How to Get ISO 9001 Certification: Step-by-Step Process for Businesses
To get ISO 9001 certification, a business must prepare and run a Quality Management System, define its certification scope, complete a gap analysis, organize documents and records, train employees, perform internal audit and management review, choose an external certification body, complete Stage 1 audit and Stage 2 audit, close nonconformities, and maintain certification through surveillance and recertification.
ISO 9001 certification applies to an organization’s Quality Management System, also called a QMS. It does not certify an individual person. A company is also certified to ISO 9001, not “by ISO,” because ISO develops standards but does not issue certificates.
To get ISO 9001 certification, build a working QMS, complete internal audit and management review, choose a certification body, pass Stage 1 and Stage 2 audits, close nonconformities, and maintain the certificate through ongoing audits. Detailed explanation below:
What ISO 9001 Certification Means for a Business
ISO 9001 certification means an external certification body has audited an organization’s QMS and confirmed that the system meets ISO 9001 requirements within a defined scope.
The certificate is not just proof that documents exist. The certificate shows that the organization has processes, roles, controls, records, review methods, and improvement actions in place.
ISO 9001 Is a Quality Management System Standard
ISO 9001 is a quality management system standard for organizations that want to control work, meet customer expectations, satisfy applicable requirements, and improve performance over time. ISO describes ISO 9001 as a standard that helps organizations establish, implement, maintain, and continually improve a QMS.
A QMS is the way a business manages quality. It includes process controls, responsibilities, policies, objectives, training, supplier controls, customer feedback, internal audits, corrective actions, and performance review.
In simple terms, ISO 9001 asks one main question: Can the organization consistently deliver what the customer and applicable requirements expect?
Companies Are Certified to ISO 9001, Not by ISO
Companies are certified to ISO 9001 by an external certification body. ISO does not perform certification, does not issue ISO certificates, and does not allow the ISO logo to be used in connection with certification.
That wording matters. “Certified by ISO” is not correct. The cleaner wording is:
- Certified to ISO 9001
- ISO 9001 certified organization
- ISO 9001 certified quality management system
- ISO 9001 certificate issued by a certification body
This distinction protects the organization from weak certificate claims, wrong marketing language, and buyer confusion.
ISO 9001 Certification Applies to Organizations, Not Individuals
ISO 9001 certification applies to an organization’s QMS. An individual can complete ISO 9001 awareness training, internal auditor training, or lead auditor training, but that is not the same as organization-level ISO 9001 certification.
A person may hold a training certificate or an auditor qualification. A business holds ISO 9001 certification when its QMS has been audited and certified within a defined scope.
What Is the Process for ISO 9001 Certification?
The ISO 9001 certification process moves from preparation to audit to certificate maintenance. Each step builds evidence that the QMS is not only written, but also used.
Step 1: Understand ISO 9001 Requirements
The first step is to understand what ISO 9001 expects from the organization.
ISO 9001 covers major QMS areas such as:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
These areas help the organization define business context, assign responsibilities, set quality objectives, control work, monitor performance, check results, and improve the system. ISO’s own ISO 9001 overview lists these core topic areas.
Step 2: Define the Certification Scope
The certification scope defines what the ISO 9001 certificate covers.
The scope should state the activities, locations, products, services, departments, or process boundaries included in certification. A vague scope creates problems later because buyers, auditors, and internal teams need to know exactly what the certificate applies to.
A single-site service company may have a simple scope. A multi-site manufacturer, contractor, or logistics company usually needs a more detailed scope because audit planning changes when locations and processes change.
Step 3: Conduct a Gap Analysis
A gap analysis compares the current QMS against ISO 9001 requirements.
The gap analysis should identify:
- Missing documents
- Weak records
- Unclear responsibilities
- Uncontrolled processes
- Training gaps
- Supplier control gaps
- Missing internal audit evidence
- Missing management review evidence
- Corrective-action weaknesses
A gap analysis is useful because it turns a broad certification goal into a clear action plan. Without a gap analysis, teams often prepare documents randomly and miss the evidence auditors actually need.
