FAQ

Frequently Asked Questions about ISO Certification and Audits

> ISO — The Basics

  • ISO is an independent, non-governmental organization established in 1947. The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from some 160+ countries and includes over 3,000 technical bodies.

    Their mission is to promote the development of standardization and related activities in the global marketplace with a view to facilitating the international exchange of goods and services, and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity.

    ISO’s work results in international agreements that are published as International Standards. These, in turn, help maintain quality, consistency, efficiency and safety across industries and countries. ISO certification demonstrates that a company’s manufacturing processes, services, documentation procedures and management systems meet the requirements of standardization and quality assurance.

    Interestingly, ISO is not an acronym for the International Organization for Standardization, but is derived from the Greek word isos, meaning equal (e.g. isosceles triangle, meaning equal sided). The short form ISO was adopted by the IOS as their name because it is valid in any language including English, French and Russian, the three official languages of ISO. The complete explanation can be found on page 1 of the International Organization for Standardization home page, www.iso.org.

  • No, ISO does not provide certification or conformity assessments. Organizations pursuing certification need to contact an accredited Certification Body.

  • No. However, we work closely with these organizations and can refer you to an appropriate, high calibre ISO certification body. At The ISO Edge, we provide the support and lay the groundwork for your company to become ISO certified.

  • ISO is about building management systems which are discipline specific. Putting ISO practices into place controls the activities of the business to meet industry standards, reduce risks and procure reliable results.

  • Quality Management Systems are sector or discipline-specific and narrower in scope while Business Management Systems are more generic, broader, and exist at the organizational level.

    Quality Management Systems are “micro systems” that aim to manage the activities and outputs of the company. The ISO Edge has extensive expertise in this.

    Business Management Systems, by contrast, are designed to help the company manage overall at a higher level. When we discover this service is needed, we refer organizations to our affiliate company Business Pathfinders.

    The one main similarity between Quality Management Systems and Business Management Systems is that both bring rigour to your operations.

  • Not necessarily, but it can help most businesses. All businesses – of any sort – can benefit from adopting ISO.

  • You don’t need ISO to operate your café but as a business, having ISO 9001 protocols will help you in your marketplace and potentially give you a competitive advantage.

  • The standards are applicable to all types of organizations and to all services, across sectors. The language employed in the standard continues to be simplified and made more user-friendly, reducing the manufacturing bias with each revision. (Please note: the definition of the term ‘product’ within ISO 9000 includes hardware, services, software, and processed materials).

  • It can take anywhere between 6-18 months to design, build and implement a new management system. To determine how long it will take your organization to become certified or registered, the first step is to conduct a gap assessment. A gap assessment will tell you where your current practice meets the requirement of the International Standard and where it does not. With this knowledge, you can begin defining the steps necessary to develop your management system. Only once you know what is required can you begin to define the resources and timing. Many factors impact timing and can include how many people work on the project, how knowledgeable and/or experienced they are, and how large and complex your organization is.

    Most Certification Bodies want you to have your management system implemented and running for a minimum of three months prior to the initial certification audit. It takes at least three months to develop adequate proof of performance and effectiveness, typically in the form of records, information and data.

  • This is the most common question and the hardest to answer. How much it costs depends on a lot of factors such as: project deadline; results of the gap assessment; internal resource availability (leadership, dedicated Project Management personnel, documentation development, implementation support, internal auditors etc.) and their level of knowledge and experience; external resources (consulting and training support); software (utilizing existing information systems and/or purchasing software programs for management system administration and oversight) and certification fees.

  • The ISO Edge provides some of the most knowledgeable, experienced, and dynamic coaches and facilitators in the realm of management system implementation, performance enhancement and business excellence. Our experts provide insightful, entertaining keynote and other presentations that will exceed the expectations of the most discerning audiences.

  • ISO 9000 was published in 1987 for the first time by the International Organization for Standardization, but there’d been many years of work in the realm of standards before that. Together, industries adopted ISO 9000 which is described as a “family” of quality management systems. ISO 9000 deals with the fundamental concepts, principles, and vocabulary for QMS, including the seven quality management principles that underlie the family of standards. It’s the accepted “dictionary” for all management system standards.

