How to Get ISO 9001 Certification: A Step-by-Step Guide Most guides explain what ISO 9001 is. Far fewer explain how to actually move through certification without losing months to rework, nonconformities, and documentation that doesn't reflect how your organization actually operates.

ISO 9001:2015 is the international standard for Quality Management Systems, and certification requires more than writing procedures — it requires building, implementing, and having your QMS independently audited by an accredited certification body. For first-time applicants, that process has a specific sequence, and skipping or rushing any stage creates problems downstream.

This guide walks through each step of the certification process, what the audit stages look like, and the key factors that determine how long and how difficult the journey will be.

TL;DR

  • ISO 9001 certification is issued by an independent, accredited certification body — not by ISO itself
  • The process follows five phases: preparation, documentation, implementation, internal audit, and certification audit — in that order
  • The certification audit runs in two stages: Stage 1 reviews documentation, Stage 2 evaluates your QMS on-site
  • Certificates are valid for three years with annual surveillance audits required
  • Most organizations achieve initial certification within 3–6 months of starting implementation

What Is ISO 9001 Certification?

Before pursuing certification, it helps to understand exactly what you're working toward. ISO 9001:2015 specifies requirements for a Quality Management System, giving organizations a framework for delivering products and services consistently. It is not a prescriptive operating manual — how you meet the requirements is up to you.

Two terms are commonly confused: certification and accreditation.

  • Certification applies to organizations. A certification body (CB) audits your QMS against ISO 9001 requirements and issues a certificate if it conforms.
  • Accreditation applies to certification bodies. Bodies like ANAB in the US assess whether a CB is competent and impartial enough to conduct those audits.

ISO itself does not certify organizations — it publishes the standard. The chain runs: ISO publishes the standard → accreditation bodies accredit certification bodies → certification bodies certify organizations. When selecting a CB, verify it holds current accreditation from a recognized national body. In the US, that's ANAB.

Why Organizations Pursue ISO 9001 Certification

The most immediate driver is usually contractual. Many procurement programs in aerospace, defense, healthcare, and manufacturing require suppliers to hold ISO 9001 certification before they can even bid.

Beyond contract eligibility, the operational case is real. A 2013 meta-analysis of 92 studies found ISO 9001 certification generally supports income and financial performance — though effects vary by geography, size, and how seriously the system is implemented. The standard works when it's treated as a management discipline, not a certificate to hang on the wall.

Practical reasons organizations pursue certification:

  • Qualifying for contracts that require ISO 9001 as a vendor prerequisite
  • Entering quality-sensitive sectors where it's an assumed baseline
  • Reducing internal errors, rework, and process inconsistency
  • Building documented, repeatable processes that survive personnel changes
  • Demonstrating operational credibility to customers and stakeholders

Certification is voluntary — but understanding why so many organizations pursue it makes the path forward clearer. The steps below walk through exactly how to get there.

How to Get ISO 9001 Certified: The Step-by-Step Process

Step 1: Prepare Your Organization

Preparation starts with a gap analysis — a structured comparison of your current processes against ISO 9001:2015 requirements. The output tells you where gaps exist and how much work the certification project will require.

Alongside the gap analysis, this phase involves:

  • Securing top management commitment (ISO 9001 requires visible leadership involvement, not just sign-off)
  • Defining the scope of the QMS — which sites, departments, and processes are included
  • Assigning a management representative to own the project and serve as the registrar's point of contact

For organizations unfamiliar with the standard's structure, working with an experienced consultant at this stage is worth the investment. Synergistic Systems, for example, conducts gap analysis as part of its standard project kickoff — experienced outside eyes consistently catch nonconformities that internal teams normalize over time.

Step 2: Build Your QMS Documentation

ISO 9001:2015 is less prescriptive about document format than earlier versions, but it requires documented evidence of key processes. Core documents include:

  • Quality policy and quality objectives
  • QMS scope statement
  • Documented procedures and work instructions
  • Forms, checklists, and process maps
  • Records demonstrating that processes are operating as planned

Documentation must reflect how your organization actually operates — not an idealized version. Procedures written around a theoretical state will produce nonconformities the moment an auditor observes what employees actually do. Involve the people performing the work when writing procedures. They know where the real process lives.