Step 4: Build or Update the Quality Management System
The organization must build or update the QMS before the certification audit.
A working QMS includes:
- Quality policy
- Quality objectives
- Process controls
- Roles and responsibilities
- Risk-based thinking
- Supplier control
- Customer feedback handling
- Document control
- Record control
- Corrective action
- Performance monitoring
The QMS should fit the business. A small service company does not need the same system as a multi-site manufacturer. The system needs to be controlled, documented, used, and measurable.
Step 5: Prepare Documents and Records
ISO 9001 uses the term documented information for the documents and records needed to run and prove the QMS. Documents describe what should happen. Records prove what happened.
The organization should prepare controlled documents and real records before the external audit. Written procedures with no records usually show that the system is not fully implemented.
Step 6: Train Employees and Implement the System
Employees need to understand the parts of the QMS that affect their work.
Training should cover:
- Process responsibilities
- Quality objectives
- Documented procedures
- Customer requirements
- Risk controls
- Recordkeeping
- Nonconformity reporting
- Corrective-action steps
ISO 9001 certification requires implementation. A company cannot rely on a manual sitting in a folder. Auditors look for evidence that people know the process and use the process.
Step 7: Conduct an Internal Audit
An internal audit is the organization’s own check before the external certification audit.
The internal audit checks whether the QMS meets ISO 9001 requirements and whether the organization is following its own processes. Internal audit evidence can include audit plans, checklists, audit notes, findings, reports, and corrective actions.
This step matters because the internal audit finds problems before the certification body arrives.
Step 8: Complete Management Review
Management review is leadership’s formal review of QMS performance.
A proper management review may cover:
- Audit results
- Customer feedback
- Quality objectives
- Process performance
- Supplier performance
- Risks and opportunities
- Corrective actions
- Resource needs
- Improvement actions
Management review proves that top management is involved in the QMS. ISO 9001 is not only a quality department task.
Step 9: Choose a Certification Body
A certification body, sometimes called a registrar, performs the external audit and issues the ISO 9001 certificate when requirements are met.
ISO recommends evaluating several certification bodies, checking whether the certification body uses the relevant conformity-assessment standards, and checking accreditation where appropriate. Accreditation is not compulsory, but ISO describes accreditation as independent confirmation of certification-body competence.
Before choosing a certification body, check:
- Accreditation status
- Industry experience
- Audit scope capability
- Audit fees
- Audit timeline
- Certificate verification route
- Surveillance and recertification process
- Rules for certificate marks and logo use
The certification body should not be the same party that built the QMS for you. That separation protects audit independence.
Step 10: Complete Stage 1 and Stage 2 Certification Audits
The initial ISO 9001 certification audit usually has two main stages: Stage 1 and Stage 2.
Stage 1 is a readiness and documentation review. Stage 2 is the full assessment of how the QMS works in practice. Certification-body audit guides describe this route as a Stage 1 audit, Stage 2 audit, surveillance audits, and recertification audit within the certificate cycle.
Step 11: Resolve Nonconformities and Receive the Certificate
A nonconformity is an audit finding that shows a requirement has not been met.
Nonconformities can delay certification when the issue is serious or when corrective action is weak. The organization must correct the issue, identify the cause, take corrective action, and submit evidence to the certification body.
The certification body makes the certification decision after reviewing audit results and corrective-action evidence.
Step 12: Maintain ISO 9001 Certification
ISO 9001 certification must be maintained after the certificate is issued.
Maintenance usually includes:
- Surveillance audits
- Continued records
- Internal audits
- Management reviews
- Corrective actions
- Scope updates
- Recertification planning
A certificate can lose value when the QMS stops working after the first audit. The system must keep producing evidence.
Which Documents Are Required for ISO 9001 Certification?
