Getting ISO certified involves putting a formal management system in place and having it independently audited against a recognised ISO standard. While the detail varies by standard, the overall process is structured, repeatable, and the same for organisations of all sizes.
This page explains the typical steps involved, what is required at each stage, and how organisations usually approach ISO certification.
Step 1: Choose the right ISO standard
The first step is identifying which ISO standard (or standards) is relevant to your organisation. This depends on your activities, risks, and objectives.
Common examples include:
- ISO 9001 for quality management
- ISO 14001 for environmental management
- ISO 27001 for information security
- ISO 45001 for occupational health and safety
Some organisations choose to implement multiple standards together using an integrated management system.
Step 2: Understand the requirements
Each ISO standard contains a set of clauses that describe what your management system must include. These typically cover:
- Leadership and accountability
- Risk identification and control
- Documented policies and procedures
- Operational controls
- Performance monitoring and review
- Continual improvement
At this stage, organisations usually carry out a gap analysis to compare existing processes against the standard’s requirements.
Step 3: Develop documentation and policies
ISO certification requires documented information to show how your organisation operates and controls risk.
This commonly includes:
- Policies and objectives
- Procedures and work instructions
- Risk assessments and registers
- Records of training and competence
- Monitoring and measurement records
The documentation must reflect how your organisation actually works. Overly complex or generic documents are a common cause of audit issues.
Step 4: Implement the management system
Once documentation is in place, the management system must be implemented across the organisation.
This includes:
- Communicating policies and procedures
- Training staff on their responsibilities
- Applying controls consistently in daily operations
- Keeping records as evidence of compliance
Auditors will look for proof that the system is being used in practice, not just written down.
Step 5: Carry out an internal audit
Before certification, an internal audit must be completed. This is a requirement of all major ISO standards.
The internal audit:
- Checks whether processes meet ISO requirements
- Identifies gaps or weaknesses
- Provides evidence of system effectiveness
Internal audits can be carried out by trained staff or by an external consultant, provided they are independent of the activities being audited.
Step 6: Management review
Senior management must formally review the management system before certification.
A management review typically considers:
- Audit results
- Performance against objectives
- Customer or stakeholder feedback
- Risks, issues, and improvement opportunities
This step demonstrates leadership involvement, which is a core requirement of ISO standards.
Step 7: Choose a certification body
Certification bodies are independent organisations that carry out external audits and issue ISO certificates.
When choosing a certification body, organisations typically consider:
- Accreditation status
- Experience with the chosen ISO standard
- Sector knowledge
- Audit approach and availability
ISO certificates are not issued by the International Organization for Standardization itself, but by these independent bodies.
Step 8: Stage 1 audit (readiness review)
The Stage 1 audit is an initial review of your management system. It focuses on:
- Whether required documentation exists
- Whether the organisation is ready for full assessment
- Identifying major gaps or concerns
Any issues identified at this stage must usually be addressed before proceeding.
Step 9: Stage 2 audit (certification audit)
The Stage 2 audit is the main certification assessment.
During this audit, the auditor will:
- Review documentation and records
- Interview staff
- Observe processes in operation
- Assess compliance with the ISO standard
If non-conformities are identified, corrective actions must be completed before certification can be granted.
Step 10: Certification and ongoing compliance
Once requirements are met, an ISO certificate is issued, typically valid for three years.
To maintain certification, organisations must:
- Continue operating the management system
- Carry out internal audits
- Hold management reviews
- Pass regular surveillance audits
At the end of the cycle, a recertification audit is required to renew the certificate.
Can you get ISO certified without a consultant?
Yes. Many organisations prepare for ISO certification internally, particularly smaller or less complex businesses.
Using a consultant can:
- Reduce preparation time
- Provide structure and expertise
- Help avoid common mistakes
However, it also increases costs. The right approach depends on internal resources, experience, and deadlines.
How long does it take to get ISO certified?
Timeframes vary depending on:
- The chosen ISO standard
- Organisational size and complexity
- Existing processes and controls
- Availability of internal resources
Some organisations complete certification in a matter of weeks, while others take several months to fully implement and embed the system.
Next steps
To move forward with ISO certification:
- Confirm which ISO standard applies
- Assess current readiness
- Decide whether to prepare internally or use external support
- Plan realistic timescales and resources
ISOcertified.net provides detailed guides for individual ISO standards, along with practical advice on costs, audits, and choosing certification support.