Implementing ISO 9001

By Engaged Expert

Lee Horlock


Lee is a senior technical officer focused on management systems certification, ensuring that our certification services are fit for purpose.

In the second of our blog series, Head of Technical & Approvals - Management Systems, Lee Horlock looks at the implementation and certification of the standard.


How do you implement it?

The ISO 9001 certification process should be straightforward and easily understood. It includes a detailed gap analysis, training sessions, risk assessment and two audits. All areas of the organization need to be considered, so working with the right certification body is essential to make the process manageable and easy to understand.

Identify the risks

To start the process, an organization must define the scope of the certification. This should consider why the certification is being undertaken; what the focus is; whether it is concentrated on a particular product, etc. The scope can be as broad or as narrow as needed for the individual organization (or product) but should lead to a statement that encapsulates what the organization is being certified for.

Once the scope is determined, the context of the certification must be considered. This includes looking at external and internal factors that might affect the specific organization, as well as how they might affect other businesses. This leads to a risk assessment, assessing all the relevant risks. This should include any changes in legislative requirements and consider the needs of interested parties in addition to employees. From this, the system can be documented and formalized, and the policies are agreed.


The initial certification process is carried out in two distinct stages. The first planned visit is a review of the documented system, in which it is formally evaluated against the requirements of the standard. This Stage One audit acts as a gap analysis, checking whether the framework has been established, whether the mandatory policies are in place, and whether management review meetings and internal audit have taken place.

This helps to establish readiness for the Stage Two audit and highlights any areas of non-compliance that may require attention. Following the assessment, a detailed written report is presented to the organization which includes any findings.

Stage Two is a sample-based audit. A site assessment is carried out to verify that the system has been successfully implemented; that it is being followed by the entire team; and that the requirements of ISO 9001 are being met in practice. This can be demonstrated through a review of records and by interviews with staff. It is expected that the auditor may be engaging with all levels of employee from top management down. Upon completion of a successful audit, the company will receive another formal report and a recommendation for certification will be made.


As with other management standards, ISO 9001 follows a three-year audit lifecycle, with two surveillance audits to ensure continuing compliance - one after 12 months and one after 24 months, followed by recertification.

The aim of the three-year cycle is to cover all elements of the management system over the cycle, so if something were missed at the first surveillance, it would be looked at during the second one. Detailed audit programs are recorded to map out what will be looked at over the three-year cycle.

At the first surveillance audit, the auditor will ask if there have been any significant changes or incidents in that time. Some samples will be taken, and the auditor will check that the organization is still on track and that mandatory checks are still being done. The second surveillance audit fills in any blanks before re-certification takes place. At the re-certification, the auditor will analyse trends and investigate any causes for concern.


A vital part of the ISO 9001 implementation is evaluation. As part of the process, the senior management team must determine how to monitor the implementation and its success (or lack of success). Objectives need to be set, and systems should be measured over time to show how effective they are.

Evaluation is crucial in order to check that the system is achieving what is expected of it. Using a quantitative measure can be particularly effective, so that results can be seen over time. This not only helps organizations to demonstrate the system's value, but also cements the buy-in throughout the business, as the benefits of the system are clear to see.

An annual management review is required, with mandatory topics for discussion. As the meetings must all be minuted, this enables auditors to look at outputs which demonstrate continual improvement and a focus on evaluation.

Key to the evaluation process is breadth of correction and preventative actions. This includes the handling of non-conformities and root cause analysis; determining why problems were able to happen and what the reason was for them; and implementing corrective action.
