Common ISO Terminology and Acronyms Explained

Published on: February 24, 2023

Have you ever come across an ISO-related term or acronym and had no idea what it means? Or have you just begun your ISO journey and want to understand ‘ISO language’ in its simplest form? This blog covers ISO terminology and frequently asked questions to work as a quick guide for you.

If this is just the beginning of your ISO journey, you may be doing some research to understand the ISO Certification process. Or, you may already be familiar with the Certification process, and still find yourself confused with the many technical terminologies and acronyms that most articles use.

To help you navigate this sometimes intricate glossary, this blog covers some common questions we hear from our clients, students and colleagues, to work as a quick guide for you.

Before we dive into the FAQs, let’s cover a few common acronyms in the ISO world, which will also be used throughout this blog:

  • ISO – International Organisation for Standardisation
  • CAB – Conformity Assessment Body
  • BMS – Business Management System
  • QMS – Quality Management System
  • EMS – Environmental Management System
  • ISMS – Information Security Management System
  • OHSMS – Occupational Health & Safety Management System
  • OFI – Opportunity for Improvement
  • NC – Non-conformance

Okay, now that you’re up to speed with those acronyms, let’s cover some frequently asked questions.

What is ISO?

It is a common misconception that ‘ISO’ is a product, when in actual fact, it is an organisation. The International Organisation for Standardisation (ISO) is an international non-governmental organisation. ISO develops and publishes a wide range of proprietary, industrial, and commercial standards, to ensure that businesses of all sizes, types and natures can benefit from International Standards.

ISO plays an important role in facilitating world trade by providing common standards among different countries. These standards are intended to ensure that products and services are safe, reliable, and of good quality. For the end-user and consumer, these standards ensure that certified businesses and products conform to the minimum standards set internationally.

It’s important to note that ISO does not actually certify businesses to ISO Management System Standards. Businesses are certified by an Accredited Conformity Assessment Body (CAB), which will be explained later in this blog.

What is a Management System?

A Management System, also commonly referred to as a Business Management System (BMS), is a systematic framework of a business’ policies, processes and procedures, which details how the business operates towards achieving its set objectives and targets. A Management System can also conform to the requirements of one or more ISO Management System Standards, such as the ISO 9001:2015 Quality Management System Standard.

If you want to know more about Management Systems, you can read more here.

What is a Management System Standard?

ISO Management System Standards (MSS) are documents which are established to define global best practices for specific areas. These documents contain requirements, specifications and guidelines that an organisation can implement to improve its management framework and operations.

ISO has developed over 80 MSS, all containing a set of requirements, which businesses can implement into their Business Management System to achieve their goals and achieve Certification. The four most frequently adopted management system standards are:

Is a CAB, Certification Body and Certifier the same thing? What do they do?

CAB is the acronym for Conformity Assessment Body, which is the technically correct name for what we commonly call a Certification Body. Often, you will also hear them being referred to as a Certifier. So yes – they all mean the same thing!

The role of a Certification Body is to conduct audits of a business’s Management Systems to issue Certifications against the chosen Standard(s). It is a requirement for Certification Bodies to be accredited, otherwise the Certification they provide to a business will not be recognised internationally.

For the Asia-Pacific region, this accreditation is provided by the Joint Accreditation System of Australia and New Zealand (JAS-ANZ). If you want to see the full list of Accredited Certification Bodies, you can search via the JAS-ANZ register.

If you’re from a different region, you can find out which Accreditation Body applies to your region by visiting the International Accreditation Forum’s website.

How do businesses get ‘ISO Certification’?

Every business will start their Certification journey at a different stage. Some businesses may already have some sort of Business Management System in place, while others may be starting from scratch. Some businesses may also have internal resources to develop and implement their Management System, and some may choose to engage with a professional consultant to help with their Certification Readiness.

In its simplest form, the process for achieving Certification to one or more ISO Management System Standards is as follows:

  1. Define the ISO Standard(s) required
  2. Identify the gaps between the ISO Standard(s) and the current business processes
  3. Develop processes and supporting documentation required by the Standard(s)
  4. Implement the processes and maintain the required records
  5. Conduct an Internal Audit and Management Review
  6. Get the system Audited by a Certification Body

Once a business has achieved Certification(s), the 3-year certification cycle begins. During this period, the Certification Body will return to conduct yearly Surveillance Audits to verify that the Business Management System is still meeting the ISO Standard(s) requirements, as well as their own operational requirements.

If you want to know more about the Certification Process in detail, you can read more here.

How long does it take for a business to become ‘ISO Certified’?

This answer will vary from business to business, as it depends on the size and complexity of the organisation, as well as the ISO Management System Standards the business is aiming to achieve certification to. Generally, it may take between 3-6 months, but it could extend up to one year for larger organisations.

It’s important to note that once a business has implemented the requirements of their chosen ISO Standards into their Management System, it is recommended that the business runs with their system for at least a few weeks and ideally longer (depending on pre-existing implementation levels) before conducting their Internal Audits, and then moving forward with the Certification Audits. This allows an adequate amount of time for the business to identify any issues, and collect enough evidence to show that their Management System has been effectively implemented, and works for the business.

