Mark Hammar
October 18, 2016
Early on, when you are implementing a Quality Management System (QMS) using the requirements of ISO 9001:2015, you will need to talk to a certification body to find out what you need to do to certify your management system as compliant with the requirements. During your discussions you will be told about the documentation audit, the certification audit, and the cycle of surveillance audits until your recertification audit; but, what does all of this mean? Here’s how this works.
The three-year certification cycle is used for companies certified against ISO 9001, although there are some modifications possible as described below. When you have implemented your QMS and are having your first certification, you will start with a documentation audit. This is where an auditor from your certification body will review all of your documentation, and compare it to the ISO 9001:2015 standard requirements, to verify that what you have documented meets the requirements of the standard.
Once the documentation is confirmed, you will schedule your certification audit. This is where the certification body will perform an on-site audit of all of your QMS processes, and then issue your ISO 9001:2015 certification (when you have completely addressed any corrective actions that were found). You will then have on-site surveillance audits for the next two years, until your re-certification audit on the third year of your cycle, which will start you into the next three-year cycle. Most certification bodies conduct one surveillance audit a year, but this could be more often if you negotiate this between your organization and your certification body.
Below is a graphic of how this works, with the link back to the surveillance audit after the re-certification. As long as you are maintaining your current certification with the same certification body, you will not need to go back to the certification audit. However, if you change certification bodies or your version of the ISO 9001 standard (as companies are now changing from ISO 9001:2008 to ISO 9001:2015), you will then have a transfer audit. This is much like starting back at the certification audit step, where a full audit is performed and then old certificates are withdrawn and new certificates are issued.
For some guidance on choosing a certification body, you can read this article on How should you pick an ISO 9001 certification body?
So, you are probably asking what the difference is between the surveillance audit and the certification/re-certification audits. All three are on-site audits done by the certification body, will have corrective actions issued that need to be addressed, and will have an audit report issued to your company as a record of the audit. The difference is the number of hours devoted to processes in the audit.
For the certification/re-certification audit, the certification body auditors will look at the implementation of every process within your QMS to check for conformance to the ISO 9001 standard, as well as your company documentation, process effectiveness, and continual improvement. This audit will often take several auditors many days to complete, depending on the size of your company and the number of processes within your QMS.
By comparison, the surveillance audit will spend less time on only some portions of your QMS processes, rather than everything. They will start each time by looking at your key processes (such as management review, internal audit, and corrective actions), and will then only look at some of the remaining processes within your QMS. They may also only look at a portion of the whole organization, such as only one out of two production lines, or even only certain sites chosen by the auditors, rather than multiple sites. There is a recommended rule to use a square root of all possible locations; for example, if there were a total of 16 retail stores in the scope of the certification, then at least four should be audited in a surveillance audit.
Since the auditors will be spending less time on fewer of your QMS processes, these surveillance audits will take less time to perform than the original certification audit. The goal for the certification body is to audit all of the processes and business sites at least once within the QMS during the two-year surveillance cycle.
For some help on preparing for your initial certification audit, check out this blog post on What questions to expect on the ISO 9001 certification audit.
Since the surveillance audit does not look at all processes, some people start to think that these audits are less important than the certification audit, but this is not the case. Just because the certification body won’t spend much time auditing a specific process during an upcoming surveillance audit doesn’t mean you can just ignore this process yourself. You still need to perform your internal audits for all processes as per your audit schedule, and make any corrections or improvements that you find necessary. It is also important to remember that if a major non-conformance found during a certification audit is not addressed, you can still lose your certification.
Your certification body audits are there to bring a different set of eyes on your processes than you would have for your internal audits. By having an outside observer, who has seen other companies and has different experiences than people in your company, you can find different improvement opportunities than you would if you only audited on your own. Use the information from your surveillance audit reports to help focus your improvements, but don’t lose sight of other improvements you are making.
For a helpful list of questions to ask potential certification bodies, see this free download: List of questions to ask ISO 9001 Certification Body.