ISO Certification Audit and Compliance Process: Stage 1, Stage 2, Surveillance, Recertification

The ISO certification audit process is a structured pathway that begins with application, progresses through a two-stage initial audit, leads to a certification decision, and continues with surveillance audits and recertification audits throughout a three-year certification cycle. Compliance is achieved when the organization demonstrates conformity to audit criteria through verified audit evidence and closes all nonconformities with corrective action.

What is the ISO Certification Audit Process?

An ISO certification audit is a third-party assessment that collects audit evidence and evaluates it against audit criteria to determine conformity with an ISO management system standard. The audit produces findings that support a certification decision issued by an accredited certification body. The ISO certification process encompasses the complete pathway from initial application through ongoing certification maintenance. Organizations seeking Accredited ISO Certification Services in Iraq follow this structured process to obtain and retain their ISO certificates.

ISO Audit Defined: Evidence-Based Evaluation Against Audit Criteria

An audit is a systematic, independent, and documented process for obtaining and evaluating audit evidence objectively to determine the extent to which audit criteria are fulfilled. Audit criteria consist of the requirements against which conformity is assessed—typically the applicable ISO management system standard, organizational procedures, and relevant regulatory requirements. Audit evidence includes records, statements of fact, and other verifiable information collected through interviews, observation of activities, and review of documented information. The audit team evaluates this evidence against the audit criteria to produce audit findings.

Roles in the ISO Certification Audit Process

  • Certification body (CB): The independent third-party organization that conducts certification audits and makes certification decisions. Certification bodies operate under the requirements of ISO/IEC 17021-1, which define the obligations of competence, impartiality, and consistency.
  • Audit team: The auditors assigned to conduct a specific audit. The team includes a lead auditor responsible for planning audits, coordinating the team, and preparing audit reports. Technical experts support the team when specialized knowledge is required.
  • Auditee: The organization being audited. The auditee provides access to personnel, processes, documented information, and facilities required for evidence collection.
  • Process owner: Personnel within the auditee organization responsible for specific processes being audited. Process owners demonstrate how their areas conform to management system requirements.

Audit Types: First-Party, Second-Party, Third-Party

  • First-party audits (internal audits): Conducted by the organization itself to evaluate its own management system conformity. Internal audits are a mandatory requirement in ISO management system standards and provide readiness evidence for certification audits.
  • Second-party audits (supplier audits): Conducted by an organization on its suppliers or contractors to evaluate conformity to specified requirements. These audits verify supply chain compliance.
  • Third-party audits (certification audits): Conducted by an independent certification body to assess conformity for certification purposes. Third-party certification audits follow the two-stage structure defined in ISO/IEC 17021-1.

Seven Principles of Auditing (ISO 19011)

ISO 19011 audit guidelines establish seven principles that auditors apply during management system audits:

  • Integrity: Auditors perform work honestly, diligently, and responsibly
  • Fair presentation: Audit findings, conclusions, and reports reflect audit activities truthfully and accurately
  • Due professional care: Auditors exercise care appropriate to the importance of the audit task
  • Confidentiality: Auditors protect information obtained during audits
  • Independence: Auditors remain free from bias and conflicts of interest
  • Evidence-based approach: Audit evidence is verifiable and conclusions are based on evidence evaluation
  • Risk-based approach: Audit planning and execution consider risks and opportunities

How is the Certification Cycle Structured?

The certification cycle is a planned audit programme. A two-stage initial audit leads to the certification decision, which starts the cycle; surveillance audits follow in the first and second years, and a recertification audit in the third year before certificate expiration.

Audit Programme Structure: Initial Audit, Surveillance, Recertification

The audit programme for full certification includes:

  • Two-stage initial certification audit: Stage 1 audit reviews readiness and documented information. Stage 2 audit evaluates implementation and effectiveness. Both stages must be completed before the certification decision.
  • Surveillance audits in years 1 and 2: Periodic audits verify continued conformity during the certification cycle. Surveillance audits cover a sample of the management system and focus on specific elements including changes, corrective action effectiveness, and continual improvement.
  • Recertification audit in year 3: Comprehensive audit conducted before certificate expiry to evaluate full management system conformity and renew certification for the next three-year cycle.

Certification Decision Starts the Three-Year Cycle

The certification decision is the formal determination that the organization’s management system conforms to the applicable ISO standard within the defined certification scope. A positive certification decision results in certificate issuance and begins the first three-year certification cycle. The certification body’s decision-making function operates independently from the audit team to maintain impartiality. Decision-makers review audit reports, nonconformity closure evidence, and audit team recommendations before issuing the certification decision.

First Surveillance Audit Timing Requirements

First surveillance audit timing is controlled by certification body procedures and typically occurs within 12 months from the certification decision date. ISO/IEC 17021-1 requires surveillance audits to be conducted at least once per calendar year. Surveillance audit scheduling considers the organization’s operational requirements, site accessibility, and the certification body’s audit planning constraints. Organizations receive advance notification of surveillance audit dates to ensure personnel and documented information availability.

