Top Tips For ISO Certification

Introduction: ISO Certification—Getting It Right From the Start

If you're preparing for ISO certification—whether it's for quality (ISO 9001), environmental management (ISO 14001), health and safety (ISO 45001), or another standard read this guidance.  I have been where you are, learn from my mistakes and make the process as simple as possible.  Sure, every company is different but considering these top tips for ISO certification will help as the ISO framework is the same for everyone to build from. 

ISO isn’t about ticking boxes or creating piles of paperwork. At its core, it’s about building a management system that works for your business—supporting performance, reducing risk, and enabling continual improvement. You are the boss, so long as you achieve the aim of each clause you get certified, how you get there is your choice.

This blog shares five focus areas which I believe will help you approach ISO certification the right way. Whether you're new to ISO or looking to refresh your current system, these principles will help you create a strong foundation, keep things manageable, and ensure your system adds real value to your organisation.

1.    Determine what type of certification is right for you – UKAS or Non-UKAS certification.

One of the first and most important steps to achieving any ISO certification is a decision on the accrediting body you will use.  There are many accrediting bodies however they will either be UKAS accredited or not UKAS accredited.  Understanding the positives and negatives of each and then which suites your business needs is a vital step.  If you are looking at ISO certification to bid for a contract check the ISO criteria as they may stipulate a need for UKAS accreditation.

If the choice is yours then this will help, here are the positives and negatives of UKAS accreditation and a non-UKAS accredited structure from my personal experience.  But firstly What Is UKAS?

UKAS (United Kingdom Accreditation Service) is the UK’s government-recognised national accreditation body. This means they are the responsible body for ensuring the internationally recognised standard is maintained within the UK.  To do this UKAS audit every company on a regular basis who offer UKAS certification, this makes for a stricter audit process but like most things, the harder something is to achieve the more benefits are given.  Below are some advantages and disadvantages of choosing UKAS certification over non-UKAS certification. 

Advantages of UKAS-Accredited ISO Certification

1. Credibility and Trust:

   • Recognized internationally and often preferred by regulators, government bodies, and large corporations who may require this before tender success. 

2. Assurance of Quality:

   • Regular audits by UKAS ensure the certification body is competent and impartial.  In my experience UKAS accredited auditors know more about the ISO standards and bring more value during audit.  This said I have no doubt there are some non-UKAS accredited auditors who really know their stuff, they are just harder to find. 

3. Market Access:

   • Some tenders, contracts, and supply chains specifically require UKAS-accredited certification.  I often help with tender submission for the companies I represent and find that UKAS certification eases the initial tender stages and almost always gains invite to stage2.

4. International Recognition:

   • UKAS is part of international accreditation agreements (e.g., IAF MLA), this is exceptionally useful for companies who operate internationally. I am not sure exactly how many countries recognise ISO standard today however it was 167 in 2022.

5. Risk Reduction:

   • More thorough audits reduce the risk of non-compliance or identify non-conformance to avoid systemic failures within your management system.  Most people look at audit (both internal and external) as a negative experience and if possible would avoid them, try to look at the positive.  Audits are just another way of performance monitoring and provide opportunities to improve.

   
   

Disadvantages of UKAS-Accredited Certification

1. Higher Cost:

   • Typically preparation and resource are more expensive due to the governed  standards and audit structure.  I saw a non-UKAS ISO certificate in one company reception which was called something along the lines of instant certification, when I asked the operations manager about this he stated that all that was needed was to answer and evidence 20 questions.  Certainly lower cost and some tenders simply require ISO accreditation without further stipulation therefore this may be a short term answer to business growth!

2. Longer Process:

   • The certification process for UKAS may take more time due to stricter compliance requirements, this is however dependant on your current company position, you may have an excellent management system in place pre-ISO and therefore find the transition simple.  Yes the process will usually take time, there are various stages to full certification which I have highlighted on my website, click the link to see https://www.ss-safety.co.uk/iso-standards

3. Less Flexibility:

   • UKAS-accredited bodies must follow strict guidelines, leaving less room for customization.  I hear this said and inevitably because non-UKAS is completely unregulated it is true, however do not think that you cannot adapt the ISO framework to your company.  This is exactly what you are supposed to do.  It is your management system and it is for your business.  Make sure it fits your business and don’t document unworkable process and practice just because you think it sounds good, create it your way, if it works, its right.