ISO 9001 certification requires documents and records that show how the QMS is planned, controlled, checked, and improved. The exact documents depend on the organization’s scope, process complexity, industry, and certification-body expectations.
Core QMS Documents
Core QMS documents explain how the organization controls quality.
Common examples include:
QMS Document | What It Does |
QMS scope | Defines the activities, locations, products, or services covered by certification |
Quality policy | States the organization’s quality direction |
Quality objectives | Sets measurable quality goals |
Procedures | Explain how key work is controlled |
Work instructions | Give detailed task-level instructions where needed |
Process maps | Show process flow, inputs, outputs, and responsibilities |
Forms and templates | Help teams capture consistent information |
Document control method | Controls document approval, update, access, and use |
The document set should match the business. Overbuilt documentation creates confusion. Underbuilt documentation creates audit risk.
Records That Prove the QMS Is Working
Records prove that the QMS is active.
Common examples include:
- Training records
- Inspection records
- Supplier evaluations
- Customer complaint records
- KPI reports
- Internal audit reports
- Corrective-action records
- Management review minutes
- Calibration records where applicable
- Process monitoring records
Auditors rely on records because records show what actually happened.
Documents vs Records
This table separates documents from records because many teams confuse the two during ISO 9001 preparation.
Item | Meaning | Example |
Document | Describes what should happen | Procedure, policy, work instruction |
Record | Proves what happened | Training log, audit report, corrective-action record |
A procedure can say that staff must be trained. A training record proves that staff training happened.
What Happens During the ISO 9001 Certification Audit?
The ISO 9001 certification audit checks whether the QMS meets ISO 9001 requirements and works in daily operations.
The audit is not only a document review. Auditors also review records, interview employees, sample processes, and check whether the organization follows its own system.
Stage 1 Audit: Readiness and Documentation Review
Stage 1 audit checks whether the organization is ready for the full certification audit.
The auditor may review:
- Certification scope
- QMS documents
- Key processes
- Internal audit status
- Management review status
- Readiness gaps
- Audit planning information
Stage 1 helps the certification body decide whether the organization is ready for Stage 2.
Stage 2 Audit: Full QMS Assessment
Stage 2 audit checks whether the QMS is implemented and effective.
The auditor may review:
- Employee awareness
- Process controls
- Operational records
- Customer feedback
- Supplier controls
- Internal audit evidence
- Management review evidence
- Corrective actions
- Performance monitoring
- Quality objectives
Stage 2 is the main certification audit. The auditor gathers evidence and reports findings for the certification decision.
Stage 1 vs Stage 2 Audit
This table explains the difference between the two main certification audit stages.
Audit Stage | Main Purpose | What the Auditor Checks |
Stage 1 audit | Readiness and documentation review | Scope, QMS documents, planning, readiness gaps |
Stage 2 audit | Full QMS implementation assessment | Records, interviews, process evidence, corrective actions, operational control |
Stage 1 asks, “Is the organization ready for the full audit?” Stage 2 asks, “Does the QMS work in practice?”
What Auditors Look for in Practice
Auditors look for evidence that the organization controls quality in real work.
Common audit evidence includes:
- Employees understand their responsibilities
- Procedures match actual work
- Records are complete and traceable
- Supplier evaluations are maintained
- Customer complaints are reviewed
- KPIs are monitored
- Internal audits are completed
- Corrective actions are closed with evidence
- Management review decisions are recorded
A clean audit comes from daily discipline, not last-minute paperwork.
Can You Fail an ISO 9001 Audit?
Yes. A business can fail or delay ISO 9001 certification if major nonconformities show that the QMS does not meet ISO 9001 requirements or is not implemented effectively.
A delay does not always mean the project is lost. The organization may be asked to correct issues, submit evidence, and complete further review before the certification decision.
What Happens After ISO 9001 Certification?