ISO 9001 Certification Pillars

What Happens in a Stage 1 Audit?

The Stage 1 audit is the readiness review conducted before the Stage 2 audit. The audit team evaluates documented information, confirms certification scope, assesses site conditions, and determines preparedness for Stage 2.

Readiness Review and Documented Information Review

The Stage 1 audit evaluates whether the management system is designed and documented to meet ISO standard requirements. Auditors review documented information, including the management system manual, policies, procedures, process documentation, and records that demonstrate planning and implementation. The audit team assesses documented information for completeness, consistency, and alignment with the certification scope. Gaps identified during Stage 1 require correction before Stage 2 can proceed effectively.

Scope Confirmation, Site Conditions, and Stage 2 Preparedness

The Stage 1 audit confirms that the certification scope statement accurately describes the organization’s activities, products, services, and sites to be certified. Auditors verify that the scope aligns with the organization’s actual operations and the applicable ISO standard requirements. Site conditions are assessed to understand the operating environment and plan Stage 2 audit logistics. The audit team evaluates resource allocation, personnel availability, and site access requirements. Stage 2 preparedness is determined from the Stage 1 findings. If the organization demonstrates adequate readiness, the Stage 2 audit is scheduled. Significant gaps require correction and may necessitate additional Stage 1 activities before Stage 2 proceeds.

Stage 1 Inputs: Internal Audit Evidence and Management Review Evidence

Internal audit records demonstrate that the organization conducts first-party audits covering all management system processes. Auditors review internal audit schedules, audit reports, findings, and corrective action closure evidence to evaluate the internal audit programme effectiveness. Management review records demonstrate top management involvement in evaluating management system performance.

Auditors verify that management reviews address required inputs including audit results, customer feedback, process performance, corrective action status, and improvement opportunities. These records provide evidence that the organization operates the compliance mechanisms required by ISO management system standards before external certification audit occurs.

What Happens in a Stage 2 Audit?

The Stage 2 audit evaluates management system implementation and effectiveness through on-site evidence collection. The audit team assesses whether processes operate as documented and achieve intended outcomes.

Implementation and Effectiveness Evaluation

The Stage 2 audit examines how the management system functions in practice across all processes within the certification scope. Auditors evaluate process inputs, activities, outputs, and interactions to verify that implementation matches documented procedures. Effectiveness evaluation determines whether the management system achieves its intended outcomes. Auditors assess objective evidence demonstrating that processes deliver consistent results, risks are controlled, and objectives are achieved. The audit covers all management system elements, including leadership commitment, resource management, operational controls, performance evaluation, and improvement activities.

Evidence Collection Methods: Interviews, Observation, Records Review, Sampling

  • Interviews: Auditors interview personnel at various levels to verify understanding and implementation of management system requirements. Questions assess whether employees know their responsibilities, follow procedures, and understand how their work contributes to management system objectives.
  • Observation: Auditors observe activities, working conditions, equipment operation, and process execution. Direct observation verifies that actual practices conform to documented procedures.
  • Records review: Auditors examine records demonstrating process execution, monitoring results, and management system performance. Records provide objective evidence of conformity over time.
  • Sampling: Auditors select samples from available evidence to draw conclusions about the broader population. Sampling methods consider risk, process criticality, and audit time constraints. The audit plan specifies sampling approaches for different evidence types.

Findings: Conformity vs Nonconformity and Audit Report Output

Audit findings result from evaluating audit evidence against audit criteria. Findings are classified as conformity or nonconformity.

Conformity: The audit evidence demonstrates that requirements are fulfilled. Conformity findings confirm that specific management system elements meet ISO standard requirements.

Nonconformity: The audit evidence demonstrates that requirements are not fulfilled. Nonconformities are classified by severity:

  • Major nonconformity: The management system fails to meet a requirement, or a situation exists that raises significant doubt about the organization’s ability to achieve intended outcomes
  • Minor nonconformity: A single observed lapse or deviation that does not impact management system effectiveness

The audit report documents all findings, including conformities, nonconformities, opportunities for improvement, and audit conclusions. The report provides input for the certification decision and records the audit evidence basis for all findings.

How Are Compliance Gaps Closed?

Nonconformities require corrective action to close. The compliance process ensures that identified gaps are eliminated through systematic cause analysis, action implementation, and effectiveness verification.

Nonconformity Categories and Closure Evidence Concept

Nonconformities are categorized based on severity and impact on management system effectiveness:

Major nonconformities require correction and corrective action before certification can be granted or maintained. The certification body verifies closure evidence through follow-up audit activities, which may include on-site verification.

Minor nonconformities require corrective action with verification typically at the next scheduled surveillance audit. The organization submits closure evidence demonstrating actions taken.

