The ISO Certification Process

Before you read on about certification cycles, it is really important to check that the certification bodies you use have been assessed and accredited by a national accreditation body; see here for a list of worldwide accreditation bodies approved by IAF.

External certification bodies conduct audits in various stages to ensure an organisation's compliance with the ISO standard. The certification cycle stages include Stage 1 Audit, Stage 2 Audit, Surveillance Audits, and Re-certification Audits. Here's an overview of each stage:

Stage 1 Audit (Readiness Review)

The Stage 1 Audit is a preliminary assessment of an organisation's documentation, policies, and procedures. The main objective of this stage is to evaluate the organisation's readiness for the Stage 2 Audit. The auditor will review the documented management system for the chosen ISO standard to ensure it aligns with the standard's requirements. They will also assess the scope of the certification, verify that processes are in place, and identify any significant gaps or areas of non-compliance that need to be addressed before moving to the Stage 2 Audit.

Stage 2 Audit (Certification Audit)

The Stage 2 Audit is a comprehensive evaluation of an organisation's compliance with the chosen ISO standard. During this stage, the auditor will assess the implementation and effectiveness of the management system by reviewing records, conducting interviews, and observing processes in action. The auditor will identify any non-conformances and provide a report outlining their findings. The organisation must address any non-conformances and demonstrate corrective actions before certification can be granted.

Stage 1 & Stage 2 are usually done within weeks or months of each other. The time really depends on availability and preparedness.

Surveillance Audits

Surveillance Audits are periodic assessments conducted by the certification body to ensure ongoing compliance with the ISO standard. These audits typically occur annually or biannually, depending on the certification body's requirements and the organisation's risk profile. Surveillance Audits are less extensive than Stage 2 Audits, focusing on specific areas of the management system and ensuring that the organisation maintains its commitment to continual improvement. Any non-conformances identified during a surveillance audit must be addressed and appropriate corrective actions taken.

Re-certification Audits

A Re-certification Audit is conducted by the certification body at the end of the certification cycle, typically every three years. The purpose of this audit is to confirm the organisation's continued compliance with the ISO standard and evaluate the overall effectiveness of the management system. Records for critical parts of this standard will be reviewed to ensure continual improvement is evident.

A successful Re-certification Audit will result in the renewal of the organisation's certification for another three-year cycle and continuation of surveillance audits during this cycle.

In summary, the certification cycle stages include the Stage 1 Audit to assess readiness, the Stage 2 Audit for an in-depth evaluation, regular Surveillance Audits to maintain compliance, and a Re-certification Audit to renew the certification.

These stages are designed to ensure that an organisation remains committed to the ISO standard's requirements and demonstrates ongoing improvement in its processes and systems.

Our team at Armour have decades of experience working as consultants and auditors covering a wide range of sectors and we are always on hand to help. Click here to explore the Armour platform. To get in touch simply drop us an email at info@armour.ai or fill in the form on our website here.
