Guide for after achieving ISO Certification - maintaining ISO Certification

Achieving ISO Certification for your business is not an easy task. Anyone who has gone through this process before can relate to this, as it can be very demanding and time consuming. If you’re not familiar with the ISO Standard(s) and the Certification process, it can involve a steep learning curve and become a monstrous endeavour.

However, in saying that, when you achieve your Certification, you feel that the task is accomplished and that you can move on and focus on the next project. But is this true? Can we just forget about the Certification and wait until the next audit? The answer is a resounding “No!” – If you want to gain the full benefits, achieving Certification is just the beginning.

Upon achievement of ISO Certification, people tend to want to take a break from the project, and then inadvertently forget about the management system, leaving it without updates for months while the first Surveillance Audit creeps up on them sooner than they think. Often a number of non-conformances, complaints and other issues are left unidentified, or open and unaddressed, and the documented information does not keep pace with operational changes and improvements in the business.

The lack of understanding of the ongoing activities required by the ISO Standard(s) can ultimately result in the loss of Certification at the first Surveillance Audit (12 months after initially achieving Certification), which is likely to cause a big headache for the organisation, as well as additional expenses (both directly and indirectly) in getting it back on track.

How can you prevent this scenario in your business? 

Let’s run through what you need to do once your business has achieved ISO Certification.

Maintaining ISO Certification is subject to successful annual audits

The most common ISO Management System Certifications (i.e. ISO 9001, ISO 45001, ISO 14001, ISO 27001 etc.) are issued for a period of three years. 

Certification is achieved upon successful completion of the initial Certification Audits (also known as External Audits) conducted by an Accredited Conformity Assessment Body (CAB), consisting of Stage 1 and Stage 2 Audits:

  • Stage 1 Audit: The auditor conducts a review of the documented information that makes up your management system, and verifies that you have effectively addressed every clause of the relevant ISO Standard(s), checking that you are ready for the entire Certification process.

  • Stage 2 Audit: The auditor verifies, via sampling across your management system and operational practices, that you are actually doing what your management system says you do, i.e. that the management system is implemented in the business and that it’s effective for your organisation.

You will be required to address any adverse findings from these audits in order to achieve Certification. Once this is done, the auditor will assess if the issues have been appropriately addressed. If there are no further gaps, the CAB will issue your organisation with your ISO Certificate(s). 

12 months after your initial Certification Audits, the CAB will conduct your first Surveillance Audit. The same process is followed for two consecutive years after your initial Certification.

ISO Certification External audit cycle

External Audits (Conducted by CABs)

Surveillance Audits are less intensive than your initial Certification audits. They are a “snapshot” in time of the auditor’s review to ensure the management system still meets the main elements and intent(s) of the ISO Standard(s). Not every element will be reviewed during a surveillance audit. If there are any gaps, a non-conformance is raised and the organisation is responsible for addressing such issues to ensure ongoing Certification.

At the end of year three, your management system will have to undergo a Recertification Audit. This process is similar to the initial Certification Audits (but a bit shorter and with only one audit visit), and the aim is to verify that your management system continues to fully conform to all requirements of the Standard(s). Upon a successful outcome, the CAB will provide you with a newly issued certificate, and the 3-year Certification Cycle continues.

Ongoing management activities required by your business

To maintain your Certification and conform with the requirements of the ISO Standard(s) (in order to achieve successful annual audit results), you need to conduct a few activities on a regular basis.

Any identified gaps in your system can result in major or minor non-conformances or improvement opportunities raised by the auditor. Depending on the severity of the identified issue, your organisation can be at risk of losing your ISO Certification as a consequence.

Below is a summary of the baseline activities you should conduct to meet the ongoing ISO management requirements:

1. Management Review & Business Planning Update

Management review meetings are required to be conducted and documented on a regular basis (at least annually). In this meeting you should revisit your business planning such as company objectives & targets, and other strategic and essential documentation such as interested parties analysis, SWOT/PESTLE analysis, as well as your business risk and opportunity assessment etc. You should ensure these documents are not only reviewed but also up-to-date.

