Comprehensive Guide to ISO 9000 Certification and ISO 9000 Training

By Andy Marker | August 24, 2017 (updated September 17, 2021)

If you’ve heard anything about ISO 9000, it may well be about the certification and auditing processes. These can seem daunting, but depending on business needs, organizations may have a choice to follow ISO 9000 without being certified. If your company does choose certification, find out how to view this complicated process in manageable steps.

In this guide, we’ll discuss why your organization might choose certification, and look at a timeline of possible steps toward achieving that goal. We’ll consider the different types of training available and which courses suit various roles. You’ll learn how much certification costs, how much time you’ll need to invest, and how to find an accreditation certification company. Finally, experts will offer advice on how to survive the auditing process. 

What Is ISO 9000?

ISO 9000 is a series or family of standards issued by ISO, the International Organization for Standardization, that describes best practices for quality management. The standards cover all aspects of organizations including facilities, people, training, services, and equipment. When organizations follow the standards, they demonstrate that they can consistently provide real and transactional deliverables that meet customer needs and adhere to regulatory requirements. The standards can also help organizations improve the quality of deliverables, and thereby increase customer satisfaction. 

ISO 9000 standards are intended for profit and nonprofit organizations both large and small. Although its roots are in manufacturing, the most recent revision in 2015 particularly addresses its usefulness in other industries, including service and transactional sectors. 

ISO 9000 names both the series and the introductory standard, which covers fundamentals of what a quality management system should look like, defines vocabulary, and describes the seven quality management principles of ISO 9000. Other documents in the current 9000 series include:

  • 9001: A description of the requirements framework for creating a quality management system. Particularly in its most recent revision, ISO 9001 is generic to accommodate all types of endeavors and businesses. Organizations are certified only in 9001 because it is the only standard with requirements. 
  • 9004: A less commonly discussed document, 9004 describes ways to sustain quality improvements.
  • 19011: This document provides guidance on conducting internal and external audits to ensure that quality systems conform to 9000 guidelines.

Representative ISO organizations in over 70 countries contribute to creating and revising ISO standards, including ISO 9000. (In the United States, the organization is ANSI, the American National Standards Institution, and in Canada, it is the SCC, the Standards Council of Canada.) Standards are periodically updated to account for changes in the business environment, technology advancements, and to provide an understanding of best practices. ISO issued updates in 1994, 2000, and 2008, and most recently in 2015, which new adoptees and existing certificate holders are beginning to implement. Revised documents are labelled by the year of their revision, such as 9001:2008.

Launched in 1987, ISO 9000 is based on the British standard BS-5750 released in 1979 to consolidate many requirements of assorted stakeholders. ISO 9000 is part of a century-long effort to not only improve quality and better serve all customer needs and safety concerns, but also increase consistency in output as supply chains became longer and more global. Over a million certificates have since been issued worldwide.

Besides ISO 9000, the ISO body issues over 21,000 standards governing everything from the management of aerospace, telecom, computer software, food safety, electromechanical technology and, most recently, managing sustainable events. The standards include ISO/IEC 90003 for software engineering, ISO 17582 for electoral organizations at all levels of government, and ISO 18091 for local government. These standards are complementary to ISO 9000 quality management in bringing best practices specific to those areas.

Learn more about the history of ISO and how it can help organizations in The Ultimate Guide to ISO 9000.

What Does It Mean to Be an ISO 9001 Certified Organization?

Many organizations choose to be formally certified as ISO 9000 compliant, which means becoming ISO 9001 certified. To be certified, an independent certification organization audits your company or organization to ensure that your processes are in line with ISO requirements. Once certified, your organization may then display the seal of certification on your website and products. Certification informs customers and partners that you have a quality management system in place, and that processes and deliverables should be consistent. Certification may be a prerequisite to working with certain customers, in particular government clients.

ISO 9000 Principles
ISO 9000 has seven recognized principles: customer focus, engagement of people, leadership, process approach to quality management, continual improvement, fact-based decision making, and relationship management.

What Are the Benefits of ISO Certification?
All systems have positive and negative aspects. A certificate is no guarantee of efficiency or quality deliverables. However, over the past 30 years, many organizations have experienced real benefits after performing the work to achieve ISO 9001 certification including:

  • Increased efficiency and reduced costs.
  • Increased involvement of management in business and increased employee empowerment.
  • Increased reassurance to customers and other stakeholders that deliverables are produced with consistent processes and are of a consistent quality.
  • Potential acceptance into a global supply chain.

