"How do I get ISO certification?" is a question often asked by organisations, and when thrown into Google means you’ll get hit with a myriad of ads and organic posts by consultancy companies and certification bodies.
It’s at this point many organisations find the whole thing a bit too confusing and the task goes back down the ‘to-do’ list to be looked at another time.
So we’ve come up with the following pathway to make things a bit clearer when you’re looking to get ISO certification (e.g. ISO 9001, ISO 14001, ISO 45001 or ISO 27001):
So there’s a few things to consider as you progress through the journey. Firstly, how do you decide the best way to put in a management system? And how much does it cost?
Well, implementation and consulting costs for a management system in any organisation can vary greatly. The range of prices that you're likely to hear is anything from £500 to £40,000+. The actual price depends on the size and complexity of your organisation and on what you're trying to achieve. It also depends on the level and type of service you're looking for.
On the low end of the scale, you can purchase an “ISO in a box” documentation package for around £500 (some run even less). This approach will provide you with a set of generic text-based documents that you will then have to edit to make them somewhat representative of your company’s operations. You will still need to have some training for your general staff, management, and internal auditors. Generally, most mass market, low cost, do-it-yourself ISO products are designed for companies that manufacture/produce some kind of product.
In the lower-middle of the range are providers of “hybrid” services that merge the generic “canned” documentation approach with some hands-on (on-site) training and some coaching. In general, these approaches do not differ that much from the “canned” products. The resulting management system is typically compliance-orientated and of limited (if any) business value, but the results are generally better and faster than with a purely “canned” product. Customers also feel a bit better about the outcome because they receive some hand-holding.
Then there are companies such as ours who are ISO consultants that work directly with companies to implement standards in a way that is specific to your company. The objective and expertise of our consultants is to achieve registration by developing a custom system that meets the requirements of the applicable standard(s), but also uses this as a platform for genuine business improvement.
Then we get into the whole ‘ISO certification’ or ‘ISO accreditation’ thing. When it comes to ISO, the words ‘certification’ and ‘accreditation’ seem to be used interchangeably, but there is actually a difference. Certification represents a written assurance by a third party of the conformity of a product, process or service to specified requirements (‘specified requirements’ could be, for example, the ISO 9001 standard).
Accreditation, on the other hand, is a ‘type’ of certification, in that the third party doing the certifying has been accredited by a suitable body - in our world, this would mean that a Certification Body has been accredited by UKAS (the United Kingdom Accreditation Service). So if you have been certified by a UKAS-approved Certification Body for the ISO standard you’ve chosen, you have gained accredited certification.
When you install a management system in your business, and it’s been operating for at least three months, then you CAN (please note that you DO NOT have to) get it certified. A Certification Body will audit you (i.e. they check that you, as a business, comply with the requirements of the standard or standards you are implementing). If you pass this audit then you will be awarded certification. Referring to above, if the Certification Body is accredited, then you will be awarded accredited certification.
Some certification bodies specialise in certain industries, some have international reputations, and some are more competitively priced than others. There are around 100 certification bodies who are accredited by UKAS and it is up to your business who you ask to assess your ISO system. All certification bodies should do a similar job - however, as with anything, the type of service given can vary.
The costs of a Certification Body are usually calculated on a ‘day rate’ basis. The rate depends entirely upon the Certification Body which you choose. This is where it's useful to get quotations as prices can vary anywhere between £600 - £1,200 per day. Again, the number of days depends on the size and complexity of your company, and it's also important to take into account something called the ‘certification cycle’ (you can find out more about this in our FAQs section).
But to get your initial certification, as well as the size and complexity of your organisation, there is the consideration of how many standards you are asking them to audit. One standard could be as few as two days, and then would increase to three days for two standards, then four days for three standards, etc.
But if you just want some advice on starting your journey - whichever route you want to go down - then we’re always happy to help, just get in touch.
There’s no getting away from it - whichever ISO standard you look at, whether it’s the one for quality, the environment, health & safety, information security, etc - controlling your own supply chain is a major part of the requirements.
And with good reason. In all standards the delivery of your objectives, whatever they are, will undoubtedly rely on the competence, expertise and/or professionalism of a supplier somewhere along the line, from outsourced couriers to accountants.
Quality management, for example, addresses this with the concept of a chain - in this chain everyone in an organisation, no matter where they work in it, is considered a link, and the chain eventually leads to an external customer.
Put simply, if quality is maximised as a product or service moves along this chain, then ultimately the external customer will be satisfied. Changes in customers’ requirements should also be able to be communicated effectively backwards along the chain. These chains stretch back to suppliers, making their role key to the whole outcome of quality for an organisation.
