ISO certification for growth companies

The customer demanded it. The tender required it. And suddenly, there's urgency. Here's what you need to know about the requirements, the process, the costs, and what's actually needed to pass the audit.

When does your company need ISO certification?

ISO certification is not a legal requirement. But for many growing businesses, it is practically mandatory.

Four situations most often trigger it. At Business Online, we see these common triggers:

Customer requirements. An existing customer changes their purchasing terms, or a new tender requires the supplier to be certified. In oil and gas, construction, and public procurement, this is the norm. Without a certificate, you will not be considered.

Growth. The company has grown from 10 to 30 employees. What worked when everyone knew everyone no longer does. Procedures are being missed, deviations are not being captured, and oversight is disappearing. ISO provides a structure that scales.

ISO certification as a goal. Management has decided that certification is the next step. Often because they see the industry moving in that direction, and that it will cost more to wait.

Internationalisation. Foreign customers often assume certification as a minimum requirement. For Norwegian companies wanting to work outside the Nordic region, ISO 9001 is often the ticket to entry.

The common denominator is that ISO is rarely something the company plans far in advance. It pops up as a concrete requirement, and then it's urgent.

ISO 9001, 14001 and 45001. Differences and overlap

Three standards are relevant for most Norwegian companies. They follow the same basic structure (clauses 4 to 10) and are based on the same principle: plan what you are going to do, do it, check that it works, and improve what isn't working. This means they can be operated under a common management system.

| | ISO 9001 | ISO 14001 | ISO 45001 |
|---|---|---|---|
| Focus | Quality management | Environmental management | Working environment and health and safety |
| Main requirements | Processes, document management, deviations, customer focus | Environmental aspects, pollution prevention | Hazard identification, risk assessment, worker participation |
| Most common in | All industries | Industry, oil/gas, manufacturing | Construction, oil/gas, industrial |
| Typical order | First | Second or simultaneous | Second or simultaneous |

ISO 9001 is the most common and often the first one businesses start with. Many take on 14001 and 45001 at the same time because the structure is similar and much of the work can be reused.


What is required to become certified? The step-by-step process

Auditors are not looking for binders with neat documents. They are looking for evidence that the system is used in everyday life. The process to get there typically takes 6 to 12 months for a company with 20 to 50 employees.

1. Gap analysis. Map out what the company already has in place and what is missing. Compare current routines against the requirements of the standard. This is where most discover they have more than they think, but that it lacks traceability and structure.

2. Build the system. Establish document control, process descriptions, deviation procedures, and risk assessments. Write the policy documents the standard requires. This is where most of the work lies.

3. Implement. All employees must actually use the system, not just the quality manager. The auditor interviews people at all levels and expects a project manager to be able to explain their own deviation process without looking in a binder.

4. Internal audit. Perform an internal audit against the requirements of the standard. This is an absolute requirement (clause 9.2) and something the certification body always asks about early on.

5. Certification audit. An accredited certification body conducts a formal two-stage review: first a document review, followed by an on-site audit. The auditor interviews staff, checks systems, and verifies that practices align with documentation.

How much does ISO certification cost?

The biggest cost of ISO certification isn't the auditor or consultant. It's internal time. Most people underestimate it.

For a company with 20 to 50 employees, the quality manager typically spends 20 to 40 % of their working hours over 6 to 12 months. Add time for management, process descriptions, risk assessments, and employee training. For a company with 30 employees, this quickly amounts to 400 to 800 hours in total. Calculated in salary costs, this is the largest item.

The audit itself is cheaper than most people think. An accredited certification body typically spends 2 to 4 days, at a daily rate of DKK 12,000 to DKK 20,000. First-time certification thus lands at around DKK 30,000 to DKK 80,000. Follow-up audits are shorter.

Consultancy is optional but common for first-time certification. Expect DKK 50,000 to DKK 200,000 for gap analysis, document development, and audit preparation. Companies with internal expertise can entirely omit this cost. A digital quality system typically costs between DKK 100,000 and DKK 300,000 per year for a small or medium-sized enterprise, but this can vary significantly depending on the system supplier. The alternative is folders and spreadsheets. This works for certification but makes maintenance cumbersome.

Realistic total budget for ISO 9001:

| Component | Estimated |
|---|---|
| Internal time (value) | 200,000 – 500,000 kr |
| Certification body | 30,000 – 80,000 kr |
| Consultant (optional) | 50,000 – 200,000 kr |
| Quality system (annual) | 100,000 – 300,000 kr |
| Total first year | 380,000 – 1,080,000 kr |

The figures are indicative and vary with company size, industry, and what is already in place. In addition, there are annual follow-up audits and recertification every third year. Request a specific offer from the certification body for an accurate estimate.

If you take on more standards simultaneously, the cost increases by 30 to 50 %. However, much of the groundwork is reused.

Traceability and document control. The backbone of the quality system

ISO sets specific requirements for what the standard calls «documented information» (clause 7.5). This means the company must be able to show who created a document, who approved it, which version is current, and who has access. When an auditor asks «show me the current version of this procedure,» the answer must be immediate.

In practice, this is where many businesses struggle. In sales meetings at Business Online, 75 % of the companies stated that they lacked traceability in their documentation. 65 % had no version control. Half said that procedures were not followed in practice.

