Frequently Asked Questions
What do you want to know about ISO standards?
If you are simply trying to find out a bit more on ISO standards and what they mean, perhaps your question will be answered below. Some of the key questions we hear when we are training or visiting clients are listed on this page – feel free to scroll down and see if these help you!
If your particular question or enquiry is not listed then do get in touch; we are happy to answer anything that might assist you – just use our enquiry link here. You may also find more detailed articles and information within our newsletter section – go here to see if there is anything to help. Finally, just use the site search engine to help you find what you are looking for (click on the magnifying glass at the top of the page).
Quality Management Systems and ISO 9001
Quality is simply that the characteristics of goods and/or services delivered meet or exceed the requirements of a client or customer.
ISO 9001 (currently the 2015 version is live) is recognised as the leading standard for Quality Management Systems (QMS). Used in just about every part of the globe, ISO 9001 gives organizations a set of management guidelines or requirements that help ensure consistency in the delivery of products and services to their clients. ISO 9001 does not explicitly say how a business should be organised but it does provide a framework (linked to the plan>do>check>act cycle) that helps deliver product with the objective of delighting clients!
Simply the arrangements and activities that are planned and delivered to meet a specific aim or objective. For quality, it is the arrangements in place to deliver the objective of quality products or services.
A management system that fulfils the requirement of ISO 9001 is usually developed around a plan > do > check > act model.
Adopting plan, do, check, act is also known as the systematic approach to management. Systematic means a cyclical sequence of steps that, when repeated, leads to improvement in how the organisation operates.
- Plan: Establishing a policy and objectives for an organisation to ensure that all requirements are anticipated and met. Also establishing the sequence of processes and determining the necessary resources needed.
- Do: Delivering the product or service by ensuring all ‘inputs’ are available for the organisation’s processes including resources, infrastructure and procedures
- Check: Ensuring that the product or service was delivered to meet all requirements (through measurement or other means). Also ensuring that the process was effective and efficient in delivering the product or service and taking action for any issues observed. This is also where auditing fits into the cycle.
- Act: Improvement comes when changes are made to fix issues or improve a process. This can affect and change plans, and the sequence of steps is repeated.
A QMS that meets the requirements of, and may be certified to, ISO 9001 helps an organisation to consistently deliver expected outcomes to its clients, thus improving customer satisfaction. In addition, by ensuring there are effective processes in place it can boost operational efficiency, reduce risk and contribute positively towards the bottom line. Certification demonstrates your organisation’s commitment to quality and provides assurances to existing and potential customers that you are meeting best practice with regard to quality. Having certification can lead to additional business opportunities as well as help you to secure and hold on to your existing clients.
No matter which sector you are in, ISO 9001 certification opens up the possibility of bringing benefits to your organisation (see last question). Certification is available to all kinds of organisations; they can be commercial or public sector, be a micro business or an international conglomerate.
Simply – you need to think if having certification will provide you with more benefits than the costs of developing systems and getting a certification body to assess you. It is our experience that the benefits always outweigh the costs.
We have prepared a quick guide to the main elements and requirements of ISO 9001 here. The standard is broken down into clauses within which is a description of what the organisation is to do if it is to achieve certification. A clause normally begins with the phrase:
‘The organisation shall….’
It will then describe what you must do. (We cannot write out full clauses on this site due to copyright reasons)
To achieve ISO 9001 certification, you will need to demonstrate that you have effectively made arrangements to fulfil all of the requirements (or clauses) of the international standard. You must have in place the evidence and records to show that you are fulfilling your plans. In addition, you must be able to prove that your management system has been operational for at least three months and has undergone a management review and a full cycle of internal audits before you can earn ISO 9001 certification.
You are assessed by a Certification Body. Initial certification is achieved via a two-stage process – the second of which (if successful) will result in the award of a certificate. After achieving initial certification, you will need to complete yearly or 6-monthly surveillance audits (the frequency depends on the size and complexity of your organisation). Re-certification audits are required after three years.
QCS recommends that the audits are completed by an accredited third-party certification body.
People use the phrase accreditation and certification believing them to mean the same thing. They are not.
Simply, accreditation is the award or recognition given to an organisation (by an accreditation body) that is then able to assess other organisations and award them certification to a standard or other requirement. You are certified to ISO 9001; you are accredited to certify others.
In the UK all certification bodies are assessed by UKAS – the United Kingdom Accreditation Service.
QCS will only work with clients seeking certification along the UKAS route.
There shall be two main costs to bear.
The first are the costs within the organisation to develop and implement the management system. This might include the creation of processes and the retention of records to show that these processes are being followed and effective. Note that a certification body wants to see a system that is working not one that is simply designed.