> ISO 9001

  • ISO 9001 is the Standard that sets the requirements for the essential features of an ISO 9001 Quality Management System (QMS). It is the basis for QMS certification. This document contains the specific requirements that must be fulfilled for an organization’s QMS to be certified. That said, the Standard does not contain any industry-specific or special requirements. It describes good management practice but does not state how an organization is to be controlled or operated since this will vary from one organization to another. The Standard recognizes the variation in organizational structures, processes, products, and procedures, and consequently can be applied to small and large organizations alike. Put another way, ISO 9001 is a generic requirements standard, applicable to any type of organization. It’s a tool that helps companies manage their business with a quality focus. The main benefits of implementing an ISO 9001 Quality Management System include:

    • Consistency in process and activity
    • Alignment, synergy
    • Synthesis of the focus on strategic management and the discipline of Quality
    • Enhanced ability to drive
    • Improvement
    • Measurement
    • Improved communication (internal & external)

    Several variants of ISO 9001 exist to address specific industries, better known as Technical Specifications. The most popular of these are:

    • Aviation – AS 9100
    • Food – ISO 22000
    • Medical Devices – ISO 13485
    • Automotive – IATF 16949
    • Telecommunications – TL 9000 (SW, HW, FW and Service)
    • Laboratories for test and metrology – ISO/IEC 17025
    • Certification of individuals – ISO/IEC 17024
    • Information technology – ISO 27001

  • These 17 steps are typical and reflect the accumulated wisdom of hundreds of successful certification projects using the process approach now specified in ISO 9001:

    1. Make a senior person responsible for your management system. This person will either be the CEO or report directly to the CEO.

    2. Form a Project Team and consider the need for or role of an advisor/consultant. We recommend a team of no more than eight personnel from a cross section of functions/departments.

    3. Conduct a self-assessment or hire The ISO Edge to perform a gap assessment using ISO 9001 and report the results. This report will identify the adequacy of as-is processes, identify any need for new processes and report on any existing practices that appear to meet the requirements of the standard regardless of how they are documented.

    4. Train the Project Team on the requirements of ISO 9001. This aids in developing leaders to create and sustain awareness. All members must learn so they understand and can explain.

    5. Create and then publish the Quality Policy, Quality Objectives and Action Plan.

    6. Define organizational structure and responsibilities including assignment of process owners. Keep this updated with names and job titles as a formal document.

    7. Involve employees in developing and improving the processes and closing gaps identified during the gap assessment using awareness sessions, flowcharting, team or peer reviews, experience and feedback.

    8. Decide on the document coding procedure. Use this from day one of developing any system documentation.

    9. Code all previously existing documentation in line with agreed coding procedure. Every document should belong to a process; remove redundant documents and create new ones.

    10. Correlate all forms to processes. Every form should have a place and if not, check completeness of processes.

    11. Review processes and flowcharts for accuracy. By “accuracy”, we mean what actually happens!

    12. Develop and use flowcharts to document processes. The flowchart can become the procedure; always include process objective(s) and performance expectations, which are typically associated with risks and opportunities.

    13. Review, reconcile, approve and issue as-is procedures. Involve everyone and do not ignore comments. Process owners should approve procedures prior to release.

    14. Create a document that describes your overall system (could be a quality manual). Keep it slim and simple for customers, all employees, and suppliers.

    15. Launch the system and respond quickly to revision requests. Throw a party – you deserve it! Invite continual improvement ideas.

    16. Audit and improve your system to raise value and reduce avoidable costs.

    17. Conduct a management review and document any resulting decisions and actions.

  • ISO does not specify a document format. How you format your Quality Management System documentation is entirely up to you. We recommend you select a format that adds the most value and is most easily used by your employees.

  • The requirements of ISO 9001 are applicable to all organizations of any size, either public or private including, but not limited to: sole-trader, company, corporation, firm, enterprise, authority, partnership, association, charity, or institution.

  • When customers and clients are dissatisfied with the products or services they receive from an ISO 9001-certified business, they can escalate a complaint, completing each of these four steps in order:

    1) Every ISO 9001-certified organization is required to have a “customer focus” and an assigned role with responsibility and authority to ensure the promotion of customer focus throughout the organization. Begin by describing your complaint and the steps you have taken so far directly with the person you’re in contact with. This might be a salesperson, service person, customer representative, or an employee performing the service or providing the product. Be specific about what you expected, why you expected it, what you feel was not met and why you are disappointed. This could be a statement of commitment made on a website, a description of the product in a catalogue, an advertisement, or specific promises made by a salesperson. Insist, first, that you be provided with a product or service that meets the description. Fulfilling the needs and expectations of interested parties is an important principle in ISO 9001.

    2) If your initial contact cannot provide an acceptable resolution to your concern, find out who within the organization has been assigned the responsibility and authority for customer focus and escalate your concern. Remind the representative that you are the customer, and you expect your requirements to be understood and met.

    ISO 9001 has requirements that may be helpful to refer to in your communications with a company. Describe how you believe the organization is failing to meet these requirements: Customer focus (5.1.2), Establishing the quality policy (5.2.1), Quality objectives and planning to achieve them (6.2), Customer communication (8.2.1), Requirements for products and services (8.2.2), Review of the requirements for products and services (8.2.3), Customer satisfaction (9.1.2), Nonconformity and corrective action (10.2).

    3) ISO 9001 requires top management to demonstrate leadership and commitment to the organization’s quality management system. Section 5.1.1 requires that they take accountability for the effectiveness of the quality management system. Contact the top manager of the organization and describe your problem and expectations. If the organization has stock that is publicly traded, then the names of the top managers are publicly available.

