ISO Certification FAQs
In this line of business we get a lot of questions. We are contacted by organizations with varying degrees of understanding of standards, auditing, management systems,and certificate/registration requirements. Regardless of your level of understanding or knowledge, we would like help you sort out some of those nagging questions and make sense of these new demands.
To follow is a fairly comprehensive list of questions we are frequently asked. We have also provided some information and additional facts about where to go for more answers. Of course, if you are still not sure what to do next or are left with some questions unanswered, feel free to contact us. You can also find some additional interpretations and information about different aspects of management systems and their requirements in our articles.
- What is ISO 9001 certification?
- Who or What is ISO?
- Why do I have to become ISO certified/registered?
- What is the process for becoming ISO certified/registered?
- We may need some assistance in developing our management system. Does TRC provide these services as well?
- We are a small company. Are there any discounts for ISO certification of small companies?
- The standard says that internal audits cannot be completed by someone involved in the activity. How does a small company meet this requirement?
- Why does our quality manual have to be approved?
- If I have a pre-assessment (preliminary) audit and our system is found to be effective, do I still have to have a registration audit?
- We utilize a software program as part of our system operations. Can your audit personnel utilize these systems during the audit?
- Do we get to choose our auditor and will the same auditor be conducting all of our assessments?
- What is AS 9100 certification?
- Who develops the AS 9100 standard?
- Who requires AS 9100 certification/registration?
- What is OASIS?
- What can implementing AS 9100 do for my company?
- I am already registered to ISO9001:2008. Why do I need to meet AS 9100 requirements?
- I am compliant with AS 9100 and ISO 9001:2008 and my customer audits me on a regular basis. Why do I need to certify/register my system?
- What is the cost for ISO certification?
- Why does AS 9100 cost more than ISO 9001:2008?
ISO 9001:2008 is the most recent edition of the ISO 9000 series of quality management system standards. Initially established in 1987 and subsequently revised in 1994, again in 2000 and most recently during 2008, the latest ISO 9000 standard is designed to provide organizations, whether manufacturing or service, the tools necessary to improve performance and customer satisfaction. Previous versions of this standard were divided into parts focused on whether or not the organization designed products/services, did not design products/services, or were primarily responsible for final inspection or test of products. The main goal of the ISO 9001:2008 series standard is to provide a generic approach to management systems that could be implemented into all types of organizations. The ISO 9001 standard also places greater emphasis on continual improvement throughout the organization; on customer satisfaction, both of the internal and external customers; and on regulatory requirements that impact an organization. The standard was also designed to be more compatible with ISO 14000, the environmental management standard.
ISO, or the International Organization for Standardization, is comprised of multiple groups of industry leaders responsible for the development of several standards. The standards range from quality management system standards to technical standards. More information can be found on the ISO website at: www.iso.org.
For many organizations, certification/registration is a requirement to be a supplier to many organizations. Certification/Registration is merely a means to ensure your organization and your customer that you have effectively implemented a management system. Further, that the system truly provides the means to ensure that your products or services are developed with consistency, quality, and customer expectations in mind. Other organizations implement and register a QMS because they are aware of the benefits associated with both the management system and registration. With the added audits performed by the registration body, your organization has access to valuable information like industry trends and best practices; a second set of eyes that can identify areas of needed improvement in the system where your internal audit team may not; and finally recognition in the efforts your organization makes towards continual improvement, product/service quality, and customer satisfaction.
To define the process for registration, we will start from the beginning.
1. A QMS cannot function as a separate entity within an organization, it must have the support of all personnel from the top down. Without total buy-in from top management, the system will likely not succeed or provide expected results. Top management will need to identify who has the main management function for the QMS and develop the plans for implementation of the system and the organization’s goals, objectives, product requirements, and customer expectations, to name a few.
2. Begin documenting the QMS. In most cases an organization will find that there is already existing documented procedures or work instructions in place. Work Instructions do not generally require changing, but procedures may need to blended to meet requirements. If not already established, your organization will need to implement processes for document control, internal audit, and management review. Other processes may need to be established as well and these will be determined during this implementation process.
3. Once you have implemented the QMS you will need to evaluate whether or not you have established the system in a manner that results in its effectively providing results. This is done through internal audit and management review.