   
   

 Why a Non-UKAS Certification May Be Advantageous for Some Companies

• Start-ups or SMEs: If you are a small business a non-UKAS certification may be just the ticket to start creating the right structure and generating business interest.  You may need ISO certification for marketing or customer assurance but cannot yet afford the time or cost of UKAS-accredited options. 

• Internal Improvement Focus: Some companies adopt ISO standards for internal system improvements, not for external validation.  I started my business as a health and safety consultant, I always used the ISO framework for building a companies health and safety structure.  Using the framework is a great way of ensuring you have covered all the right bases.  There is a reason these are internationally recognised standards, it’s because they are good, and they work well.  They provide a template for success, so use it for health and safety, quality or environmental management systems in your business.  You do not need a certificate to be good or even excellent at what you do!

• Low-Risk Industries: In less regulated industries, the emphasis on third-party validation may be minimal.

• Immediate Need: Non-accredited bodies can often deliver certification quickly for urgent needs such as a client requirement.

2.    Understand the Context and Define the Right Scope

One of the most important steps toward successful ISO certification whether it’s ISO 9001, ISO 14001, or ISO 45001 is defining your organisation’s context and the scope (what areas of the business you wish to be certified under ISO standard).   

Doing this accurately and in detail creates the foundation for everything that follows. It helps ensure that your system is focused, relevant, and not overly complicated.

What Do "Context" and "Scope" Mean?

Context refers to what your business does, its mission if you like and the internal and external factors that affect it, things like the market, customers, legal obligations, and competitors.

Scope defines exactly which parts of your business are covered by the ISO certification. It does not have to include everything. In fact, being selective can help you keep the system manageable and aligned with business goals.

Factors to Consider When Defining Scope

When setting the boundaries of your ISO management system, consider the following:

• Business Strategy: What are your core objectives? Align the system with what you're trying to achieve.

• Risk and Compliance Areas: Focus on locations, departments, or services with higher operational or regulatory risks.

• Control and Influence: Only include areas where you have direct control. Avoid including outsourced activities or third-party-managed locations.

• Customer Requirements: If certification is requested for specific services or locations, tailor the scope accordingly.

• Legal and Regulatory Duties: Ensure the scope includes areas where compliance obligations are significant (e.g. environmental permits or health & safety risks).

Examples of What You Might Exclude

Your scope can be limited to what's relevant and beneficial. Some typical exclusions include:

• Head Office Admin Functions – If not involved in quality, safety, or environmental processes.

• Sales Offices or Retail Locations – Where customer interaction occurs but no operational processes takes place.

• Third-Party Logistics – Warehousing or delivery partners not under your direct control.

• Unrelated Business Units – A company might only certify its manufacturing arm and exclude unrelated consultancy services.

Justifiable Clause Exclusions (ISO-Specific Examples)

ISO standards allow for exclusions.  The ISO framework contains Clauses which must be achieved, each clause is then broken down further into many sub-clauses.  When defining your scope ensure that you identify any of the sub clauses that do not reflect your business.

Common examples:

• ISO 9001 – Clause 8.3: Design and Development

  If you only create or manufacture products or deliver services to customer specification, and do no in-house design, you can exclude this clause.

  
  

  ISO 14001 – Clause 8.2: Emergency Preparedness and Response

  For low-risk businesses, a simplified approach may suffice if there are no significant environmental hazards.

 Why This Matters

Defining your scope well, is not just about meeting ISO requirements, it’s about making your management system work for your business. A focused, well-scoped system is easier to implement, more relevant to daily operations, and more likely to deliver real benefits to company efficiency, safety and profit.

3.    Identify the Resources You’ll Need to Succeed

Achieving ISO certification is not just about having the right documents in place, it’s about having the right people, knowledge, and infrastructure to support the management system.