So tor this concept to work in practice, good communications throughout an organisation - and its suppliers - are essential.
Another factor is that, as companies improve their own quality performance as a result of implementing a management system, attention will, eventually, naturally turn to its supply chain a source of ‘variation’ and therefore an opportunity for improvement (notwithstanding the fact that ISO 9001 mandates that organisations shall “determine and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation” of suppliers). So how should this be done?
A practical approach to assuring quality in supply chains is one based on risk. That is, companies assess their supply base according to the risk they present to their end product or service, and apply resources accordingly.
In this scenario, critical suppliers warrant the deepest evaluation (e.g. strategy, processes, systems), monitoring (e.g. tailored key performance indicators) and the most focus on giving those suppliers support for their own improvement. At the other end of the spectrum, transactional suppliers (e.g. cleaners, bookkeepers, etc) only require high-level evaluation, exception monitoring and almost no improvement support.
The first stage to guarantee quality in your supply chain is to assess and approve suppliers on their capability to supply to requirements consistently. Yes, the first step in this stage is for procurement to accept the price range offered by the potential supplier - but then they should be subjected to a supplier qualification assessment. This should be assessing whether the potential supplier has the capability to supply to your requirements.
As an organisation you should consider several criteria when conducting the assessment depending on what it is you deliver to your own customers or clients and what their requirements are. Only through doing it this way do you know if you’ve got a ‘close fit’.
The second stage is the monitoring and improvement of key suppliers. It is always better to plan and prioritise visits to key suppliers, spending more time with the ones that need more monitoring and development. It is also important to let the supplier’s management know what the monitoring and development consists of and how the supplier partnership should be conducted.
The best approach is to work with your suppliers to identify any weaknesses they might have, making sure that they understand and accept your findings, and to assist them in developing possible solutions for improvement.
In addition to better quality of outcomes, you’ll also find that you’ll get an improvement in productivity. This increase in productivity, efficiency and effectiveness will enable the supplier to offer competitive prices to you - so a win-win situation for both! You’ll find that those key suppliers that performed well will be rewarded with some of your increased share of the pie (so more purchase order for them).
And finally, a word about skills and competency in your supply chain. It’s worth noting that more established (usually larger) suppliers will have the resources to hire better staff and also send them out for training and development. Smaller suppliers are not always able to do this.
However, the flip side is that you can often work more easily with smaller suppliers to identify weaknesses and indicate where they need improvement. If you can find a smaller supply who genuinely wants to work with you in a true partnership, this can be worth its weight in gold (so to speak).
What are ISO standards, and what is their benefit to organisations? That's the million dollar question, and one worth exploring before you to the time and effort of implementing them!
ISO the organisation administers over twenty thousand standards in all areas and sectors of industry. But by far the most widely used are these three:
…and this one is becoming more and more popular in the current climate:
The year after the colon is simply a reference to the last time they were updated. All ISO standards are reviewed every six to eight years and at this point they may or may not be updated. The version of ISO 9001 before the current one was 2008 (hence the designation you may have seen ISO 9001:2008). The one before this was ISO 9001:2000. So the actual period of time between a change in standards can vary. There are currently no plans to update the ISO 9001:2015 standard.
When a standard is updated, there is always a lengthy transition period to make any changes. The latest ISO 9001:2015 revision was introduced in September 2015, and companies certified under the previous version (ISO 9001:2008) were told that they had three years to transition. The deadline for ISO 9001:2015 transition was 15 September 2018, which gave companies plenty of time to prepare.
How popular are they?
There are over one million companies and organisations in over 170 countries certified to ISO 9001. There are more than 300,000 certifications to ISO 14001 to be found in 171 countries. Note that these figures are just ones who are certified, there may be many companies operating to these standards but not certified, or who are in the process of getting certification.
ISO 45001:2018 is a new standard, but with a long history. It is set to replace OHSAS 18001 - this was a British Standard for occupational health and safety management systems and compliance with it enabled organisations to demonstrate that they had a system in place for occupational health and safety.
It was born out of a time when organisations worldwide recognised the need to control and improve health and safety performance with an occupational health and safety management systems (OHSMS), however, before 1999 there was an increase of national standards and proprietary certification schemes to choose from. This caused confusion and fragmentation in the market and undermined the credibility of individual schemes.
Recognising this deficit, an international collaboration called the Occupational Health and Safety Assessment Series (OHSAS) Project Group was formed to create a single unified approach. The Group comprised representatives from national standards bodies, academic bodies, accreditation bodies, certification bodies and occupational safety and health institutions, with the UK’s national standards body, BSI Group, providing the secretariat.
