How to Get ISO 9001 Certification

The ISO 9001 implementation and certification process will not only result in certification (also called registration or accreditation), but prove to be one of the most valuable things you can do to improve virtually all aspects of your company. The menu below is for ease of navigation.

If you are a small business owner and under pressure to get ISO 9001 certified, you may have numerous doubts and questions. Let us try to clarify a few points:

Is ISO 9001 too expensive for SMEs?
ISO 9001 is an investment. How much you invest depends much on the implementation approach (in-house or consultant); we will show you below how to get ISO 9001 on a small budget. For SMEs in particular, the potential returns can be huge.

Is ISO 9001 difficult for small businesses?
No – just the opposite, in fact. There are hundreds of thousands of small and micro enterprises around the world that have successfully implemented an ISO Quality Management System (QMS). In our experience, it's generally much easier for small businesses to set up an ISO 9001 system than it is for bigger firms. The fewer activities and employees the company has, the easier the implementation process. Large conglomerates, for example, often require extensive help from consultants: fees for these services can be astronomical, and it's not uncommon for the implementation process to take up to 12 months or longer.

Typically, how long does it take for an SME to get certified?
We've seen claims that a fully-fledged system can be implemented in as little as six weeks. In our experience it generally takes about three months – though two months is possible. If minor problems enter the system, ironing them out can add two or more weeks. According to our database the average time taken for SMEs in the USA to implement ISO 9001 was just under three months; for SMEs in Southeast Asia the average time was roughly three months and two weeks. In our opinion this disparity is due to English fluency levels.

Will a small business get bogged down by excessive paperwork?
There seems to be a misconception that ISO 9001 is only about paperwork while in fact the requirements are rather minimal. Certainly, documents and records are needed, but they are far from excessive and may not be much more than what you are already using. Taking the right implementation approach will avoid unnecessary paperwork.

Does a small business require a costly consultant to get ISO 9001 certified?
No, definitely not. Using an ISO 9001 consultant is only one of the options. Most small businesses are well advised to implement ISO 9001 in-house with the help of some of the inexpensive tools available.

Our members generally agree that while ISO 9001 initially seems complicated, achieving certification is actually quite straightforward.

Manfred Hofer, Director of Member Services, 9001Council

The truth is that few SMEs struggle with ISO 9001. Implementation is seldom as hard as it sometimes first appears, and every year hundreds of thousands of small, micro and medium-sized businesses around the globe become ISO 9001 certified and reap the associated rewards.

ISO 9001 Certification vs. Compliance
Most companies only consider ISO 9001 certification and overlook the other option: ISO 9001 compliance. Achieving ISO 9001 compliance utilizes the same implementation approach as ISO 9001 certification but omits the last step: the certification audit, the certificate and the subsequent re-registration or surveillance audits. Instead of hiring a registrar to assess the effectiveness of the ISO 9001 Quality Management System (QMS), ISO 9001-compliant companies perform a self-assessment. The main benefits of ISO 90001 compliance over certification are cost savings. Let's look at a more in-depth comparison:

Certification is more expensive that compliance due to the registrar's fees for the certification audit, along with costs for registration and periodic surveillance audits.

Implementation time
The time needed to implement the QMS is the same, but ISO 9001 certification takes longer due to the audit and registration process.

ISO 9001 requirements for companies seeking compliance rather than certification are identical. In both cases the Quality Management System is the same.

Internal benefits
Certification has no direct impact on the operational benefits of an ISO 9001 system. Certified and compliant companies are able to reap equal internal benefits.

ISO 9001 certification provides objective evidence that the QMS is effectively implemented. ISO 9001-compliant companies can state they have a Quality Management System in place but obviously lack documentary evidence to support this. This could lead to customers performing their own audits of a non-certified company.

ISO 9001 certification is recognized worldwide and can serve as a powerful marketing tool; non-certified companies cannot advertise any certification mark and therefore lack the associated prestige and marketing benefits.