2. Regular Internal Audits

The ISO Standards state that internal audits have to be conducted by an individual who is independent of the business process being audited, and who has been trained and deemed competent in conducting effective management systems internal audits. Ensuring the internal auditor isn’t usually involved in the processes being audited maintains the objectivity and impartiality of the internal audit process.

Internal audits are useful to find out if your management system processes and documents are up to date, relevant and reflect how the actual activities, services and operations are conducted in the organisation. It is essential to conduct your internal audits regularly, for example, on a quarterly basis or as specified otherwise in your internal audit schedule.

Your internal audit schedule needs to cover your system requirements as well as the requirements of the ISO Standard(s) and take a risk-based approach. 

If you need assistance with your internal audits, we have qualified and competent auditors ready to conduct them for your organisation. Check out this page for more information about our Auditing Services, or just call us on (+61) 1300 614 007.

3. Checkup on Open Issues

This should be a time for your team to check on any “open” and/or “work in progress” issues raised in your previous external and internal audits, and plan actions to address and close them out. When doing so, you have to pay special attention to issues reported in your previous external audits, such as Non-Conformances (NC), Opportunities for Improvement (OFI), or Observations (OBS).

For example, if the auditor finds that a previously raised minor NC has not been effectively addressed by the time of the next audit, it may turn into a major NC. A major system non-conformity can jeopardise your ongoing Certification.

Here’s an overview of the entire 3-Year Certification Cycle with more detail, outlining the areas we can assist you with vs the activities your chosen CAB needs to conduct:

3-Year Certification Cycle Diagram

Planning is the key

Conducting regular internal audits, management reviews, business planning updates and checking on your open issues is an excellent way to start your system’s ongoing management activities.

However, there is more to it, and if you feel like you need a more structured approach, you can schedule the necessary activities in your calendar, for example employee performance reviews, documented team meetings, completion of records of Safe Work Method Statements, regular site safety inspections etc.

Click here to download an ISO Management Calendar tool, which can be used as a template for your regular ISO activities each day/week/month etc. You can adjust this to suit your individual needs (e.g. you can multiply the items you need to conduct more often or delete those you only need to conduct a few times a year). Of course, you can add as many new activities/tasks as you like based on your system requirements.

Benefits of a well-managed Business Management System

It’s important to highlight that conducting these ongoing activities is not only crucial to conform with the ISO Standard(s) requirements and maintain your Certification(s), but it also brings a number of benefits to your business, such as:

  • continual improvement of your business operations and your management system which can result in improved customer satisfaction, cost reduction, improved system control and evidence-based decision making;

  • being up-to-date with business, legal and industry changes through regular review of your legal and industry requirements, the business’ strategy, trends, objectives and targets, risks and opportunities;

  • leadership commitment and involvement of top management in the management system implementation;

  • reduced number of injuries, incidents, accidents, near misses, non-conformances through a documented risk-based approach and improved processes;

  • employee satisfaction and commitment to achieve the best results they can through a systemised and documented approach;

  • engagement of people at all levels through ongoing communication, seeking and implementing their feedback, documented lessons learned and more…

We hope that this blog has clarified how to manage your business system on an ongoing basis after achieving ISO Certification, resulting not only in successful ongoing ISO Certification but also business improvement.

We understand that without a dedicated and trained team, it can be difficult to conduct all of these activities on a regular basis. This is why we’re here to help, to take care of these for you, and you’ll have the peace of mind of knowing your ISO Certification is safe and your management system is well managed by qualified and experienced professionals.

If you’d like our assistance with ongoing management activities to keep your ISO Certified Management System working for your organisation, call us now on 1300 614 007, email us, or book your FREE strategy session.

About the author

Project Coordinator at ISO Certification Experts

Andressa supports all of our Client and Internal Projects and keeps us on track. She holds an MBA in Project Management and has more than 10 years’ experience in customer service and in the interior design industry. She’s also passionate about sustainability and the environment.