Article by Dejan Kosutic
Things with ISO standards can get really complicated: there are many ISO management standards – the most popular ones are ISO 9001, ISO 14001, ISO 27001, ISO 22301, ISO 20000, etc. – and there are a multitude of ways to get accredited/certified/registered related to those standards. But, that’s not all – there is a difference if you want to certify your company, or if you want to certify as an individual.
So, where should you start? Let’s make all this clear…
First of all, ISO standards are published by the International Organization for Standardization – this is an international body founded by governments around the world. Its purpose is to publish standards as a way to deliver knowledge and best practice – as of now, almost 20,000 standards are published in total, and they are recognized in every country.
ISO management standards are only part of these 20,000 standards, which were created primarily as a help for companies to improve their operations in certain areas (e.g., ISO 9001:2015 for quality management, ISO 27001 for information security management, etc.) – this is why most of the talk about these standards is related to companies and their registration, certification, and accreditation.
When you want to say that a company has implemented a standard (e.g., an Information Security Management System according to ISO 27001), has successfully completed the certification audit, and the certification body has issued the certificate, you would normally call this registration or certification.
In North America, the term “registration” is most commonly used, while in the rest of the world it is usually called “certification.” So, is there a difference? Technically, yes; but essentially, no.
Certification is when a certification body issues the certificate proving that a company is compliant with a standard; registration is when this certificate is registered with the certification body. So, basically, it comes down to the same thing – a company got a certificate that is formally recognized.
By the way, the International Organization for Standardization recommends usage of the term “certification” (see the ISO’s explanation here), so I’ll use this term from this point forward in this article.
This is the terminology difference that directly arises from the usage of certification/registration terms – in North America people usually use the term registrars, while in the rest of the world they are called certification bodies.
But, again, this is one and the same thing – those are the companies that perform the certification audits and issue the certificates. Here, also, the ISO recommends using the term “certification body”.
What is the accreditation, then? In order for certification bodies to able to perform the certification audits and issue the certificates, they need to get a license – and this license is called accreditation. So, certification bodies are getting accredited, while companies are getting certified. (The certification body needs to be compliant with the standard ISO 17021 if they want to get accredited for certifying management systems.)
There is usually only one accreditation body for each country (e.g., UKAS for the United Kingdom), while there are several certification bodies operating in each country – ranging from small local certification bodies to large multinational corporations like SGS, BSI, DNV, BV, etc.
The good thing about accreditation bodies is that they usually publish the list of accredited certification bodies in their countries – see here the list of certification bodies in the United Kingdom, and here the list of certification bodies in United States.
By the way, accreditation bodies also need to be compliant with a standard – this is ISO 17011, a standard which defines the process of accreditation.
In order to implement a standard in a company, or to audit it, someone needs to be trained to do it. This is why many trainings for ISO standards have been developed, and there are also certifications and accreditations related to that training industry. (For a list of the most common trainings, see this article: How to learn about ISO 27001 and BS 25999-2.)
Regarding the accreditation, there is a similar pattern as described above – if an institution wants to provide training certificates, it should be accredited by an accreditation body, and in this case, such institution needs to be compliant with ISO 17024.
Here are some of the most popular accredited training institutions: PECB, IRCA, Exemplar Global (formerly RABQSA), etc.
In most cases, those accredited training institutions are not delivering the courses directly to students; rather, they have a network of partners – training providers – who deliver the courses under their license and supervision.
This relationship between accredited institutions and training providers basically works in two ways: (a) training providers are using courses developed by accredited institutions, and then the accredited institution issues certificates directly to students, or (b) the training organization develops their own course and an accredited institution certifies such course – in this case, it is common for the training organization to issue the certificate to students, with the approval of the accredited institution.
There are numerous training organizations worldwide – ranging from the certification bodies that also offer the certification of organizations, to small, specialized niche-players and providers of online courses.
It is worth mentioning that certification of courses is mandatory for training providers that provide courses like Lead Auditor, because this is the only way to gain recognition from the certification bodies that will hire auditors with such certificates. However, for other, shorter courses, training providers often choose not to certify their courses because such recognition is not important, and they consider their brand name to be enough of a guarantee of the course quality.
So, remember – whether you are an individual looking to get recognized, or if your company needs to get an official statement that it is compliant with a standard, there is a certification program that covers your needs.
The point is – on one hand you have ISO standards as sources of knowledge and best practice, and on the other hand you have a well-established way to prove your knowledge and/or processes in your company. The only question you have to ask is – how can this benefit you?
Check out this ISO eTraining website with free online courses for ISO 9001, ISO 14001, and ISO 27001 – they will teach you how to implement the standards, but also enable you to get certified.