After ISO 9001 certification, the organization must keep the QMS active. Certification is not the end of the quality system. It is the start of ongoing maintenance.
Surveillance Audits
Surveillance audits check whether the QMS continues to meet requirements after certification.
The certification body reviews selected parts of the system during the certificate cycle. The exact schedule depends on the certification body, accreditation rules, scope, and certification program.
Recertification Audit
Recertification audit renews certification before the certificate cycle ends.
The recertification audit is usually broader than a surveillance audit because the certification body needs to confirm continued conformity across the QMS before issuing the next certificate cycle.
Continual Improvement After Certification
Continual improvement keeps the QMS useful after certification.
The organization should keep reviewing:
- Customer feedback
- Audit results
- Process performance
- Quality objectives
- Corrective actions
- Supplier performance
- New risks
- Improvement opportunities
The point is not only to “keep the certificate alive”. The point is to keep the QMS useful for the business.
After you understand the ISO 9001 certification route, the next step is to judge the practical factors that affect your timeline, cost, support needs, certificate legitimacy, and long-term maintenance.
How Long Does ISO 9001 Certification Take?
ISO 9001 certification timeline depends on readiness, scope, documentation maturity, process complexity, site count, internal audit status, management review status, and certification-body scheduling.
A company with an existing QMS can move faster than a company building the system from the beginning.
Timeline Factors
The main timeline drivers are:
Timeline Factor | How It Affects the Project |
Current readiness | Mature systems need less preparation |
Certification scope | A wider scope needs more review and audit planning |
Number of sites | More sites can increase coordination and audit time |
Process complexity | Complex operations need more evidence |
Documentation maturity | Weak documents need more work before the audit |
Internal audit status | A missing internal audit can delay certification readiness |
Management review status | Missing management review creates a readiness gap |
Certification-body scheduling | Audit dates depend on the auditor’s availability |
A realistic timeline starts with a gap review, not a fixed promise.
Why No Single Timeline Fits Every Organization
No single ISO 9001 timeline fits every organization because scope and readiness change the work.
A small service company with clear processes, trained staff, and existing records may need less preparation. A multi-site organization with weak records, supplier risks, and no internal audit history needs more time before Stage 1 and Stage 2 audits.
How Much Does ISO 9001 Certification Cost?
ISO 9001 certification cost depends on audit fees, implementation support, training, documentation work, internal time, number of sites, employee count, process complexity, and certification-body requirements.
A universal global price would be misleading without reviewing the organization’s scope.
Main Cost Drivers
The main cost drivers include:
Cost Driver | Why It Matters |
Certification-body audit fees | The certification body charges for external audit work |
Consultant support | Outside support adds cost but may reduce internal workload |
Staff time | Internal teams spend time on process work, records, and audits |
Training | Employees may need awareness or internal audit training |
Documentation help | Weak or missing documents need preparation |
Software or templates | Some organizations use tools for document and record control |
Number of sites | More sites can increase audit planning and audit time |
Scope complexity | More complex operations require more review |
Audit days | Certification-body audit duration affects fees |
The best first step is to define the scope and readiness level. Pricing before scope review is usually too rough to trust.
Do You Need a Consultant to Get ISO 9001 Certified?
A consultant is not always required to get ISO 9001 certified. The need for consultant support depends on internal expertise, available time, QMS maturity, documentation quality, and audit readiness.
Some organizations can implement ISO 9001 in-house. Others need outside support because the internal team is stretched or unfamiliar with certification work.
When In-House Implementation May Work
In-house implementation may work when the organization already has:
- A mature QMS
- Clear process owners
- Strong document control
- Existing records
- Internal audit experience
- Management review discipline
- Available staff time
- Quality or compliance expertise
This route can work well when the organization has the skill and time to manage the project without losing control of daily operations.