Whether you’re pursuing ISO 9001 (quality), ISO 14001 (environment), or ISO 45001 (health and safety), every standard requires that appropriate resources are planned and made available. These include people, time, knowledge, tools, and working conditions.  Consider this when creating your strategy, ensure this is in place so that your management systems can work effectively and meet requirements.

Assigning Roles and Responsibilities

A successful ISO system depends on clearly defined and documented roles. On paper this seems simple but I find that small businesses particularly struggle here as lower numbers mean that people wear many hats and there is a requirement for flexibility in role.  Remember its your system but it is important that individuals clearly understand their part in achieving ISO compliance. Most systems will require someone to be accountable for key activities like:

• Managing non-conformities and corrective actions

• Monitoring performance and compliance (internal audit, KPI etc)

• Creating and communicating policies and objectives

• Delivering or coordinating training

• Preparing for and facilitating external audits

Don’t Underestimate the Time Commitment

Implementing a management system and preparing for certification takes time, this is often more than first estimated. Time will be needed for:

• Writing or refining procedures

• Training staff

• Conducting internal audits

• Reviewing performance data

• Implementing corrective action

• Management of change – making sure that changes made still fit with your scope and ISO requirements.

 Knowledge Is a Key Resource

Knowledge is a commonly overlooked ISO resource. You’ll need access to:

• Internal knowledge – Understanding your processes, risks, and legal requirements.  Try and break down department walls (metaphorically speaking of course), understanding what others are trying to achieve helps everyone and therefore helps your business.

• External knowledge – Monitor Industry best practices, find someone who understands the ISO standards and can interpretate them, so you understand how to adapt them into your business.  , Keep an eye on legal updates, this can be a difficult task, there are many companies who will assist you with this for relatively small cost. Barbour and The compliance people are two examples that I have used in the past.

• Training and competence development – Ensuring people are skilled to fulfil their ISO-related duties, this may be an internal auditing course for example.

Knowledge can be held by individuals, captured in documented procedures, or provided by external consultants or trainers.

Infrastructure and Working Environment

In addition to people and knowledge, ISO standards require that your infrastructure and working environment support the system's effectiveness. This might include:

• Suitable equipment, facilities, and IT systems

• Clean, safe, and fit-for-purpose workspaces

• Tools and materials needed to carry out work consistently and safely

If the workplace or equipment hinders performance, quality, or safety, that will reflect in audit outcomes, and more importantly, in real-world performance.

A Final Word on Resources

Successful ISO certification is a team effort that depends on careful planning, appropriate resource allocation, and realistic expectations. By identifying and securing the right people, tools, and knowledge early on, you’ll not only be ready for audit day, you will build a system that truly works for your business.

4.    Identify and Document Your Key Processes

A common myth about ISO is that it requires every little task in your business to be written down. That’s not the case.

What ISO does require is that you identify your key business processes, particularly those that are vital to delivering your products or services and maintaining compliance.  It’s your decision what you document s long as you can present reasoning behind what is documented and what isn’t then there will not be a problem when the certification audit takes place. 

This isn’t just about compliance; documenting key processes helps reduce business risk, the running of a process should never be known by just one person.  Documenting key process helps resolve this and the reduces the negative impact this may have if an individual is sick, resigns or goes on holiday. 

What Are “Key Processes”?

Key processes are those that:

• Are critical to customer satisfaction or product/service delivery

• Involve risk or regulatory obligations

• Require consistency and control

• Involve multiple teams or complex interactions

Some examples might include:

• Order handling or contract review

• Product or service delivery

• Maintenance of critical equipment

• Incident reporting and investigation

• Employee onboarding and training

Remember: If a process is vital to your business running smoothly, it’s worth documenting, even if ISO doesn’t demand it.

When Do You Need to Document a Process?

ISO standards (like 9001, 14001, and 45001) state that processes should be documented “where necessary.” That means you use your judgement. If a process is:

• High-risk

• Complex

• Frequently misunderstood

• Vulnerable to human error

• Dependent on one person’s knowledge

…In these cases it’s usually a good idea to write it down.

The Advantages of Documenting Key Processes

I know I have already mentioned some, but there are more:

• Shared Knowledge – Avoid reliance on one person. If someone leaves or is off sick, others can pick up the task.

