ISO Certification Process
The process of management systems certification is straightforward. It follows a generic approach that is consistent for all the ISO management systems' standards — ISO 9001:2015, ISO 14001:2026, ISO 45001:2018, ISO 50001, ISO/IEC 27001:2022, ISO 22301:2019, and more.
The ISO Certification Process
Step-by-Step Overview
Application
Submit your application to initiate the certification process.
Certification Agreement
A formal agreement will be shared for your review and signature prior to commencement.
Stage 1 Audit
A thorough review of your documentation, processes, and overall readiness against the applicable standard.
Stage 1 Audit Report
A detailed report outlining findings, observations, and recommended actions will be shared with you.
Stage 2 Audit
An on-site or remote assessment evaluating the implementation, effectiveness, and conformity of your management system.
Final Report & Certification
Upon completion of the Stage 2 audit, a comprehensive report will be issued. Any identified nonconformities must be addressed before certification is formally granted.
Receive Inquiry
You will need to fill the inquiry form on our website to understand your requirement. We will use this information to accurately define the scope of audit and provide you with a proposal for certification.
Also you can reach us via phone, WhatsApp, or by sending an email with your requirements, and our team will contact you within 12 hours only.
After which they will send you a detailed proposal outlining the cost and duration for the ISO certificate to be issued.
Audit
Once you've agreed on your proposal, our team will contact you to book an audit schedule. Your audits will be booked with a UCS Auditor. This audit consists of two mandatory audits that form the initial certification audit (stage 1 and stage 2 audits).
Please note that you must be able to demonstrate that your company is fully operational and your management system is in compliance with the required ISO standard requirements, and the management system has been subject to a management review and a full cycle of internal audits.
Note: There may be additional requirements for some of the more technical standards — we will advise you of the same.
ISO Certification
Following a successful two stage audit, a certification decision is made, and if positive, a certificate will be issued by UCS showing conformity with the related ISO standard.
The certificate will be valid for 3 years upon passing the annual surveillance audits. A re-certification audit is done every 3 years.
All UCS certificates can be validated through the validation page.
Details
ISO Certification Audit
Documentation Review Audit
The purpose of this audit is to confirm that your organization is ready for the certification audit. This audit will take place at your organization where the management system is applied (normally head office), and it will be a documentation review audit.
During stage 1 audit, the auditor will review the internal audit reports and management review process. Certification may not be issued until there is sufficient evidence to demonstrate that arrangements for management reviews and internal audits have been implemented, are effective and are well maintained.
Full Conformity Audit
The purpose of this audit is to confirm that the management system fully conforms to the requirements of the chosen standard in practice. If you undertake site work or have more than one location that you would like to include in the scope of certification, the auditor will also need to audit these activities / locations.
During stage 2 audit, the auditor will:
- Document how the system complies with the standard by using objective evidences
- Undertake sample audits of the processes and activities defined in the certification scope
- Visit any remote locations, additional sites or remote activities to evaluate the effectiveness of the management system off site
- Report any non-conformities or opportunities for improvement
- Produce a surveillance audit plan and agree on a date for the first annual surveillance visit
If the auditor identifies any major non-conformity, certification cannot be issued until corrective action is taken and verified. Accreditation requirements stipulate that if this is not completed within 6 months, then certification cannot be recommended without a further stage 2 audit.
Surveillance Audit
Once the certification is obtained, a certificate will be issued and will be valid for 3 years only upon the successful completion of annual surveillance audits (partial audits) and a 3 yearly re-certification audits (full system audits).
Surveillance audits are undertaken annually to ensure that compliance to chosen standard(s) is maintained throughout the three-year certification cycle.
The frequency and duration of surveillance audits is dependent on the following factors:
- Size and structure of organization
- Complexity and degree of risk related to the activities
- Number of management system standards included in the certification scope
- Number of sites listed within the certification scope
During the surveillance audit you must demonstrate continual improvement. This is a fundamental requirement of all the ISO standards.
What Happens If Your Business Changes During This Time?
Don't worry — we are used to organizations of all shapes and sizes changing on a regular basis including additional locations / activities and increase or decrease in head count. We can provide you with all the options to change and adapt your scope / standards / management system to suit your business requirements — we just need you to be honest with us and let us know if anything changes as soon as possible.
