The journey to certification can take some time, depending on how large or complex your scoped organisation is. In general, larger organisations can reach certification in about eight to twelve months, whereas smaller companies can obviously achieve this somewhat faster – in the extreme in as little as two months. This is the time between deciding that you wish to pursue ISO 9001 and achieving certification.11
Once your organisation has actually implemented its QMS in accordance with the Standard, there are a few final steps worth taking before booking your certification audit:
• Get the QMS running
Once all the pieces are in place, you should have schedules set up for the regular elements like monitoring and measurement, internal QMS audits and management reviews. Without these in place and proof that they’re working, it’s difficult to prove that your QMS actually meets the Standard’s requirements. You don’t need to have a year’s data to prove this, but some records of initial quality measurements and audits, evidence that you have assessed any nonconformities that might have occurred, and an effective continual improvement process (shown in records of management reviews, for instance) will go a long way to proving that the QMS is a functioning management system rather than a static ‘snapshot’ of what a QMS might look like.
Remember: having documented processes doesn’t prove they’re being followed. Having records of the processes working as described is proof that they are being followed (but interviews and observation by an independent auditor can also demonstrate proof).
• Gap analysis
As mentioned earlier, a gap analysis is a good method to use early in the implementation to see where your organisation stands, but it’s equally useful once you think you’ve got everything in place. Even if your QMS appears to be functioning correctly, it’s a good idea to make sure that every requirement is being met.
• Pre-certification audit
Ideally this would be separate from your internal QMS audit regime to make sure you have external validation. Whether it involves getting someone from another part of the organisation to audit the QMS or engaging a consultant to do it for you, it will help prepare you for the audit as well as identifying any oversights. In general, it’s more useful to have an external party perform this audit, as they are less likely to be influenced by personal relationships or organisational politics, and are better positioned to provide a truly objective review.
Assuming the results of the gap analysis and pre-certification audit are positive, your organisation will be ready for certification.
Even with these preparations made, certifying your QMS can be a daunting prospect. This is especially true for smaller organisations that may feel they do not have the resources available to have a ‘proper’ management system in place, so it’s important to dispel a few myths about certification.
Do I have to certify?
Although certification is definitely valuable, some organisations may feel it’s unnecessary and that simply conforming to the Standard is sufficient. This is entirely true – many benefits are derived solely from implementing good practice quality management. If you’re happy simply gaining these benefits and are not too terribly worried about being able to demonstrate your credentials, then conformance may be enough.
Certification is an expensive disruption
Certification need not be expensive because the length of the certification audit scales with the size of your organisation, so smaller businesses can generally be audited in just a few days and, hence, relatively inexpensively. Naturally, larger organisations with more products and services, and more complex processes, will take longer, but are equally likely to gain more by being certified (such as access to new markets, clients and so on).
There’s so much documentation involved
In reality, there’s only as much documentation as you need. Many organisations make the mistake of thinking that literally everything has to be documented, which results in a mess of documentation and little coherence. For small organisations in particular, you should be wary of creating too many policies, procedures and work instructions. Rather, make sure you have enough documentation to tell people how the process works (a work instruction for the product/service and for checking the product/service) where it is needed and to check that they’re doing it correctly (such as a log or checklist). If a process is suitably controlled and measured to ensure it is systematically communicated, understood, executed and effective so as to be repeatable and dependable without fully documenting it then, in the absence of an explicit requirement for it to be documented, you do not need to write it down.
Certification won’t guarantee quality
It’s true that a certified QMS won’t guarantee quality – because nothing can make that guarantee. What certification does guarantee is that your organisation is doing everything it can to ensure quality and minimise customer dissatisfaction. Furthermore, because the QMS is inherently a preventive action, certification shows that your organisation is proactive in meeting customer requirements.
Can’t my customers audit my quality processes instead of paying for a certification body?
Although some customers will be happy to do that, many more don’t want to spend the time auditing a host of suppliers individually. Furthermore, if you have several customers who all want validation of your quality credentials, then repeated audits by your customers is likely to become a significant burden and disruption. Because ISO 9001 is the internationally recognised standard for quality management, being certified means that the majority of your customers will be perfectly happy with seeing the certificate and checking that the scope of your QMS (stated on the certificate) covers your relationship with them. This means that all of those customer audits can be replaced by a single certification audit, with less extensive surveillance audits annually in most cases through to the three-year recertification audit.
The certification auditor is just looking for problems
This is only true if you have a very bad auditor. Certification Body auditors are passionate about quality management and, like anyone passionate about something, they want to see it done right. If you establish a good relationship with your certification auditor, you’ll find that their reporting can be very helpful in providing opportunities for improvement and addressing nonconformities.
Maintaining quality
Although a certification to ISO 9001:2015 is proof that your organisation has implemented a management system that conforms to the specification, it is not proof that your organisation continues to follow best practice. Furthermore, your certification body will want to conduct surveillance audits at least annually, and organisations that don’t make much of an effort to continue running their QMS will generally find it much, much harder to negotiate their next certification body audit without significant findings being raised and ultimately jeopardising certification.
Mercifully, the whole process is actually very simple if the QMS has been properly established. The critical stage is making sure that you select an appropriate process approach, such as the plan-do-check-act cycle.
Regardless of the methodology you choose to follow, you should be sure that it has a cyclical structure so that it continues working without requiring additional impetus.
11 Different certification bodies and service providers quote varying lengths from initial commitment to quality management through to certification, but the preceding estimates are generally representative. Furthermore, as ISO 9001:2015 is very new at the time of writing, these numbers are based on implementing ISO 9001:2008. It’s reasonable to assume that the length of the process will not be markedly different under the 2015 version of the Standard.