When an organization implements a management system according to one or more of the ISO management system standards, the usual next step is to get that management system certified by a certification body.
If an organization needs to certify its management system (according to ISO 27001, ISO 9001, ISO 14001, ISO 45001, AS9100, ISO 20000, IATF 16949, or ISO 13485), then it will need to choose a certification body. This article seeks to describe some criteria to be taken into account when choosing an ISO certification body.
Why does an organization need to choose a certification body?
Certification is the process of providing assurance that an organization complies with a set of requirements (e.g., an ISO standard). Who will provide that document, the certificate stating that an organization has implemented and is maintaining a management system?
A certification body is an independent third party responsible for the process of certification. Organizations use certification bodies in order to obtain independent recognition. Independent recognition is increasingly important in a globalized world where potential customers are not able to visit potential suppliers or service providers on the other side of the world.
Can an organization self-certify? It could, but what would be the credibility of that certificate - who would trust that certificate?
Importance of choosing the right certification body
Many organizations look at the choice of certification body as a choice between commodities, that is, looking for the lowest price. Of course, price is an important factor, but it is not the only one.
If your organization uses price as the only criterion, you may find yourself working with a certification body without any experience in your field, or one that has a bad reputation, or one that is not recognized by your potential customers.
An organization may find it useful to consider a certification body that is able to bring value to the relationship - more than just pure compliance recognition.
Things to consider when choosing a certification body
With so many ISO certification bodies to choose from, how can you make the right decision? There is no universal answer, as different organizations will value different things. However, here are some issues to consider when choosing a certification body, in order to be able to capture more value than just getting a piece of paper saying that you are certified.
Reputation. If you want to use your certificate for marketing purposes, you probably don’t want to get the certificate from a certification body that is known to give them away with no criteria whatsoever. You should choose a certification body with a solid - if not perfect - reputation.
Accreditation. Actually, anyone can give you a piece of paper saying that you are certified, but not everyone is accredited (i.e., licensed) to do so - therefore, you need to check whether that certification body has accreditation, that is, if they have a license from the local government body in your country. For example, in the United Kingdom, this body is UKAS; in the United States, it is ANAB. To learn more about accreditation, read this article: Accredited ISO certification versus non-accredited: What it means and why it matters.
Specialization. If you are a bank, it is actually not a very good idea to have a certification body that has previously certified only manufacturing companies. Their auditors may have a lot of experience in quality, or environment, or safety, or information security, but if they have audited only manufacturing companies, you will lose too much time explaining to them how the bank works - as a result, they will be learning much more from you than you will from them.
Experience. Even if you might wish to choose an auditor with little experience to get by easily, it is actually in your best interest to have an experienced auditor because, otherwise, you might miss out on some valuable insights. So, do not be afraid to ask which auditor will audit you; ask for his or her CV and/or a list of companies he/she has audited.
Integrated audit. You may be starting with ISO 27001, but if you also plan to implement ISO 14001, ISO 9001, or other standards, you can actually ask your certification body to do a so-called integrated audit, instead of hiring separate ISO 27001 and ISO 9001 certification bodies. This means you won’t have to go through separate audits for each and every system (and pay the full fee for each of them); instead, you can do one audit for all of these systems together - not only will you save time (an integrated audit takes less time than several separate audits), but also - yes, you will pay less. To learn more about integrated management systems, check out this article: How to implement integrated management systems.
Flexibility. If the certification body has to fly in the auditor from another continent (because they don’t have anyone locally), it will be very difficult for you to change the date of the audit (e.g., if you don’t finish your project on time, or some other problem comes up), since all the travel arrangements would have been made already.
Maturity. If your organization has a timeframe to become certified, for example, because of a commercial commitment, and the management system is recent, the maturity of the management system could be an issue. So, ask certification bodies about their requirements regarding maturity of the management system before certification.
Language. Even though the certification body might provide a translator if necessary, the audit will go much more smoothly if the auditor speaks your language. He will read your documents much more easily, and you will be able to develop a better relationship with him if there is no language barrier.
Tips for choosing a certification body
Start by asking yourself what benefits your organization wants to get from certification. From there, you can start designing a set of criteria to fit your particular situation. So, for example, some organizations choose a particular certification body because it has a reputation among potential clients due to their experience and expertise. Other organizations choose a certification body known among the main export markets.
Start the search for a certification body early. Most organizations start choosing a certification body at the end of the management system implementation. You can start earlier, asking for quotes from at least a couple of ISO certification bodies, and asking them what other benefits they can provide besides the certification audit. For example, perhaps they can provide advice about the scope of your management system.
Check which certification bodies are used by your main clients or competitors. Perhaps these certification bodies have more knowledge about your economic sector and may bring valuable improvement tips.
Check what services are included. When comparing costs, make sure you are comparing similar items, like checking if travel expenses or documentation review are included.
Then, contact your short list of ISO certification bodies and ask them for a meeting to address your questions and evaluate their potential to be partners in more than just compliance evaluation.
Price is not the only criterion
Choosing a certification body can be much more than just comparing prices in a commoditized market. Your organization can think beyond just compliance. Many organizations forget that they are the ones choosing and paying the certification body. Of course, certification bodies need to follow a code of conduct and their internal processes, and if your management system does not comply with the standard(s), they have to raise nonconformities. But they may introduce a fresh, outside look that brings value to your management system. So, do your due diligence and choose the right certification body according to what is valued by your organization.
Carlos Pereira da Cruz has more than 25 years of experience working as a consultant, trainer, and auditor with ISO 9001 and ISO 14001. He is the author of several books on strategic management, ISO 9001, and ISO 14001, as well as a 9001Academy author.