Frequently asked questions.
General
-
A management system standard defines the framework an organisation uses to manage and improve its operations — covering planning, implementation, monitoring, and continual improvement.
Examples include ISO 9001 (Quality), ISO 27001 (Information Security), and ISO 42001 (AI Management).
-
The typical process follows the PDCA (Plan–Do–Check–Act) cycle:
Plan: Define context, risks, objectives, controls, roles, and policies.
Do: Implement and operate processes and controls.
Check: Conduct monitoring, measurement, internal audits, and management reviews.
Act: Correct and improve based on audit findings and performance results.
-
Small or mature organisations may be ready in 3–6 months. Larger or less mature ones often take 9–12 months. It depends on available resources, management commitment, and existing processes.
Audits and Certification
-
The ISO certification process is managed by an accredited Certification Body (CB) — not ISO itself. The process typically follows these steps:
Gap Assessment (optional):
You can engage a consultant or auditor to compare your current system against the standard’s requirements. This identifies what still needs to be implemented before formal certification.
Stage 1 Audit:
The CB auditor reviews your documented system, ensuring you’ve addressed each requirement on paper and are ready for a full audit.
Stage 2 Audit:
The CB auditor visits (onsite or remotely) to verify that your system is actually operating as documented — reviewing records, interviewing staff, and sampling processes.
Passing Stage 2 leads to certification.
Surveillance Audits:
Conducted annually to confirm you’re maintaining compliance and continual improvement.
Recertification Audit:
Every three years, a full review ensures your system remains compliant before issuing a new certificate.
You can verify accredited Certification Bodies or check whether a company is genuinely certified on the official JAS-ANZ Register of Accredited Bodies.
-
Stage 1 is a readiness assessment. The auditor evaluates whether your documented management system design — policies, scope, and processes — meets the minimum requirements.
It prevents you from proceeding to Stage 2 before you’re ready.
Reference: ISO/IEC 17021-1:2015 Clause 9.3.1.2.
-
Stage 2 is the formal certification audit. The auditor tests whether your management system is operating effectively — by observing processes, interviewing staff, and reviewing evidence.
If you meet requirements and any findings are corrected, the CB issues your certificate.
Reference: ISO/IEC 17021-1:2015 Clause 9.3.1.3.
-
A recertification audit happens every three years to confirm your system still meets ISO requirements and has been maintained and improved.
It’s a full review, not a light check-in — your certificate renews only after successful completion.
Reference: ISO/IEC 17021-1:2015 Clause 9.6.3.
-
ISO does not issue certificates.
Certification is performed by independent accredited Certification Bodies (CBs).
In Australia, CBs are accredited by JAS-ANZ (Joint Accreditation System of Australia and New Zealand), which is recognised internationally by the International Accreditation Forum (IAF).
A certificate issued by a CB accredited by JAS-ANZ, or by another accreditation body recognised under the IAF multilateral arrangements, is recognised internationally. A certificate from an unaccredited body carries no such recognition, so check the accreditation before you engage a CB.
-
Auditors must remain independent and objective.
Under ISO/IEC 17021-1 Clause 5.2 (management of impartiality), a CB and its auditors must avoid any situation where they would be “marking their own homework.”
If someone helped design, implement, or maintain your system, they cannot later audit it.
This aligns with the Three Lines of Defence model used in governance frameworks:
Line 1: The business implements controls.
Line 2: Compliance or risk functions oversee them.
Line 3: Independent audit verifies that they work.
In practice, that means consultants can help build your system, but only independent auditors (working for a CB) can certify it.
This separation preserves credibility and confidence in the certification process.
-
Not for certification — that’s restricted to accredited CBs.
However, Assurance Bureau can perform internal audits, gap assessments, and readiness reviews to prepare you for certification.
We can also refer you to reputable CBs and, once you have selected one, continue to act as your independent consultant, provided no impartiality conflict exists.
-
You’re ready when:
Internal audits and management reviews are complete.
Staff understand and follow the system’s processes.
Records show that controls are effective.
Any previous findings have been addressed.
A readiness or “mock” audit by an independent consultant can confirm if you’re prepared before paying a CB.
-
Certification typically lasts three years, with annual surveillance audits to confirm continued compliance.
A recertification audit is required at the end of the three-year cycle.
-
Internal audits are conducted by or for your organisation to verify conformance and readiness.
External audits are performed by Certification Bodies (CBs) to confirm compliance and issue certification.
Internal audits are required by the management system standards themselves (Clause 9.2); external audits are required only if you seek certification. Internal audits demonstrate self-monitoring; external audits provide independent assurance.
-
-
No. That would create a conflict of interest and is prohibited under ISO/IEC 17021-1 and JAS-ANZ requirements.
Consulting (helping you design or implement controls) and auditing (evaluating them) must remain separate functions to preserve impartiality.