The internal costs will vary by the size and complexity of what the organisation does and what you have in place already. Lots of organisations are already meeting many requirements of the ISO standards without realising.
You can improve the efficiency of developing the system by seeking assistance from a consultancy company such as QCS International. See our section on system implementation page.
The other costs will be associated with the charges made by your chosen certification body. These also vary by the size and complexity of the organisation.
If you want an informal chat on what the costs might be for you then fill in our contact form.
Simply – yes! It is a specific requirement within the standard that you have an audit programme that reviews the effectiveness of all arrangements to meet the objectives of your quality management system. You can do internal audits yourself or seek assistance with these from a consultant such as QCS International. Find out more here.
Environmental Management Systems and ISO 14001
Having a clear understanding of what we mean by the environment is fundamental to us then being able to manage this key resource. The environment is simply everything that surrounds us – air, land and water and all the constituent parts (mineral, flora and fauna) that it contains. Humans are a part of the environment – we do not sit outside it. We affect it and it has an impact on our quality of life.
ISO 14001 (currently the 2015 version is live) is recognised as the leading standard for Environmental Management Systems (EMS). Used in just about every part of the globe, ISO 14001 gives organizations a set of management guidelines or requirements that help ensure consistency in the identification of key environmental issues (aspects/impacts) and how these are managed – so that organisations have a positive impact on the environment around them. ISO 14001 does not explicitly say how an organisation should deliver these requirements but does provide a framework (linked to the plan>do>check>act cycle) that helps it to meet its key environmental management objectives.
Having an Environmental Management System certified to ISO 14001 presents many benefits to an organisation. These include:
- Cost savings – an EMS requires reviews on how you consume resources such as raw materials, energy and water. By being more efficient in their use it can reduce cost – and increase profit!
- Having an effective EMS is good for the environment – we cause less damage and might also generate direct benefit (such as investment in renewables, habitats or reduction in pollution)
- Enhances your organisation’s image and reputation – nobody would want to work with an organisation damaging the environment and having ISO 14001 may actually open up markets to your business
- Having an EMS in place provides a framework so that you can demonstrate compliance with the law – thus reducing the possibility of prosecution
- An effective EMS reduces risk – meaning that you have identified concerns and developed measures to minimise the potential impact on your operations
No matter which sector you are in, ISO 14001 certification opens up the possibility of bringing benefits to your organisation (see last question). Certification is available to all kinds of organisations; they can be commercial or public sector, be a micro business or an international conglomerate.
Simply – you need to think if having certification will provide you with more benefits than the costs of developing systems and getting a certification body to assess you. It is our experience that the benefits always outweigh the costs.
QCS recommends that you only use certification bodies fully accredited by ACAS.
We have prepared a quick guide to the main elements and requirements of ISO 14001 here. The standard is broken down into clauses within which is a description of what the organisation is to do if it is to achieve certification. A clause normally begins with the phrase:
‘The organisation shall….’
It will then describe what you must do. (We cannot write out full clauses on this site due to copyright reasons)
To achieve ISO 14001 certification, you will need to demonstrate that you have effectively made arrangements to fulfil all of the requirements (or clauses) of the international standard. You must have in place the evidence and records to show that you are fulfilling your plans. In addition, you must be able to prove that your management system has been operational for at least three months and has undergone a management review and a full cycle of internal audits before you can earn ISO 14001 certification.
You are assessed by a Certification Body. Initial certification is achieved via a two-stage process – the second of which (if successful) will result in the award of a certificate. After achieving initial certification, you will need to complete yearly or 6-monthly surveillance audits (the frequency depends on the size and complexity of your organisation). Re-certification audits are required after three years.
QCS recommends that the audits are completed by an accredited third-party certification body. In the UK these are approved by UKAS.
People use the phrase accreditation and certification believing them to mean the same thing. They are not.
Simply, accreditation is the award or recognition given to an organisation (by an accreditation body) that is then able to assess other organisations and award them certification to a standard or other requirement. You are certified to ISO 14001; you are accredited to certify others.
In the UK all certification bodies are assessed by UKAS – the United Kingdom Accreditation Service.
QCS will only work with clients seeking certification along the UKAS route.
There shall be two main costs to bear.
The first are the costs within the organisation to develop and implement the management system. This might include the creation of processes and the retention of records to show that these processes are being followed and effective. Note that a certification body wants to see a system that is working not one that is simply designed.
The internal costs will vary by the size and complexity of what the organisation does and what you have in place already. Lots of organisations are already meeting many requirements of the ISO standards without realising.
You can improve the efficiency of developing the system by seeking assistance from a consultancy company such as QCS International. See our section on system implementation page.
The other costs will be associated with the charges made by your chosen certification body. These also vary by the size and complexity of the organisation.
