ISO audits and certification are important steps towards improving any business, so it is vital to learn more about ISO and the benefits your company can reap from a standardized quality and management review. Let’s explore how to prepare and pass an ISO certification audit and fulfill ISO requirements.
Table of contents:
6.1. Plan and prepare
What is an ISO audit?
Depending on which industry you work in, you likely have seen at least one ISO standard before. If you are wondering what an ISO standard is and what ISO audits entail, we have you covered.
There is no single ISO audit or standard. Being ISO-certified means that your organization has been found to align with industry standards. ISO standards and certifications carry a lot of authority, as the ISO (International Organization of Standardization) organization is an independent, non-governmental body. ISO was founded in 1947 and unites regulatory bodies from 167 different countries.
Some of the most common ISO standards that businesses seek to meet are ISO 50001, which audits a company’s energy usage, ISO 27001, which addresses information security, and ISO 9001, which ensures strict quality management.
The international standards that ISO publishes are carefully developed and evolve along with their ever-changing industries, as well as the public landscape. In response to the COVID-19 pandemic, for example, the organization released a guideline for the development of safer COVID testing methods in 2022.
ISO certifications ensure the quality and safety of products and services within a wide range of sectors. Covering industries from food safety to environmental or risk management, ISO is first and foremost a network that aspires to “make lives easier, safer and better”.
Successfully completing an ISO audit is your first step towards ISO certification. Use an ISO internal audit to check whether your strategies meet the required standards and either get certified from there or continue working on your objectives.
Why are ISO audits important?
ISO certifications are invaluable assets to any organization as they help promote a positive brand image. Proving that your product or service adheres to industry standards builds consumer trust and help you obtain market recognition.
In order to get ISO certified, you need to perform ISO internal audits to ensure
- the quality of your products or operations, for example by implementing a quality management system (QMS)
- that your workplace practices are compliant with ISO standards
- there are management strategies regarding global challenges, such as environmentalor data security challenges, in place
ISO audits have a clear purpose: they help assess your progress and evaluate your internal procedures. An internal audit process is valuable not only to ensure ISO compliance but also to keep track of your operations. This way, you can continuously figure out what does and doesn’t work, undertake corrective actions, and optimize your workflow. Implementing standardized systems and making sure they are maintained will save you time and money in the long run, and create an efficient business.
Depending what your business is trying to achieve, you will seek out different ISO standards. For example, if you want to reassure business partners of your data security measures, you’ll want to pass an ISO 27001 audit. And if, like many businesses, you are beginning to pay more attention to sustainability, ISO 50001 would be the standard to meet.
What types of ISO audit are there?
There are several types of ISO audits, and most play a role in every ISO certification process. There are three common types of audits that you need to know about: internal, supplier, and certification. They all serve different purposes and are relevant in their own right.
Before you start conducting your ISO internal audit, it is important to focus on the implementation of ISO standards first. Getting ISO certified is rewarding and beneficial, but it’s also a lengthy process that should be conducted carefully. You can work towards ISO certification internally or get in touch with a consultant for expert advice. Ask questions, set a system in motion to fulfill the requirements, and make a plan.
Once you have completed this step, it is time to get familiar with the audit types that await you.
The first-party audit
The first-party audit is widely known as the internal audit. During a first-party ISO audit, it is common to evaluate practices relating torisk management, varying operation processes, quality control, objectives, and documentation or resources.
ISO internal audits need to be scheduled and performed by an internal auditor. This auditor is usually part of a designated department within your company, however, the position can also be filled by an external auditing team.
First-party audits are especially important for the standards ISO 9001:2015, ISO 45001 or ISO 14001, but are used in other certifications as well. These audits help you establish and maintain healthy internal processes.
Often, internal audits can also function as gap analyses, which identify operational weaknesses within your company. Internal audits are incredibly useful and can highlight structural problems that you otherwise may not have uncovered on time.
The second-party audit
The second-party, or supplier audit, is important for manufacturers or retailers when assessing new potential suppliers. In a supplier audit, auditors evaluate health and safety strategies and appropriate processes. Generally speaking, as long as your operations involve a purchasing phase, supplier audits are necessary.
