What are you looking for?
ISO 9001 Certification Process
ISO 9001, the world's best known and most popular quality management standard, can be implemented quickly with minimal investment. This 5-step guide explains how to get certified in a meaningful way. We reveal how to make ISO easy on you and how to improve your business at the same time.
This browser does not support the video element.
Step 1: Preparation
The first step addresses the preparation needed to achieve ISO 9001 certification at your small or midsize company – including making a decision on your implementation approach. Don't cut corners during this phase! Preparing well not only affects the immediate success of your certification project but also the sustainability of the quality management system.
Set Your Goals
ISO 9001 can bring numerous benefits, both operational and marketing. But your company won't just "automatically" achieve them. How you benefit from ISO depends not only on your organization's circumstances but most importantly on the goals you set. So start your ISO certification project by defining the benefits you want to gain. Focus on operational rewards. Then convert them into tangible objectives.
Define the Scope
Rather than applying ISO 9001 to every part of your organization, you could exclude specific departments, products or locations. Or you could roll out your certification gradually, starting with the most critical functions. The pros and cons of limiting the scope of ISO, though, need to be carefully considered. There is much to be gained by uniformly applying ISO 9001 to the entire organization.
Which Implementation Approach Is Best For You?
There are different ways to get ISO 9001 certified but most companies either outsource their ISO 9001 certification to a consultant or do it by themselves in-house using a toolkit. Some companies create a custom solution by combining both approaches. For example, a Do-It-Yourself certification project could be kick-started through initial consultancy. And companies that want to leverage their internal ISO expertise could save time through documentation templates and video training. Consider factors like urgency, budget, and staff availability to determine the best implementation approach for your company. No matter how you choose to achieve certification, nowadays the entire process can be done remotely.
Who Is Responsible?
No matter how you pursue certification, your company needs an ISO 9001 point person (often called "ISO 9001 Management Representative") who is responsible for achieving and maintaining certification. It's often a quality manager or executive, but could be anybody with sufficient authority to implement and change operational processes. We also recommend that companies with multiple locations apply a decentralized approach and appoint additional local management reps. Done right, you'll gain flexibility and simplicity from this setup.
If you are in charge of getting your company ISO 9001 certified and manage the quality system thereafter, you'll need to be familiar with the ISO 9001:2015 standard, understand its requirements and how to apply them at your own company. You'll also need to be able to plan and execute the certification project.
If you are using a consultant to get certified, you could learn enough by working side-by-side with the expert without getting formal training. Otherwise, smaller companies might prefer an online implementation course, while larger companies with an implementation team benefit most from a remote or on-site custom course that combines training with hands-on implementation activities.
Gain Executive Support
Don't take this lightly. Top management plays an important role in ISO 9001. It's critical that they not only support the ISO project but also "walk the talk". The first step in achieving active support is providing management with the needed knowledge and teach them about their own role in ISO 9001.
Given the typical time constraints of top managers, we recommend a concise online course. An even better alternative for a team of executives is targeted on-site or remote training that's customized to their needs.
This must not be delayed. Inform your staff about ISO before rumors start. Show them how ISO 9001 certification will not only benefit your company but also each employee. Explain the positive effects on work processes, employee satisfaction, and job security. Get them motivated to take part in the ISO project.
The easiest way to generate buy-in is to present a short motivational video. A more personal – yet inexpensive – option is a customized live course that can be conducted on-site or via video conference.
Conduct a Gap Analysis
Many companies will find a gap analysis useful to judge the extent to which their organization is already ISO 9001 compliant and where gaps exist. The results will help you determine where implementation efforts should be concentrated. You'll be able to prepare a better project plan with more accurate milestones and target dates. ISO 9001 consultants use the gap analysis to familiarize themselves with your company.
But the gap analysis is not mandatory. Particularly small and medium sized businesses implementing ISO 9001 in-house will find it more efficient to conduct several targeted "mini gap analysis" during the documentation and implementation phases.
