at least once during a three-year audit cycle.  You will have identified that some scenarios carry a higher risk than others; they may be more likely to occur and/or they may have a greater impact on the business.  These scenarios should be prioritised, and you may consider it prudent to exercise them more frequently.

After each exercise you should conduct a review of the suitability, adequacy, and effectiveness of the plan, and identify areas where the plan could be improved.  If the plan was not effective, you will need to identify the root cause and implement corrective actions.  Once implemented, the effectiveness of the corrective actions should be tested in a new exercise.

Conduct an Internal Audit

Internal audit is one of the tools that you will use to verify not only that your system meets the ISO standard, but (maybe more importantly) that your business is adhering to its own system.

A good internal audit will make your certification process easier by picking up nonconformities and identifying opportunities for improvement while you still have time to remedy them.  A well conducted internal audit will also give your external auditor confidence in your overall approach to your system.

Selecting your internal auditors

Depending on the size of your business you may need more than one internal auditor.  An audit background is not essential, but you do need to look for team members who combine good organisational skills with an analytical approach and good personal skills (some people do find the idea of taking part in an audit irritating and even intimidating).

You should ensure that your internal auditors are familiar with the ISO best practices for audits in ISO 19011.  You should also provide or organise training at least to Internal Auditor standard either through online or classroom training. 

Remember to keep a record of your auditors’ competence.  This may be via training, education, or experience; a formal qualification is not required.

Checklists, tools, and reports

Internal audits work best if they follow an appropriately designed and standardised format.  This makes it easy for a single auditor and provides a consistent approach if a team of auditors are working together.

Designing audit checklists and report forms using standard office tools like Word, or Excel supports consistency.  Tools like iAuditor are now available to organisations of all sizes, allowing checklist templates to be created and shared, and streamlining the reporting process.

Audit the process not the people

As we mentioned earlier, some people do find the audit process intimidating.  At the beginning of each session, it’s important to explain the purpose of the internal audit and make the participants aware that it’s the process/activity that is being audited, not the individuals themselves

Share your findings

You may hold multiple meetings with attendees from different areas of the business.  Holding a closing meeting with all participants gives everyone a better view of the audit process and helps to foster a culture where everyone understands their role in making the BCMS more effective.

Make sure that you highlight the good practices that were observed as well as any opportunities for improvement.  If there any nonconformities have been identified, explain how these should be dealt with via your procedure for nonconformities and corrective actions.

Conduct a Management Review

You may have been conducting management reviews of the system for some time.  If so, you should ensure that all mandatory elements of management review have been discussed and outputs documented prior to the stage 1 audit.  You should also ensure that all of your internal audit findings have been discussed, along with those of the gap analysis.

Stage 1 Audit

Stage 1 and 2 audits are carried out by an assessor (auditor) provided by your certifying body.

The stage 1 audit may be referred to as a documentation audit.  Your assessor will review your system documentation to ensure that it complies with the ISO standard.  The audit will usually take place at your head office, but may also be conducted remotely using a service such as Zoom, Microsoft Teams, or Google Meet.

During the stage 1 audit, your assessor will confirm:

• The accuracy of the information submitted on your application

• The conformity of your documentation to the requirements of the standard

• The scope of the certification

• That your system has been implemented as per the scope

• That you have identified your legal, regulatory, and contractual compliance requirements

At the end of the stage 1 audit, your assessor will provide you with a detailed report of their findings.  The report will document any nonconformities along with opportunities for improvement. 

If nonconformities are identified, the report will identify corrective action plans that are required.

If the assessor is happy that the system complies with the requirements of te relevant ISO standard they will recommend that you progress to the stage 2 audit.  They will schedule the stage 2 audit with you and provide you with an assessment plan for stage 2.

You, your assessor, and your audit

A few thoughts about the audit:

Be prepared
You will have been provided with a plan for the day.  Make sure that you have the relevant people, and documentation ready for each session.  Your assessor has a limited amount of time in which to complete the audit.

Your assessor is not your enemy!

Your assessor is looking for evidence of conformity.  They aren’t trying to catch you out.

A nonconformity is not the end of the world

A nonconformity is an opportunity to improve your organisation’s ability to satisfy its stakeholders. Accept it, and act on it before the stage 2 audit.

Stage 2 Audit

The stage 2 audit may be referred to as the certification audit.  Whereas the stage 1 audit focused on ensuring that your system contained all of the elements required to comply with the ISO standard, stage 2 focuses on the implementation and effectiveness of the system; Are you actually using the system, or is it just a dusty manual on a shelf?

Your assessor will review how your system is implemented and maintained in day-to-day use.  They will review records such as incident reports, internal audits, training records, and management reviews.  They will also ensure that documentation is being reviewed and maintained and that your organisation is making progress towards its objectives.

The audit will usually take place at your head office, but may also be conducted remotely using a service such as Zoom, Microsoft Teams, or Google Meet.

During the stage 2 audit, your assessor will:

• Confirm the scope of the assessment and certification

• Review any findings from the stage 1 audit and assess any corrective actions required

• Review the documentation of policies and procedures against the requirements of the standard and those identified by the organisation

• Review monitoring and measurement activities including management reviews and internal audits

• Review progress towards meeting objectives and key performance indicators

• Establish staff awareness of the management system through interviews and observation

The assessor will identify any nonconformities that will need to be resolved prior to certification being awarded.  If no such nonconformities are found, then your system will be recommended for certification.  Congratulations!

Surveillance and recertification

You’re certified! Congratulations!

Now you have to maintain your certification…

The good news is that you only have to recertify every three years.

That doesn’t mean that you can take your foot off the gas.  Remember continual improvement?

The period between certifications and recertifications is referred to as surveillance.  Your certifying body will confirm a number of surveillance audits to take place over the period.  These will ensure that you stay on track and help towards a successful recertification audit.