During surveillance, we will also:
- Confirm the accuracy of information that you submitted during the application process
- Confirm that the management system conforms to the requirements of the applicable standard
- Confirm the implementation status of your management system(s)
- Confirm the certification scope
- Check the legislative compliance
Our approach to certification is designed to enable the certification programme to suit your business requirements — not the other way around!
Additional Procedures
Special & Short Notice Audits
Special Audits
A special visit may be required to the certified company's premises in the following circumstances:
- UCS has reason to believe that the documented systems are inadequately maintained with major deficiencies in operation.
- In case of any change in the management system standard due to which the certification requirements are going to be changed, clients will be intimated in advance for the transition audit and the audit will be scheduled after the consent of the organization. The audit must be completed before the defined time frame.
- Upon intimation by the certified company of any significant change in the certified documented system — including extension of scope. A visit will decide whether the extension of scope can be granted or not. This may be clubbed with the surveillance audit.
The surveillance audit programme shall include at least:
Short Notice Audit
As a result of a complaint by any party, any adverse publicity, or contravention of the conditions of certification, or other information received involving a suspended client — a short notice audit may be conducted. Special visits will be undertaken after due notice has been given and details agreed between UCS and the certified company.
Due care is taken of the following:
- Information is given to the client in advance regarding the purpose of the visit with full details.
- Due care is taken to select the auditor to safeguard against lack of reason for the client to object to the auditor.
Certification Status
Suspension, Withdrawal, Extension & Reduction of Certification
Suspension — Grounds for Suspending a Certificate
- If the certified organization is not getting the surveillance audit conducted as per the certification agreement.
- If the client is found to misuse the logo of the Certification Body or is using any kind of misleading statement which might affect the reputation of the certification body and the accreditation board.
Objective
Criterion
UCS suspends certification in cases when:
- The client's certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system.
- The certified client does not allow surveillance or recertification audits to be conducted at the required frequencies.
- The certified client has voluntarily requested a suspension.
- The client does not follow the agreed terms and conditions for certification services.
Responsibility
Execution
When information is received from either the customer or auditor regarding a suspension, UCS sends a suspension of certification letter to the client for a period of one month.
- Issue a suspension letter to the client stating the reason, suspension period, etc.
- Under suspension, the client's management system certification is temporarily invalid. UCS ensures the client refrains from further promotion of its certification during this period. UCS publishes the suspended status on its website to make it publicly accessible.
- If within the given period of time the customer resolves the issue and requests reassessment, the operations manager arranges the assessment.
- Failure to resolve the issues within the maximum period (four weeks) results in withdrawal or reduction of the scope of certification.
- Communication is sent to all relevant parties to stop the use of the Certification Logo.
- The client is informed not to use the certification status during the suspension period.
- If the client does not respond within the suspension period, the matter is put before the certification committee. Upon approval, the Director of Certifications authorises withdrawal of the certificate and the client's status on the UCS website is changed to 'withdrawn'.
- The withdrawn certificate is collected and destroyed (by shredding/tearing) to avoid misuse.
- UCS reduces the client's scope of certification to exclude any part not meeting the requirements, when the client has persistently or seriously failed to meet certification requirements for those parts.
- UCS has enforceable arrangements with certified clients concerning conditions of withdrawal, ensuring the client discontinues all use of advertising matter referencing certified status upon withdrawal notice.
- Upon request by any party, UCS will correctly state the status of a client's management system as suspended, withdrawn, or reduced.
Multi-Location Organisations
Procedure For Audit of Multi-Site Organisations
Purpose & Scope
To document, establish, implement and maintain the system for conducting the audit of a multi-site organisation, in accordance with requirements ISO/IEC 17021-1:2015 and IAF Mandatory Document for the Certification of Multi-Sites Based on Sampling, IAF MD 1:2007.
This procedure is applicable to the audit of a multi-site organisation and does not apply to organisations that have multi-sites where fundamentally different processes or activities are used at different sites, even though they may be under the same management system. This procedure applies to all types of audits — initial, surveillance and re-certification.