    4) If you still have not been satisfied, organizations that are certified to ISO 9001 have a Certification Body certificate. You can find out what firm issued the certificate by searching a list of certified companies. Contact the Certification Body with a description of your complaint.

    On a final note, the ISO organization itself develops and publishes standards, but has no role in enforcement. Please: do not contact them for help in resolving a dispute.

> ISO 9004

  • ISO 9004:2018 — Quality management — Quality of an organization — Guidance to achieve sustained success — provides guidance for organizations to achieve sustained success in the face of a complex, demanding and ever-changing world. The key to its approach is the use of its self-assessment tool that allows for maturity level modelling year-over-year. Its foundation is the Seven Quality Management Principles.

  • The Quality Management Principles have been around for decades and form the basis of the ISO 9000 series as well as many quality awards such as the Canadian Award for Excellence, Best Managed Companies and the Malcolm Baldrige National Quality Award (USA). ISO defines the principles as “a set of fundamental beliefs, norms, rules and values that are accepted as true and can be used as a basis for quality management”. The principles are:

    • QMP 1 – Customer Focus
    • QMP 2 – Leadership
    • QMP 3 – Engagement of people
    • QMP 4 – Process approach
    • QMP 5 – Improvement
    • QMP 6 – Evidence-based decision making
    • QMP 7 – Relationship management

    These principles form the basis for performance improvement and organizational excellence as they establish expectations for governing behaviour.

> IATF 16949

  • IATF 16949 is the Automotive Quality Management Standard owned by the International Automotive Task Force. In 2016, it replaced ISO/TS 16949. It defines the quality management system requirements for automotive production and service parts organizations (i.e. suppliers) along with associated automotive customer-specific requirements and ISO 9001.

  • IATF 16949 enhances ISO 9001 requirements by specifying additional requirements for automotive parts suppliers who are involved in the production of parts that are integrated into the products of an OEM (original equipment manufacturer) or OES (original equipment service) automaker.

    ISO 9001 is a generic quality management system standard that can apply to a broad range of industries and organizations.

> ISO 45001

  • ISO 45001 – Occupational health and safety management systems – Requirements with guidance for use – provides a framework for managing OH&S risks and opportunities. In other words, what an organization does to demonstrate sound OH&S performance including preventing work-related injury and ill health to workers; providing a safe and healthy workplace; eliminating hazards and minimizing OH&S risks through effective preventive and protective measures.

> ISO 14001

  • ISO 14001 – Environmental management systems – Requirements with guidance for use – provides organizations with a model for a systemic approach to environmental management. In other words, what an organization does to protect the environment and respond to changing environmental conditions in balance with socio-economic needs. It also provides the basis for an Environmental Management System Certification program.

> ISO — Audits

  • No. A company does not have to have any Internal Auditors on staff. However, in order to conduct a full management system audit, a minimum of 2 auditors must be involved. The internal auditors could be staff members or contracted. The reason you must have at least 2 internal auditors is that all management system standards prescribe that auditors must be independent and thus may not audit their own work. Therefore, even a contracted auditor could not audit the internal audit process because it would be his/her own work. An organization should have a sufficient number of competent internal auditors to do full meaningful internal audits at appropriate intervals without compromising the completion of other organizational responsibilities.

  • Certificates are issued for three-year periods. At the initial certification audit, auditors must verify fulfilment of every requirement of the standard. During the three-year period, surveillance or maintenance audits are arranged between the Certification Body and the certified organization. At each visit, typically every twelve months, the third-party auditors verify the fulfilment of the core requirements of the standard (Planning / Management Review / Internal Audit / Nonconformity and Corrective Action / Objectives, Targets & Programs / Continual Improvement) and a significant minority of the balance of the requirements (Purchasing / Document Control / Training etc.).

    During the three-year period, the entire system must be thoroughly audited. By the third anniversary date of the certification, a re-certification audit is conducted, and a new certificate issued.

    The re-certification audit is as comprehensive as the initial audit was and additionally focuses on areas that are important, have had less attention or have produced more issues during the previous three-year period. At any audit, nonconformities can be identified, and corrective action requests raised by the auditors. These corrective actions must be addressed by the organization based on their classification as either minor nonconformities or major nonconformities. Major nonconformities must be addressed quickly and fully to receive or maintain certification.

  • Internal Auditors must be trained and/or developed to a level of verifiable competence (determined by the organization) to conduct internal audits of the management system.

    We recommend that a cross-section of personnel be selected to act in the additional role of internal auditor (office/operations/sales/IT etc.). This is to ensure that technical competence from various parts of the organization is represented, thus allowing for a more in-depth and value-added audit process. ISO 19011 – Guidelines for auditing management systems — is a key document to select, evaluate and qualify internal auditors.