• Measurable Objectives and KPIs – Defined processes help set meaningful objectives and track performance.

• Stronger Internal Audits – Auditing a process instead of just a clause gives a broader, more practical view of system effectiveness.

• Continuous Improvement – When you understand how a process works, it’s easier to spot opportunities for improvement.

Process-Based Auditing: A Smarter Approach

Rather than ticking off clauses in isolation, internal audits can focus on real-world business processes. For example:

• Auditing your "order to delivery" process might naturally include elements of customer communication, quality control, training, record-keeping, and compliance—all in one go.

It is the way forward, I started by doing clause by clause internal audits and at times these are unavoidable but I find process based auditing more enjoyable and more beneficial for all who are involved. This approach provides:

• A more holistic view of how your system works in practice

• Better engagement with staff (they can relate to their job, not ISO clauses)

• More meaningful audit findings

By documenting the right processes, remember, not everything, just the important stuff, you will strengthen your management system, improve performance, and reduce business risk.

5.    Keep a Consistent Approach All Year Round

I find one of the most common mistakes in the running, maintenance and preparation of ISO management systems is inconsistency.  A flurry of activity right before the external audit, followed by months of silence. That’s not how ISO is meant to work.  I get it, it takes work and effort and everyone sighs relief post audit, lots of high fives and then a rest, which inevitably extends about 9 months until someone states that the audit is approaching again.  Have a little break of course, but consistency really does work better for the business and for stress levels.

Plan the Year in Advance

Start by mapping out key activities across the calendar year:

• Internal audits – Spread them throughout the year rather than saving them all for the last minute.  Also look at areas of the business that are changing or have had past non-conformance.  You can audit the same thing several times if you wish or leave well performing process out if you wish.  All clauses should however have been audited at least once every three years and most companies benefit from a shorter frequency than this.

• Time for improvements – Allow space between audits and reviews to identify and fix non-conformances properly, an audit is not closed until the non-conformities have been closed and all opportunities for improvement considered.  If you do not leave enough resource to do this, you have not allowed the benefits of audit to be taken.

• Management review – Schedule dedicated time for a full review involving all relevant department leaders and those with pivotal allocated responsibilities.

Doing a little each month reduces pressure and gives you time to reflect, improve, and build confidence in your system.

Make Management Review Work for You

ISO standards require a management review—but how you do it is up to you.

While some large companies hold a formal annual meeting, smaller businesses often work differently. You might already have weekly or monthly meetings. That’s fine, as long as there’s a point where:

• All senior managers with ISO responsibilities are involved

• You review key inputs (objectives, audit findings, risks, complaints, etc.)

• You track actions and improvement

The value here is in cross-process understanding. When departments communicate, cooperate, and align their priorities, it breaks down silos and strengthens the whole system.

Your System, Your Way

Above all, remember this:

It’s your management system.

ISO doesn’t prescribe how to run your business. It sets out what needs to be achieved—but how you do it is entirely up to you.

• Prefer visual dashboards to spreadsheets? Use them.

• Want to hold your management review over several short sessions instead of one long meeting? That’s fine.

• Use a shared drive or simple folders instead of expensive software? No problem.

As long as the requirements are met and the system supports your business, you’re doing it right.

It might sound obvious as you read this but remember, internal auditors are working with you to prepare your system for audit certification; external audit companies no matter which, want your business, they are in business too.  It is in their interest to provide a fair audit allowing you to represent your system and support your decisions.  If a process, or lack of process, is identified as non-conforming you will be given a reasonable period to rectify the issue.  It is in nobodies’ interest for you to fail.

Conclusion: Make ISO Work for You

ISO management systems aren’t one-size-fits-all. They’re designed to be flexible, scalable, and shaped around your business; not the other way around.

The key to success lies in clear planning, honest assessment, and steady progress. Define a sensible scope, assign the right resources, document what really matters, and take a consistent approach throughout the year. Don’t wait until audit time, treat your system as a living part of the business, not an annual event.

And remember: You don’t have to document everything you don’t need a perfect system on day one you can shape the system to suit your business culture

Certification is a milestone, but the real value of ISO lies in building a system that helps your business run better, safer, and more sustainably.