The ISO 9001 Certification Process

Choosing a Certification Body

Your certification body (also called a registrar) is the organisation that will audit your QMS and issue your ISO 9001 certificate. This is one of the most important decisions in the certification process, so take the time to choose wisely.

The certification body must be accredited by a recognised national accreditation body. In the United Kingdom, this is UKAS (United Kingdom Accreditation Service). In the United States, it is ANAB (ANSI National Accreditation Board). Other countries have their own accreditation bodies, all operating under the International Accreditation Forum (IAF) umbrella.

When evaluating certification bodies, check that they have experience in your industry and can cover your specific scope. Compare quotations from at least two or three providers, but do not choose solely on price. Consider their reputation, auditor availability, turnaround times, and the support they offer throughout the certification cycle. An accredited certificate from a respected body carries more weight with customers and procurement teams.

Stage 1 Audit (Documentation Review)

The Stage 1 audit is your certification body's first formal assessment of your QMS. Its primary purpose is to evaluate whether your documentation meets ISO 9001:2015 requirements and whether your organisation is ready for the full implementation audit.

During Stage 1, the auditor will review your quality manual (if you have one), quality policy, quality objectives, scope statement, process documentation, and key procedures such as internal audit, management review, and control of nonconforming outputs. They will also confirm that your organisation has conducted at least one full cycle of internal audits and a management review.

Stage 1 is typically conducted on-site and lasts around one day for small to medium organisations. At the end, the auditor will produce a report highlighting any gaps or areas of concern that must be addressed before Stage 2. Think of Stage 1 as a readiness check — it gives you a clear list of actions to complete before the implementation audit.

Stage 2 Audit (Implementation Audit)

Stage 2 is the main certification audit. This is where the auditor verifies that your QMS is not only documented but genuinely implemented and effective across your organisation. It typically takes place four to six weeks after Stage 1, giving you time to close any gaps identified in the readiness review.

The auditor will spend two to three days on-site (longer for larger organisations or complex scopes). They will interview staff at all levels, observe processes in action, examine records and evidence of conformity, and trace activities from start to finish to verify that your processes work as documented.

The auditor will assess conformity against every applicable clause of ISO 9001:2015. They pay particular attention to evidence of the process approach, risk-based thinking, management commitment, customer focus, and continual improvement. Be prepared for questions about how you measure process performance, how you handle nonconformities, and how management reviews drive improvement.

Audit Findings

After the Stage 2 audit, the auditor will present their findings. These are categorised into three levels:

Major nonconformities indicate a significant failure to meet a requirement of the standard. A major nonconformity must be resolved and verified by the certification body before your certificate can be issued. Examples include the complete absence of an internal audit programme or a failure to conduct management reviews.

Minor nonconformities are isolated lapses that do not represent a systemic failure. You will need to submit a corrective action plan with root cause analysis and planned actions. The certification body will verify closure, usually at the next surveillance audit. Examples include a single missing calibration record or an incomplete training log.

Observations (also called opportunities for improvement) are not nonconformities. They are suggestions from the auditor about areas where your QMS could be strengthened. You are not required to act on them, but addressing observations demonstrates a mature approach to continual improvement.

Receiving Your Certificate

Once all major nonconformities (if any) have been resolved and verified, the certification body's review panel will approve your certification. You will receive an ISO 9001:2015 certificate that is valid for three years from the date of issue.

The certificate will state your organisation's name, the scope of your QMS, the applicable standard (ISO 9001:2015), and the certification body's accreditation mark. You can use the certificate in marketing materials, on your website, and in tender responses to demonstrate your commitment to quality.

Keep in mind that the certificate is only as valuable as the system behind it. Maintaining an effective QMS is essential — not only for passing future audits but for delivering the genuine business benefits that ISO 9001 is designed to provide.

Surveillance Audits

Your certification body will conduct surveillance audits at regular intervals — typically annually, though some bodies audit every six months. The purpose is to confirm that your QMS continues to conform to ISO 9001:2015 requirements and that you are maintaining the system effectively.

Surveillance audits are shorter than the initial certification audit. The auditor will not cover every clause at each visit. Instead, they will sample different processes and areas over the three-year cycle, ensuring full coverage by the time re-certification is due. They will always check your internal audit programme, management review records, corrective action status, and customer complaint handling.

If the surveillance audit reveals major nonconformities, your certification may be suspended until they are resolved. This is rare for organisations that take their QMS seriously, but it underscores the importance of treating ISO 9001 as an ongoing commitment rather than a one-off project.

Re-certification Audit

At the end of the three-year certification cycle, you will undergo a full re-certification audit. This is similar in scope to the original Stage 2 audit and covers all clauses of the standard. The auditor will evaluate the overall effectiveness of your QMS, review performance trends over the three-year period, and verify that continual improvement is genuinely taking place.

Plan for re-certification well in advance — ideally six months before your certificate expires. This gives you time to schedule the audit, resolve any outstanding issues, and avoid a gap in certification. A lapse in certification can affect your ability to bid for contracts and may require you to start the certification process from scratch.

Many organisations find that re-certification audits are smoother than the initial certification because the QMS has matured, staff are familiar with the audit process, and there is a solid track record of performance data and improvement activities to demonstrate.