Ongoing effectiveness
ISO 9001-certified companies need to be audited periodically by their registrar in order to verify their QMS remains fully implemented. Non-compliant companies are not compelled to maintain their ISO 9001 system as they only conduct self-assessments.

There are several pros and cons for avoiding the rigor of certification. The good news is that it's always possible to switch from compliant to certified. For the purpose of providing a complete picture, this article will describe the entire process of achieving ISO 9001 certification.

1. How or when should I get started with ISO 9001?

Most companies have been established for several years before they even think about ISO 9001, but if you are in the process of starting a new company – focus on ISO 9001 right now: structure your business processes according to ISO 9001:2015 requirements and start implementing ISO 9001 before hiring employees.

As a first step, familiarize yourself with the ISO 9001:2015 standard and its requirements. It is important to get a good understanding of the requirements, how they will affect your company and how much is involved in the ISO 9001 certification process. Our website has abundant information and resources, and we encourage you to read pertinent articles, editorials and reviews. You may also want to consider introductory ISO 9001 training, an option that generally yields very positive results.

If you are starting or about to start a new company, it may seem strange to suggest you should focus on ISO 9001 right now. This is however the most efficient approach as it ensures new employees are aware of your intentions from the outset and therefore more likely to cooperate during the implementation process. Staff resistance to change is a common problem in established companies, where employees are often less enthusiastic about embracing ISO 9001.

More information
Refer to our Resources & Reviews section for important information on ISO 9001:2015 and links to organizations selling the standard and ISO 9001 training courses.

Once you have a working knowledge of ISO 9001 and its implementation, you will need to decide which approach to take: hire a management consultant or implement ISO 9001 in-house.

2. Should we use an ISO 9001 consultant?

We have conducted several surveys to clarify this issue and believe that while consultants can be of great help, they can also cause serious damage, depending on the consultant and how you use them.

An ISO 9001 system adapted and fine-tuned to your company's needs can only be established by somebody with a thorough understanding of its internal processes and culture. While good consultants can gain this understanding by learning about your company, staff and work processes, the learning process is often slow and (due to consultants' fees) expensive.

Another important point to realize is that there will be a point in time when the consultant leaves and passes on responsibility for the ISO 9001 system to a company insider, who, at this point, is expected to be intimately familiar with ISO 9001. In other words, it is not possible to outsource the management and practical use of the ISO 9001 quality management system to a consultant. If you are inclined to hire a consultant, you may want to read our article on the pros and cons of ISO 9001 consultants.

For SMEs, a better and far less expensive alternative to consultants is to implement ISO 9001 in-house. Budget-conscientious business owners assign the task of ISO 9001 implementation to themselves or a capable manager, and use tools, services and even consultants to assist them.

ISO 9001 documentation by consultants
ISO 9001 policies, procedures and work instructions build the foundation of your Quality Management System. Your company's operational processes need to be in compliance with these documents. If these documents don't fit your company like a glove, you may introduce inefficiencies, costs and other problems. If the consultant is not intimately acquainted with your company, it is best not to use him to author your documentation.

Of the common problems we encounter, the most severe is poorly-written, overly complicated and convoluted documentation. This type of documentation is often authored by consultants, and almost always results in inefficient and bureaucratic ISO 9001 Quality Management Systems. We have even come across situations where consultants purposely made the ISO 9001 requirements complicated and restrictive in an apparent effort to justify the high price of their services.

Consultants as trainers
Good ISO 9000 consultants can add value as trainers. However, since some tend to focus on selling their consultancy services, specialized ISO 9001 instructors are generally a better option. Online ISO 9001 training courses are also a good, inexpensive alternative to consultants.

More information
Learn how to evaluate QMS consultants, avoid unethical and inadequate consultants and find one that fits your needs in our guidelines on how to choose an ISO 9001 consultant.

The next section explains how SMEs can implement ISO 9001 in-house – an approach that significantly reduces implementation costs and often leads to a more efficient ISO 9001 system.