General Requirements
A multi-site organisation is defined as an organisation having an identified central function (central office) at which certain activities are planned, controlled or managed, and a network of local offices and branches (sites) at which such activities are fully or partially carried out.
Examples of possible multi-site organisations:
- Organisations operating with franchises
- Manufacturing companies with a network of sales offices
- Service organisations with multiple sites offering a similar service
- Companies with multiple branches
A multi-site organisation need not be a unique legal entity, but all sites shall have a legal or contractual link with the central office and be subject to a common management system. The central office must have rights to ensure that sites implement corrective actions when needed. All the sites shall be in the same country.
The organisation's management system shall be under a centrally controlled and administered plan and be subject to central management review. All relevant sites including the central office shall be subject to the organisation's internal audit programme, and all sites must have been audited prior to the certification audit.
Audit Process
For a multi-site organisation, the application review and agreement are conducted as per procedure. At this stage, the review shall identify:
- The complexity and scale of the activities covered by the management system and any differences between sites, as a basis for determining the level of sampling.
- The central function of the organisation with which UCS has a legally enforceable agreement for the provision of certification.
- The extent to which sites of an organisation operate substantially the same kind of processes according to the same procedures and methods.
- Whether all sites included in the certification are ready to be submitted for certification at the same time. Sites not ready shall be excluded from the scope of certification.
The audit of the multi-site, including stage 1 and stage 2, is performed as per the procedure for initial audit. If more than one audit team is involved, UCS shall designate a unique audit leader responsible for consolidating the findings from all audit teams and producing a combined report.
At the time of the decision-making process, if any site has a nonconformity pending, certification shall be denied to the whole network pending satisfactory corrective action. Exclusion of a problematic site from the scope is not permitted at this stage.
Certification Document
- The certification documents shall identify the central office and a list of all sites to which the certification relates, indicating clearly the certified activities performed by the network.
- Certificates may be issued to the organisation for each site, provided they contain the same scope or sub-scope and make clear reference to the main certification document.
- UCS shall withdraw the entire certificate if the central office or any of the sites does not fulfil the necessary provisions for the maintenance of certification.
- UCS shall inform the organisation about additional requirements for granting multi-site certification. This document shall also be made publicly available on the UCS website.
Sampling
At least 25% of the sample should be selected at random. Site selection may include among others the following aspects:
- The sizes of the sites and the number of employees (e.g. more than 50 employees on a site)
- The complexity or risk level of the activity and of the management system
- Variations in working practices (e.g. shift working)
- Variations in activities undertaken
- Records of complaints and other relevant aspects of corrective and preventive action
- Any multinational aspects
- Results of internal audit and management review
Minimum number of sites to be visited per audit:
Square root of the number of sites, rounded up to the next whole number.
Square root of the number of sites with 0.6 as a coefficient, rounded up.
Same as initial audit. Where the management system has proved effective, may be reduced to y = 0.8vx.
Audit Times
- UCS shall justify the time spent on multi-site audits in an Audit Time Estimation Sheet. The number of man-days per site, including the central office, shall be calculated as per procedure.
- UCS may apply reduction in auditor time taking into account clauses not relevant to the central office and/or local sites, and shall record the reasons for such reductions. Sites which carry out most or critical processes shall not be subject to reductions.
- The total time spent on initial assessment and surveillance is the total sum of the time spent at each site plus the central office, and should never be less than that which would have been calculated if all the work had been undertaken at a single site.
Temporary Sites
A temporary site is one set up by an organisation in order to perform specific work or a service for a finite period of time and which will not become a permanent site (e.g. a construction site).
- Temporary sites covered by the organisation's management system may be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system.
- If the organisation desires to include temporary sites within the scope of certification, UCS shall do so under an agreement with the client organisation. Where included in the scope, such sites shall be identified as temporary.
Additional Sites
- An additional site is a new site or group of sites that will be added to an existing certified multi-site network.
- On application of a new group of sites to join an already certified multi-site network, each new group of sites should be considered as an independent set for the determination of the sample size.
- After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for future surveillance or re-certification audits.
Ready to Start Your ISO Certification?
Get a free proposal in 3–4 hours. Our team will guide you through every step.