Plan Your Project
We recommend keeping your project planning simple. Focus on implementation steps, milestones, and target dates, and assign responsibilities. Small and midsize companies, in particular, should try to avoid Gantt charts and the sort of complexities likely to arise from bloated steering committees.
Good certification kits simplify the planning phase. But you could also utilize our handy ISO 9001 implementation checklist to formulate a plan with responsibilities and target dates. Another option is to have a consultant develop a custom plan for you.
Go to Step 2
Step 2: Documentation
Writing the documentation is often considered the most difficult implementation step. For one, documents have to meet the technical requirements of the ISO 9001 standard, which some people find hard to understand, interpret, and apply to their company. But it's also the importance of getting these documents right as they directly impact on your business operations.
It's critical that your ISO documentation is adapted to the needs and circumstances of your business. You can't just copy somebody else's procedures. Customization is key. If you outsource your certification process, allow the consultant to first become sufficiently familiar with your company before he/she starts writing your documentation. If you use templates, pay attention to flexibility and customization instructions.
Which Documents Do I Need?
Though ISO 9001 has become less prescriptive regarding the number of required documents, the following should be part of your quality management system:
Process maps (flowchart)
While there are specific requirements for the quality policy, objectives and scope, you have a lot of flexibility as to the number and content of procedures, work instructions, forms, and process maps.
We recommend you create as many procedures as needed to properly address every 9001 requirement. There's no need to follow the structure of the ISO standard; instead, your procedures may combine or split up ISO 9001 clauses as appropriate to your business.
In addition to the more high-level procedures, you'll need to describe the detailed steps of performing work processes though work instructions. We will address this in Step 3.
Forms and checklists aren't specifically mentioned by the standard. However, they can be considered both work instructions (before they are filled in) and records (after they are filled in) – both of which are addressed by the standard. We recommend creating forms and checklists where they can save time and effort in meeting ISO 9001 requirements.
Process maps are used to provide insights into workflows. We'll cover them in Step 3.
How to Create Documentation
Your ISO documents need to fit your business. They can't be written by somebody unfamiliar with your company. Even a company insider shouldn't do it in isolation.
Larger companies could have a multi-functional team write their high-level documentation. If you work for a small or midsize business, you can develop procedures and supporting forms yourself after obtaining staff input. Proceed as follows:
Tackle one clause at a time – study the requirements and generally accepted interpretations
Determine the organizational functions that are impacted
Establish the current level of compliance (based on gap analysis)
Explain the requirements to affected management and discuss possible ways the requirements could be adopted
Once you reach consensus on the optimal process, put it in writing
The standard doesn't prescribe any particular format, structure or numbering system so choose what works best for you and follow these tips:
DO look for the simplest way to meet a requirement and adapt it to your business
DO use your company's vernacular and avoid "ISO language"
DO use diagrams and illustrations rather than long-winded text
DO use layout that's visually appealing and easy to understand
DON'T include time-consuming references to other documents
DON'T include bureaucratic requirements, requirements that are not suitable for your company's circumstances or culture, or requirements that hinder your business operations and productivity
Where to Start
The requirements on document control in clause 7.5 of the ISO standard affect how you'll write, identify, and approve documents. It's the ideal procedure to start with before addressing the remaining requirements. Whenever you see record keeping requirements, consider if a form or checklist could be useful.
Preparing all ISO documents is quite time consuming, complicated, and prone to mistakes. But don't worry, there's a shortcut – documentation templates. These pre-written documents are designed to be tailored to your company's needs; the included customization instructions show you how.
Templates are a core component of certification toolkits, and consultants use them as well. Since their quality varies widely, due diligence is needed. Base your evaluation on the above documentation tips and pay particular attention to the extent of the customization instructions.
Go to Step 3
Step 3: Implementation
During the implementation phase you will introduce your procedures to affected employees and help them adjust and improve their work processes accordingly.
ISO 9001 implementation requires virtually all employees to change the way they work to some extent (for example, how they use documents). To make your quality management system succeed, there needs to be an incentive to adopt new work processes. It's essential that your new procedures are efficient, non-bureaucratic, and user-friendly.
