ISO stands for the International Organization for Standardization. ISO is responsible for developing and publishing international standards.
ISO is responsible for the development of 23,573 international standards covering almost every industry. ISO establishes technical committees to develop these standards.
ISO standards are voluntary, but are often required by customers in order to do business with them.
Any ISO standard is meant to be a set of best practices for companies to follow. ISO standards are meant to provide ways to get the same outcome every time, whether it’s for quality, environmental performance, employee health and safety, cyber security, etc.
ISO standards are generally not prescriptive. This means that they state what the company needs to achieve, but not how they need to achieve it. This allows a company to establish a management system that is effective for them.
ISO standards were created by committees who identify and approve best practices for various industries, including quality, environmental, health & safety, medical, laboratory, It Security and many more.
The ISO standards set out to identify methods for controlling and improving elements for any company in any industry.
ISO certification is way to show your customers and the world that you adhere to industry best practices. ISO certification is achieved by an independent company, known as a certification body or registrar, who verifies / audits your management system to ensure you are meeting the standard requirements.
The initial certification happens in two stages:
Documentation review of your ISO management system to ensure you meet the ISO standard requirements. Basically, it’s a pre-check to ensure you have the ISO system in place and that you’re ready for the Stage 2 audit.
This is the main audit. In the Stage 2 audit, an independent auditor will verify that you are doing what you said you would do in the ISO management system reviewed during the Stage 1 audit. The Stage 2 audit is focused on evidence that you are meeting the ISO standard requirements. This evidence is obtained through employee interviews, observations, and review of records / data generated through operational processes.
The outcome of the Stage 1 and Stage 2 audit is Certification. ISO audits are not a pass or fail type of audit. Findings identified during these audits will need to be corrected before a certificate can be issued. In most cases, you will only need to provide the auditor with the corrective action plan that details how you will fix the issue and how you will prevent the issue from happening again.
Once all corrective actions are approved, you will be approved for ISO certification.
An ISO Certificate is typically good for three years. However, companies need to have an annual audit, at a minimum. In some cases, companies may have semi-annual audits.
The two years following your initial certification audit, your company will have a partial system annual audit, known as a surveillance audit.
This audit covers core processes, changes since the last audit, areas of findings from the last audit, etc.
On the third year, the year of the ISO certificate’s expiration, your company will have a recertification audit. This is a full system audit where all processes are once again audited. Following a successful completion of your recertification audit, your ISO certificate will be issued for another 3 years and the surveillance / recertification audit cycle continues.
The biggest regression that companies general face is between the initial certification audit and the first annual surveillance audit. Many companies will let out a sigh of relief once they pass their certification audit. This is when they typically stop following the requirements they laid out in their management system.
Then just prior to their first surveillance audit, companies panic as they are not ready to be audited.
The most important thing you can do is to treat your management system as your way of living. You need to live and breath or management system as if your business depends on it, because it should. Companies should ultimately build a management system that makes their company better, not build a management system to meet the requirements of a standard.
Ensure you have someone qualified to manage your system. It’s important to ensure you have a way to keep company accountable. If you don’t have that person, we can help.
We work with many companies as their ISO management system representative. We can customize a plan to ensure your system remains effective.