There can be confusion over what certification means. To be clear, certification can take place only against a standard that specifies requirements. Think about it logically. If something shall be done, either it has or it has not been done. In the case of something that should be done, there can be valid reasons for deviating from the guidance and recommendation. Guidance and recommendations cannot, therefore, be mandatory.
ISO does not undertake certification or issue certificates. Since companies or other organizations cannot be certified by ISO, they cannot use the ISO logo or in any way imply endorsement by ISO. Certification is performed by certification bodies, which are most commonly organizations that have be accredited by a nationally approved body.
Claiming conformity
To claim conformity with a standard, an organization needs evidence that it is meeting its requirements. Evidence gathering is generally achieved by undertaking an audit. There are three types of audit: first-party, second-party, and third-party. First-party audits are internal audits by the organization and can result in self-determination and self-declaration. Sometimes, you might see the term, self-certification, as an alternative way of indicating that the organization is working in conformity with the standard. Note, however, that ISO does not use this term.
Second- and third-party audits are external audits. A second-party audit could be undertaken by, for example, a client or customer. They might then be expected to confirm that the organization is working in conformity with the standard. A third-party audit is usually undertaken by an independent authority, being an organization that is recognized as having the competence to conduct independent audits. They are typically accredited by a national accreditation body. Successful third-party audits can result in certification or confirmation of a current certification.
Certification in the context of ISO international standards refers to the process by which an organization’s compliance with a specific ISO standard is verified by an accredited certification body. Certification provides external validation that an organization’s management system, processes, products, or services meet the requirements set out in the relevant ISO standard.
Certification Process
The following outlines a typical certification process. Note, however, that procedures might vary according to country or sector.
Preparation
The organization prepares for certification by implementing the requirements of the ISO standard relevant to their industry or sector. This may involve developing and documenting processes, procedures, and controls to ensure compliance.
Selection of Certification Body
The organization selects an accredited certification body to conduct the certification audit. Accreditation ensures that the certification body operates according to internationally recognized standards for competence, impartiality, and integrity.
Initial Assessment (Stage 1)
The certification process usually begins with an initial assessment, often called Stage 1 audit. During this stage, the certification body reviews the organization’s documentation, processes, and readiness for the full certification audit. The auditor may identify any gaps or areas for improvement that need to be addressed before proceeding to the next stage.
Certification Audit (Stage 2)
The main certification audit, known as the Stage 2 audit, involves a more in-depth examination of the organization’s management system and practices. The auditor assesses the effectiveness of the implemented processes and controls against the requirements of the ISO standard. They may conduct interviews, review records, and observe activities to verify compliance.
Issuance of Certificate
If the organization demonstrates compliance with all the requirements of the ISO standard, the certification body issues a certificate confirming certification. The certificate typically includes information such as the scope of certification, the standard(s) certified against, and the validity period.
Surveillance Audits
To maintain certification, the organization undergoes periodic surveillance audits, usually conducted annually or semi-annually, depending on the certification body’s requirements. These audits verify that the organization continues to operate in compliance with the ISO standard and monitor any changes or improvements made since the initial certification.
Recertification
After a certain period (usually three years), the organization undergoes a recertification audit to renew its certification. Recertification involves a comprehensive audit process similar to the initial certification audit to ensure ongoing compliance with the ISO standard.
In summary
Certification to ISO standards provides several benefits, including enhanced credibility and trust among stakeholders, improved market access and competitiveness, better risk management, and potential cost savings through increased efficiency and effectiveness of processes. However, it is important to remember that certification does not guarantee product quality or business success but rather demonstrates a commitment to meeting internationally recognized standards for quality, safety, environmental management, or other relevant aspects of organizational performance.