The first significant milestone within the ISO certification process is to undertake a stage one audit, or assessment. The stage one audit is an opportunity for you and the auditor to gain an understanding of whether you are managing and complying with your proposed scope of services and the targets you have set for your company within your management system (a management system is a set of procedures, policies and processes that enable and organisation to achieve its objectives, such as maintaining quality or managing security risks). The majority of organisations will have many of these elements already in place, but they may not have formally documented them.
The assessment completed by the auditor is an opportunity to highlight areas of improvement within your system in preparation to undertake a successful stage two audit.
Following completion of the stage one audit, all of the findings are presented in a short but detailed audit report. The report will show what are known as ‘non-conformities’. There are two classes of non-conformities:
As a whole, the report will help you to easily identify and focus on the areas requiring improvement and the processes that may need strengthening in order to achieve certification.
In summary, the stage one audit is designed to be constructive so that the transition through to stage two and achievement of your certification can be smooth and successful for you and your business.
The stage two audit is the next vital stage in achieving certification. Typically held within the months soon after your stage one, this is the audit that will evaluate and confirm your management system in its entirety.
Through thorough review and analysis of your processes, conducting interviews and evaluation of performance, the auditor will confirm the efficiency of your management system. Ultimately, the stage two audit will have two possible outcomes:
Following completion of the assessment, an audit report will be produced detailing the audit findings. If there are no findings, you will have achieved certification and therefore the report will be accompanied by your certificate. However, should the assessment identify areas that require further improvement as a result of identified non-conformities, a Corrective Action Plan will need to be completed and submitted before certification can be awarded.
The aim of a Corrective Action Plan is to encourage you to evaluate the root causes of the non-conformities in order to facilitate and plan the actions you will take to overcome these. As with the stage one audit, the non-conformities will be classified in two different ways – minor non-conformities or major non-conformities. Should there be major non-conformities identified, supporting evidence will also need to be submitted alongside your Corrective Action Plan.
Through continuous communication and support following your audit, we will endeavour to assist you, where we can*, in order to achieve timely certification.
* As a UKAS-accredited certification body, we are required to remain impartial and therefore there are limitations as to the levels of support/guidance we can provide. Should you need further support, beyond the guidance we are able to offer, we can introduce you to third-party providers who can provide these additional services.
One of the central pillars of the ISO methodology is a deliberate focus on continual improvement. One way of verifying that companies are adhering to the standards set out by certification is through annual surveillance audits. With larger organisations, the audit may need to be completed through a multi-stage approach to ensure that all of the individual units meet the required standards.
During the surveillance audit, all the elements covered in the original stage two audit are re-assessed with a view to ensuring that all of the systems and processes are operating as specified and producing the correct outcomes.
The surveillance audit will always review these areas:
The surveillance audit will be conducted by your auditor who will check any previous non-conformities from previous inspections, the effectiveness of your systems within the context of your audits, new activities and previous results. Whilst these surveillance audits are essential for ensuring that your company stays on track, they have a deeper benefit – surveillance audits are an essential step in preparing your company for recertification which happens at the end of each three-year cycle.
Once achieved, your certificate is valid for three years (subject to the outcome of your annual surveillances). At the end of the three years, a recertification audit is undertaken. This audit will be similar in detail and intensity to the pre-certification stage two audit.
This audit explores the same areas as surveillance audits but looks more deeply into the holistic and global implications of your implementation strategy. It reviews the whole of your processes and systems from beginning to end, as well as investigating your continued commitment to continual improvement.
The auditor will perform a thorough examination of every aspect of implementation before issuing your certificate, with a potential outline for the next certification cycle.
As with the stage two audit, the recertification will have two potential outcomes: