Are you ready for ISO certification?
Our experience is that growth companies rarely get non-conformities in an ISO audit because they're working poorly. The non-conformities arise because routines are in people's heads, emails, and spreadsheets, not in one system the entire company uses. An audit is not an exam, but a check to see if the structure holds together. Here are the 12 points an auditor looks at, and where growth makes them most difficult.
A checklist for ISO certification becomes relevant when a customer requires ISO in a tender, or when a board wants to professionalise operations before the next growth phase. It then becomes clear that working well is not the same as being able to prove it.
This checklist for ISO certification goes through the 12 areas that recur across the three management standards, ISO 9001 (quality), 14001 (environment), and 45001 (occupational health and safety), which share the same basic structure (clauses 4-10). Most of the requirements are in the same clause in all three; a couple are located slightly differently, and we have noted where. Go through them honestly, point by point: can you answer yes and show the documentation?
Checklist for ISO certification: the 12 points and stumbling blocks
Clause 4.2
1. Do you know who is making demands on you?
Auditors want to see that you have mapped out customers, authorities, and others who affect operations, and what their actual requirements are. When you were small, this overview was held in the head of the managing director. As you have grown, no one any longer has it consolidated in one place, and it is precisely a consolidated, documented overview that the auditor is asking for.
Clauses 5.2 & 6.2
2. Do you have measurable goals, not just a policy on the wall?
Quality and HSEQ objectives must be concrete, measurable, and followed up with responsibility and deadlines. Many have the policy, but the objectives are vague and no one owns the follow-up – and then you have an intention, not an objective that an auditor can verify.
Clause 5.3
3. Are roles and responsibilities documented?
Who owns what within the management system must be assigned and communicated. «Everyone knows who does what» suffices when you have a handful of employees, but once you've surpassed 50–100 employees and the auditor requests it in writing, the unwritten distribution breaks down.
Clauses 6.1 & 6.1.2
4. Do you have a structured risk assessment?
Both overarching risks and opportunities (6.1) and concrete hazard assessments in the working environment (6.1.2 in 45001) must be systematically assessed, with measures being followed up. The most common weakness is that risk is only managed when something goes wrong – reactively, and without the assessments being traceable afterwards.
Clause 6.1.3 · ISO 14001 & 45001
5. Do you have an overview of legal and compliance requirements?
Which laws, regulations, and other requirements apply to you, who monitors them, and when were they last reviewed? This is a specific clause requirement in 14001 and 45001, while 9001 covers legal requirements more indirectly through product and service requirements. A typical stumbling block is that the legal list is a Word document that no one has updated in two years.
Clause 7.2
6. Do you know who is lacking which skills, and when certificates are due to expire?
The auditor checks that the right people have the right competencies, documented and up-to-date. The problem often first arises during the audit. Certificates expire without anyone noticing because no one has a consolidated overview of who has what and when it expires.
Clause 7.5
7. Is everyone working on the latest version?
Version control, approval, and distribution of documents shall ensure that the current version is always the one actually used by everyone. This is growing pain number one: five versions of the same procedure scattered across SharePoint, email, and desktops. If you recognise «Ctrl+F» as a method, this point is for you.
Clause 8.1
8. Is «best practice» built into the job, or does it live in a folder?
Checklists and controlled workflows are intended to ensure that things are done the same way, every time. The classic pitfall is that the procedure exists, but no one follows it because it is a side issue to the actual work rather than being part of it.
Clauses 8.4 & 8.4.1
9. Do you systematically evaluate suppliers?
The selection, monitoring and evaluation of external suppliers must be documented in ISO 9001 under clause 8.4, in ISO 45001 under procurement (8.1.4) and in ISO 14001 under operational management (8.1). In practice, suppliers are often selected on the basis of experience and gut feeling, without a documented assessment that an auditor can review.
Clause 10.2
10. Are deviations traceable from registration to closure, with root cause?
A deviation must be traceable all the way from registration to investigation, action, approval, and final closure. When deviations are instead reported verbally, actions are forgotten and nothing can be documented retrospectively, and then you lack exactly the audit trail the auditor is looking for.
Clause 9.2
11. Do you have an audit program, or do you just panic before the external auditor arrives?
Internal audits should be planned throughout the year, with criteria, findings and follow-up. For many, «internal audit» in practice means a hectic week just before the external auditor arrives, which makes it more of a drawn-out fire drill than a routine.
Clauses 9.1 and 9.3
12. Does management actually collect the data and act on it?
Management should regularly review variances, targets, risks and audit findings, and make decisions on that basis. When the figures are scattered across different systems, the review becomes mere guesswork rather than effective management, and the auditor quickly spots the difference.
How many could you confidently tick off?
10-12
Well equipped
The foundation is in place. Use the checklist to seal the last gaps before the inspection.
6-9
Some things live outside the system
Much is in place, but parts are still stuck in spreadsheets and heads. This is where growth creates risk.
0-5
Classic growing pains
The structure hasn't kept pace with growth. This can be rectified.
Please note: this figure is an indicator, not a guarantee. A single significant shortcoming – for example, the complete absence of an internal audit – could in itself prevent certification, regardless of how many of the other criteria you tick off.
How Business Online Helps
Business Online brings together document management (7.5), deviation management (10.2), risk management (6.1), quality control plans (8.1), supplier follow-up (8.4 / 8.1.4) and certificate tracking (7.2) in one system built on Microsoft 365. Several of the points above will therefore move out of disparate spreadsheets and into the workflow itself.
Business Online does not provide you with the certificate itself; that is done by the auditor. However, it offers the structure and traceability required to pass the audit.
If you want to see how the requirements link together clause by clause, we have documented it in a separate review. A natural next step is to put the points above into a responsibility matrix, the overview that shows where each requirement is covered.
FAQ
ISO 9001 is about quality management, ISO 14001 about environmental management and ISO 45001 about the working environment. They share the same fundamental structure (clauses 4–10), so much of the preparation regarding document control, risk, non-conformities, internal audits, and objectives is shared. This checklist covers what is common across all three, with a note where a standard places the requirement differently.
For small and medium-sized businesses, an initial run typically takes 6–12 months, depending on how much structure is already in place. The more of the points above you can answer yes to, the shorter the journey will be.
No, the standards do not require a specific tool; they require that you can manage and document. However, in practice, it is the documentation and traceability that fall apart when a growing company tries to keep everything in spreadsheets and email. A common management system makes the requirements easier to meet and prove.
Because good routines that worked with 10 employees do not scale to 100 employees unless they are written down, version-controlled, and made accessible. Auditors want to see that the work is done systematically and consistently, every time, not just that it gets done.
The ISO audit isn't an exam on how hard you work. It's a check to see if the structure can cope with you growing.