The standards and regulations vary per industry and supplier audits should be conducted every two years on average. This way, you can be sure your suppliers remain compliant. Supplier audits are usually carried out by a third-party inspector, but they can also be performed by a company’s internal team.
There are three different types of supplier audits.
- Announced audits; in an announced audit, the company is aware that an inspection is happening ahead of time. This means that they were given time to prepare, which can influence the authenticity of the audit.
- Unannounced audits; as the name suggests, unannounced audits occur spontaneously and without warning. Since there have been no preparations made, results provide a more accurate picture of day-to-day operations.
- Desktop audits; unlike announced and unannounced site inspections, desktop audits are conducted remotely. They check documentation or certifications in order to make sure suppliers are meeting the required standards.
The third-party audit
Also known as a certification audit, the third-party audit is carried out by an officially recognized certification body. Certification audits are performed every three years to oversee standard compliance. They are divided into two steps, and are generally only done if your organization can prove that it has implemented a management system for 2-6 months.
In the initial step, documents collected during a desk audit are checked for completeness. In the second step, ISO auditors conduct a compliance audit to examine procedures, instructions, and records.
These two steps are crucial, and if your company passes them without complaints, the inspectors of the certification body will recommend your company for an ISO certification. However, this isn’t the end – ISO certificates are usually valid for three years before they need to be renewed. In the time leading up to renewal, your company will be regularly evaluated and audited. In the fourth year, inspectors will perform a re-certification audit.
What are ISO standards and requirements?
Since it was founded, ISO has published over 24,000 standards which seek to achieve 17 sustainability goals, including eliminating poverty, improving education, climate action, and more. Since ISO standards are all quite different, it is impossible to create a general list of requirements. However, ISO themselves encourage you to view the standards regardless, as they are self-described as a “formula that describes the best way of doing something”.
The most popular standards fall into one of six categories.
- Quality Management Standards
- Environmental Management Standards
- Health and Safety Standards
- Energy Management Standards
- Food Safety Standards
- IT Security Standards
ISO 9001: “The world’s favorite standard”
One of the most-used standards is ISO 9001, a general quality management standard and part of the “ISO 9000 family”. This standard is often a prerequisite for many others, which is why ISO 9001 audits are quite common. The IATF 16949 audit, for example, defines guidelines for a QMS in the automotive industry and can be largely understood as an addition to ISO 9001:2015. Other standards, such as ISO 13485, which addresses quality management for medical devices, also use ISO 9001 as their baseline.
ISO 9001 is a powerful and versatile standard that can be used by any kind of organization, no matter its size. According to ISO, one million organizations across the globe adhere to ISO 9001 guidelines.
As with most standards, ISO 9001 has several levels of requirements that inspect a company’s management structure, customer relationships, and daily processes, so it’s a good idea to use an ISO 9001 audit checklist to keep track of everything. Since it is the world’s leading quality management standard, passing an ISO 9001 audit helps you to build trust, offer great quality services and products, and forge strong business relationships.
ISO/IEC 27001: Information security
ISO 27001 details requirements for information security management systems (ISMs) and is part of the ISO 27000 Family. Passing an ISO 27001 audit means that your organization practices good data security, and companies of any size benefit from these audits.
Organizations can effectively minimize security risk as well as prevent data loss and misuse by implementing ISO 27001. Even if you don’t obtain an ISO 27001 certification (which is not obligatory), meeting requirements by following an ISO 27001 checklist is beneficial to your organization.
How can you obtain an ISO certification?
What is ISO certification?
Before we get into the details about ISO certifications, their processes and benefits, it is important to note that the ISO network itself does not perform certifications. The institution develops and publishes the standards upon which certifications are based, but the certifications themselves are issued by an external certification body. Also, because there are so many different types of standards, there is no one set of ISO certification requirements.
An ISO certification is an endorsement for you and your organization. It proves to third parties that you have passed your ISO audit, comply with industry standards, and have implemented structures that ensure your business is stable and trustworthy. Depending on your industry and exact certification, this means that your services are outstanding, your products are high quality, and your customers are well taken care of. Such an endorsement is valuable for every organization.
In order to find the perfect certification body for you, ISO recommends that you
- evaluate several certification bodies and decide which you would like to work with.
