ISO certification is a much-discussed topic, with several variables and related subjects to understand. This post contains all the information you need to know about ISO certification of management systems.
What is ISO Certification?
According to ISO 17021-1, ISO certification is a process carried out by an audit organization independent of the customer and certification stakeholders, for the purposes of ISO management system certification.
Basically, it is a process whereby an ISO Registrar performs an audit against a reference (an ISO Standard) on an organization, thereby certifying that said organization complies with the requirements of said reference.
This process can involve any ISO requirements standard, that is, any standard that is subject to certification, such as the well-known ISO 9001, ISO 14001, ISO 45001, ISO 37001 and ISO 37301, among others.
What is an ISO Registrar?
An ISO Registrar, also known as a certification body, is an organization or company that holds an authorization, called accreditation, which allows it to certify other companies in ISO standards.
Accreditation is a basic requirement for hiring an ISO Registrar, since technically, an ISO Registrar without accreditation does not have the technical qualification to operate. Accreditation is obtained from accreditation bodies such as IAS (United States), UKAS (England), CGCRE/INMETRO (Brazil) among other signatories of an international forum on the subject, the IAF – International Accreditation Forum.
Accreditation is granted by scope of ISO Standards, so in order to be complete, an ISO Registrar needs to have accreditation for each ISO standard in which it operates. QMS CERTIFICATION SERVICES, for example, has one of the largest scopes of accreditation in the world, accredited to audit ISO 9001, ISO 14001, ISO 45001, ISO 37001, ISO 37301, ISO 27001, ISO 20000-1, among others.
It is also important to emphasize that the international expertise of the ISO Registrar is a significant differentiator, as operating in several countries and different jurisdictions proves its technical capacity in various scenarios.
What are the main ISO certifications?
The main ISO certifications address the main themes of B2B markets worldwide. They are:
ISO 9001 – Quality Management Systems, which proves that the certified organization has implemented and maintains a quality management system focused on the customer and meeting the customer’s requirements;
ISO 14001 – Environmental Management Systems, which means that the certified organization has implemented and maintains an environmental management system focused on reducing environmental impact and managing its environmental aspects;
ISO 45001 – Occupational Health and Safety Management Systems, which means that the certified organization has implemented and maintains an Occupational Health and Safety management system focused on reducing accidents and Occupational Health and Safety risks;
ISO 27001 – Information Security Management Systems, which means that the certified organization has implemented and maintains an Information Security management system focused on information security controls;
ISO 37001 and ISO 37301 – Anti-Bribery and Compliance Management Systems, respectively, which means that the certified organization has implemented and maintains an Anti-Bribery and Compliance management system focused on preventing bribery and meeting Compliance obligations.
What is ISO certification for?
ISO certification serves to attest to the credibility of an organization on a specific topic and, through a statement of credibility (a certificate), to demonstrate that credibility to one or more specific interested parties.
It is common for customers to require from their suppliers an ISO certificate on a specific topic in order to reduce their own risks in the supply chain.
An ISO 9001 certificate, for example, reduces a customer’s risk of delays or dissatisfaction with a product or service provided to its own customers.
An ISO 37001 certificate, for example, reduces the customer’s risk of having its name involved in any corruption/bribery process due to the performance of its supplier.
The certification process, in addition to credibility, brings impartiality in the evaluation of the requesting interested party, as there is a third party involved, in this case an ISO Registrar, certifying its supplier without any conflict of interest involved.
What is the purpose of ISO certification?
Therefore, complementing the above, the objective of ISO certification is to bring confidence to commercial relationships between customers, suppliers, and society in general.
An ISO-certified company, with a valid certificate and an active management system, already has a differentiator over its competitors, demonstrating its credibility in the specific subject to one or more interested parties.
How to get an ISO certification?
The company needs to implement a management system in accordance with the required Standard. This implementation involves preparing documents and records, training the personnel involved, establishing controls, carrying out an internal audit, and a critical analysis by management.
After the management system is implemented, an ISO Registrar must be chosen according to the criteria established in this post, and thus the ISO Registrar will carry out the ISO certification audits.
How do ISO certification audits work?
The initial certification audit is divided into two stages, stage 1 and stage 2:
Stage 1 Audit
It is basically a documentary audit in which the documentation of the implemented management system is evaluated to confirm that the company is ready for the Stage 2 audit.
Stage 2 Audit
It is a complete audit that involves document assessment, visits to and interviews with the various areas of the organization, checks of records, organizational systems, internal controls, monitoring and KPIs, and an interview with top management, among other factors. At this stage, the auditor will go to the company to carry out this process.
At the end of the stage 2 audit, the auditor will either recommend the company for certification or not. In the case of non-recommendation, there are major nonconformities that need to be addressed before finalizing the process. In the case of recommendation, the company will receive its certificate within the specified period.
Validity of the certificate
The certificate is valid for 3 years, subject to annual surveillance audits, which are similar to the stage 2 audit but with a smaller sampling. Therefore, the certificate cycle includes the stage 1 and stage 2 audits, the first surveillance audit and the second surveillance audit.
At the end of the three years, close to the expiration of the certificate, a new audit is carried out, called a recertification audit. It is exactly the same as the stage 2 audit, with the same workload; however, at this stage the company’s management system is more mature because it has already gone through 3 years of audits. After the recertification audit, the cycle is renewed with a new certificate issued, going through the surveillance audits again.
Thus, as long as there is an active certificate, there will be periodic audits, which is why a certificate is always active subject to periodic audits.