With documentation drafted, the next step is making it real.

Step 3: Implement the QMS

Implementation means your documented procedures are integrated into daily operations, employees understand the quality policy and their role in it, and records are being generated as evidence. This is where many certification projects stall — the QMS must be visibly operating, not sitting in a folder waiting for the audit.

Keys to successful implementation:

  • Train employees on relevant procedures before the audit window opens
  • Start generating objective evidence (records) as soon as procedures are live
  • Conduct informal process walkthroughs early to catch gaps before they become audit findings
  • Address nonconformities and corrective actions in real time, not as a pre-audit cleanup exercise

5-step ISO 9001 certification process flow from gap analysis to certification audit

Once the QMS is operating in practice, you're ready to put it to the test internally.

Step 4: Conduct an Internal Audit

The internal audit is a mandatory self-assessment that must be completed before applying for certification. It evaluates whether the QMS is implemented as documented and conforms to ISO 9001 requirements.

Requirements per ISO 9001 Clause 9.2:

  • Auditors must be independent of the processes they audit
  • The audit program must cover all QMS processes (though not all departments need to be audited simultaneously)
  • Audit results must be retained as documented information

Following the internal audit, a management review (Clause 9.3) must be conducted. Senior leadership reviews QMS performance data, resource adequacy, risks and opportunities, and determines corrective actions. Both the internal audit findings and management review outputs are records the certification auditor will examine.

Synergistic Systems conducts the system-wide internal audit as part of its standard engagement — giving clients an objective assessment from experienced auditors before the third-party registrar arrives.

Step 5: Select a Registrar and Apply

Choosing the right certification body matters. Criteria to evaluate:

  • Accreditation status — confirm ANAB accreditation (or equivalent) before anything else
  • Industry experience — verify the CB has auditors familiar with your sector
  • Audit scope and pricing — request itemized quotes covering initial certification, annual surveillance, and recertification
  • Scheduling flexibility — some CBs have longer lead times than others

Synergistic Systems has worked with most major accredited registrars, including ABS Quality Evaluations, DNV, Bureau Veritas, Lloyd's Register, BSI, NQA, SGS, Intertek, and others — which means clients get informed guidance on registrar selection rather than a cold search.

When applying, you'll typically submit: QMS scope, employee headcount, number of sites, and key processes. The CB uses this information to calculate audit duration based on IAF MD 5:2023 requirements and schedule accordingly.

What to Expect From the ISO 9001 Certification Audit

The certification audit occurs after your QMS is fully implemented and operational. It has two distinct stages.

Stage 1: Documentation Review

Stage 1 is typically conducted remotely. The auditor reviews your QMS documentation — quality policy, procedures, records, and scope — to determine whether the system is sufficiently designed to proceed to Stage 2.

Stage 1 findings commonly include nonconformities that must be resolved before the on-site audit begins. A weak Stage 1 does not automatically stop the process, but unresolved major gaps will.

The auditor is specifically looking for:

  • Quality policy and scope that are clearly defined and documented
  • Procedures that address the relevant ISO 9001 clauses
  • Records and forms that support the documented processes
  • Evidence the system is designed — not just drafted

Stage 2: On-Site Evaluation

Stage 2 is the operational audit. The auditor observes processes in action, interviews employees and process owners, and reviews objective evidence — actual records — to confirm the QMS is effectively implemented and not just documented.

ISO/IEC 17021-1 defines what Stage 2 must cover. Auditors are required to evaluate:

  • Conformity to ISO 9001 requirements
  • Performance monitoring and measurement results
  • Progress against quality objectives
  • Operational controls in practice
  • Internal audit results and management review outputs

ISO 9001 two-stage certification audit process Stage 1 documentation and Stage 2 on-site evaluation

Any nonconformities found at Stage 2 must be closed through documented corrective actions before the certificate is issued.

