How to choose an ISO certification body

When an organization implements a management system according to one or more of the ISO management system standards,?the?usual?next step is to?get?that?management system certified?by a certification body.

If an organization needs to certify its management system (according to ISO 27001, ISO 9001,?ISO 14001, ISO 45001, AS9100, ISO 20000, IATF 16949, or ISO 13485), then it will need to choose a certification body. This article seeks to describe some criteria to be taken into account when choosing an ISO certification body.

Why does an organization need to choose a certification body?

Certification is the process of assuring that an organization complies with a set of requirements?(e.g.,?an ISO standard). Who will provide that document, the certificate stating that an organization has implemented and is?maintaining?a management system?

A certification body is an independent third?party responsible for?the?process of certification. Organizations use certification bodies to obtain independent recognition. Independent recognition is increasingly important in a globalized world where potential customers are not?able?to visit potential suppliers or service providers on the other side of the world.

Can an organization self-certify? It could, but what would be the credibility of that certificate – who would trust that certificate?

Importance of choosing the right certification body

Many?organizations look at the choice of certification body as a choice between commodities, that is, looking for the lowest price.?Of course,?price?is an important?factor, but it is not the only one.

If?your?organization uses price as the only?criterion,?you?may find?yourself?working with a certification body without any experience in your field, one that has a bad reputation, or one that is not recognized by your potential customers.

An organization may find it useful to consider a certification body?that can bring value to the relationship?–?more than just pure compliance recognition.

Things to consider when choosing a certification body

With so many ISO certification bodies to choose from, how?can you?make the right decision? There is no universal answer,?as?different organizations will value different things. However,?here?are some issues to consider when choosing a certification body,?to be able to capture more value than just getting a?piece of paper saying that you are certified

Reputation.?If you want to use your certificate for marketing purposes, you probably don’t want to get the certificate from a certification body that is known to give it away with no criteria whatsoever. You should choose a certification body with a solid?–?if not perfect?–?reputation.

Accreditation. Anyone can give you a piece of paper saying that you are certified, but not everyone is accredited (i.e., licensed) to do so – therefore, you need to check whether that certification body has accreditation, that is, if they have a license from the local government body in your country. For example, in the United Kingdom, this body is UKAS; in the United States, it is ANAB.

Specialization.?If you are a bank, it is not a very good idea to have a certification body that has?previously?certified only manufacturing companies. Their auditors may have a lot of experience in quality, environment, safety, or information security, but if they have audited only manufacturing companies, you will lose too much time explaining to them how the bank works?–?as a result, they will be learning much?more?from you than you will from them.

Experience.?Even if you wish to choose an auditor with low experience to get by easily, it is actually in your best interest to have an experienced auditor because, otherwise,?you might miss?out on?some valuable insights. So, do not be afraid to ask which auditor will audit you; ask for his or her CV and/or a list of companies he/she has audited.

Integrated audit.?You may be starting with ISO 27001, but if you also plan to implement ISO 14001, ISO 9001, or other standards, you can ask your certification body to do a so-called integrated audit, instead of hiring separate ISO 27001 and ISO 9001 certification bodies. This means you won’t have to go through separate audits for every system (and pay the full fee for each of them); instead, you can do one audit for all of these systems together – not only will you save time (an integrated audit takes less time than several separate audits), but also – yes, you will pay less.

Flexibility.?If the certification body has to fly in the auditor from another continent (because they don’t have anyone locally), it will be very difficult for you to change the date of the audit (e.g., if?you?don’t?finish your project?on time, or some?other?problem?comes up),?since all the travel arrangements?would?have been made already.

Maturity.?If your organization has a timeframe to?become certified, for example,?because of a commercial commitment, and the management system is recent, the maturity of the management system?could?be an issue. So, ask certification bodies?about?their requirements regarding?the maturity?of the management system?before certification.

Language.?Even though the certification body might provide a translator, if necessary, the audit will go much?more smoothly?if the auditor speaks your language. He will read your documents much more easily, and you will be able to develop a better relationship with him if there is no language barrier.

Tips for choosing a certification body

Start by asking yourself what benefits your organization wants to get from certification. From there,?you can start designing a set of criteria to fit your particular situation.?So, for example, some organizations choose a particular certification body because it has a reputation among potential clients?due to their experience and expertise. Other organizations?choose?a certification body known among?the?main export markets.

Start?the search?for?a?certification body?early.?Most organizations start choosing a certification body at the end of the management system implementation. You can start earlier, by asking for quotes from at least a couple of ISO certification bodies,?and?asking them what other benefits they can provide besides the certification audit. For example,?perhaps?they can provide?advice?about the scope of your management system.

Check which certification bodies are used by your main clients or competitors.?Perhaps these certification bodies?have more knowledge about your economic sector and may bring valuable improvement tips.

Check what?services are?included.?When comparing costs,?make sure you are comparing similar items,?like checking if travel expenses or documentation review?are?included.

Then, contact your short list of ISO certification bodies and ask them?for?a meeting to?address?your questions and evaluate their potential to be partners in more than just compliance evaluation.

Price is not the only criteria

Choosing a certification body can be much more than just comparing prices?in a commoditized market. Your organization can think beyond just compliance.?Many organizations forget that they are the ones choosing and paying the certification body.?Of course,?certification bodies need to follow a code of conduct?and their internal processes, and if your management system does not comply with the standard(s),?they have to raise non-conformities.?But they may?introduce?a fresh,?outside look that brings value to your management system. So, do your due diligence and choose the right certification body according to what is valued?by?your organization.