How to Get ISO Certified: A Step-by-Step Guide
Getting ISO certified follows a well-defined ten-step process: choose the right standard (most often ISO 9001, ISO 14001, ISO 45001, ISO 27001 or ISO 22000), perform a gap analysis against its requirements, prepare your documented information, train your team, conduct internal audits and select an accredited certification body. The certification audit itself happens in two stages — Stage 1 is a document review confirming your management system addresses every clause on paper, followed two to four weeks later by Stage 2, an on-site assessment verifying that the system is genuinely implemented and effective. Once nonconformities are closed, the certification body issues a certificate valid for three years. Annual surveillance audits maintain that certification, with a full recertification audit at the end of the cycle. Most organisations achieve certification within three to six months, with costs varying from a few thousand dollars for small businesses to significantly more for multi-site operations.
Getting ISO certified can feel overwhelming when you are looking at it for the first time. There are standards to choose from, documentation to prepare, audits to pass and costs to budget for. But the process is well-defined, and thousands of organisations complete it successfully every year. This guide walks you through exactly how to get ISO certified, step by step, so you know what to expect at every stage.
Step 1: Choose the Right Standard
ISO publishes hundreds of management system standards, but only a handful can be certified against. The most common choices are ISO 9001 (quality management), ISO 14001 (environmental management), ISO 45001 (occupational health and safety), ISO 27001 (information security) and ISO 22000 (food safety). Your choice depends on your industry, your customers' expectations and your regulatory environment. Many organisations start with ISO 9001 because it applies universally and provides a solid foundation.
Step 2: Perform a Gap Analysis
Before building anything, assess where you stand. A gap analysis compares your current processes, documentation and practices against the requirements of your chosen standard. This tells you exactly what you already have in place and what needs to be created or improved. You can conduct a gap analysis internally or bring in a consultant. The output should be a clear action plan with priorities.
Step 3: Prepare Your Documentation
Every ISO management system requires documented information. This includes your management policy, objectives, procedures, work instructions, forms and records. The amount of documentation varies by standard and organisation size, but the trend in modern ISO standards is toward less paperwork and more focus on process effectiveness. Write documents that people will actually use — not shelf-fillers.
Step 4: Train Your Team
Certification is not just a management project. Everyone in your organisation needs to understand the management system, know their role within it and be able to demonstrate competence during audits. Conduct awareness training for all staff and provide targeted training for process owners, internal auditors and management representatives.
Step 5: Conduct Internal Audits
Internal audits are a mandatory requirement of every ISO management system standard. They verify that your processes work as documented and that you meet the standard's requirements. Plan your internal audit programme to cover all processes and clauses at least once before the certification audit. Address any nonconformities with corrective actions and verify their effectiveness.
Step 6: Select an Accredited Certification Body
Your certification body must be accredited by a recognised national accreditation body. Check the certification body's accreditation scope to ensure it covers your standard and your industry sector. Get quotes from at least two or three bodies. Factors to consider include cost, auditor expertise in your sector, scheduling flexibility and reputation. Remember, cheaper is not always better: you want auditors who add value.
Step 7: Stage 1 Audit (Document Review)
The certification audit happens in two stages. In Stage 1, the auditor reviews your documentation to confirm that your management system addresses all the standard's requirements on paper. They will also assess your readiness for the Stage 2 audit and identify any areas of concern. There is typically a gap of two to four weeks between Stage 1 and Stage 2 so you can address any findings.
Step 8: Stage 2 Audit (On-Site Assessment)
Stage 2 is the main event. The auditor spends time on-site observing your processes, interviewing staff, examining records and verifying that your management system is not just documented but actually implemented and effective. They will raise nonconformities for any gaps they find. Minor nonconformities can usually be resolved with a corrective action plan. Major nonconformities may require a follow-up audit.
Step 9: Receive Your Certificate
Once you clear Stage 2 and close any nonconformities, the certification body issues your certificate. This is typically valid for three years, subject to ongoing surveillance.
Step 10: Maintain Through Surveillance Audits
Certification does not end with the certificate. The certification body will conduct surveillance audits — usually annually — to verify that your management system continues to operate effectively. After three years, a full recertification audit is required. Treat these as opportunities to demonstrate improvement, not just compliance.
Timeline and Cost Factors
Most organisations achieve certification within three to six months, depending on their starting point, size and complexity. Smaller organisations with simpler processes can move faster. Cost factors include consultant fees (if used), documentation tools, training, internal audit time and certification body fees. A small business might invest a few thousand dollars in total, while a large multi-site organisation could spend significantly more.
Tips for success: Start early, involve top management from day one, keep documentation practical, train your internal auditors well and treat the process as a genuine improvement opportunity rather than a box-ticking exercise.