Surveillance and Recertification

The ISO 9001 certificate is valid for three years. During that period:

  • Annual surveillance audits review a subset of the QMS — not a full re-audit
  • Surveillance typically covers internal audits, management review, corrective actions, and objectives progress
  • At the three-year mark, a full recertification audit renews the certificate

DNV audit data from 2023–2025, covering more than 25,000 companies, found that over half of audited organizations had ISO 9001 Chapter 6 planning nonconformities — with Clause 6.1 (risk and opportunity management) accounting for 35.4% of planning-related findings. Organizations that build real risk planning into their QMS from day one arrive at surveillance audits with far fewer findings.

Key Factors That Affect Your ISO 9001 Certification Timeline and Cost

Most organizations achieve initial certification within 3–6 months of starting implementation. The QMS must be operational for at least three months and include a completed internal audit and management review before certification — no amount of acceleration compresses below that floor.

Several variables push that timeline in either direction:

Factors that extend the timeline:

  • Large employee count or multiple sites
  • Complex or highly customized processes
  • Limited internal resources dedicated to the project
  • Minimal existing documentation at the start

Factors that compress the timeline:

  • Existing documented processes and performance measures
  • Strong top management commitment and resource allocation
  • Prior experience with process documentation or quality systems
  • Consultant support during gap analysis and documentation phases

ISO 9001 certification timeline factors comparison extending versus compressing schedule

Cost planning deserves the same attention. Budget for these main cost categories:

  • CB fees: initial certification audit, annual surveillance, and recertification
  • Internal staff time: implementation, documentation, and training hours
  • Consultant fees, if engaged
  • Employee training and any system infrastructure costs

Registrar fees vary based on employee count, number of sites, process complexity, and audit duration calculated under International Accreditation Forum (IAF) guidelines. Because pricing is not standardized, request itemized quotes from at least two or three accredited CBs before committing.

Synergistic Systems' fixed-price engagement covers consulting, documentation, training, internal audit, and management review. Registrar audit fees are a separate cost negotiated directly with your chosen CB.

Common Mistakes to Avoid During ISO 9001 Certification

Three patterns derail more certification efforts than anything else:

  1. Writing procedures for an ideal state, not actual operations. When auditors observe employees doing something different from what procedures describe, that's a nonconformity. Write procedures with the people who do the work, not around them.

  2. Treating certification as a one-time event. Organizations that let internal audits lapse, stop updating documentation, or skip management reviews after certification fail surveillance audits. The QMS needs active maintenance, not just an annual checkup before the auditor visits.

  3. Assuming ISO 9001 is only for large manufacturers. The standard applies to any size organization — from a five-person engineering firm to a multi-site manufacturer. Small organizations often find that scoping the QMS tightly produces a leaner, more useful system than trying to document everything at once.

Frequently Asked Questions

How do you achieve ISO 9001 certification?

Implement a QMS that meets ISO 9001:2015 requirements, complete a full internal audit and management review, then pass a two-stage certification audit conducted by an independent, accredited certification body. The CB issues the certificate — not ISO.

How hard is it to get ISO 9001 certified?

Difficulty depends on your starting point. Organizations with existing documented processes and consistent practices find it more straightforward. The most common challenge is ensuring the QMS is consistently implemented with objective evidence — not just documented on paper.

How long does ISO 9001 certification take?

Most organizations achieve initial certification within 3–6 months. Timeline varies based on organization size, number of sites, process complexity, and available resources dedicated to the project.

What documents are required for ISO 9001 certification?

Required documented information includes your quality policy, QMS scope, objectives, procedures, work instructions, and records proving the system operates as planned. ISO 9001:2015 is flexible on format but requires specific evidence across numerous clauses.

Can a small business get ISO 9001 certified?

Yes. ISO 9001 has no minimum size requirement and applies to organizations across all sectors and industries. A well-scoped QMS for a small business can be just as effective — and significantly leaner — than one for a large enterprise.

Do I need a consultant to get ISO 9001 certified?

A consultant is not required, but most organizations benefit from expert guidance during gap analysis, documentation development, and audit preparation. The most avoidable pitfalls — procedures disconnected from real operations, insufficient internal audit scope, and thin management review outputs — are also the ones experienced consultants catch before the registrar does.