Closure evidence is objective evidence demonstrating that:

  • The root cause has been identified
  • Corrective action has been implemented
  • The nonconformity has been eliminated
  • Recurrence prevention measures are in place

Corrective Action: Cause Elimination, Recurrence Prevention, Verification

The corrective action process follows a structured sequence:

  • Root cause analysis: The organization determines why the nonconformity occurred. Analysis methods include 5-Why analysis, fishbone diagrams, and fault tree analysis. Accurate root cause identification is essential for effective corrective action.
  • Corrective action planning: The organization defines actions to eliminate the root cause and prevent recurrence. Action plans specify responsibilities, resources, timelines, and success criteria.
  • Action implementation: The organization executes planned actions. Implementation includes modifying processes, updating documented information, training personnel, and adjusting controls.
  • Effectiveness verification: The organization and audit team verify that corrective actions achieve intended results. Verification may include monitoring data, re-audit of affected areas, and review of updated records.

A nonconformity closes when the organization implements corrective action that eliminates the cause, provides objective closure evidence, and the audit team verifies effectiveness against the audit criteria during follow-up or surveillance activity.

Certification Outcomes: Suspension, Withdrawal, Scope Reduction, Scope Extension

Suspension

The certification body suspends certification when the organization fails to maintain conformity, misses surveillance audits, or violates certification requirements. Suspended certificates cannot be used until the suspension is lifted. Suspension periods are time-limited, typically 6 months maximum.

Withdrawal

Certification is withdrawn when suspension issues are not resolved within the allowed period or when serious conformity failures occur. Withdrawn certificates require full recertification if the organization seeks future certification.

Scope reduction

The certification body may reduce certification scope to exclude activities, sites, or products that no longer conform to requirements. Scope reduction is an alternative to full suspension when nonconformities are limited to specific areas.

Step 4: Nonconformity Closure (if any)

If nonconformities are identified, the organization is required to:

  • Analyze root causes
  • Implement corrective actions
  • Submit objective evidence within an agreed timeframe

Certification decisions are not made until nonconformities are satisfactorily addressed.

Step 5: Certification Decision

An independent technical review is conducted to ensure audit findings comply with accreditation requirements. Upon approval, the ISO certificate is issued with:

  • Defined scope
  • Validity period
  • Certification mark usage rules

Step 6: Surveillance Audits

Surveillance audits are conducted annually to confirm:

  • Ongoing conformity
  • System effectiveness
  • Continuous improvement

These audits maintain the integrity and validity of certification.

Timeframe and Certification Duration

While timelines vary depending on organizational size and complexity, general parameters include:

  • Certification validity: 1 year
  • Surveillance audits: annually
  • Audit duration: determined by accreditation audit-day rules
  • Certification timeline: influenced by readiness and corrective action closure

Specific pricing and timelines are defined following application review and scope confirmation.

Documents and Preparation Requirements

Organizations are expected to establish and maintain documented systems relevant to the applied ISO standard. Typical requirements include:

  • Policies and objectives
  • Procedures and operational controls
  • Records and performance monitoring
  • Internal audit reports
  • Management review outputs
  • Legal and regulatory compliance evidence

As an independent certification body, AGS Iraq does not develop or implement management systems. Preparation may be completed internally or with the support of an external consultant.

Accreditation and Impartiality Assurance

Certification credibility depends on accreditation. Accredited certification ensures:

  • Compliance with ISO/IEC conformity assessment standards
  • Auditor competence and independence
  • International recognition of certificates
  • Impartial certification decisions

AGS Iraq operates under strict impartiality rules, separating certification activities from consultancy and advisory services. This safeguards the objectivity and trustworthiness of the certification process.

Certification Body vs Consultancy

AGS Iraq performs certification, auditing, and training services, not consultancy. The distinction between certification and consultancy is essential:

Certification Body:

  • Independent third party
  • Audits management systems
  • Issues ISO certificates

Consultancy:

  • Advisory role
  • Designs and implements systems
  • Does not issue certificates

ISO Certifications We Provide in Iraq

As an accredited body, we issue certificates for the most sought-after management system standards:


Frequently Asked Questions

What is required to obtain ISO 9001 Certification in Iraq?

You’ll need documented quality procedures, records, and a functional QMS aligned with ISO 9001:2015 clauses. AGS IRAQ helps you prepare every step of the way.

How long does the certification process take?

Typically 4–8 weeks depending on the organization’s size and readiness. We ensure minimal disruption to your operations.

Does ISO 9001 apply to small businesses?

Yes. ISO 9001 is scalable — suitable for startups, SMEs, and large enterprises alike.

Is ISO 9001 Certification mandatory in Iraq?

Not mandatory, but often a requirement in tenders and contracts (especially in oil & gas and government projects).

Does AGS IRAQ provide training and documentation support?

Absolutely. Our certified auditors provide end-to-end support from QMS documentation to staff training and audit preparation.