What Is ISO Certification? Definition, Process, and How to Verify It
ISO certification is a third-party conformity assessment that confirms an organization’s management system meets the requirements of a specific ISO standard such as ISO 9001 (Quality), ISO 14001 (Environmental), ISO 45001 (Occupational Health and Safety), or ISO/IEC 27001 (Information Security). The certification is performed by an independent certification body (also called a registrar in US market usage), not by ISO itself. ISO develops and publishes international standards but does not perform certification or issue certificates. Certification adds credibility by providing independent evidence that products, services, or management systems conform to specified requirements.
This article defines what ISO certification means, explains who issues ISO certificates and how the certification process works, and provides a step-by-step method to verify whether a certificate is legitimate using the IAF CertSearch global database.
ISO Standards vs ISO Certification: Why the Distinction Matters
ISO the International Organization for Standardization is a standards body that develops and publishes international standards through technical committees. ISO has published over 24,000 standards covering quality, safety, environmental management, information security, and hundreds of other disciplines. ISO standards define requirements. ISO certification is a separate activity performed by external certification bodies that audits whether an organization meets those requirements.
This distinction matters because a common misconception is that organizations are “certified by ISO.” They are not. A company cannot be certified by ISO. Certification is performed by external certification bodies independent third-party organizations that audit management systems against ISO standard requirements and make certification decisions based on audit evidence. The relationship between ISO, certification bodies, and accreditation bodies forms a trust chain that underpins the credibility of every ISO certificate:
| Entity | Role | Output | How to Verify |
|---|---|---|---|
| ISO (International Organization for Standardization) | Develops and publishes international standards | Published standards (ISO 9001, ISO 14001, ISO 27001, etc.) | iso.org standards catalogue |
| Certification Body (CB) | Audits organizations and makes certification decisions | Management system certificate (scope-bound) | Check with accreditation body or IAF CertSearch |
| Accreditation Body (AB) | Evaluates and recognizes the competence of certification bodies | Accreditation certificate for the CB (scope-bound) | IAF website: list of MLA signatories |
| IAF (International Accreditation Forum) | Manages the Multilateral Recognition Arrangement (MLA) for cross-border acceptance | IAF MLA signatory status for accreditation bodies | iaf.nu and IAF CertSearch global database |
Who Issues ISO Certificates (and What “Accredited” Means)
ISO certificates are issued by certification bodies (CBs) independent third-party organizations that perform management system audits and, following a positive certification decision, issue a certificate documenting the scope of conformity. In the United States, certification bodies are also commonly called registrars.
Certification bodies that undergo external evaluation by an accreditation body (AB) are classified as accredited certification bodies. Accreditation provides independent confirmation that the certification body operates with competence, impartiality, and consistency the 3 core principles defined by ISO/IEC 17021-1:2015, the international standard governing bodies providing audit and certification of management systems.
Accredited vs Non-Accredited Certification
Accredited certification carries higher market acceptance because the certification body’s competence has been independently verified by a recognized accreditation body. Non-accredited certification is not inherently invalid, but it lacks the independent oversight layer and may not be accepted by customers, regulators, or procurement processes that require accredited certification as a supplier qualification condition.
Accreditation is scope-bound: an accreditation body recognizes a certification body for specific standards and industry sectors (defined by IAF codes). A CB accredited for ISO 9001 audits is not automatically accredited for ISO 27001 audits. Organizations selecting a certification body should verify that the CB holds accreditation for the specific standard and sector relevant to their certification scope.
IAF MLA: How Accredited Certificates Gain International Recognition
The IAF Multilateral Recognition Arrangement (MLA) is the mechanism that enables cross-border acceptance of accredited certifications. Accreditation bodies that are IAF MLA signatories recognize each other’s accreditation decisions, meaning a certificate issued under one MLA signatory’s accreditation is accepted across all IAF member economies. Examples of IAF MLA signatory accreditation bodies include ANAB (USA), UKAS (UK), EIAC (UAE), and EGAC (Egypt).
How the ISO Certification Process Works (Audit Lifecycle)?
The ISO certification process follows a structured audit lifecycle defined by ISO/IEC 17021-1. The process begins with initial certification (Stage 1 and Stage 2 audits), continues through mandatory annual surveillance audits, and renews through a recertification audit every 3 years. The full certification cycle spans 3 years.
