The Three-Year Certification Cycle

Gaining your initial certification: stage one audit

The first significant milestone within the ISO certification process is to undertake a stage one audit, or assessment. The stage one audit is an opportunity for you and the auditor to gain an understanding of whether you are managing and complying with your proposed scope of services and the targets you have set for your company within your management system (a management system is a set of procedures, policies and processes that enable an organisation to achieve its objectives, such as maintaining quality or managing security risks). The majority of organisations will have many of these elements already in place, but they may not have formally documented them.

The assessment completed by the auditor is an opportunity to highlight areas of improvement within your system in preparation to undertake a successful stage two audit.

Following completion of the stage one audit, all of the findings are presented in a short but detailed audit report. The report will show what are known as ‘non-conformities’. There are two classes of non-conformities:

  • Minor non-conformities – these can be resolved with internal action plans and can generally be addressed relatively quickly.
  • Major non-conformities – these are more serious and need to be resolved via a plan that you agree with your auditor. These are likely to take a little more time to resolve than for minor non-conformities.

As a whole, the report will help you to easily identify and focus on the areas requiring improvement and the processes that may need strengthening in order to achieve certification.

In summary, the stage one audit is designed to be constructive so that the transition through to stage two and achievement of your certification can be smooth and successful for you and your business.

A closer look: stage two audit

The stage two audit is the next vital stage in achieving certification. Typically held within the months soon after your stage one, this is the audit that will evaluate and confirm your management system in its entirety.

Through thorough review and analysis of your processes, conducting interviews and evaluation of performance, the auditor will confirm the efficiency of your management system. Ultimately, the stage two audit will have two possible outcomes:

  1. recommendation for, and achievement of, ISO certification
  2. highlighting areas that require further improvement and/or correction in order to achieve certification.

Following completion of the assessment, an audit report will be produced detailing the audit findings. If there are no findings, you will have achieved certification and therefore the report will be accompanied by your certificate. However, should the assessment identify areas that require further improvement as a result of identified non-conformities, a Corrective Action Plan will need to be completed and submitted before certification can be awarded.

The aim of a Corrective Action Plan is to encourage you to evaluate the root causes of the non-conformities in order to facilitate and plan the actions you will take to overcome these. As with the stage one audit, the non-conformities will be classified in two different ways – minor non-conformities or major non-conformities. Should there be major non-conformities identified, supporting evidence will also need to be submitted alongside your Corrective Action Plan.

Through continuous communication and support following your audit, we will endeavour to assist you, where we can*, in order to achieve timely certification.

* As a UKAS-accredited certification body, we are required to remain impartial and therefore there are limitations as to the levels of support/guidance we can provide. Should you need further support, beyond the guidance we are able to offer, we can introduce you to third-party providers who can provide these additional services.

Ongoing checks: surveillance audits

One of the central pillars of the ISO methodology is a deliberate focus on continual improvement. One way of verifying that companies are adhering to the standards set out by certification is through annual surveillance audits. With larger organisations, the audit may need to be completed through a multi-stage approach to ensure that all of the individual units meet the required standards.

During the surveillance audit, all the elements covered in the original stage two audit are re-assessed with a view to ensuring that all of the systems and processes are operating as specified and producing the correct outcomes.

The surveillance audit will always review these areas:

  • Systems performance and maintenance
  • Preventative and corrective actions and processes
  • The effectiveness of your own internal auditing process
  • The implementation of recommendations following your internal audits
  • Regular management reviews of ISO implementation
  • Customer satisfaction rates
  • Updates to the documentation systems.

The surveillance audit will be conducted by your auditor who will check any previous non-conformities from previous inspections, the effectiveness of your systems within the context of your audits, new activities and previous results. Whilst these surveillance audits are essential for ensuring that your company stays on track, they have a deeper benefit – surveillance audits are an essential step in preparing your company for recertification which happens at the end of each three-year cycle.

Recertification audits

Once achieved, your certificate is valid for three years (subject to the outcome of your annual surveillances). At the end of the three years, a recertification audit is undertaken. This audit will be similar in detail and intensity to the pre-certification stage two audit.

This audit explores the same areas as surveillance audits but looks more deeply into the holistic and global implications of your implementation strategy. It reviews the whole of your processes and systems from beginning to end, as well as investigating your continued commitment to continual improvement.

The auditor will perform a thorough examination of every aspect of implementation before issuing your certificate, with a potential outline for the next certification cycle.

As with the stage two audit, the recertification will have two potential outcomes:

  1. recommendation for, and achievement of, ISO certification
  2. highlighting areas that require further improvement and/or correction in order to achieve certification for a further three years.