If you want an informal chat on what the costs might be for you then fill in our contact form.
Simply – yes! It is a specific requirement within the standard that you have an audit programme that reviews the effectiveness of all arrangements to meet the objectives of your environmental management system. You can do internal audits yourself or seek assistance with these from a consultant such as QCS International. Find out more here.
Information Security Management Systems and ISO 27001
Information security is defined as the preservation of the confidentiality, integrity and availability of information.
ISO 27001:2022 is the globally recognised international management system standard for information security.
ISO 27001 provides a recognisable framework aligned to the plan-do-check-act cycle, that supports activities in information security, cybersecurity and privacy protection when applied to an organisation.
An ISMS that meets the requirements of, and may be certified to, ISO 27001 helps an organisation to meet the requirements of wider information security, minimise cyber security incidents and protect the security of PII (personally identifiable information) through the application of best practice throughout the business. Through risk management and the application of controls, organisations can prevent issues, reduce incidents, and avoid potential fines where breaches occur.
Through defining and meeting objectives set, the business can satisfy legal requirements and those of others including clients.
Having certification can lead to additional business opportunities as well as help you to retain existing clients.
All types of business and organisations can be certified to ISO 27001, no matter which sector you are in, bringing benefits to your organisation. Certification is available to all kinds of organisations; they can be commercial, not for profit or public sector, be a micro business or an international conglomerate.
ISO 27001 is integral in providing confidence in how your organisation manages information security, which may be a requirement of clients, regulators (ICO) and the security of your own data and systems.
To be certified to ISO 27001, you will need to demonstrate that you have effectively planned arrangements to fulfil all of the requirements (or clauses) of the international standard. You must have in place the evidence and records to show that you are fulfilling your plans. In addition, you must be able to prove that your management system has been operational for at least three months and has undergone a management review and a full cycle of internal audits before you can earn ISO 27001 certification.
You are assessed by a Certification Body. Initial certification is achieved via a two-stage process – the second of which (if successful) will result in the award of a certificate. After achieving initial certification, you will need to participate in annual surveillance assessments with the third year being a recertification audit.
QCS recommends that the audits are completed by a UKAS accredited third-party certification body.
People use the phrase accreditation and certification believing them to mean the same thing. They are not.
Simply, accreditation is the award or recognition given to an organisation (by an accreditation body) that is then able to assess other organisations and award them certification to a standard or other requirement. You are certified to ISO 27001; you are accredited to certify others.
In the UK all certification bodies are assessed by UKAS – the United Kingdom Accreditation Service.
Occupational Health & Safety Management Systems and ISO 45001
ISO 45001 (currently the 2018 version is live) is the globally recognised international management system standard for occupational health and safety. This means the arrangements an organisation has in place to identify and manage hazards that have the potential to cause harm to individuals. The objectives of such a system will be to provide a safe and healthy working environment and to have continuing improvements in safety performance through time.
ISO 45001 provides a recognisable framework aligned to the plan-do-check-act cycle; this supports activities in risk management, resource allocation, objective setting, policy statements and the operational controls required to ensure that the organisation meets regulatory requirements.
Having excellence in safety management is easier when you have ISO 45001 in place – it requires you to adopt best practices and take a systematic approach to managing your safety risks. Some of the wider benefits include:
- Your company image and reputation are greatly enhanced – your clients and customers would prefer to work with an organisation that demonstrates good safety management and exposes them to less risk.
- An organisation with good safety management is also likely to be more efficient and profitable
- Your workforce are working in a safer environment – good for everyone and all other stakeholders
- ISO 45001 has within it activities and requirements that will make legal compliance easier
- Saves money – with reduced likelihood of issues and concerns on safety the company is less likely to suffer costs associated with poor safety practice
All types of business and organisations can be certified to ISO 45001; it can be relevant no matter which sector you are in. Certification is available to all kinds of organisations; they can be commercial, not for profit or public sector, be a micro business or an international conglomerate.
ISO 45001 is integral in providing confidence in how your organisation manages occupational health and safety, which may be a requirement of clients, regulators (such as the Health and Safety Executive in the UK) and the security of your own data and systems. The costs of certification are invariably less than the benefits it brings.
To be certified to ISO 45001, you will need to demonstrate that you have effectively planned arrangements to fulfil all of the requirements (or clauses) of the international standard. You must have in place the evidence and records to show that you are fulfilling your plans. In addition, you must be able to prove that your management system has been operational for at least three months and has undergone a management review and a full cycle of internal audits before you can earn ISO 45001 certification.
You are assessed by a Certification Body. Initial certification is achieved via a two-stage process – the second of which (if successful) will result in the award of a certificate. After achieving initial certification, you will need to participate in annual surveillance assessments with the third year being a recertification audit.