-
A major nonconformity means a requirement is missing or ineffective — a systemic issue.
A minor nonconformity means an isolated lapse or partial failure.
Both require corrective action, but majors must be closed before certification can proceed.
-
During an ISO audit, findings are categorised based on the severity of what’s discovered. These categories help define what actions you need to take and whether certification can proceed.
A conformity means the requirement is met — your process and evidence align with what the standard expects. You simply maintain this control and keep doing what works.
An observation or opportunity for improvement (OFI) isn’t a nonconformity. It’s a suggestion the auditor makes where your system meets the requirement but could be improved to avoid future issues. Addressing it is optional, but it shows commitment to continual improvement.
A minor nonconformity is an isolated lapse or partial failure. For example, one missing training record, or a process that wasn’t followed in one instance. You’ll need to fix the problem, document the corrective action, and provide evidence to the auditor or certification body. Minor issues don’t stop certification as long as they’re corrected within an agreed timeframe.
A major nonconformity is more serious — it means a requirement hasn’t been met or there’s a systemic issue. For example, not having a defined risk assessment process or lacking management review records. You must identify the root cause, correct it, and provide evidence that the fix is effective. The certification body will verify closure before certification or recertification can proceed.
If major issues aren’t resolved within the timeframe the CB sets (commonly around 90 days), certification can be delayed, suspended, or withdrawn.
Failing an audit doesn’t mean starting over — it’s a chance to close gaps and strengthen your system before certification continues.
Reference: ISO/IEC 17021-1:2015 Clauses 9.4.5 and 9.4.6.
-
Your certificate remains valid for three years, provided you:
Maintain your management system,
Complete annual surveillance audits, and
Demonstrate continual improvement.
If your system lapses or major nonconformities aren’t closed, your certificate can be suspended or withdrawn.
Think of certification not as an event, but as an ongoing commitment to effectiveness.
-
Not exactly. ISO standards are risk-based and leave room for professional judgement. Two auditors may interpret adequacy differently, especially if evidence quality varies.
To manage this, always:
Ask your Certification Body for any guidance or “typical findings.”
Keep a clear, risk-based rationale for each control or decision.
This demonstrates you’ve thought about the “why,” not just the “what,” which auditors respect.
-
Usually not. Audits are point-in-time checks. If you can’t produce evidence during the audit, the auditor must assume the process isn’t consistently happening.
Good systems generate evidence naturally through daily operations — approvals, logs, reviews, and actions that occur as part of the process.
Pre-preparing evidence just for audit week can backfire, as it suggests a system that’s only “active on paper.”
Implementation
-
No. ISO management systems are about control and effectiveness, not how much paperwork you can produce.
You must document what’s necessary to ensure consistent results, demonstrate compliance, and reduce risk — but not so much that it becomes a burden or nobody reads it.
Too many policies or procedures can actually cause nonconformities. If your team doesn’t follow them, you’re not complying with your own system (ISO 9001:2015 Clause 10.2).
The goal is a lean and functional management system that people understand and actually use.
References: ISO 9001:2015 Clause 7.5; ISO 27001:2022 Clause 7.5.
-
Each organisation has its own risks, context, and obligations. ISO standards specify what must be achieved, not how.
That means two companies might both comply with the same clause in completely different ways.
Copying another organisation’s approach often creates gaps, redundant controls, or processes that don’t make sense in your environment. The system must reflect your unique context and risk profile — not someone else’s.
References: ISO 9001:2015 Clauses 4.1–4.2; ISO 27001:2022 Clause 6.1.
-
Auditors must remain independent and objective.
If they help design or advise on how to fix a process, they can’t later audit that same process — it would compromise impartiality and breach ISO/IEC 17021-1 Clause 5.2.
Auditors can tell you what’s missing or what clause isn’t met, but not how to fix it.
Consultants and advisors, by contrast, can help design or implement improvements — but they must step away before certification audits occur.
-
There are published guidance standards that explain how to interpret and apply ISO requirements, including:
ISO 27002 – Implementation guidance for ISO 27001 controls.
ISO 27005 – Risk management guidance.
ISO 9004 – Quality management for sustained success.
Alternatively, you can engage Assurance Bureau for independent advisory or readiness review work separate from any certification audit.
Common Mistakes
-
ISO is not about documents — it’s about demonstrating control and risk reduction. Over-documenting leads to disengaged staff and a system nobody uses.
-
Every organisation has different risks, size, and context. Copying someone else’s framework often causes gaps or unnecessary work.
Certification bodies expect your system to be unique to your business.
-
Leadership must demonstrate commitment under Clause 5.
If management treats certification as a compliance task rather than a business improvement tool, systems degrade quickly.
-
Evidence should exist naturally from ongoing operations. If documentation only appears during audit week, auditors know it’s staged — and it undermines credibility.