The problem is rarely that the routines don't exist. The problem is that they are in a folder on a file server, in version 7 (or was it 8?), and no one knows if it was approved by the quality manager or just put online by someone who thought it was okay.

A quality system solves this with three functions:

Version control. Only one version applies. Previous versions are archived with a date and change description. Employees always see the current version.

Approval flow. Documents go through a defined approval process before being published. Auditors can see who approved, when, and potentially who rejected.

Access control. The right people have access to the right documents. Sensitive procedures are restricted. Distribution is traceable.

Without these three, it works for the auditor, but not for everyday life. And a quality system that only works during an audit is not a quality system.

The most common approach is manual follow-up. Document lists, action sheets, and checklists reside in Excel. This works for ten documents. With a hundred a week, it falls apart. 

How a quality system supports ISO work

When the auditor asks about deviation management, they will look at the entire process: registration, root cause analysis, measures, approval, closure. When they ask about document management, they will look at version control and approval history. These are specific requirements. A good quality system covers the most demanding ones directly.

Business Online has reviewed ISO 9001, 14001 and 45001 clause by clause. Here are the most important requirements:

| ISO requirement | How Business Online solves it |
|---|---|
| Document management (7.5) | QDMS with version control, approval workflow, and access management |
| Deviation management (10.2) | KHMS reporting with a 5-phase workflow from registration to closure |
| Risk assessment (6.1) | Risk management with Bow-Tie diagrams |
| Process management (4.4) | BPM with Visual Process Designer |
| Quality control (8.1) | QCPs (Quality Control Plans) at project level |
| Supplier management (8.4) | CRM with evaluation and deviation linking |

ISO 9001 has the highest direct coverage (50 %) because the standard deals with processes, document management, and non-conformance handling. These are the areas that Business Online is built for. ISO 14001 (30 %) and ISO 45001 (35 %) have lower direct coverage because they contain subject-specific requirements such as environmental aspect registers and emergency preparedness plans.

Requirements that are not directly covered, such as policies, context analyses, and objectives, are stored as documents in QDMS. Some requirements, such as the calibration of physical measuring equipment, fall outside a digital system.

In Business Online, a deviation in a project is linked to the customer, the project, and the employee. Pure quality systems stop at the deviation. Everything is connected here.

What is the alternative?

Businesses looking to be ISO certified have four practical options:

  1. Folders and spreadsheets. It is possible to become certified with Word, Excel and a file server. Many have done it. The problem arises after certification, when the routines need to be maintained. Without traceability and version control, it is a burden to keep the system updated, and follow-up audits become laborious.

  2. An ISO consultant builds the system for you. The consultant delivers a complete set of documents. The problem is that the system is often adapted for the audit, not everyday use. When the consultant is finished, the company owns a document structure nobody quite understands.

  3. A dedicated quality system. Solutions such as EQS (Extend) and EG Landax are good at quality management. However, they lack project management, CRM and HR. The company ends up with one system for quality and one for everything else.

  4. Integrated platform. Business Online combines quality management with CRM, project management and HR in one platform built on Microsoft 365. Deviations, documents, projects and customers share the same data source. Employees work in the tools they already use (Word, Excel, Teams, Outlook), but everything gets a natural place, so you don't lose track of things and it becomes easy to find again.

The choice depends on the company's size, complexity, and what it needs beyond quality management. For companies that only need QHSE, a dedicated tool is a good choice. For companies that also need project management, customer overview, and personnel administration, an integrated platform provides fewer systems to maintain.

Frequently asked questions about ISO certification

Is ISO certification required?

No. But try to win a tender in oil and gas or construction without it. In practice, the market demands it, not the law.

ISO 9001 (quality management) is the natural starting point for most businesses. It is the most widespread, and much of the foundational work (document management, non-conformities, process descriptions) can be reused if you later adopt ISO 14001 or 45001.

For a company with 20 to 50 employees, it typically takes 6 to 12 months from starting to certification. The time taken depends on how much is already in place and whether the company has internal ISO expertise.

Yes. ISO 9001, 14001 and 45001 follow the same basic structure (clauses 4 to 10). An integrated management system is both permitted and recommended. It reduces duplication of work and makes maintenance simpler.

Auditors distinguish between non-conformities and observations. A non-conformity means that a requirement has not been met. A minor non-conformity gives you a deadline (typically 90 days) to rectify it. A major non-conformity requires a new audit of the area concerned. An observation is a recommendation, not a barrier to certification.

It depends on internal expertise. A quality system that handles document control, deviations, and risk makes the groundwork easier, but you still need to understand the standard and adapt it to the organisation. Some handle this internally. Others benefit from consulting for gap analysis and preparation.

Internal control is a legal requirement for all Norwegian companies (the Internal Control Regulations). ISO certification is voluntary and sets higher standards. An ISO-certified company automatically meets the requirements for internal control, but not the other way around.

The certification is valid for three years with annual follow-up audits. Between audits, the company must conduct internal audits, address non-conformities, and update documents. Companies that use the quality system in everyday life do this on an ongoing basis. Companies that do not feel it three weeks before the auditor arrives.

Ready for the next step?

Your business doesn't need more PDFs. It needs a system that actually works in everyday life. We'll show you how Business Online meets ISO requirements with your processes. 30 minutes. No obligation.