How to Get ISO Certified: A Step-by-Step Process for Your Organization

Why Pursue ISO Certification?

ISO certification demonstrates that your organization meets internationally recognized standards for quality, safety, security, or environmental performance. It can unlock new markets, build customer trust, satisfy regulatory requirements, and drive internal efficiency improvements.

While certification is not legally mandatory in most cases, it is increasingly expected — particularly for organizations supplying to government bodies, large enterprises, or regulated industries.

Step 1: Choose the Right ISO Standard

Before anything else, identify which standard is most relevant to your organization's goals and industry. Common choices include:

• ISO 9001: Quality management — suitable for almost any organization.
• ISO 14001: Environmental management — for organizations managing environmental impact.
• ISO 27001: Information security management — essential for IT and data-driven businesses.
• ISO 45001: Occupational health and safety — for organizations prioritizing worker wellbeing.
• ISO 22000: Food safety management — for the food supply chain.

Step 2: Conduct a Gap Analysis

A gap analysis compares your existing processes, documentation, and practices against the requirements of your chosen standard. This identifies what is already in place and what needs to be developed, modified, or formalized.

You can conduct a gap analysis internally or hire an external consultant with expertise in the relevant standard. The output should be a prioritized action plan.

Step 3: Build Your Management System

Using your gap analysis results, develop or improve your management system. This typically involves:

1. Writing or updating policies, procedures, and work instructions.
2. Defining roles, responsibilities, and authorities.
3. Implementing risk management processes.
4. Setting measurable objectives and KPIs.
5. Training staff on the new or updated system.

Step 4: Run the System for a Period of Time

Certification bodies will expect evidence that your management system has been operating effectively — typically for at least three months. During this period, collect records, monitor performance against objectives, and begin conducting internal audits.

Step 5: Conduct an Internal Audit

An internal audit is a formal review of your management system against the requirements of the standard. It should be conducted by someone who is trained in auditing and who is independent of the processes being audited.

Document any non-conformances found and ensure corrective actions are taken and verified before proceeding to certification.

Step 6: Hold a Management Review

Top management must formally review the performance of the management system. This review considers audit results, customer feedback, objective performance, and opportunities for improvement. Document the outcomes and any decisions made.

Step 7: Select a Certification Body

Choose an accredited certification body (also called a registrar or third-party auditor). Accreditation by a recognized national accreditation body — such as UKAS (UK), DAkkS (Germany), or ANAB (USA) — ensures the certification will be widely recognized and credible.

Request quotes from multiple certification bodies and evaluate their experience in your sector.

Step 8: Stage 1 Audit (Documentation Review)

The certification process typically involves two stages. In Stage 1, the auditor reviews your documentation to ensure your management system is adequately designed to meet the standard's requirements. They will highlight any areas of concern to address before Stage 2.

Step 9: Stage 2 Audit (On-Site Assessment)

Stage 2 is an on-site audit where the certification body verifies that your management system is fully implemented and effective. Auditors will interview staff, review records, and observe processes. Any major non-conformances must be resolved before certification is granted.

Step 10: Receive Your Certificate and Maintain It

Upon successful completion of Stage 2, your organization is issued a certificate — typically valid for three years. During this period, you will undergo annual surveillance audits to confirm continued conformance, followed by a full recertification audit at the three-year mark.

Key Tips for a Successful Certification

• Secure genuine buy-in from senior leadership from the start.
• Involve employees at all levels — not just the quality team.
• Focus on building a practical, usable system — not just documentation.
• Address non-conformances promptly and thoroughly.
• Treat certification as a journey of continual improvement, not a one-time event.