ISO 9001 implementation without a consultant

Our research on SMEs and their use of consultants clearly shows that small, micro and medium-sized companies can not only implement ISO 9001 in-house quite easily, they can generally do it more effectively and less expensively than a consultant.

ISO 9001 implementation kits
There are several certification packages on the market that contain various tools to help those implementing ISO 9001 in-house. Good certification packages not only contain templates for the ISO 9001 documentation but also detailed instructions on how to modify and adapt the prewritten procedures to make them fit your company's individual circumstances. The best packages also include a simple yet detailed step-by-step project guide that addresses the needs of SMEs, along with forms, checklists, internal audit tools and training materials.

Cross-company cooperation
We interviewed Professor Dr. de Vries, a leading expert on ISO 9001 and standardization, and discussed in-house implementation. As an additional option to consultants and ISO 9001 implementation kits, Prof. Dr. de Vries proposed that small and medium-sized businesses team up with other SMEs, either in the same geographic area or as members of the same trade association. An additional benefit of this approach would be the ability to share a common quality manager.

More information
Find out more about ISO 9001 certification kits in our article on ISO 9001 documentation templates.

3. Preparation and planning

When planning for ISO 9001 implementation, the CEO and top management should have a clear idea of their objectives and the specific benefits the organization will gain from achieving ISO 9001 accreditation. Top management has to be aware and accept that the Quality Management System will be integrated into every area of the company. If necessary, information and training may need to be provided before getting started.

The next step is to assign responsibility for the implementation of ISO 9001. Though many employees and managers will eventually be involved, it is necessary to assign responsibility to a high-ranking manager or company owner (at small to medium-sized companies) or to a project team (in the case of larger organizations). The person responsible for ISO 9001 was traditionally called "ISO 9001 Management Representative", though the latest revision of ISO 9001 no longer uses this term.

Before step-by-step planning can start, the individual responsible for ISO 9001 needs to gain a broad understanding of ISO 9001:2015 requirements. Detailed analysis and interpretation of each requirement can be learned at a later time.

Note that the above steps apply regardless of whether or not you are planning to implement ISO 9001 in-house or hire a consultant. Even if you decide to task a consultant with the entire ISO 9001 implementation, there will be a point when he leaves and a company insider takes over maintenance tasks. The following steps, however, could be partially outsourced to a consultant if the budget allows and if you are willing to forgo the non-monetary benefits of in-house implementation.

Prior to starting any activities, it is important to inform all staff about the ISO 9001 certification plans and explain what it means both for the company and individual employees. Without this formal introduction, gossip, negativity and opposition to ISO 9001 may arise, all of which will hinder the entire implementation process. An inexpensive and highly effective method of introducing ISO 9001 to employees at this stage is to use multimedia video presentations.

Once you have employee buy-in and full support from top management, you may review the extent to which your company is already meeting ISO 9001 requirements. Here you will compare each requirement to what you already do. This review is called a "gap analysis" as it will uncover the gaps between actual business practices and ISO 9001 requirements. For each requirement, your gap analysis will have one of two basic outcomes:

Meets requirements: simply continue what you are doing.

Does not meet requirements: improve your process to meet the ISO 9001 requirements.

Based on your gap analysis and knowing which processes require improvement, you can now start planning your ISO 9001 implementation project. You now know which departments require particular attention and which process improvements will engender the greatest benefits.

This is also a good time to choose a registrar – the independent certification body that issues the ISO 9001 certificate upon successful completion of the certification audit. The first criteria to look at when choosing a registrar is their accreditation. The registrar needs to hold valid accreditation from an accreditation board (for example, ANAB in the USA).

A word of caution
Beware of companies offering ISO 9001 certificates without accreditation. Some consultants and providers of templates "guarantee" ISO 9001 certification and issue an "ISO 9001 certificate" that is not backed up by an accreditation board. Displaying such a "certificate" will likely backfire and portray its bearer as dishonest.