Introduce the Procedures
Introduce staff to one procedure at a time, starting with document control. Depending on the size of your company, you could explain the requirements in staff meetings, or use a trickle-down approach where you leave the explanations to department managers.
Achieve Process Improvement
Implementing the procedures creates opportunities for process improvement. Empower staff to redesign their work processes along the new ISO 9001 requirements. This will create motivation, lead to improved processes, and the ISO procedures will be adopted almost automatically.
Teams start by visualizing their existing work processes through process maps on a white board. These flowcharts will help to identify how different functions interconnect, and where bottlenecks, repetition, and delays occur. Once there is consensus on improvements, the redesigned workflows should be documented.
Have Them Do Their Work Instructions
Work instructions are step-by-step directions on how to perform an activity. The ISO standard requires them where they add business value. This could be in the case of rarely-performed or high-risk activities, or work carried out by temporary or untrained staff.
Work instructions should be written by staff who actually perform the work. Any format will do if it's useful to the user, including text, flowcharts, pictures, screenshots and even videos. At least initially, you should review work instructions to verify compliance with ISO 9001 and your new procedures.
ISO 9001 includes numerous record-keeping requirements. As ISO requirements are gradually incorporated into daily business activities, records should be generated. Auditors will review records when verifying compliance with the standard.
Reap Early Marketing Benefits
You aren't certified yet – but ISO could already pay off in marketing. You might even be able to satisfy potential customers who made accreditation a prerequisite.
Inform your customers now of your pending accreditation. Add substance by describing your QMS, summarizing your procedures, and announcing your planned certification date. Users of our certification system simply use our special quality manual template for this purpose.
Go to Step 4
Step 4: Internal Audit
Internal audits are self-inspections to check if your ISO 9001 system is effectively implemented. During the audit, work processes are observed, management and staff interviewed, and records examined. The objective is to verify compliance with ISO 9001, as well as with your procedures and work instructions. Internal audits are conducted prior to achieving certification, as well as periodically thereafter.
Internal audits are typically performed by employees who take on the auditor role as an additional responsibility. Some companies prefer to outsource the audit program.
Set Up the Audit Program
When setting up your audit program, you develop an audit schedule and methods to plan and prepare your audits. You'll also prepare documents, forms and checklists that support your audits. It's easy with an audit toolkit.
You'll also appoint one or more auditors. Small businesses typically have the ISO 9001 point person, quality manager, or a safety inspector perform internal audits. Larger companies often appoint an audit team. Usually, the auditor role is an additional responsibility to regular job duties.
Provide Auditor Training
Auditors need to be familiar with the ISO 9001:2015 standard, be able to verify if its requirements are effectively implemented, and have otherwise good auditing skills. They also need to be able to report audit findings and follow up on corrective action.
Auditors at small companies could take an inexpensive online auditor course though at least one individual should be trained as lead auditor. Larger companies that appoint a team of auditors benefit most from a remote or on-site custom course that combines lecture with supervised audit activities at your own company.
Start Your Audits Early
Internal audits can be leveraged as a training tool to support the ISO implementation. You can use them to train management and staff in your new processes. Therefore, the best time to start auditing is during Step 3 - Implementationd. Initially, you might focus your audits on particular requirements or procedures. Later, you'll audit entire work processes.
Conduct a Complete Audit
In order to be considered for ISO 9001 registration, you have to successfully conclude one complete internal audit. A complete audit covers your entire ISO quality management system, but not every department needs to be checked for compliance with every requirement. Also, the audit doesn't need to be conducted as a single event but can be split into several partial audits. You could, for example, focus on a particular department or process at a time.
Another alternative is to outsource this audit to our experienced lead auditors. This way you can be confident that each and every issue with your quality management system gets identified. We'll even guarantee that you'll pass your subsequent certification audit.
Once your business has been audited against all ISO requirements and any identified nonconformities have been addressed, your company will be ready for the certification audit.