Disadvantages to Certification
Certification and ISO 9001 requirements themselves are not without criticism. Here are some of the misgivings voiced by users:

  • The standards themselves are written in jargon. The standards were based on a military model, and some jargon remains. However, the most recent revision leans farther towards plain language.
  • If you certify, your organization will end up buried in procedures and documentation. Again, the original model focused on procedures and documentation, and some organizations were certified on paperwork alone. The 2015 version does not specify that documentation is essential and is more interested in what people do than what they write down.
  • It takes a long time to certify. Even for small companies, certification can take at least six months.
  • Certification is expensive. Training and auditing can cost a minimum of several thousand dollars.

If Organizations Follow ISO 9000, Are They Required to Be Certified?

No, certification is not a requirement. Organizations can derive the benefits that come from being more aware of the root causes of problems and increase quality simply by following ISO 9000 prescriptions. Andy Nichols, Quality Program Manager for the Michigan Manufacturing Technology Center, gives the example of a small North Atlantic Treaty Organization (NATO) supplier he worked for that followed ISO 9000, but for whom it would have been impractical to certify because the customer conducted their own audits. 

 

How to Start ISO 9001 Certification

Whether you decide seek certification or merely want to implement ISO 9001 standards, there is a path to achieve your goal. You can start by buying copies of the ISO 9000 and 9001 standards. These documents are widely available as paid downloadable PDFs or other electronic documents, and may be cheaper from another country. The content is always the same, but each issuing country will have a different cover and the name of its representative ISO organization. Now that a new version exists, ensure that you get the 2015 version.

These are some of the steps you might follow in the course to certification

  • Preparation
    • Gap Analysis: Perform this analysis to compare the difference between actual performance and potential or desired performance to determine in what ways your organization is and is not compliant with ISO 9001. For more ideas, see our gap analysis templates.
    • Value Stream Mapping: Understand your processes through value stream mapping. You can potentially include every part of your organization, such as human resources and technical publications.​
       
    • Determine Context: Consider what your organization really stands for, and clearly identify your customers and their requirements.
    • Management Support: Get management and leadership buy-in for the ISO 9000 efforts.
    • Conduct a Risk Analysis: Understand how problems appear in process steps, evaluate those risks, and anticipate opportunities. 
  • Project Planning
    • Determine whether you’ll create an internal team, hire consultants, and which registrar, or certification body, you’ll choose.
    • Consider whether you need to produce a quality manual and identify procedures. Other documentation you may need might include checklists, guidelines, and training materials. 
  • Training
    • Introduce concepts if ISO is completely new to team, or salient changes if transitioning to a newer version.
  • Do the Work
    • Redesign your processes as needed, and document the changes. 
    • Train employees on the new quality management system (QMS).
    • Update procedures as necessary.
    • Follow a production cycle using the new QMS and procedures.
  • Internal Audit
    • Now that you’ve run through your new system, see how closely it actually hews to the new procedures.
    • Take corrective actions, if necessary.
    • Review the system to ensure you’re ready to submit an application.
  • External Audit
    • Submit documentation and audit records to registrar.
    • Auditor visits.
    • Show and tell the auditor what you do. 
    • If the auditor says you must take corrective action, fix it, and then have the auditor come again to verify.
  • Register Your Certificate
  • Go Forth and Conquer!

 

Get Ready to Get Certified for ISO 9001

Download Plan to Get ISO 9001 Certified - Excel

Excel | Smartsheet

How Long Does an ISO 9001 Certification Process Take?

How long it takes to complete the certification process depends on how much your organization already practices quality management, and ISO 9000 principles specifically. Your customers may already perform audits and have requirements in place. If ISO 9000 is new to you, becoming ISO 9001 certified can take longer, especially if implementing new practices means changing entrenched behaviors. 

Organization size affects the length of time to certify. “Smaller [company size] equals quicker, and larger equals longer,” says Nichols. For a small organization with a staff of five to 10, the process may take a minimum of six months, and for larger organizations with multiple locations and hundreds or thousands of employees, it can take 18 months or more. 

The number of days an auditor spends performing an initial audit is actually prescribed by the International Accreditation Forum (IAF) in Mandatory Document 5. The time the audit takes is based on the number of employees in an organization, the level of safety and health risk of your product, and other factors. You can calculate an estimated length of an auditor’s visit to your establishment by reviewing “Annex A - Quality Management Systems” in Mandatory Document 5. The definitions for these criteria are outlined in the rest of the document.  