An advantage of hiring a registrar early in the implementation project is the assistance they may provide. Many registrars offer valuable resources to their customers and may answer specific questions concerning the interpretation and implementation of the Standard.

4. ISO 9001 documentation

Developing ISO 9001 documentation is a significant and very important part of the implementation process.

The ISO 9001:2015 standard contains numerous explicit and implicit requirements for the nature and content of your documentation. The necessary documents are:


Quality policy

Quality objectives

Process map (process flowchart)

Scope statement (scope of the Quality Management System)

Work instructions (where they add value)

Forms and checklists (where they add value)

Work instructions provide detailed guidelines for employees on how to perform their duties. However, the ISO 9001:2015 standard is very clear that work instructions need only be created where they add business value. For example, a trained painter will not find value in instructions on how to paint, while brief instructions (possibly in the form of pictures) explaining how to replace a filter could be a great time-saver.

Forms and checklists are not an explicit requirement of ISO 9001:2015. An explicit requirement, however, is the recording and retaining of numerous sets of information. Well designed forms and checklists simplify the recording of information and increase efficiency as they guide the user through the process of collecting and recording the information. Once forms and checklists are filled in and kept on file, they become records. Typical ISO 9001 forms include the Corrective Action Report Form, the Corporate Environment Form and the Customer Survey.

What about the ISO 9001 Quality Manual?
The Quality Manual was once synonymous with ISO 9001 documentation, but since the 9001:2015 revision it is no longer required. It used to be a high-level description of the Quality Management System, but offered little practical use. A few savvy companies, however, modified it to become a marketing tool and – while still implementing ISO 9001 – used it as evidence to advertise their upcoming certification.

In addition to the above listed documents, ISO 9001:2015 requires numerous records that provide evidence of performed activities or achieved results. In many cases, records are best created by filling out forms. ISO 9001:2015 uses the term "Documented Information", which it defines as a combination of both documents and records. For the sake of clarity and to reduce confusion, the 9001 Council and most professionals continue to use the terms "documents" and "records".

The ISO 9001 documentation is the backbone of your Quality Management System. Your documents specify how work processes are performed and what information to collect. In order to be ISO 9001 compliant or certified, your company must:

  1. have documentation that meets all ISO 9001 requirements, and
  2. do what the documentation says in daily business practice.

The importance of good ISO 9001 documentation can not be overstressed: good documentation is the first step towards better processes and operational improvement, while poor documentation could lead to inefficiencies and increased cost.

More information
Find out more about the required ISO 9001 documentation in our article on ISO 9001 documentation requirements.

5. Implementation

Your ISO 9001 documentation is the foundation of actual work processes. Employees and managers need to follow the procedures and work instructions carefully, and all involved personnel must be properly briefed and/or trained to understand the requirements that pertain to them.

This is the point at which you may want to look at the results of your gap analysis and at your ISO 9001 procedures. Make a plan of the functional areas and departments that need training in particular requirements.

Management review, for example, is something that only affects top management. Your gap analysis and any subsequent discussions with senior management may reveal that similar business reviews are already conducted periodically and that the items of the ISO 9001 management review could simply be added.

Document control, to give another example, is a requirement that affects everybody who uses documents, no matter if the documents are in form hard copies, intranet pages, Word documents etc. In most companies, everybody is somehow affected by the document control requirements. You may look at your gap analysis and plan for appropriate training at individual departments. Training in document control could be conducted at a meeting in a conference room in which you introduce the ISO 9001 documentation and your wide-ranging document control procedure.

We previously mentioned that work instructions (which describe detailed work processes) need to be prepared where they add value, and are best done so by those who actually perform the work. Preparing them as part of a team work activity is one of the best opportunities for process improvement as it gives individuals the chance to air ideas for improvement they may have had for a long time but didn't know how to implement. Now is the time for staff to better understand and consider how the work processes they are part of impact on the processes of others, and vice versa. It is also the time for employees working on process improvements to reduce or eliminate difficulties in their own work processes. This results in improved processes and a better work environment, which in turn leads to higher company-wide job satisfaction.

