We’ve achieved ISO Certification… So, what now?
Achieving ISO Certification for your business is not an easy task. Anyone who has gone through this process before can relate to this, as it can be very demanding and time consuming. If you’re not familiar with the ISO Standard(s) and the Certification process, this process can require a huge learning curve and become a monstrous endeavour.
However, in saying that, when you achieve your Certification, you feel that the task is accomplished and that you can move on and focus on the next project. But is this true? Can we just forget about the Certification and wait until the next audit? The answer is a resounding “No!” – If you want to gain the full benefits, achieving Certification is just the beginning.
Upon achievement of ISO Certification, people tend to want to take a break from the project, and then inadvertently forget about the management system, leaving their management system without updates for months, with the first Surveillance Audit creeping up on them sooner than they think. Often a number of non-conformances, complaints and other issues are being left unidentified or open without addressing them, and the documented information is not keeping pace with operational changes and improvements in the business.
The lack of understanding of the ongoing activities required by the ISO Standard(s) can ultimately result in the loss of Certification at the first Surveillance Audit (12 months after initially achieving Certification), which is likely to cause a big headache for the organisation, as well as additional expenses (both directly and indirectly) in getting it back on track.
How can you prevent this scenario in your business?
Let’s run through what you need to do once your business has achieved ISO Certification.
Maintaining ISO Certification is subject to successful annual audits
The most common ISO Management System Certifications (i.e. ISO 9001, ISO 45001, ISO 14001, ISO 27001 etc.) are issued for a period of three years.
Certification is achieved upon successful completion of the initial Certification Audits (also known as External Audits) conducted by an Accredited Conformity Assessment Body (CAB), consisting of Stage 1 and Stage 2 Audits:
You will be required to address any adverse findings from these audits in order to achieve Certification. Once this is done, the auditor will assess if the issues have been appropriately addressed. If there are no further gaps, the CAB will issue your organisation with your ISO Certificate(s).
12 months after your initial Certification Audits, the CAB will conduct your first Surveillance Audit. The same process is followed for two consecutive years after your initial Certification.
Surveillance Audits are less intensive than your initial Certification audits. They are a “snapshot” in time of the auditor’s review to ensure the management system still meets the main elements and intent(s) of the ISO Standard(s). Not every element will be reviewed during a surveillance audit. If there are any gaps, a non-conformance is raised and the organisation is responsible for addressing such issues to ensure ongoing Certification.
At the end of year three, your management system will have to undergo a Recertification Audit. This process is similar to the initial Certification Audits (but a bit shorter and only one audit visit), and the aim is to verify that your management system continues to fully conform to all requirements of the Standard(s). Upon a successful outcome, the CAB will provide you with a newly issued certificate, and the 3-year Certification Cycle continues.
Ongoing management activities required by your business
To maintain your Certification and conform with the requirements of the ISO Standard(s) (in order to achieve successful annual audit results), you need to conduct a few activities on a regular basis.
Any identified gaps in your system can result in major or minor non-conformances OR improvement opportunities raised by the auditor. Depending on the severity of the identified issue, your organisation can be at risk of losing your ISO Certification as a consequence .
Below is a summary of the base-line activities you should conduct to meet the ongoing ISO management requirements:
1. Management Review & Business Planning Update
Management review meetings are required to be conducted and documented on a regular basis (at least annually). In this meeting you should revisit your business planning such as company objectives & targets, and other strategic and essential documentation such as interested parties analysis, SWOT/PESTLE analysis, as well as your business risk and opportunity assessment etc. You should ensure these documents are not only reviewed but also up-to-date.
2. Regular Internal Audits
The ISO Standards state that internal audits have to be conducted by an individual who is independent of the business process being audited, and who has been trained and deemed competent in conducting effective management systems internal audits. Ensuring the internal auditor isn’t usually involved in the processes being audited maintains the objectivity and impartiality of the internal audit process.
Internal audits are useful to find out if your management system processes and documents are up to date, relevant and reflecting how the actual activities, services and operations are conducted in the organisation. It is essential to conduct your internal audits regularly, for example, on a quarterly basis or as specified otherwise in your internal audit schedule.
Your internal audit schedule needs to cover your system requirements as well as the requirements of the ISO Standard(s) and take a risk-based approach.
If you need assistance with your internal audits, we have qualified and competent auditors ready to conduct your internal audits for your organisation. Check out this page for more information about our Auditing Services, or just call us on (+61) 1300 614 007.
3. Checkup on Open Issues
This should be a time for your team to check on any “open” and/or “work in progress” issues raised in your previous external and internal audits, and plan actions to address and close them out. When doing so, you have to take special attention in relation to issues reported in your previous external audits, such as Non-Conformances (NC), Opportunities for Improvement (OFI), or Observations (OBS).
For example, if the auditor finds that a previously-raised minor NC has not been effectively addressed by the time of the next audit it may turn into a major NC. A major system non conformity can jeopardize your ongoing Certification.
Here’s an overview of the entire 3-Year Certification Cycle with more detail, outlining the areas we can assist you with vs the activities your chosen CAB needs to conduct:
Planning is the key
Conducting regular internal audits, management reviews, business planning updates and checking on your open issues is an excellent way to start with your system ongoing management activities.
However, there is more to it and if you feel like you need a more structured approach you can schedule the necessary activities in your calendar. For example, conducting the employee performance reviews, documented team meetings, completion of records of Safe Work Method Statements, regular site safety inspections etc.
You can download a Certification Management Calendar tool by completing the form below, which can be used as a template for your regular ISO activities each day/week/month etc. You can adjust this to suit your individual needs (e.g. you can multiply the items you need to conduct more often or delete those you only need to conduct a few times a year). Of course, you can add as many new activities/tasks as you like based on your system requirements.
Get your FREE Certification Management Calendar today!
Benefits of a well-managed Business Management System
It’s important to highlight that conducting these ongoing activities is not only crucial to conform with the ISO Standard(s) requirements and maintain your Certification(s), but it also brings a number of benefits to your business, such as:
We hope that this blog has clarified how to manage your business system on an ongoing basis after achieving ISO Certification, resulting not only in successful ongoing ISO Certification but also business improvement.
We understand that without a dedicated and trained team, it can be difficult to conduct all of these activities on a regular basis. This is why we’re here to help, to take care of these for you, and you’ll have the peace of mind of knowing your ISO Certification is safe and your management system is well managed by qualified and experienced professionals.
About the author
Andressa (alias Andy) is the General Manager of ISO Certification Experts and ICExperts Academy, heading our Marketing department and coordinating the internal improvement initiatives and projects. With an MBA in Project Management, and over 10 years of experience in customer service and project management across many industries, she brings valuable knowledge to the business and our operations. Alongside her professional expertise, Andressa holds a genuine passion for sustainability and the environment.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.