The steps to getting certified

ISO certification may appear complicated at first, but it is basically a set of eight steps. OLIVER NAIDOO, managing director and founder of JC Auditors, explains what companies can expect during the certification process.

JC Auditors is an accredited certification body globally recognised in terms of the International Accreditation Forum multilateral agreement. Our core service is accredited certification for ISO 9001 Quality Management, ISO 14001 Environmental Management, ISO 45001 Occupational Health & Safety as well as the SANS 1395 Road Transport Management System (RTMS) Standard. 

We also carry out health and safety audits. It is a legal requirement for companies that operate in South Africa to comply with the Occupational Health and Safety Act of 1993. Our auditing systems can be measured directly against the OHS Act and ISO 45001 (formerly OHSAS 18001) as well as measuring your status against legal compliance and your own internal standards. 

An audit will show exactly how you measure up to legal requirements and HSE guidance, and whether your systems are working (in practice). It will act as a benchmark from which you can form a health and safety plan, so your valuable time and resources are spent in the areas where they are most needed. 

Step 1: Gap analysis (Where are we now?) 

The first recommended step is normally some kind of gap assessment to determine your current level of compliance. A consultant or auditor will look at your business system; ask you questions; review documents and determine how well you are doing what (compared to the requirements of the ISO standard that you have chosen to be assessed against). You will then get a report describing all the areas where you comply as well as those where you do not. 

Step 2: System set-up 

Once step 1 is finalised, the next step is to complete everything you need to do in order to meet the requirements. The most common of these are adhering to a system of continuous improvement; management reviewing the system on a regular basis; creation of a system for dealing with and preventing problems; and several compulsory procedures and documents. You may, or may not, choose to get a consultant to help you with this part (the extent to which you do this will determine the cost and speed associated with your organisation becoming compliant). 

Step 3: Certification audit 

The certification body will then conduct the certification audit. This consists of an initial audit (stage 1) and the main certification audit (stage 2). 

There is generally a six-month time limit between the precertification audit and the certification audit. If you go over the six-month timeline, you will need to do stage 1 again, so it is worth being prepared before you go for the precertification audit. 

Step 4: Resolving any audit findings 

A non-conformance simply means an area of your system does not comply with the standard. 

Audit findings may include minor or major non-conformances. Records must be kept on all the remedies implemented to address the non-conformance, as an auditor has to decide on the effectiveness of the actions taken. 

In general, a certification audit doesn’t have to be feared since it presents an opportunity to add value to any business. 

Step 5: Certificates issued 

Once you have successfully passed the certification audit, you will be issued with your certificate and an agreement stipulating the requirements for certification. 

It is important to remember that certification is a service, and you are the customer. If you are not happy with the certification body or the auditor’s behaviour or services, you are fully entitled to complain and to change providers. However, I would caution against changing from provider to provider several times. Once you have found a certification body you respect, and from whom you have received good value, build a relationship with them as they may offer other valuable services (apart from certification). 

It is also important to note that the odd non-conformance or a suggestion for improvement is not a reason to jump ship. Audits, and even non-conformances, can be tremendous opportunities to learn and improve. You will get the most value out of your certification if you use auditor visits to come up with as many ideas for best practice as possible. 

Step 6: Maintain your certification 

Many companies do not realise that a significant investment of time and effort is required on an ongoing basis once you have achieved certification. 

Between audits you will be expected to maintain the habits that you have implemented – such as management reviews, internal audits, dealing with customer complaints and non-conformances (in a formal way). 

Many companies ask consultants to help out with internal audits, as this requires the highest level of knowledge and skill of any of the requirements. It is, however, quite possible to conduct internal audits using your staff provided they are appropriately trained. 

At JC Auditors, we believe that there is no need to dramatically change what a business is doing, but rather we simply tweak and improve upon the systems that are already established and working well. In this way, we enable companies to achieve compliance with a minimum amount of change, disruption and ongoing effort. 

Step 7: Maintenance/surveillance audit 

At the six- or twelve-month mark you will need to undergo a surveillance or maintenance audit. The frequency of audits is determined by the certification body, based on the level of risk and the level of compliance. 

If you are a high-risk food manufacturer, for example, you can expect audits every six months. If you are an office-based professional services organisation, every twelve months is generally the norm. 

During the maintenance audit process, the external auditor will visit your organisation and undertake some sample audits of different areas, to ensure that your system is still ticking over. If they find that you have allowed areas of the system to lapse, you will receive non-conformances. You will get time to fix these depending on how serious they are. 

On occasion we come across external auditors who get a bit carried away in issuing non-conformances. The auditor should explain exactly what isn’t conforming to the standard. If they cannot do so, or if you are unsure or not happy, you have every right to question what they have said and follow up with the certification body if you are still not satisfied. 

Step 8: Recertification/triennial audit 

Every three years you will need to go through a recertification audit. This is similar to the initial certification audit, where the external auditor goes through your system with a fine-tooth comb, basically checking the health of every area and doing some in-depth audits in all the critical areas of your business. The recertification audit always takes longer than the surveillance audit. Once you have gone through that successfully, your certification is approved for another three years.