4. Some time during the implementation and evaluation portion you will want to contact registration bodies to gather proposals to determine which is the best fit for your organization. For many organizations, cost is a factor, and we understand that; however, be thorough in your review. Many registration bodies charge fees annually or triannually on top of the man-day rates or have other added-on fees. Determine the availability of local assessors to avoid travel-related expenses and be sure to review the qualifications of the assessors they have available to you. You should have someone reviewing your system that at least has some familiarity to your type of business. Registration bodies are required to follow a defined guideline for on-site assessment time. Be wary of any proposal that is way off from other proposals you receive as this could jeopardize the future of your registration if appropriate justification is not given for drastic reductions in the guidelines. Also be wary of much lower man-day rates as these are likely offset with other fees or will drastically change at the time of re-registration.
5. Once you have selected your registration body they will require you to submit a copy of your 1st and 2nd tier documentation (manual and procedures) for a document review. This review is conducted to ensure that the established system requirements actually addressed the requirements of the referenced standard.
6. Completion of a successful document review opens the window for scheduling an initial registration assessment. The initial assessment reviews the entire QMS and goes as deep into your records as is necessary for the auditor to sufficiently judge whether or not the requirements are addressed and followed and the system is effective. If all requirements of the standard are not addressed or fully implemented, the requirements for registration are not met and a re-audit is generally required.
7. Upon completion of a successful registration audit (this could mean that there were minor nonconformities or no nonconformities and corrective action is taken and accepted where applicable) the registration body conducts a review of the audit results and makes a decision regarding issuance of the registration certificate. At TRC there is 2-part review process once all required post audit actions have been taken.
8. Once your registration is issued you are required to undergo regular monitoring or surveillance audits each year. Surveillance schedules are determined at the time of proposal, likely beginning with annual or 6-month surveillance intervals and are then continuously reviewed following each audit to determine either a decrease in time between surveillance activity or an increase.
No, TRC does not provide consulting services. The purpose of 3rd party assessments is to provide your organization with an unbiased, impartial review of the QMS. If TRC were to be involved in the development and implementation of the QMS, impartiality would no longer exist. Additionally, TRC reviews all auditor activities to ensure that auditors who are also consultants have not been involved in the development and implementation of the QMS scheduled for assessment; this includes not only the audit but decisions related to the client. TRC has access to a listing of consultants and we are happy to provide you recommendations or references to consultants in your area.
While there are no discounts for being a small business, you will inherently pay less for registration as requirements for onsite audit activities are lower. Requirements for onsite time are established by international governing bodies and their basis for use begins with the organization size or number of employees. From there other considerations are made for the degree of complexity of activities and the standard requested for registration.
An organization that has fewer resources must look to other options, like outsourcing or cross-functional activities, to fulfill internal requirements for audit. There are many individuals and organizations that provide internal audit services to small companies at a fraction of the cost of employing personnel full time. The contracted individual or organization manages the planning process for internal audit based on your established procedures or you can develop the plans for ongoing internal audit. Another option is to train individuals within your organization that can perform internal audits and alternate audit activities between processes. For small companies this is often not possible as people are actively involved in all the processes and activities of the company; therefore, outsourcing is a better option to ensure objectivity.
The development and implementation of a quality management system begins with establishing the requirements of the system you are putting in place. We are required to ensure that the manual adequately and effectively addresses the requirements set forth in the international standard. This approval must occur prior to conducting the registration assessment. Further, should you make any major changes to the manual during the term of registration/certification; you are required to resubmit the manual or changes for review prior to implementation. This is done to ensure that the changes do not directly impact the continued effectiveness of the QMS. Where changes are minor in nature, review can take place during normal surveillance activity.
A preliminary audit is generally a surface level assessment that provides your organization with a final review to ensure that indeed the system is fully implemented. In some cases an auditor may find that the organization is prepared for registration as only a few minor nonconformities exist that can be addressed through corrective action. Decisions regarding registration of the system at this point can only proceed if the preliminary audit is the same amount of time as is required for the registration assessment. As a typical preliminary audit is scheduled for a day or two, this would mean that additional time is required, in most cases. An auditor can make the decision to return and complete the registration either the following day or the following week. Auditors are required to contact our offices before finalizing this decision.