When Consultant Support May Help
Consultant support may help when the organization has:
- Weak documentation
- Limited ISO 9001 experience
- No internal audit program
- Tight tender deadlines
- Multiple sites
- Complex operations
- Unclear process ownership
- Previous audit findings
- Limited staff capacity
A good consultant should make the QMS clearer, not heavier. The support should help the organization build a system it can actually run.
Consultant vs Certification Body
A consultant helps prepare the QMS. A certification body performs the external audit and issues the certificate when requirements are met.
These roles should stay separate. If the same party prepares the system and controls the certification decision, independence becomes unclear.
How Do You Verify an ISO 9001 Certificate?
You verify an ISO 9001 certificate by checking the certificate details, certification body, accreditation status, where applicable, certificate scope, certified site, and current status.
IAF CertSearch describes itself as a global database for accredited management-system certificates and allows users to check certificate authenticity, status, scope, certification body, accreditation body, and certified locations where data is available.
Check the Certification Body
Start with the issuing certification body.
Check:
- Certification body name
- Certificate number
- Organization legal name
- ISO 9001 standard reference
- Certification scope
- Certified site or location
- Issue date
- Expiry date
- Current status
A certificate with no traceable certification body should be treated carefully.
Check Accreditation Status
Accreditation adds confidence because it confirms that a certification body has been recognized as competent within a defined scope.
ISO states that accreditation is not compulsory, and non-accreditation does not automatically mean a certification body is not reputable. Still, accreditation provides independent confirmation of competence and should be checked where buyer requirements call for accredited certification.
Use IAF CertSearch or Relevant Verification Routes
Use IAF CertSearch where applicable for accredited management-system certificate validation. You can also contact the certification body, accreditation body, or relevant verification route when certificate details are unclear.
Do not assume a certificate is valid because it looks professional. Check the certificate number, scope, issuing body, and status.
Final Takeaway
Getting ISO 9001 certification is not about buying a certificate. The real work is building a QMS that controls quality, records evidence, trains people, checks performance, and improves when problems appear.
Start with the scope. Review the gaps. Build the system. Run the internal audit. Complete management review. Choose a credible certification body. Then move through Stage 1 and Stage 2 audits with evidence, not assumptions.
If your organization is preparing for ISO 9001 certification, a readiness review can help you see what is missing before the certification body arrives.
Frequently Asked Questions About Getting ISO 9001 Certification
Can You Get ISO 9001 Certification Online?
Some ISO 9001 preparation work may be completed online, but legitimate certification still requires a credible certification body and a valid audit process. Remote document review, training, gap review, and corrective-action tracking can work well. The audit format depends on the certification body, scope, site activity, and accreditation rules.
Can Individuals Get ISO 9001 Certified?
No. ISO 9001 certification applies to an organization’s QMS, not to an individual person. Individuals can complete ISO 9001 training, internal auditor training, or lead auditor training, but those credentials are different from organization-level ISO 9001 certification.
Is ISO 9001 Changing in 2026?
Yes. ISO lists ISO/FDIS 9001 as under development and expected to replace ISO 9001:2015 in September 2026. ISO 9001:2015 remains the current published version until replacement is finalized and transition rules are confirmed.
Is ISO 9001 Certification Worth It?
ISO 9001 certification can be worth it when the organization needs stronger quality control, customer confidence, supplier approval, audit readiness, or a structured improvement system. ISO describes ISO 9001 as helping organizations improve performance, meet customer expectations, and demonstrate commitment to quality.
Is ISO 9001 the Same as ISO 9000?
No. ISO 9000 refers to the wider quality management family and fundamentals, while ISO 9001 is the certifiable QMS requirements standard. ISO describes the ISO 9000 family as a set of quality management standards, with ISO 9001 as the best-known QMS standard in that family.
Can a Small Business Get ISO 9001 Certified?
Yes. A small business can get ISO 9001 certified when the QMS scope, process controls, records, and audit evidence fit the business size and activities. ISO 9001 is suitable for organizations of any size and sector, according to ISO’s official overview.