QCS recommends that the audits are completed by a UKAS accredited third-party certification body.
People use the phrase accreditation and certification believing them to mean the same thing. They are not.
Simply, accreditation is the award or recognition given to an organisation (by an accreditation body) that is then able to assess other organisations and award them certification to a standard or other requirement. You are certified to ISO 45001; you are accredited to certify others.
In the UK all certification bodies are assessed by UKAS – the United Kingdom Accreditation Service.
Energy Management Systems ISO 50001
The aim of an EnMS is to establish a system and associated processes to improve an organisation’s energy performance. This could be through a combination of improving energy efficiency, reducing energy use and/or consumption.
ISO 50001 (currently the 2018 version is live) is recognised as a best practice model for the strategic management of energy and associated costs. A definition of energy management is the management of energy consumption.
An EnMS that meets the requirements of, and may be certified to, ISO 50001 helps an organisation to consistently deliver expected outcomes, for example:
- Enhanced sustainability credentials through improved energy performance: ISO 50001 helps organisations optimise their energy use and energy efficiency and reduce energy consumption.
- Cost Savings: By implementing energy-efficient practices and technologies, organizations can reduce energy costs
- Having certification can lead to additional business opportunities as well as help you to secure and hold on to your existing clients.
- Enhanced reputation, certification to ISO 50001 demonstrates a commitment to energy management and sustainability, improving the organisation’s reputation with interested parties.
The more significant energy is as a cost and impact on your operations, the greater the benefits are likely to be.
No matter which sector you are in, ISO 50001 certification opens up the possibility of bringing benefits to your organisation (see last question). Certification is available to all kinds of organisations; they can be commercial or public sector, be a micro business or an international conglomerate.
Simply – you need to think if having certification will provide you with more benefits than the costs of developing systems and getting a certification body to assess you. It is our experience that the benefits will outweigh the costs.
Another good reason for certification is that it contributes towards fulfilment of regulatory requirements placed upon larger energy users – such as the Energy Savings Opportunity Scheme (ESOS).
To achieve ISO 50001 certification, you will need to demonstrate that you have effectively made arrangements to fulfil all of the requirements (or clauses) of the international standard. You must have in place the evidence and records to show that you are fulfilling your plans. In addition, you must be able to prove that your energy management system has been operational for at least three months and has undergone a management review and a full cycle of internal audits before you can earn ISO 50001 certification.
You are assessed by a Certification Body. Initial certification is achieved via a two-stage process – the second of which (if successful) will result in the award of a certificate. After achieving initial certification, you will need to complete yearly or 6-monthly surveillance audits (the frequency depends on the size and complexity of your organisation). Re-certification audits are required after three years.
QCS recommends that the audits are completed by an accredited third-party certification body.
People use the phrase accreditation and certification believing them to mean the same thing. They are not.
Simply, accreditation is the award or recognition given to an organisation (by an accreditation body) that is then able to assess other organisations and award them certification to a standard or other requirement. You are certified to ISO 50001; you are accredited to certify others.
In the UK, all certification bodies are assessed by UKAS – the United Kingdom Accreditation Service.
Quality Management Systems for Medical Device Manufacture - ISO 13485
Simply, a QMS for medical device manufacture is one that ensures that the items manufactured consistently and reliably meet customer and regulatory requirements. Unlike an ISO 9001 QMS, ISO 13485 has within it some particular requirements linked to the full life cycle of the product and greater emphasis on regulatory compliance and risk management.
Having a QMS that meets the requirements of ISO 9001 will not be sufficient should an organisation seek certification to ISO 13485. There are some elements of ISO 13485 that require additional work and further evidence to be in place. The standard itself lists some of the key differences which include:
- Arrangements specific to the types of products manufactured – such as cleanliness of production areas, cleanliness and sterilisation of products (where required), servicing and installation arrangements.
- Processes in place (and evidence) to demonstrate some activities have been validated – such as the use of software or mechanisms to achieve sterile environments
- The establishment of a medical device file to support the product – with mandatory content
- Mandatory documented procedures – there are mandatory documented procedures in ISO 13485 but none in ISO 9001
- Arrangements for record keeping vary – with additional requirements in ISO 13485 that records associated with the device are retained for its lifetime
There are many other variables. You can find out more about the standard on our ISO 13485 Foundation Course.
Without certification to ISO 13485 it can be extremely difficult to have your devices approved by relevant regulatory bodies (which vary by your location in the world). Simply, ISO 13485 contributes positively towards the generation of records your regulatory body must see to allow you access to the market and to allow your product to be used by medical professionals. It may not be that you must have ISO 13485, but without it the process can be much more difficult.