As part of Assent’s mission to champion the consultancy industry, Jess from Assent Risk Management has been interviewing experts from all sectors of the consulting profession. In this interview, Jess talks with Jaz Taylor, Head of Client Services at Assent Risk Management about Choosing a Certification Body. Jaz explains why you need a certification body and the accreditation you should expect from a certification body. She also shares tips and what to consider when choosing a certification body.
What does a Certification Body do?
A certification body carries out external audits on your management system and issues the certificate to acknowledge you are meeting the requirements and are certified to the standard.
The certification process can be confusing and can vary depending on the scheme. Generally, management systems such as ISO 9001 (Quality Management) and ISO 14001 (Environmental Management) usually follow a two-stage process, with the certificates lasting for a period of three years before renewal.
Once you engage with the certification body, they will send you your quotation. From there, you then have a stage one document review. The Stage One audit signals the start of the ISO process and it’s used as an opportunity for the certification body to review the structure of your management systems through the available documentation.
They will seek to verify that any mandatory requirements have been addressed within the documentation. This is usually conducted on-site, but since COVID, certification bodies are a little bit more lenient on it and this may also be done remotely. However, it completely depends on the industry of your company.
A stage one audit is not a pass or a fail because, between stage one and stage two, you do have some time to fix any issues that may have been brought up.
Next is the stage two audit, which is the certification audit and will cover all aspects of the management system. This differs from stage one, as stage one was just the document review; stage two is sampling records to obtain objective evidence and make sure that the system is operating effectively.
For this reason, there typically needs to be a minimum of three months’ worth of records as evidence for the auditors to review. And again, whether or not this is held on-site or remotely is completely dependent on what industry you’re in and your certification body’s preference. After the stage two audit, you will get your certificate. Once you’ve passed, the certificate cycle lasts for three years. Each year you will have a surveillance audit to make sure that you haven’t got your ISO certificate and then stopped complying. These usually fall either annually or every six months and this varies depending on the complexity of your management system.
Once the three-year cycle is up, you can renew your certificate, following this process again.
Why do you need a certification body?
As a consultancy, this is one of the biggest misconceptions and one of the questions that I get asked the most. So, as a consultancy, we cannot offer certification due to conflict of interest and this works both ways. Any UKAS-accredited certification body will not offer the same services we offer and vice versa and this is due to the guidelines and the rules of the UKAS-accredited body. UKAS is the UK’s accredited body and any certification body should be UKAS accredited.
Once you’ve had a consultant such as Assent Risk Management in to support your journey, whether that’s full implementation, internal audits or just ISO support, the certification body will then come and externally audit everything we’ve helped you put in place. As I explained before, once you have successfully completed both of your external audits, your certification body will then provide you with a certificate.
Overall, the main reason you need that certification body is due to conflict of interest and so consultants are not auditing their own work and the certification body can provide an independent verification of the UKAS certificate.
Do Certification Bodies have to be UKAS Accredited?
Certification bodies should be UKAS accredited; however, they don’t have to be. There are some certification bodies out there that are not UKAS accredited and we have worked with clients who are certified with non-UKAS accredited bodies, but personally, here in the UK, we only recommend that you work with UKAS.
There are other accreditation bodies out there, especially outside of the UK. For example in the US, there is one called ANAB.
What to consider when choosing a cert body?
So as a consultancy service, we can’t tell you who to choose; however, if a client asks for some certification quotes, we can send out three emails to certification bodies asking for quotes. This allows them to get an idea of the different prices and quotes and they can choose their own, which ensures we are being impartial.
Something else to consider is the number of staff you have in your organisation. So high numbers of staff involved in the same process can reduce the number of audit days. Whereas in other cases the number of effective staff is used as a measure of complexity which can also affect the number of days.
When you speak with the certification body and provide the staff details and the scope details, they will provide you with a quote and the number of days recommended. You can always go back to your certification body and say I think we can cut it down here and there and they’ll always amend your quote for you.
Another thing to consider is the brand. So some certification bodies in the UK are a lot more recognisable than others, which can be very attractive when considering using their certification mark. So you can use it in marketing, on stationery, websites and products.
However, some certification bodies operate in niche markets or have particular reputations within certain industries. Some certification bodies will only cover certain standards whereas others won’t. So again, that’s something to consider when you are looking around.
You should also consider location, as there may be travel costs. These aren’t always straightaway in the quote; it might say it at the bottom, so you do need to look out for that.
ISO certification is recognised internationally and if you operate in multiple territories, such as the UK, if your head office is here but then you’ve got an office in France or Italy, you may need to consider that the certification body is going to charge you for that travel if they need to visit that location.
The location of the certification body’s branch offices can vary, and those that are further away from your branches will obviously lead to increased travel costs. Alternatively, if you only operate in one country, then a smaller certification body could offer lower costs and a more personal service.
Since COVID, many certification bodies still offer remote work as well, so they might need to only visit your site one day.
Also, it’s worth considering your future requirements and growth plans when you engage with a certification body. For example, if you have ISO 9001 and then in a year’s time you want to add another standard, but that certification body doesn’t cover it, you either have to get the certification with another certification body, meaning you have two different ones, or you change your certification body once the cycle is complete and move to one that can cover them all.
Finally, many of them will provide training services which can be a really big advantage to a company as it grows, while others have specialist services such as compliance software, insurance services and industry analytics.