What is the difference between Certification and Accreditation?

Certification for ISO Management System Standard(s) is provided by an independent Certification Body. When a business achieves Certification, it means that their ISO Management System meets all of the requirements of their chosen standards.

In order for a Certification Body to issue internationally-recognised Certifications, they must be Accredited. Accreditation only applies to Certification Bodies, not businesses who want to achieve Certification. In Australia and New Zealand, Certification Bodies are accredited by JAS-ANZ.

In essence, an Accredited Certification Body will conduct an audit and issue Certification to a business if the requirements of their chosen ISO Management System Standard(s) have been met.

What is the difference between an Internal and External Audit?

If you aren’t familiar with the Certification process, it can be confusing to differentiate the types of audits involved during the process. In its simplest form:

  • Internal Audits – An internal review of a business’s management system required by the ISO Management System Standards, prior to the external audits.
  • External Audits – The auditing process conducted by Certification Bodies that should result in Certification for a business.

If you want to know more details about Internal and External Audits, and how you can become qualified to conduct these Audits, you can read more here.

Can businesses use their own resources to conduct Internal Audits?

Many people think that they have to outsource to a professional to conduct their Internal Audits, but this is not the case. Businesses are able to use their own internal resources, such as their employees, to conduct their Internal Audits, as long as they are trained and competent to do so.

In order for someone in the business to be deemed competent to conduct Internal Audits of ISO Management Systems, the first step is training. With our Management Systems Internal Auditor Training, you can achieve three levels of internationally recognised certificates, including the one for Competency after successful assessment of your first internal audit by one of our experts. Our Internal Auditor training also provides the tools to develop all the skills and resources needed to become a competent internal auditor, in line with the guidelines of ISO 19011:2018.

The competency of Internal Auditors may be questioned during External Audits, so it’s important that they have this training to demonstrate it.

Is an audit the same thing as an inspection?

These two terms often get used interchangeably, but they’re not the same thing.

An audit is an assessment of a process or a system to determine whether it meets a defined set of criteria. Audits can be performed internally or externally, to verify conformance to one or more ISO Standards and the organisation’s own requirements, through a systematic review of factual evidence. Other common types of audits are Operational audits and Financial audits.

In contrast, an inspection is an evaluation of a place, product or service to ensure relevant requirements have been met. You may be familiar with site safety inspections, which generally check for hazards and potential risks in an environment, and usually verify that safety measures are in place and effective.

What are Non-Conformances?

In short, a Non-Conformance is the failure to meet a specific requirement. There are two types of Non-Conformances that could be raised during an audit:

  • Major Non-Conformance: the absence of or failure to conform to the requirements of the Standard(s) or the organisation’s own requirements. Failure to address Major Non-Conformances can result in non-achievement or suspension of the Certification.
  • Minor Non-Conformance: raised as a result of a process that hasn’t been fully implemented, or scenarios where adequate evidence couldn’t be produced during the audit. If not addressed within the required timeframe, they could subsequently be escalated to major non-conformances.

Both major and minor Non-Conformances will be recorded in the audit report, and must be resolved and closed within the time frame designated by the auditor.

What is an Opportunity for Improvement?

An Opportunity for Improvement (OFI) is an observation or suggestion that can be raised during audits regarding a potential improvement opportunity. While OFIs are recorded in the audit report, they won’t impact your Certification. However, addressing them may prove beneficial toward making the system and business operations more effective.

No action is necessarily required. However, actions on OFIs may be reviewed at the next audit, and the business may be asked to show evidence of decisions and actions taken to address them.

What does it mean when a course is certified by Exemplar Global?

Being an Exemplar Global Recognised Training Provider (RTP) means that the course meets a higher standard that has been recognised by a third party. It demonstrates that the course has been reviewed by experts and is relevant to the industry globally.

All certificates issued will contain the Exemplar Global stamp, validating it as a certified training course which is recognised worldwide.

Completing the course will also allow you to gain many other benefits, from being an Exemplar Global certified professional to joining a network of professionals and gaining access to exclusive resources and webinars.

If you want to learn more about Exemplar Global, you can visit their website here.


We hope that you were able to learn something new, and that these ISO related terms and acronyms are now clearer for you to understand. Need help demystifying other terms and processes to help with your ISO studies? Or, do you want to become qualified to conduct Internal Audits of ISO Management Systems?

Our Management System Internal Auditor Training is a practical eLearning course that teaches how to conduct effective Internal Audits in accordance with the main ISO Management System Standards. Delivered via video lessons, this training combines theory, practical real-life examples, and templates, so even those new to the internal audit world can succeed when performing management system Internal Audits! Click here to find out more, or give us a call on 1300 614 897 for more details.

Brooke is the Marketing Coordinator and Content Developer at ISO Certification Experts and ICExperts Academy. She is responsible for all of the communications with our audience, including well-researched content across our website, blogs, social media channels, and email marketing. Her passion revolves around simplifying complex topics, helping prospective clients to make well-informed decisions with ease.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ICExperts Academy and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.