Before starting with process improvements and work instructions, the following should be done:

Introduce document control - it will affect the documentation of work instructions.

Explain flowcharting basics - flowcharts are very useful during process improvement and the documentation of work instructions.

Introduce any pertinent procedures - some work processes will not only require improvement and documentation but also changes based on ISO 9001 requirements.

In some cases, it may be beneficial to attend process improvement and work instruction activities as a moderator. This is usually an excellent training approach as it allows new ISO 9001 requirements to be introduced at the same time as improvement opportunities are discussed. By doing this, the newly introduced ISO 9001 requirements become welcome additions to the improvement initiatives.

At most companies, the implementation phase requires introducing several new requirements. Depending on the size of the organization, you may be able to introduce all new requirements to all affected departments. At larger organizations, you may want to introduce changes to top managers who can then either implement the requirements themselves or delegate them to subordinate managers.

Note that the implementation phase is not simply a unidirectional introduction of your new ISO 9001 procedures but also an opportunity to improve and fine-tune them. At the time you introduce any new requirements, you will receive questions and feedback. Use this feedback to improve procedures where needed.

Only companies with large budgets consider outsourcing the implementation phase to a consultant. While some companies argue that employees are more receptive to new requirements when they are introduced by an external consultant, our experience is generally the opposite. We find, for example, that employees are more likely to accept new processes when they are presented by a familiar company insider; we find too that in the correct environment this approach often leads to healthy debate and the discussion of improvement opportunities.

6. Internal audits

Internal audits are an ISO 9001 requirement. They are used to monitor the Quality Management System, to see if it is still effectively implemented and to detect opportunities for improvement. Without periodic audits, many ISO 9001 Quality Management Systems would start deteriorating as standards wane and corners are cut.

Internal ISO 9001 audits are conducted in addition to any audits performed by a company's registrar. They are conducted by an employee or group of employees appointed and trained for the role. Anybody at the company can become an internal auditor: SMEs often use their ISO 9001 Management Representative (the individual responsible for the company's ISO 9001 system), while larger companies appoint several internal auditors. In order to ensure objectivity, auditors cannot audit their own work, which means that even very small companies actually need two internal auditors – one to perform the bulk of the audit, and a second to audit the work undertaken by the first.

Best Practices
Auditing is an excellent way for employees to learn from each other and share best practices throughout the organization. Audits also help in understanding how constraints in one department can affect activities in other departments. It is for this reason that some companies appoint a large number of internal auditors.

There are several options for internal auditor training: professional instructors can be hired to train staff in-house; employees can attend public classes, either as individuals or in groups; and online training is available for those seeking a convenient, inexpensive alternative.

We recommend starting internal audits early as part of the implementation phase. This way, internal audits could serve as a training and implementation tool and accelerate the ISO 9001 implementation.

7. The ISO 9001 certificate

The ISO 9001 certificate is issued by an independent, accredited registrar after verification that your company has implemented an ISO 9001 Quality Management System and follows all its requirements in daily operations.

Prior to obtaining ISO 9001 registration, your company needs to have the entire ISO 9001 Quality Management System implemented; this includes having created the documentation in accordance with ISO 9001 and following all the requirements stipulated in your own documentation. Once you are satisfied that your company's ISO 9001 system is properly set up and working, your company is ISO 9001 compliant. The next - optional - step is ISO 9001 certification.

Before the certification audit can be performed and certification issued, your company needs to meet two additional conditions:

  1. Perform one complete internal ISO 9001 audit.
  2. Your company must have a track record of operating according to ISO 9001 requirements; most registrars require about 2 months of records.