Step 1: Stage 1 Audit (Readiness and Documentation Review)
The Stage 1 audit evaluates the organization’s readiness for the Stage 2 assessment. Auditors review management system documentation including policies, procedures, scope statements, and documented information to confirm that the system is designed to meet the applicable ISO standard requirements. The Stage 1 audit also verifies that internal audits and management reviews have been planned and performed, and identifies any areas that need attention before Stage 2. For organizations preparing documentation for this stage, ISO documentation services can support audit readiness through clause-by-clause documentation mapping.
Step 2: Stage 2 Audit (Implementation and Effectiveness Assessment)
The Stage 2 audit is the implementation assessment. Auditors collect objective evidence through personnel interviews, process observation, record review, and evidence sampling to evaluate whether the management system operates effectively in practice. Auditors evaluate conformity against audit criteria the specific clauses of the applicable ISO standard, the organization’s own procedures, and any statutory or regulatory requirements. Audit findings are classified as conformity, nonconformity (major or minor), or observations (opportunities for improvement).
Step 3: Certification Decision
The certification decision is made by a function within the certification body that is independent from the audit team. This separation of audit and decision functions protects impartiality. The certification decision determines whether the organization’s management system conforms to the applicable standard and whether a certificate should be granted, withheld, or granted with conditions requiring corrective action closure.
Step 4: Surveillance Audits (Annual, Mandatory)
Surveillance audits are mandatory and occur at least annually during the 3-year certification cycle. Surveillance audits verify ongoing conformity with the applicable standard, confirm that nonconformities from previous audit cycles have been addressed through corrective action, and assess whether the management system continues to achieve its intended outcomes. Failure to complete surveillance audits within the required timeframe results in suspension of certification.
Step 5: Recertification Audit (Every 3 Years)
The recertification audit evaluates the entire management system before the 3‑year certificate expires. A recertification audit covers the full certification scope and, upon a positive certification decision, initiates a new 3‑year certification cycle. Organizations that fail to complete recertification before certificate expiry face withdrawal of certification.
| Phase | Timing | What Happens | Outcome |
|---|---|---|---|
| Stage 1 audit | Before Stage 2 (initial) | Documentation review, readiness assessment, scope verification | Readiness confirmation or gap identification |
| Stage 2 audit | After Stage 1 (initial) | On‑site implementation assessment through interviews, observation, and evidence sampling | Audit findings leading to certification decision |
| Certification decision | After Stage 2 | Independent review of audit results by a separate function within the CB | Certificate granted, withheld, or conditional |
| Surveillance audit | Annually (years 1 and 2) | Ongoing conformity verification and corrective action follow‑up | Continued certification or suspension |
| Recertification audit | Every 3 years (before expiry) | Full‑scope re‑evaluation of management system effectiveness | New 3‑year cycle or withdrawal of certification |
How to Verify an ISO Certificate Is Valid?
Verifying the validity of an ISO certificate confirms that the certification is genuine, the certificate is current (not expired, suspended, or withdrawn), and the certification body that issued it is accredited by a recognized accreditation body. The primary verification tool is the IAF CertSearch global database the official platform maintained by the International Accreditation Forum for confirming accredited management system certifications.
Step-by-Step Verification Using IAF CertSearch
- Step 1: Go to iafcertsearch.org.
- Step 2: Search by organization name, certificate number, or certification body.
- Step 3: Confirm the certification status is “Active” or “Valid” (not suspended, withdrawn, or expired).
- Step 4: Verify the certification scope matches the products, services, or processes relevant to your evaluation.
- Step 5: Check that the certification body is accredited and that the accreditation body is an IAF MLA signatory.
- Step 6: Confirm the certified locations match the sites relevant to your procurement or compliance requirement.
What If a Certificate Is Not in IAF CertSearch?
Not all legitimate certificates appear in IAF CertSearch. The database covers certificates issued under accreditation by IAF MLA signatory accreditation bodies. Certificates issued under non-MLA accreditation or by non-accredited certification bodies may not appear. In these cases, contact the certification body directly, request a copy of the certificate, and verify the CB’s accreditation status with the relevant accreditation body. ISO also recommends contacting the relevant accreditation body or the certification body directly to confirm certificate status.
ISO Certification vs ISO Compliance: Not the Same Thing
ISO certification and ISO compliance are related but distinct concepts. Certification is an independent third-party audit and certification decision resulting in a scope-bound certificate issued by an accredited certification body. Compliance is the organization’s internal adherence to the requirements of an ISO standard which may exist without any external audit or certificate.
An organization can be compliant with ISO 9001 without holding an ISO 9001 certificate. Compliance means the organization follows the standard’s requirements in practice. Certification means an independent third party has audited the management system and issued a formal certificate confirming conformity. The difference matters because customers, regulators, and procurement processes that require ISO certification specifically require the third-party certificate not a self-declaration of compliance.