Drawing on the best of existing standards and schemes, the OHSAS Project Group published the OHSAS 18000 Series in 1999. The Series consisted of two specifications: 18001 provided requirements for an OHS management system and 18002 gave implementation guidelines.
These requirements were used in many companies around the world, however, they did not have the worldwide recognition that comes with a standard released by ISO, so a new ISO standard was voted upon and agreed by over 100 member nations from around the world. After a justification study the decision was made to release an OHSMS requirements standard from ISO.
In October 2013 the ISO 45001 standard was proposed, and a technical committee was formed, and worked until December 2015. From 2015 to 2017 a first draft failed to gain approval, but a second draft was approved. The finalised standard was published in March 2018.
After this point companies have three years - until March 2021 - to transition over to ISO 45001 if they have an OHSMS in place to the OHSAS 18001:2007 standard, at which point BSI will formally withdraw OSHAS 18001.
So at present it’s difficult to find definitive numbers on how many companies are certified due to the crossover from a British Standard to an ISO, but it’s particularly popular in manufacturing companies and any firms operating in the built environment. Indeed, it’s often a prerequisite to get on the supply chain lists of many large building firms.
Finally, there are around 34,000 ISO 27001 certifications issued worldwide, although this grew by a whopping 20% from 2018-2019 so as a standard it’s really starting to catch up.
So these are the standards we focus on as the key to improving your business.
The huge impact on businesses due to the COVID-19 pandemic has forced many businesses to come up with other revenue-raising ways.
This has sparked a ‘revolution in innovation’ as businesses either deliver their products or services differently or pivot to something completely new.
But businesses don’t have to wait for the next ‘big shock’ to find out whether they have the innovative nous to survive. Adopting a management system now can ensure that moving over to new business practices becomes a seamless process.
The link between business management systems is a strong bond. ISO systems are not just about continual improvement, they are also inherently linked to innovation. And in the current- and post-COVID economy, that’s something we’re going to need more than a small slice of.
Running a business along ISO management system lines means you’re looking for improvement by involving a whole range of stakeholders, from every employee to your clients, customers, suppliers and any other key person or group you’ve identified. You’re always after their views; you’re always gathering market information; you’re a very ‘switched on’ company. You marshal your resources in a way which makes you able to look for improvement and innovation at every level.
Let’s look at the figures: the failure of new products is well documented. For example, the retail and grocery sector sees an 85% failure of new products in the first year. The computer games industry sees around 50% of its sales generated by only 10% of releases.
The failure rate in the music industry is spectacular, with approximately 80-90% of new releases being duds. In the online magazine publishing industry, a massive 80% of new publications fail to last more than 12 issues, and book publishing is a notoriously difficult nut to crack where only a tiny proportion of new releases generate any kind of profit.
Genuine business improvements and new ideas as a result of them are actually very difficult to come across. Just look at confectionary manufacturers and the way they incessantly bring out bigger/smaller/special edition versions of 60-year-old snacks. This tired old formula has now become the template of product and service development in industries right across the board. There is, of course, one fundamental flaw with this process: the vast majority of things created by it fail.
But business improvement and innovation is so important because we are facing a number of key challenges. Globalisation, technological and knowledge revolutions, cultural debate and climate change are issues that face us all at some level. They mean that as well as wanting to improve and innovate in order to improve a process or product and add value, we also have to improve and innovate because there is an overwhelming imperative to do so.
The knowledge-driven economy brings new challenges for business. Markets are becoming more global with new competitors, product lifecycles are shortening, customers are more demanding and the complexity of technology is increasing.
So while the knowledge economy represents new opportunities, certain actions are needed to support and take advantage of these developments.
In the knowledge-driven economy, improvement and innovation have become central to achievement in the business world. With this growth in importance, organisations large and small have begun to re-evaluate their products, their services, even their corporate culture in the attempt to maintain their competitiveness in the global markets of today. The more forward-thinking organisations have recognised that only through such root and branch reform can they hope to survive in the face of increasing competition.
This is why the use of ISOs is so important. A successful business today understands the value of both improvement and innovation, and it knows that while these terms may have different meanings, they are equally critical for long-term business success. Organisations that embrace both methods of increasing business value are the ones that will not only survive, but thrive in today’s competitive marketplace.
Improvements are small, incremental changes that make a business’s goods or services better in some way, whether by reducing cost, increasing value, improving safety, or enhancing quality or satisfaction. They’re typically low-cost, low-risk ideas that can be implemented by the people doing the work all day, every day. Improvements start with examining a current process and asking the question: “How can I do this better?”