How Much Does ISO Certification Cost?

Costs can be substantial. Copies of standards alone can cost $120 or more per copy. Costs include any courses that quality team members or others need, consultants fees, and the auditor’s time. According to Nichols, auditor costs are approximately $1,300 per day. For a small organization, the minimum for everything might be $10,000 to $15,000. 

What Are ISO Certification Companies?

Certification companies, called registrars in the U.S. and Canada, provide external audits and issue ISO certificates. Before you choose a registrar, ensure that they are accredited for your certifying standards. 

National standards bodies that accredit entities that follow the IAF accreditation scheme provide a well-regarded accreditation. The IAF and ISO work closely to maintain mutual recognition. Accreditation means that practitioners can prove a minimum standard of knowledge. Verification may include a visit to a client to observe the registrar in an audit. Accreditation must be renewed every four years.

ISO 9000 Training

Training serves two markets: people preparing their company for certification and taking internal audit training, and people training to become external auditors to either work for a registrar or establish their own consultancy. 

For organizations looking to certify, as Nichols says, “It’s all over the map.” Training and preparation materials for certification includes offerings from downloadable templates for around $1,000 - what Nichols calls “ISO in a can” - to packages guaranteeing 24/7 support that cost several thousand dollars. 

Training can include classroom experience or self-paced online courses. More complex trainings for ISO 9000 program managers and auditors, including customer auditors, may be combined with a speciality such as medical devices. Complex training is often classroom-based, takes 20 or more hours, and costs $1,500 or more. Other trainings for organization leadership, team leaders, and personnel involved in ISO may include topics such as overviews of 2015 updates. This type of content may be delivered online, takes under 10 hours to complete, and costs around $250. 

For individuals, ISO auditing is not considered a viable career path, and involves considerable yearly travel. However, establishing oneself as a consultant can sometimes prove lucrative. “There’s not a huge draw for people coming into the industry,” Nichols adds. That’s a risk for the industry as many people who’ve studied ISO 9000 since its inception and worked as auditors begin to retire. 

The Quality Manual 
In previous versions of ISO 9000, the quality manual that a company created was the essential deliverable. A few parts were required:

  • A statement of what quality meant in your organization, how you intend to achieve it, and how you measure your success. 
  • The documentation that described how you do everything in your organization that falls under ISO 9001. 

“Traditionally, quality manuals have restated the ISO 9001 requirements almost to the point of copyright infringement,” explains Nichols. “As a result, they have been seen as little to no value. This is worsened by the fact that restating the standard – which wasn’t written using common business language terms – made for a difficult read.” 

9001:2015 does not mention the quality manual. But, as Nichols notes, customers or regulatory agencies may still require one. You can capture and present this content in any way that suits your organization and users, and can be in print or online. It does not have to follow a prescribed template, but it should be clean and readable.

You can describe processes through procedures, diagrams, guidelines, checklists - whatever your team members will use. The language doesn’t have to be riddled with jargon. In fact, you should be written in plain English as concisely as possible to convey essential and important concepts. Like strong documentation for any other purpose, the quality manual should be usable. Nichols shares a favorite template that you can adapt and customize for your purposes.

 

Quality Manual Template WORD

Download Quality Manual Template

Word | Smartsheet

Must ISO 9001 Certification Be Renewed?

Certification and renewal is voluntary, and based on your business requirements. You can choose not to renew, and for certification bodies with IAF accreditation, you can choose to renew with another registrar while your certificate is in good standing. The old certification body must cooperate with the new registrar, and the old registrar cannot suddenly revoke the certificate.

Why would an organization choose another registrar? In some cases, large organizations consolidate registrars for all certificates. It’s also a question of customer service, and whether a particular certification body seems to be offering good value for the money. Nichols suggests these possible criteria for changing:

Value of Audits

  • Does the auditor look only at compliance to a set of requirements?
  • Does the auditor look at the value the quality system brings to the organization?
  • Is the auditor competent in the client’s industry?
  • What’s the overall approach to the client by the assigned auditor or auditing team?

Customer Service from the Registrar’s Office

  • Is there technical support available to understand requirements and discuss issues affecting the audits?
  • Are office-based staff responsive to the needs of clients?
  • Is scheduling audit time done effectively?
  • Is invoicing for services clear, accurate, and timely?
  • Are there additional services the registrar provides, such as webinars or blogs?
  • What are the cost of audits, including duration, day fees, and other expenses?