Can You Use the ISO Logo? (And How to Spot False Certification Claims)
The ISO logo is a registered trademark. ISO does not permit the use of the ISO logo in connection with certification claims. Organizations that hold ISO management system certification use the certification mark of their certification body and, where applicable, the accreditation mark of the relevant accreditation body not the ISO logo. Any organization displaying the ISO logo as evidence of certification is misusing the trademark.
Red Flags for False Certification Claims
False certification claims undermine the integrity of the conformity assessment ecosystem. The following indicators suggest a certification claim may be fraudulent or misleading:
| Red Flag | Why It Matters |
|---|---|
| “Certified by ISO” | ISO does not certify organizations. Certification is performed by external certification bodies. |
| ISO logo displayed as certification proof | The ISO logo is a trademark and is not authorized for use as a certification mark. |
| No certificate number provided | Every legitimate certificate has a unique number issued by the certification body. |
| No scope of certification stated | Certification is scope‑bound. Claims without scope are unverifiable. |
| Certification body not verifiable through accreditation records | Accredited CBs appear in accreditation body databases and IAF CertSearch. |
| No surveillance or recertification history | Active certifications require annual surveillance audits; absence suggests the certificate is lapsed or fabricated. |
How to Choose a Certification Body?
Selecting a certification body is a procurement decision that affects the credibility, international recognition, and long-term value of the certification. The following criteria help organizations evaluate certification body options:
- Accreditation status: Confirm the CB is accredited by a recognized accreditation body that is an IAF MLA signatory. Accreditation confirms that the CB operates with competence, impartiality, and consistency under ISO/IEC 17021-1.
- Scope alignment: Verify the CB’s accreditation covers the specific ISO standard and industry sector (IAF code) relevant to your organization. A CB accredited for ISO 9001 in manufacturing is not necessarily accredited for ISO 27001 in technology.
- Verification capability: Certificates issued by accredited CBs under IAF MLA signatory accreditation appear in the IAF CertSearch global database. This provides independent verification for customers, regulators, and supply-chain partners.
- Geographic coverage: For organizations with multiple sites, confirm the CB has auditor coverage across all relevant locations. For US organizations, confirm nationwide auditor availability. For international operations, confirm the CB’s ability to deliver audits across the relevant countries.
- Independence and impartiality: The certification body that audits and certifies an organization cannot also consult on that organization’s management system. This separation is required by ISO/IEC 17021-1 to protect the impartiality of the certification process. For details on third-party ISO certification audits, see the ISO Auditing Services page.
Common ISO Standards That Organizations Certify Against
ISO certification applies to management system standards that define requirements an organization can be audited against. The following standards represent the most commonly certified management systems worldwide:
| Standard | Management System | What It Governs | Certification Focus |
|---|---|---|---|
| ISO 9001 | Quality Management System (QMS) | Consistent product/service quality and customer satisfaction | Process effectiveness, customer requirements, continual improvement |
| ISO 14001 | Environmental Management System (EMS) | Environmental responsibilities and impact reduction | Environmental aspects, compliance obligations, pollution prevention |
| ISO 45001 | Occupational Health & Safety (OH&S) | Worker safety and occupational risk prevention | Hazard identification, risk assessment, incident prevention |
| ISO/IEC 27001 | Information Security Management System (ISMS) | Protection of information confidentiality, integrity, and availability | Risk treatment, security controls (Annex A), Statement of Applicability |
| ISO 22000 | Food Safety Management System | Food safety hazard control across the supply chain | HACCP principles, prerequisite programs, food safety hazards |
| ISO 50001 | Energy Management System | Energy performance improvement and consumption reduction | Energy planning, baselines, performance indicators |
| ISO 13485 | Medical Device QMS | Quality management for medical device design and manufacture | Regulatory compliance, design controls, risk management |
Why Work with AGS Iraq for ISO Certification?
AGS Iraq supports Globle companies through:
- Local regulatory understanding
- Tender-focused ISO consulting
- Documentation aligned with government expectations
- Auditing, training, and certification coordination
- Support during evaluations and site audits
Our local presence ensures practical compliance, not just certification.
Contact AGS Iraq for ISO consultation:
We’ll review your current situation and give you a clear, practical roadmap.
- Phone: +964 7721202253
- Email: info@agsiraq.com
- Office: American Global Standards. Al Jazair Street, Basrah- Iraq