TRC auditors have experience with resource planning and on-line documentation systems. At TRC we encourage organizations to utilize tools that assist in and improve the processes and QMS of the organization.
TRC clients have input in the personnel utilized to conduct 3rd party assessment. Clients may request or decline any personnel selected for their audits and review the qualifications and credentials of all audit personnel prior to any assessment. TRC understands that a certain level of comfort and familiarity is gained over a period of time, making the assessment more efficient. While every attempt is made to maintain a consistent audit process, we must ensure that clients understand that there is a possibility that the auditor can change from time to time or permanently. With so many unknowns, management should be aware that there can be change and that we are unable to guarantee the same audit personnel. Other factors that may affect the options for audit personnel include requirements that we as a registrar are required to follow. Some industries require that TRC will to have different audit personnel assess the QMS to ensure the continued effectiveness of the QMS. A change in audit personnel is thus required at the time of re-assessment.
AS 9100 is an Americas Standard published by SAE for establishing a quality management system that is based on the requirements of ISO 9001:2008 integrated with key aerospace industry requirements. Its intent, together with harmonized standards for Europe and Asia/Pacific Sectors, is to create common, consistent methods for quality and safety of products and services provided to original equipment manufacturers (OEM) world-wide.
AS 9100 is developed by the American Aerospace Quality Group (AAQG) and coordinated with the International Aerospace Quality Group (IAQG). The AAQG consists of a membership of organizations that are responsible for the design, development, manufacture, and support of original equipment at the systems level. The IAQG is responsible for international aerospace initiatives and consists of member organizations from Europe, the Americas, and the Asia-Pacific who together provide input into the standards through experience and industry practices. The IAQG is also responsible for the management of the Online Aerospace Supplier Information System or OASIS.
Most, if not all, aerospace OEM organizations are requiring or establishing requirements for AS 9100 compliance and registration. As it is designed to be a flow-down requirement, many tier one to tier three supplier organizations are requiring their suppliers to implement and register an AS 9100 complaint quality management system.
The Online Aerospace Supplier Information System, or OASIS, is the international database of information regarding all registered aerospace suppliers world-wide. The information on a company’s certificate is considered “level one” data and is available for public access in OASIS. Information regarding the company’s performance during initial and surveillance audits is considered “level two” data and is only available through controlled access. Controlled access is granted by the registered company to their customer or to an individual for a specified amount of time through SAE. The registrar is required to enter a registered company’s data into the OASIS database within 30 days of issuing the registration certificate. The registrar is responsible to ensure the fee for the OASIS listing is paid to SAE.
In addition to ensuring you meet customer specific requirements, AS 9100 has many benefits including, but not limited to:
- Reduced operating costs
- Reduced waste
- Reduced customer audits
- Improved allocation and use of resources
- Increased productivity and performance
- Increased marketability
- Increased customer satisfaction
If you supply to a customer in the aerospace industry, which includes commercial airline manufacturers, military and defense manufacturers, and space and aeronautics manufacturers, you are required to meet customer specific requirements related to quality and safety. Those customer specific requirements are built into the AS 9100 standard. For tier one suppliers, unless granted a waiver, compliance and registration to AS 9100 is likely required.
By registering your compliant AS 9100 AQMS you will see a reduction in customer audits and the potential is there to eliminate those audits altogether. In addition, with the registration you
are listed in OASIS which creates a new resource for marketing your organization’s products or services.
As a registrar we are required to utilize the specific standards to arrive at your company’s audit duration. These standards are based on a company’s size or number of employees. After the number of employees is established, we determine the complexity of the product or service, number of processes, and maturity of an existing quality management system, if applicable.
AS 9100 inherently costs more than ISO 9001:2008 because of the sector requirements. Audits are generally required to be longer than an ISO 9001:2008 assessment for the registration. Surveillance audits are also increased and additional time is necessary for the auditor to conduct off-site planning and reporting. You are also going to pay for the expertise of the audit personnel. AS 9100 auditors are highly qualified industry professionals, specifically selected and certified through RABQSA. ISO auditors, although equally as qualified in their industries, are not required to be certified or meet qualifications that are as stringent as those for AS 9100 auditors.