Beyond the Badge: Navigating the Next Steps After Achieving ISO Certification

Published on: February 26, 2024

Upon successfully completing a Certification Audit, many organisations may adopt a relaxed stance towards their Management System, viewing it as the culmination of the process. However, achieving Certification marks the commencement of a journey rather than its conclusion. The path to realising actual improvements and reaping the benefits of ISO Certification unfolds post-certification.

Achieving ISO Certification is not an isolated event; rather, implementing a Management System involves more than merely checking a box or displaying a certificate on the wall. It necessitates the development of a holistic system that is embraced throughout the business. Consequently, the actions taken after obtaining ISO Certification are just as crucial as the initial decision to implement the standard.

But what actually needs to happen after Certification is achieved?

Understanding the ISO Certification audit cycle

The most common ISO Management System Certifications (e.g. to ISO 9001:2015, ISO 45001:2018, ISO 14001:2015 and ISO 27001:2022) are issued for a period of three years.

Certification is achieved upon successful completion of the initial Certification Audits (also known as External Audits) conducted by an Accredited Conformity Assessment Body (CAB), consisting of Stage 1 and Stage 2 Audits:

  • Stage 1 Audit: The auditor reviews the documented information that makes up the management system, and verifies that every clause of the relevant ISO Standard(s) has effectively been addressed, checking Certification Readiness for the entire Certification process.
  • Stage 2 Audit: The auditor returns after a few days or weeks to verify the processes via sampling across the management system and operational practices, to confirm that the organisation is actually doing what the management system says it does. The auditor verifies that the management system is implemented and effective for the organisation.

Organisations will be required to address any adverse findings from these audits in order to achieve Certification. Once this is done, the auditor will assess if the issues have been appropriately addressed. If there are no further gaps, the CAB will issue the organisation with its ISO Certificate(s).

12 months after the initial Certification Audits, the CAB will conduct the first Surveillance Audit. The same process is followed for two consecutive years after the initial Certification.

Surveillance Audits are less intensive than the initial Certification audits. They are a “snapshot” in time of the auditor’s review to ensure the management system still meets the main elements and intents of the ISO Standard(s). Not every element will be reviewed during a surveillance audit. If there are any gaps, a non-conformance is raised and the organisation is responsible for addressing such issues to ensure ongoing Certification.

At the end of year three, the management system will undergo a Recertification Audit. This process is similar to the initial Certification Audits, but is a bit shorter and involves only one audit visit, which can happen over a few days, depending on the standards, business size and risks. The aim is to verify that the management system continues to fully conform to all requirements of the Standard(s). Upon a successful outcome, the CAB will provide the organisation with a newly issued certificate, and the 3-year Certification Cycle starts over again.

Ongoing management activities required by organisations

To maintain ISO Certification and conform with the requirements of the ISO Standard(s) (to achieve successful annual audit results), a few activities need to be conducted on a regular basis.

Any identified gaps in the organisation’s system can result in major or minor non-conformances or improvement opportunities raised by the auditor. Depending on the severity of the identified issue, the organisation can be at risk of losing its ISO Certification as a consequence.

At a minimum, the following activities must be completed to maintain the Certification as per the standards’ requirements:

  1. Management review and business planning update
  2. Regular internal audits
  3. Check up on and resolve open issues

Below is a more detailed explanation of the baseline activities that should be conducted to meet the ongoing ISO management requirements:

1. Management Review & Business Planning Update

Management reviews are required to be conducted and documented on a regular basis (at least annually). As part of this review, organisations should revisit their business planning such as objectives and targets, and other strategic and essential documentation such as interested parties analysis, SWOT/PESTLE analysis, as well as their business risk and opportunity assessment etc. It’s important that these documents are not only reviewed but also up-to-date.

2. Regular Internal Audits

The ISO Standards state that internal audits have to be conducted by an individual who is independent of the business process being audited. Ensuring the internal auditor isn’t usually involved in the processes being audited maintains the objectivity and impartiality of the internal audit process. It’s important to note that external auditors may ask for proof of internal auditing competency, meaning that the internal auditor must be trained and deemed competent in conducting effective management systems internal audits.

Internal audits are useful to find out if your management system processes and documents are up to date, relevant and reflect how the actual activities, services and operations are conducted in the organisation. When conducted effectively, they’re a great tool to facilitate continual improvement. It is essential to conduct internal audits regularly, for example, on a quarterly basis or as specified otherwise in the internal audit schedule.

The internal audit schedule needs to cover any system requirements as well as the requirements of the ISO Standard(s) and take a risk-based approach. Some businesses may opt to engage with an external consultant to conduct these audits, while others may choose to use their own internal resources (their employees).

However, for someone in the business to conduct internal audits, they need to be deemed competent to do so, and the first step is training. With our Management Systems Internal Auditor Training, you can study online and achieve three levels of internationally recognised certificates, including the one for competency after a successful assessment of your first internal audit by one of our experts. Our Internal Auditor training also provides the tools to develop all the skills and resources needed to become a competent internal auditor.

3. Check up on and Resolution of Open Issues

This should be a time for the organisation’s team to check on any “open” and/or “work in progress” issues raised in the previous external and internal audits, and plan actions to address and close them. When doing so, it’s important to pay special attention to issues reported in your previous external audits, such as Non-Conformances (NC), Opportunities for Improvement (OFI), or Observations (OBS).

For example, if the auditor finds that a previously raised minor NC has not been effectively addressed by the time of the next audit, it may turn into a major NC. A major system nonconformity can jeopardise your Certification.

How to plan the ongoing certification management activities

Conducting regular internal audits, management reviews, business planning updates and checking on any open issues is an excellent way to start with ongoing system management activities.

However, there is more to it, and if you feel like you need a more structured approach, you can schedule the necessary activities in your calendar, for example, employee performance reviews, documented team meetings, regular site safety inspections, etc.


Conducting Internal Audits of the Management System is a requirement to achieve and maintain Certification to an ISO Management System Standard. From a business perspective, you can benefit from qualifying your team to conduct these Internal Audits.

Our Management System Internal Auditor Training is a practical eLearning course that teaches how to conduct effective Internal Audits of the main ISO Management System Standards in accordance with the ISO 19011:2018 Standard. With our course, you can achieve three levels of internationally recognised certificates, giving you the skills and tools you will need to perform effective Internal Audits.

Check out our Management System Internal Auditor training page to download the course guide, or give us a call at 1300 614 897 to find out more.

Managing Director at ICExperts Academy and ISO Certification Experts

Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Australian Organisation for Quality and Brand Integrity Committee.
