Welcome back to the second part of this short series on Quality Management System certification for small businesses and start-up companies.
In this 4 part series, I will explain precisely what third-party certification involves, and how you can level up your business through this process.
The standard we will be focussing on is ISO9001:2015, as this is the most popular certified Quality Management System standard worldwide, with an estimated 1 million+ certifications.
In this article, I will discuss the certification process, including explaining why and how to appoint a Certification Body to independently certify your system.
Missed Parts 1 and 2? Read them here and here.
What is certification?
In the series so far we have been exploring the how and why of Quality Management System (QMS) implementation. Whilst I am a strong believer that a good QMS can significantly improve customer satisfaction and reduce costs, the bottom line is that for many companies the key driver is simply that they need to obtain the certification.
Holding a Management System certification such as ISO9001:2015 is a mark of confidence for you as a business, and it is often a pre-requisite for getting access to many tender opportunities, particularly with large primes and governments.
To get certified, an independent group known as a Certification Body will need to conduct an audit of your QMS to verify compliance with the standard and establish some confidence that the system you have implemented is effective in meeting the expected outcomes.
Certification is big business and is forecast to reach a market size of $40.53 billion USD by 2030 (see: Polaris Market Research). This hasn’t gone unnoticed, and in the past few years, there have been several high-profile mergers and acquisitions in the industry. In addition to this, there are also a number of smaller, boutique Certification Bodies popping up each year due to the relatively low barriers to entry as a professional services business.
Finding the right one to work with for your company is crucial, so in the first part of the article I am going to outline some important considerations and what I think makes some Certification Bodies better than others.

Who checks the checkers? Accredited and Non-Accredited certification explained
First and foremost it is important to understand the meaning of accredited certification, and the importance of working with an Accredited Certification Body.
An ‘Accredited’ Certification Body is one that is subject to oversight by an accreditation body. These accreditation organisations are typically appointed by the government or work on a not-for-profit basis, and oversee the Certification Bodies that deliver conformity assessment services – for example, UKAS are the sole national accreditation body for the United Kingdom and oversee the activities of most UK-based Certification Bodies.
The work of UKAS and others is very important, as it provides independent oversight to make sure that Certification Bodies are operating with integrity and delivering a fair and competent service to their clientele. Their oversight activities include things such as:
- Riding along with auditors and witnessing the delivery of audits – making sure the right questions are being asked, and auditors are professional and impartial in their approach.
- Reviewing audit reports for the Certification Body’s certified clients and making sure there is a sufficient amount of evidence to support a fair certification decision.
- Checking training records for auditors to make sure they actually have an appropriate level of competence or relevant previous experience to work with their clients.
All of this ensures there is a level of competence within the certification industry itself and the auditors working at ground level. There are many Non-Accredited Certification Bodies out there that claim to offer certification services for ISO series standards and others. However, as a Non-Accredited Certification Body, they would not be subject to any of the oversight I have described above. I would also note that many organisations at the top of the supply chain have become wise to this, and may not even recognise a non-accredited certification.
Working with an accredited Certification Body would be my #1 criterion for the selection of a certification partner, and I strongly advise that it is for you too. This information can usually be checked online through the accreditation body’s website. I have linked the UKAS-accredited organisations’ database here for convenience.

Deciding on a Certification Body to work with
As you start to work with prospective Certification Bodies on obtaining quotes for initial certification, it is crucial to understand what they are offering and whether that works for you.
Here are my top 4 considerations that you should have when going through this search process:
- Brand Credibility: How does their brand image come across?
Think about the brand and how it sits with your organisation. Perhaps the Certification Body has a strong reputation in certain industries or markets. For example, the Certification Body I worked for previously was a subsidiary of a maritime classification society, so had a very strong standing in anything related to shipping, offshore oil and gas, and wind technology. - Audit Personnel: Who are their auditors and where are they based?
Don’t be afraid to ask for resumes for the prospective auditors that may be utilised, and ask about their previous experience to check for best fit with your business. It is also worth asking about locality, as many Certification Bodies work on a ‘day rate + travel expenses’ basis. Engaging a Certification Body that doesn’t have local resources could significantly increase the total cost of your audit! - Customer Service: Can you get hold of someone when you need to, and are the office responsive to calls and emails?
Scheduling audit dates can be a stressful experience when you need certain people in the business to be available at certain times/dates, so having a reliable point of contact and great customer service definitely goes a long way. - Fees and Charges: What are you actually paying for?
Make sure to scrutinise the fees and charges in the contract. Beware of excessive charges for things like “licence fees” and “account management fees” as these can quickly offset a lower day rate. Whilst these fees are sometimes necessary for more admin-intensive specialist schemes such as AS9100 and IATF, I would certainly query why they are being added on for more general ISO series certifications.

The initial certification audit process
Once you have registered with your chosen Certification Body, it will be time to commence the initial certification process. For ISO9001:2015, this involves the completion of 2 audits known as the Stage 1 audit and Stage 2 audit.
Stage 1 is a high-level review of your Quality Management System and is primarily to make sure that the fundamental requirements of the standard have been addressed. It typically involves a review of key procedures and documents, and a site tour. In some cases, the Certification Body may elect to do this audit remotely via video call, as it is mostly documentation focussed and tends to be much shorter than the Stage 2 audit in duration. At the end of the audit, you will receive a report outlining any issues that need to be addressed prior to Stage 2. In some cases, the Stage 1 audit may need to be repeated if there are a significant amount of issues and the time until Stage 2 is not deemed sufficient to fix them.
Stage 2 happens next and is the deep dive audit that will cover all of the Quality Management System in detail, including the sampling of operational processes for compliance. This is the sharp end of the process, which will involve spending time with each operational function to evaluate how effectively the standard has been implemented. Any areas of major non-conformance will need to be fixed and closed prior to issuing the certificate of approval. However, in most cases, a recommendation to issue the certificate of approval with minor non-conformances can still be made (subject to an agreed corrective action plan that will be followed up at the first surveillance audit).
Closing thoughts
So that was a quick summary of the initial certification process and appointing a suitable Certification Body to come in and verify your system.
For many, this is one of the most critical and costly steps of the process. It can also be the most uncomfortable as it involves inviting a third party into your business to complete an audit. Although, hopefully, the guidance I provided in this article and previous instalments based on my experiences will help alleviate some of the stress for you!
Getting through the initial certification process and obtaining the ISO9001:2015 certificate of approval will certainly be a milestone event for your small to medium-sized company. It will be a great feeling when you are able to share this achievement with customers and potentially land a spot on even more tender lists.
However, in the subsequent weeks and months that pass after this milestone event, it is vital that you don’t take your eye off the ball. Getting the certification is just the beginning and running an effective Quality Management System should be a continual pursuit of improvement. Many organisations that sail through the initial certification process face an increased number of issues at their first-year surveillance (12 months later) from dropping the ball on maintaining the systems and processes that they set up.
Stay tuned for the fourth and final article in this series, where I will discuss maintaining your accreditation and continuing to improve your processes and operations.
As always, thanks so much for reading and feel free to reach out to me on LinkedIn.
#AssuranceWithAndrew
Connect with Andrew Milner on LinkedIn and find out more about Conflux Technology, the pioneering additive manufacturing and thermal technology company that he works for, by visiting their website: www.confluxtechnology.com