What Is ISO Certification? Definition, Process, and How to Verify It ISO certification is a third-party conformity assessment that confirms an organization’s management system meets the requirements of a specific ISO standard such as ISO 9001 (Quality), ISO 14001 (Environmental), ISO 45001 (Occupational Health and Safety), or ISO/IEC 27001 (Information Security). The certification is performed by an independent certification body (also called a registrar in US market usage), not by ISO itself. ISO develops and publishes international standards but does not perform certification or issue certificates. Certification adds credibility by providing independent evidence that products, services, or management systems conform to specified requirements. This article defines what ISO certification means, explains who issues ISO certificates and how the certification process works, and provides a step-by-step method to verify whether a certificate is legitimate using the IAF CertSearch global database. ISO Standards vs ISO Certification: Why the Distinction Matters ISO the International Organization for Standardization is a standards body that develops and publishes international standards through technical committees. ISO has published over 24,000 standards covering quality, safety, environmental management, information security, and hundreds of other disciplines. ISO standards define requirements. ISO certification is a separate activity performed by external certification bodies that audits whether an organization meets those requirements. This distinction matters because a common misconception is that organizations are “certified by ISO.” They are not. A company cannot be certified by ISO. Certification is performed by external certification bodies independent third-party organizations that audit management systems against ISO standard requirements and make certification decisions based on audit evidence. The relationship between ISO, certification bodies, and accreditation bodies forms a trust chain that underpins the credibility of every ISO certificate: Entity Role Output How to Verify ISO (International Organization for Standardization) Develops and publishes international standards Published standards (ISO 9001, ISO 14001, ISO 27001, etc.) iso.org standards catalogue Certification Body (CB) Audits organizations and makes certification decisions Management system certificate (scope-bound) Check with accreditation body or IAF CertSearch Accreditation Body (AB) Evaluates and recognizes the competence of certification bodies Accreditation certificate for the CB (scope-bound) IAF website: list of MLA signatories IAF (International Accreditation Forum) Manages the Multilateral Recognition Arrangement (MLA) for cross-border acceptance IAF MLA signatory status for accreditation bodies iaf.nu and IAF CertSearch global database If ISO writes the rules and certification bodies evaluate conformity, the next question is: who confirms that the certification body itself is competent and impartial? That is the function of accreditation. Who Issues ISO Certificates (and What “Accredited” Means) ISO certificates are issued by certification bodies (CBs) independent third-party organizations that perform management system audits and, following a positive certification decision, issue a certificate documenting the scope of conformity. In the United States, certification bodies are also commonly called registrars. Certification bodies that undergo external evaluation by an accreditation body (AB) are classified as accredited certification bodies. Accreditation provides independent confirmation that the certification body operates with competence, impartiality, and consistency the 3 core principles defined by ISO/IEC 17021-1:2015, the international standard governing bodies providing audit and certification of management systems. Accredited vs Non-Accredited Certification Accredited certification carries higher market acceptance because the certification body’s competence has been independently verified by a recognized accreditation body. Non-accredited certification is not inherently invalid, but it lacks the independent oversight layer and may not be accepted by customers, regulators, or procurement processes that require accredited certification as a supplier qualification condition. Accreditation is scope-bound: an accreditation body recognizes a certification body for specific standards and industry sectors (defined by IAF codes). A CB accredited for ISO 9001 audits is not automatically accredited for ISO 27001 audits. Organizations selecting a certification body should verify that the CB holds accreditation for the specific standard and sector relevant to their certification scope. IAF MLA: How Accredited Certificates Gain International Recognition The IAF Multilateral Recognition Arrangement (MLA) is the mechanism that enables cross-border acceptance of accredited certifications. Accreditation bodies that are IAF MLA signatories recognize each other’s accreditation decisions, meaning a certificate issued under one MLA signatory’s accreditation is accepted across all IAF member economies. Examples of IAF MLA signatory accreditation bodies include ANAB (USA), UKAS (UK), EIAC (UAE), and EGAC (Egypt). How the ISO Certification Process Works (Audit Lifecycle)? The ISO certification process follows a structured audit lifecycle defined by ISO/IEC 17021-1. The process begins with initial certification (Stage 1 and Stage 2 audits), continues through mandatory annual surveillance audits, and renews through a recertification audit every 3 years. The full certification cycle spans 3 years. Step 1: Stage 1 Audit (Readiness and Documentation Review) The Stage 1 audit evaluates the organization’s readiness for the Stage 2 assessment. Auditors review management system documentation including policies, procedures, scope statements, and documented information to confirm that the system is designed to meet the applicable ISO standard requirements. The Stage 1 audit also verifies that internal audits and management reviews have been planned and performed, and identifies any areas that need attention before Stage 2. For organizations preparing documentation for this stage, ISO documentation services can support audit readiness through clause-by-clause documentation mapping. Step 2: Stage 2 Audit (Implementation and Effectiveness Assessment) The Stage 2 audit is the implementation assessment. Auditors collect objective evidence through personnel interviews, process observation, record review, and evidence sampling to evaluate whether the management system operates effectively in practice. Auditors evaluate conformity against audit criteria the specific clauses of the applicable ISO standard, the organization’s own procedures, and any statutory or regulatory requirements. Audit findings are classified as conformity, nonconformity (major or minor), or observations (opportunities for improvement). Step 3: Certification Decision The certification decision is made by a function within the certification body that is independent from the audit team. This separation of audit and decision functions protects impartiality. The certification decision determines whether the organization’s management system conforms to the applicable standard and whether a certificate should be granted, withheld, or granted with conditions requiring corrective action closure. Step 4: Surveillance Audits (Annual, Mandatory) Surveillance audits are mandatory and occur at least annually during the