Going through an ISO certification is about proving to an external auditor that your management system meet the requirements of the standard (s) you certify against. Before certification, you must have built a management system that meets the requirements of the current standard, the certification itself is the last step you take in the process.
When you are done with the big part of the job, i.e. building up your management system, it's time to go through the certification process itself.
Regardless of which ISO standard you have chosen to certify your management system against, the certification process consists of the following steps:
In the first step of the certification process, you will find out if you are really ready for certification.
-Did you think about it when you were working on the management system?
Have you started implementing the management system?
Do you have a clear plan of action before the Phase 2 audit?
At stage 1 of the audit, the focus is on reviewing the documentation and interviewing the management and possibly key personnel.
‍
The auditor asks questions such as:
-Do you have a process map of your business?
-Have you carried out a thorough risk analysis in which you have taken into account all your processes?
-Have you started recording customer feedback, deviations and suggestions for improvement?
The auditor interviews key employees and reviews the documentation
The auditor also looks at what could potentially become an anomaly if it is not addressed before the Step 2 audit. It's a great way to get input and feedback on work done so far from a certification perspective.
To put it in context, for example, a large deviation during step 2 of the audit means that the auditor has to come out again, which means an additional cost for you as a customer. For minor deviations, in most cases it is sufficient that you report what actions you are carrying out and that you remedy them within a deadline that you agree with the auditor. Usually between 30 and 60 days.
The auditor checks that there is an action plan and that you are well on your way with the implementation of the management system so that you have not just made a “paper tiger” to the management system, which the majority of your employees are not familiar with and involved in. In the latter case, the schedule for the step 2 audit and the certification itself are usually postponed so that the company has time to do the things that are actually required.
Please note that if the time between Stage 1 and Stage 2 audits exceeds 6 months, the certification body will need to redo part or all of the Stage 1 audit, which also entails additional costs.
Staff are also being interviewed. The interviews with the staff aim to ensure that the management system is well implemented i.e. that the reality is in line with how the management and management system say it should be.
In step 2, the staff is interviewed
The auditor performs sample tests in each area of responsibility and selects people to interview. The number of people interviewed varies depending on the size of company.
Often, the auditor usually interviews 1 — 3 people in each area of responsibility. If any of the answers are not in line with what has been said, someone or a few more people are often interviewed. If the auditor then notices that there are several that give a different picture of reality or that there is other evidence, such as record keeping, you risk getting an observation or a discrepancy depending on the area in question.
In step 2, the auditor also checks that deviations detected in step 1 of the audit have been remedied.
Once the stage 2 audit has been completed, you report indirect and corrective actions to the auditor of the certification body for the discrepancies found. You normally have 60 days to report these.
Any observations will be followed up by the auditor at the next audit, which will be carried out within 12 months.
Once the discrepancies are reported, you will receive either a yoke from the auditor or a feedback with points that need to be supplemented further.
After you have received the approval from the auditor on the report, the chief auditor of the certification body or equivalent enters and reviews the auditor's work, to make sure that the auditor has done the right thing. If the auditor has missed something, they may need to come back with a request for supplements.
After that, a decision is made that you will be certified.
After everything is approved, a certificate is issued.
The time period from completing the Step 2 audit to receiving your certificate depends on how quick you are to report indirect and corrective actions.
After reporting is completed, the certification body takes 2-4 weeks to do its work.
‍