Nichols notes that although some organizations don’t like the upheaval of frequently changing registrars, auditors who are familiar with an organization may become less attentive to detail, thereby decreasing the organization’s opportunities for improvement.

Certifications for ISO 9000 generally last for three years, which is based on an old British Ministry of Defence supply chain standard. However, a shorter annual audit is required to keep your certification in good standing. Audits for a second renewal are less substantial than for an initial audit. The formula for annual and renewal audits is also prescribed in the IAF Mandatory Document 5.

Updating a certification based on revisions of ISO is also voluntary.

ISO 9000 Auditing

If you choose to formally certify your organization, audits occur after you’ve implemented your refined processes. There are three types of audit:

  • First Party Audit: Also known as the internal audit, the first party audit checks that newly minted processes run according to new procedures. Auditors provide feedback to so you can correct any gaps.
  • Second Party Audit: This is typically a customer audit to ensure that processes run according to customer requirements. These audits can also occur for organizations that are not certified and are not undergoing certification.
  • Third Party Audit: Also called an external audit, this is conducted by a representative of a registration company. Successful completion leads to ISO 9000 or other standard certification.

Audits often begin when your documentation, including the quality manual and procedures, are sent for the desk audit, which the registrar performs. The auditors then perform a site visit of at least two days follows, where they observe and ask questions to determine if the organization is ISO compliant and to gauge employee knowledge of procedures. Questions are asked along the following model:

  • Tell me what you do. 
  • Show me where it says that in the procedures. 
  • Prove you did what you say through the documented records. 

If serious infractions exist, you must correct them. At this point, the auditor then returns to verify that corrections are in place. The candidate organization pays the cost for the auditing fees, plus the auditor’s travel and hospitality costs. 

How Do You Survive an ISO 9000 Audit? 

In his job as Quality Program Manager for the Michigan Manufacturing Technology Center, Andy Nichols often meets certification candidates. He says people often ask what auditors will ask. He tells his clients that he can’t guess that, but he can tell them what they need to know and to do. “Then they feel a lot more confident,” he adds. 

To survive an audit, everyone involved must own what they do. “It’s almost like a show and tell at school,” he explains. “Whether you’re management who own the process, or employees with activities related to a process, overwhelm the auditors with your knowledge of the process. Don’t wait to be asked. Tell, tell, tell.” 

 

He advises that hesitance can be interpreted as a lack of confidence, which an auditor can interpret as the potential inability to solve problems if they arise. “Giving an auditor a pause for thought by a lack of explaining can make it seem that effectiveness or compliance is not there, and they will start digging in for problems.”

What if your organization fails the audit? First, not every nonconformity is a failing offensive. For example, administrative errors can include filing documents somewhere other than what’s indicated in the procedures. Auditors can still provide a certificate while requiring that the errors be corrected within 30 days. 

Other infractions are more problematic. Not being in compliance with direct ISO requirements, for example, is a cause for rejection. Issues also arise when documentation does not match processes or where the processes simply don’t work. Some nonconformities may take months to amend, such as calibrating all gauges. However, Nichols advises that such stark failures are rare in the 21st century because so much information exists in cultural awareness, on the  Internet, and on social media. Most organizations are well prepared by they time they have their audit. “Very rarely these days do companies not have a clue,” he says. 

What About Transitioning from 9001:2008 to 9001:2015?

ISO released the revised 9000 standards in 2015, and these changes are gradually rolling out to organizations. Some of the salient points of the revision include:

  • Risk-Based Thinking: Identifying problems and opportunities ahead of time, rather than simply applying corrective actions. 
  • Real Support from Management: Leadership must understand and evangelize for quality standards, not just sign off on resource requests.
  • Better Understanding of Stakeholders: The organization must understand the context of what it is doing, who does it, who it is doing it for, and why. 

The new version even provides something for those who haven’t explored ISO 9000. According to Nichols, “2015 makes it a lot easier for companies to comply. Now is a good time for organizations that don’t have certification to set the myths aside, and look at 2015. It’s there to guide companies to meet their strategic goals.”

You can learn more about ISO 9000:2015 by checking out ISO 9000:2015 In Plain English and ISO 9000:2015. How to Use It.

Delivering Quality Management with Improved Processes in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

 

 

Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk. 

These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Learn More About Smartsheet for Project Management