Go to Step 5
Step 5: Certification
In order to gain ISO 9001 certification, your company needs to undergo a certification audit conducted by an independent, third-party auditor. This assessment is similar to your internal audits but scope and number of audit days are regulated. Once your company successfully completed the audit and addressed any identified nonconformities to the satisfaction of the auditor, the ISO 9001 certificate with 3-year validity can be issued.
Before the certification audit can be conducted, it is necessary for your company to complete a full internal audit and accumulate enough records for the auditor to verify effective implementation of your quality management system and adherence to all ISO 9001 requirements. Often 1-2 months worth of records are enough.
Select Your Registrar
The ISO 9001 registrar is the independent entity that sends the auditor or audit team and issues your 9001 certificate. Reputable registrars are accredited by a national accreditation board.
Start your search on the internet or get several custom quotes through our free registrar finder service. Compare the candidates and evaluate them against your company's criteria. A good DIY toolkit or consultant will help with the selection process.
Prepare Company and Staff
Preparing for the certification audit is a good opportunity to check work areas and tidy up. Be particularly wary of outdated or uncontrolled documents floating around. It's also important to prepare your staff to face the auditor.
Reduce anxiety and explain what to expect from the audit and the auditor
Explain how to interact with auditors and answer their questions truthfully without volunteering additional information
Rehearse typical auditor questions and how to answer them, including:
"How do you know that you perform your work correctly?" – – the auditor wants to know about performance criteria and measurements
"How do you contribute to the objectives of your company's quality policy?" – – checking understanding of the quality policy and its application in daily work
Preparation activities should be conducted during the day(s) leading up to the audit. Good consultants can help with the preparation. If you are implementing ISO 9001 by yourself, consider showing your staff a short explanatory video; also, a good certification kit should include preparation instructions and tips.
Pass the Stage 1 and Stage 2 Audits
The certification audit is divided into two stages: the first is a review of your documentation, the second is the actual audit of your work processes. The stage 1 audit is conducted remotely, while the stage 2 audit can be conducted on-site or remotely depending on your registrar and your choice.
Most audits uncover at least a few minor issues. Unless the nonconformities a severe, you'll only need to correct them and inform your registrar before your ISO 9001 certificate can be issued. If major nonconformities are encountered, your registrar will likely conduct a follow-up audit before deciding whether your company can be certified.
Market Your Certification
Your ISO certificate can provide numerous marketing benefits, ranging from access to new customers and markets to increased prestige.
Start leveraging 9001 registration with a press release, targeted customer notifications, and by adding the certification mark to business cards, stationary and advertisements. Local customers can be informed of your success by flying a flag or banner outside your premises. Last but not least, keep motivation up and reward your employees for the hard work they put in.
Accreditation is not a one-off event after which you can close the chapter on ISO 9001. In fact, losing focus after the certification audit is a common mistake.
To verify continued implementation and continual improvement of your ISO system, your registrar will perform periodic surveillance audits, usually once or twice a year. If you implemented your quality management system correctly, an automatic improvement mechanism is built in. Just make sure your ISO processes remain implemented, continue your internal audits, and you'll see your company's performance improvements reflected at the bottom line.
ISO 9001 for small businesses and midsize companies can be straightforward and rewarding – if done right. No matter if you opt for a full-service consultancy, the Do-It-Yourself approach, or a combination of both, we've got you covered. Either way your company will benefit from our uniquely simplified approach to ISO 9001.
Contact us anytime and let our experts evaluate your situation and give you thoughtful advice.
Go Back to Step 1
To find out more if and how to get ISO 9001 certified, consider the following additional resources:
Our Learning Center
Our free resources are packed with information and practical tips, including advice on how to avoid the most common mistakes.
Effective and time-saving ways to fill any knowledge gaps can be found through our training recommendations.
The ISO 9001:2015 standard is something you will need to get. You may buy the standard as hard copy or downloadable PDF version.
If you enjoyed this article, subscribe for updates
Stay in touch with our free resources on ISO 9001
We won't send you spam. Unsubscribe at any time.
Thanks. Your message has been sent. We'll get back to you as soon as possible.
We'll reply ASAP