The trick is to couple this with innovation, which starts with the status quo and asks: “How can I do this in a whole new way, to achieve significantly better results?” Innovative ideas are ground-breaking, far-reaching, significant changes to business processes that serve the purpose of improving the organisation in wide swathes. But you have to have your business processes functioning properly in the first place.
Food for thought before the next economic shock rumbles inevitably towards us.
“Should I get ISO certification?” - this is a question only you can answer, and really only when you’ve answer the question “why do I need ISO certification”?
It might be that you need it because a client has said it won’t deal with you until you do; or you want to get onto a supply chain list; or your competitors have it so you need to get it to compete.
While there’s nothing at all wrong with any of these reasons, the trouble is they drive a ‘tick box’ industry when it comes to certification. Certification just becomes an end in itself, and simply a side project that achieves certification by ticking off a series of actions in preparation for an audit then ignored as soon as the auditor walks back out of the door and other priorities take over.
Then its back to battling through self-inflicted mistakes and complaints for another 11 months before starting to look at fabricating evidence to show the auditor again in a month’s time. This is an all-too-familiar story.
The main reason you should want ISO certification is the reason they were developed in the first place - to improve your organisation.
The quality standard - ISO 9001 - is used by over one million companies across the world and is revered by large corporations and small firms alike. If it’s applied properly and diligently, then organisations reap the benefits over time.
The only problem with it is that it’s a seriously underused system, mainly because of all of the unnecessary bureaucracy, costs and generally poor implementation which have become associated with the certification of them. But this does not have to be the case. If done correctly it can be, simply put, the most effective way of improving your business.
If you strip away all of the rigmarole surrounding certification, then it can be the level-best way to continually improve your business from your customer’s point of view.
So when trying to gauge if it’s worth it, then this is a really important thing to frame it against.
Due to the nature of ISOs, it can be difficult to work out whether it’s cost-effective - many of the costs fall into the ‘it depends’ category (it depends on your company size, sector, risks, etc) and the benefits will depend on many things so can only be estimated.
“Is ISO worth it?” might be one of those million dollar questions, but in reality it’s more of a “work in, work out” answer. The benefits that are gained will vary greatly on the ISO standard that you implement and the amount of effort you put into improving the management system.
Some of the benefits are not as obvious as they can be harder to quantify. For example, when implementing ISO 9001 we would be looking at your processes and identifying streamlining opportunities, often reducing time and paperwork. Unless you are doing time and motion studies then it will be hard to obtain the cost benefits from these improvements. But you can certainly estimate how much time and money you have saved and see the value from that perspective.
The more focus you place on process improvements the more benefit you will gain - the ISO 9001 standard, as we’ve discussed, is all about continual improvement.
The ISO 14001 standard on the other hand could be easier to justify from a money perspective as you will need to monitor your waste and utilities usages. It is very easy to save money from both with this environmental standard. It is not uncommon for businesses to save at least 10% year-on-year through improvements and just focusing on those areas such as energy reductions.
It’s possibly harder to demonstrate cost benefits with the ISO 45001 standard but there are some businesses that will see the value of this more than others, especially when you analyse time off work through sickness or accidents. If you reduce these and improve the wellbeing of personnel then this will return monetary savings.
Likewise, ISO 27001 enables organisations to avoid the potentially devastating financial losses caused by data breaches. The global average cost of a data breach has skyrocketed to £3.13 million (a 6.4% increase from 2017), according to the Ponemon Institute.
The standard is also designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the EU General Data Protection Regulation (GDPR) and other associated laws.
When you’re looking at costs there’s a lot to take into account, such as implementation costs, employee hours costs and Certification Body costs (IF you want to be certified - you don’t HAVE to be certified).
The Ideas Distillery’s spent a lot time putting together a rough-and-ready spreadsheet calculator - our Cost Benefit Analysis (CBA) tool - to address the main areas of installing an ISO management system, including becoming certified.
The idea is, at the end of the process, you can see the overall costs and compare these with the overall benefits, in the context of both one-off and ongoing costs and benefits, and how ISOs might benefit you (or not) in the long term.
The downloadable CBA tool and accompanying guides (there’s one for ISO 9001, 14001 and 45001 then a separate one for ISO 27001) will quickly get you underway allowing you to work out a good indication of how much your chosen path is going to cost. Just click here for our CBA tool and guides.
Here you'll find the latest blog articles on all things compliance, particularly focussed on quality, environment, health & safety and information security.
Get a completely free, no obligation, totally tailored ISO Gap Analysis for your business...