- ensure that the body is accredited.
- asses whether the chosen body adheres to the appropriate CASCO standard.
It also helps to remember that not every ISO standard needs to be certified to be implemented successfully. Some ISO standards require a certification, while others are voluntary.
How much does ISO certification cost?
As there are so many different ISO standards, ISO certification costs vary greatly. They generally depend on the size of your organization and on how much or how little work you have already invested. Additionally, it may be that you want to get certified for more than one standard at a time, which can also drive up costs. Depending on your certification body, it can also lead to discounts. Some things which influence your expenses are
- organization size
- sector/industry in which you operate
- annual revenue
- number of employees
- surveillance audits
- cost of internal audits
- maintenance costs
Overall, it is best to request quotes from several certification bodies and choose the one that best suits your needs and budget.
How long does it take to get ISO certified?
As with costs, it is difficult to predict how long it will take for your organization to be fully ISO certified. The general timeframe is 3 to 6 months. If your business is particularly large, the certification process may take up to a year.
Some standards also take more time to be certified than others; it depends how well your existing systems meet ISO certification requirements and how extensive your documentation is.
In general, ISO certification audits are fairly long processes where
- you begin with an ISO internal audit. After you have completed this in accordance with your consultant’s advice, they will set up a review meeting with you in order to go forward.
- you remain in contact with your consultant to prepare all the necessary documents and procedures.
- documents are reviewed in the stage one assessment.
- an external auditor conducts the stage two assessment to observe the workings within your company in order to make sure that everything is in accordance with the standard.
How can you prepare for, plan, and conduct ISO audits?
As previously mentioned, becoming ISO certified can be a lengthy process that requires attention and careful planning in order to be successful. But with said planning, you can conduct ISO audits effortlessly and reap the benefits – whether you choose to actually get certified or not.
1. Plan and prepare
The first step to success is to prepare and plan appropriately. The more you anticipate, the more issues you can prevent. The best way to ensure you receive a certification is with an ISO audit checklist , and the most commonly used checklists are ISO 9001 audit checklists, ISO 50001 audit checklists, and ISO 27001 audit checklists.
These are the key steps of an ISO audit process.
- Review the ISO standard
It should go without saying that you need to review your chosen ISO standard extensively. Do so with a selected ISO management team and learn the standard inside and out in order to be able to fulfill requirements later.
- Implement management structures
In order to successfully pass an external examination, you need to ingrain an ISO mindset into the company culture. An ISO audit is never complete; you can always optimize or at the very least maintain the standards you have set out to achieve. If you implement a structured management schedule, review operations regularly, and address issues with an open mind, you are well on your way to certification.
- Perform internal audits regularly
Regular internal audits help identify issue, streamline your processes, and prepare you for your ISO audit. Be as diligent as possible so that your certification runs smoothly.
- Implement corrective actions
As soon as you identify problems, figure out their root cause and address them. Develop strategies to prevent them from occurring in the future. By regularly checking for problems, you are never left surprised.
It is equally important that you prepare your employees and inform them of the steps you are taking so that the whole organization can work as one to implement ISO standards and work towards a safer, higher quality business.
In order to successfully conduct an ISO internal audit, you need to first schedule a date and prepare your team for the audit. Give them all the necessary details regarding the standard and the audit so that they are aware of what to expect.
Strategize with your managers about the best timing for the audit and choose auditors to carry out the inspection. You can, of course, also assign more than one auditor, depending on the size of your organization.
Make sure that auditors pay attention to everything when conducting their audit. Give them an ISO audit checklist so they know what to look for. Let them suggest corrective actions and point out areas for improvement.
After the audit, the auditors will summarize their findings in a detailed report and discuss the inspection findings with you and your management team. Figure out how improvements can be made together, and develop strategies.
Once the audit is complete, it is important to circle back and review it once in a while. ISO audits are an ongoing process and optimization is always possible. ISO internal audit documents are great tools for reflecting on how far you’ve come, if you’re happy with the path you chose, and if there is anything that still needs improvement.
Preparing your organization for an audit in the most time and energy-efficient way possible is easy with Lumiform. After deciding which ISO certification you want, use one of our templates to check what is required, and make sure your business meets those requirements.