ISO 9001 Certification Process
The final few articles in the EBS DIY ISO 9001 series will provide guidance through the ISO 9001 certification process. We’ll start with an overview of the entire process in this post, then delve deeper into the topic in future articles.
ISO 9001 Certification Audit Timing
Let’s look at the general process for completing an ISO 9001 certification assessment. In fact, this is the basic approach for certification to all similar ISO management system standards such as ISO 13485 (medical device), IATF 16949 (automotive), or ISO 14001 (environmental management). The basic steps to completing your certification include:
- Evaluating and selecting an ISO registrar
- Scheduling and planning your ISO audits (stage 1 and stage 2)
- Completing any needed audit readiness activities and tasks
- Completing your stage one audit
- Completing your stage two audit
- Addressing and responding to any audit findings
- Receipt and management of your ISO certification
For an organization that is well prepared, the ISO 9001 certification process, start to finish, can easily take 12 weeks or longer. If you have established tight deadlines to complete your registration activities and receive your ISO 9001 certificate, then you will need to manage this process closely and work to keep project tasks on track. The biggest time constraint during certification is scheduling and getting time with the auditor. Most auditors’ calendars are booked out 30-60 days, especially for audits that require several days to complete. Consider the following schedule scenario:
- Evaluate, select, and execute an agreement with your registrar (2-3 weeks): March 1 – March 15
- Schedule time for your stage one audit (let’s assume 1 audit day): 1st available day is 30 days out (March 16 – April 15)
- Schedule stage two audit – this cannot be scheduled until stage one audit is successfully completed (here we’ll assume 2.5 audit days): 1st available time is 45 days out (April 16 – May 1).
- Complete stage two audit and respond to all cited nonconformances (1 week): May 1 – May 8
- Review, rework, and approval of corrective actions by auditor (10 days): May 9 – May 19
- Registrar certificate approval and issuance (30 days): May 20 – June 19
As you can see, this isn’t a quick process, and while there might be some opportunities to shorten the above scenario, you should plan for the worst and allow at least 12-15 weeks to get through this process. You certainly can move forward with the identification and execution of an agreement with your registrar in parallel with your management system development work, but you really can’t schedule the stage one audit until you have the majority of the system established. You must also have completed your first internal audit and management review meeting prior to your stage one audit activity. These tasks alone can take several weeks to plan, schedule, and execute.
Three Year Audit Cycle
Most registrars issue an ISO 9001 certificate with a three-year expiration which includes the following audit activity:
- Year 1 – Initial Certification Audit: Full system audit which includes the stage 1 and stage 2 assessments. This is probably the most expensive and time-consuming audit you will experience.
- Year 2 – Annual surveillance audit: Partial system audit which covers only select aspects of the organization and management system. This is usually about 1/2 the cost of the initial audit.
- Year 3 – Another surveillance audit covering core business processes and areas of the system not addressed the previous year. Again, about 1/2 the cost of the initial audit.
- Year 4 – Full re-certification audit covering the entire system. Since the stage 1 assessment isn’t required, the cost is usually about 2/3 that of the initial year 1 audit.
- Rinse and repeat.
Management System Maturity
Also consider that you must provide a reasonable amount of time for the management system processes to operate after system launch and generate the records which provide objective evidence that the processes and system are performing in a compliant manner. You can’t just turn the system on day one and expect an auditor to assess it on day two without any documented evidence to review.
The duration of this maturation period will really depend on how active your system is and how quickly records are produced. With this said, auditors will have some level of grace with newer management systems and understand that records for certain processes are limited. They will audit what is available and take note to review those processes in greater detail at the next audit. We would certainly recommend that you allow your management system to operate for a month or two before completing your stage two audit. Remember that you can certainly use records that existed prior to your official system launch if they fully demonstrate compliance to your established processes and procedures.
Ok, so how much is this ISO 9001 certification process going to cost us? We have found that most of the reputable, accredited registrars charge approximately the same amount, give or take a few hundred dollars. Rather than worry about a few dollars, focus on finding a registrar that best fits your organization. With that said, go ahead and request quotes from each of the finalists on your list to get a firm understanding of their costs. If there are significant differences in price, inquire about these differences to verify quote accuracy and address discrepancies.
Each registrar will have certain fees and add-on costs, and these are sometimes negotiable, especially if they are hungry for your business, but again, don’t get too focused on trying to save $50 rather than picking the right provider. Be wary of registrars with exceptionally high or low costs. Don’t pay for unnecessary or unusual costs and remember that you generally get what you pay for. Many of the low-cost providers are not fully accredited, which might impact the credibility of your certification with customers and external stakeholders. In the United States for ISO 9001, I only work with registrars that have ANAB (ANSI-ASQ National Accreditation Board) accreditation.
The biggest cost is the actual audit time with the auditor and the associated travel costs, especially if an auditor must fly to your location. Audit days are generally billed at rates around $1,000 to $1,200/day per auditor. The number of days required to complete an audit is generally dictated by the number of employees within the organization or site and defined in IAF (International Accreditation Forum) document IAF MD 5:2015 (IAF Mandatory Document for Determination of Audit Time of Quality and Environmental Management Systems). Annex A of this document provides a table defining the required audit days based on the number of employees. Note that this table provides a baseline for determining audit duration and resources, and that additional audit time may be added by the registrar to account for product, service, or organizational complexity, significant number of processes, etc. In our experience, the numbers provided in the IAF document are fairly accurate for most organizations. If your registrar is adding audit days to your quote beyond what IAF recommends, challenge the registrar to justify the additional audit time.
Below is an example of the certification costs for a general manufacturing company with 20 employees. Based on the IAF document, 20 employees equates to approximately three audit days for both stage 1 and stage 2 assessments:
- Stage 1 Assessment (1 day) – $1,100
- Stage 2 Assessment (2 days) – $2,200
- Additional Fees – $400
- Travel Expenses (2 trips) – $750
- Initial Certification Cost = $4,450
- Year 2 Surveillance Audit = $2,000
- Year 3 Surveillance Audit = $2,000
- Year 4 Re-Certification Audit = $3,000
Your mileage may vary depending on many different factors; however, this should give you a ballpark estimate of what to expect.
Receipt of ISO Certification
Once you implement acceptable corrective actions for any audit findings and provide the auditor with supporting evidence of the corrective actions, your auditor will recommend your organization for ISO 9001 certification. Your registrar will complete their internal reviews of the audit results and if everything is acceptable, they will issue your ISO 9001 certificate. This process usually takes anywhere from ten to thirty days and you will generally receive your certificate electronically in PDF format unless other arrangements have been made.
Your certificate should be valid for three years, assuming that you successfully maintain the management system and complete your annual surveillance audits. Please don’t be like many organizations we have seen over the years that ignore their management system for months, then two weeks before an audit, rush through to update records and sweep everything under the rug. There is no value in this approach and it will catch up to you sooner or later. Maintain, utilize, and constantly improve your management system daily and it will return the investment in time and resources through improved performance and effectiveness at all levels of the organization.
While the ISO 9001 certification process can seem a bit overwhelming and daunting, it really isn’t too bad once you break it down into bite-size chunks. Having a knowledgeable resource on your side can certainly help provide guidance along the way. Just remember to plan ahead and allow enough time for your new system to mature and for scheduling the various tasks and activities.