An accredited ISO 9001 registrar needs to be hired to certify your company, and it's important to choose one that fits your circumstances. We recommend choosing a registrar early during the ISO 9001 implementation process as some registrars offer free support materials that help you implement the quality standard.

How to find an ISO 9001 registrar?
Finding an accredited ISO 9001 registrar is not difficult – a Google search will list several international and local registrars. You may also check our resources for suggestions.

Helpful Registrars
Evaluate your registrar carefully with the goal of finding one whose auditors are flexible (because there are countless ways of fulfilling the ISO 9001 requirements and some may fit better for an individual business) and don't mind sharing their experience (auditors are not allowed to consult but they are allowed to share best practices seen at other companies).

Certification audit
Once the above requirements have been fulfilled, your registrar will have an auditor (or a team of auditors) perform two audits:

A documentation audit, in which the auditor verifies the company's procedures meet the requirements of ISO 9001:2015. The documentation audit can be passed easily if you base your ISO 9001 documentation on good templates.

An onsite audit at your company, in which the auditor verifies the organization operates according to its ISO 9001 documentation and all ISO 9001:2015 requirements. As part of this audit (often referred to as an "external" audit to distinguish from the company's internal audits), the auditor will randomly check records, interview management and staff, and observe employees performing their work. The goal is to establish evidence that the company follows its own procedures and meets all ISO 9001:2015 requirements.

Small business owners often wonder what happens if they fail the audit. However, one doesn't really fail an audit. The auditor may discover problems (typically referred to as noncompliances or non-conformities) but that doesn't mean you failed the audit. Once the noncompliances are corrected, you will get your certificate.

ISO 9001 certificate
If no significant noncompliances have been discovered or after any noncompliances have been corrected, the registrar issues the ISO 9001 certification. The certificate is typically valid for three years and can then be easily renewed.

Surveillance audits
A condition for continued validity of your ISO 9001 registration is that periodic maintenance audits (usually referred to as surveillance audits) are conducted by the registrar, and that those surveillance audits show continued ISO 9001 compliance (again, the company has an opportunity to correct any non-conformities). Surveillance audits are usually conducted every 6 - 12 months; they are much smaller in scope, time and cost than the initial audit.

8. Cost of an ISO 9001 Quality Management System

While operating a good ISO 9001 Quality Management System typically results in significant cost savings, the implementation and certification process can sometimes be expensive.

The cost of implementation and achieving certification varies according to the size of your company and the implementation approach you take. The main contributors to cost are:

In the USA, the cost of the registrar is approximately USD $1,000 - $2,000 for registration fees. The cost of the certification audit depends on the size and complexity of your company. Expect to pay about USD $1,000 - $2,000 per auditor day. Small businesses may only require one audit day.

Consultant, implementation kit, training
Spending on external help varies greatly. Large companies often spend in excess of several hundred thousand dollars in consultant fees, while SMEs can get by with two thousand dollars or less for an ISO 9001 implementation kit and training.

ISO 9001 point person
The person assigned to lead the ISO 9001 implementation (often referred to as ISO 9001 Management Representative) will carry the burden of the ISO 9001 implementation and the time spent on it. The use of a consultant or certification package can significantly lessen the burden and allow the ISO 9001 point person to implement ISO 9001 while attending to their other responsibilities.

Employee time
Regardless of the approach you adopt to ISO 9001 implementation, employees and managers will need to spend time on ISO 9001. Throughout the entire implementation, staff will spend time on training, improvement initiatives and documenting work instructions. Using a consultant does not lead to significant time savings. Company managers and staff are usually able to manage their part of the ISO 9001 implementation without neglecting their normal responsibilities.

The above estimates apply only to ISO 9001 certification; in order to remain certified, your company needs to keep its ISO 9001 system up-to-date and undergo periodic surveillance audits. Depending on the size and complexity of your company, surveillance audits may be performed once or twice per year, with a cost of about USD $1,000 - $2,000 per auditor day. One audit day per year is sufficient for most SMEs.