ISO Certification

An ISO certificate is two very different things depending on who issued it. If it came from a NABCB or IAF-recognised certification body after a real Stage 1 and Stage 2 audit, it opens doors — PSU tenders, export-buyer onboarding, fintech contracts, M&A diligence. If it came from a website that promised the certificate in 48 hours for ₹4,999, it is a printout that fails every serious scrutiny and quietly damages your credibility when a buyer checks the IAF CertSearch database.

This page is about the first kind. Whether you need ISO 9001 for a manufacturing tender, ISO/IEC 27001:2022 for a SaaS security review, ISO 14001 plus 45001 for a factory audit, or 13485 for medical-device exports, the work is the same shape: build a management system that actually runs your business, then prove it to an auditor who knows what to look for.

At a Glance

• Who needs this: Manufacturers, exporters, IT/SaaS firms, hospitals, food businesses, medical-device companies, and any organisation bidding for PSU or large-enterprise contracts where ISO is a qualifying criterion.
• Standards covered: ISO 9001 (Quality), 14001 (Environment), 45001 (OH&S), 27001:2022 (Information Security), 22000 (Food Safety), 13485 (Medical Devices), 50001 (Energy).
• Governing framework: International Organization for Standardization (ISO) standards; accreditation under IAF MLA through NABCB in India, UKAS, ANAB, JAS-ANZ globally.
• Turnaround: ISO 9001 standalone 60-90 days; integrated 9001+14001+45001 system 90-120 days; ISO/IEC 27001:2022 90-150 days; ISO 13485 120-180 days.
• Certificate validity: Three years, with annual surveillance audits in Year 1 and Year 2 and a full recertification audit in Year 3.
• Verifiable on: IAF CertSearch (iafcertsearch.org) — a certificate that doesn't appear there is not a real ISO certificate.

What's New for FY 2026-27

ISO standards and the accreditation landscape have shifted meaningfully in the last two years. These are the points that change how a 2026-27 implementation looks compared to a 2022 one.

• ISO 27001:2022 is the only issuable version: The transition window from the 2013 version closed in October 2025. Any active 2013 certificate is now invalid; new and renewing certificates must be against the 2022 standard with its 93 Annex A controls in four themes.
• DPDP Act 2023 cross-mapping: Indian organisations implementing 27001:2022 are now mapping Annex A controls to Digital Personal Data Protection Act obligations — consent, data principal rights, breach notification, Data Protection Officer responsibilities — using the ISMS as the operating layer for DPDP compliance.
• ISO 9001 revision in motion: ISO/TC 176 has confirmed a revision of ISO 9001, with publication expected in late 2026. The 2015 version remains current and certifiable; implementations now should anticipate climate-action language and digital-transformation clauses likely to enter the revised text.
• Climate change amendment already in force: ISO published a common amendment in February 2024 requiring organisations to consider climate change as part of their context and interested-party expectations across all management-system standards. Audits in FY 2026-27 will check for it explicitly.
• NABCB scrutiny on light-touch CBs: NABCB has withdrawn or suspended accreditation from several CBs in the last 18 months for inadequate audit duration and weak evidence trails. Buyers and tenders are increasingly verifying certificates against the live IAF CertSearch database, not the paper certificate.

Why ISO Certification Is Worth the Effort

• Tender qualification: Most PSU, government and large-enterprise vendor onboarding processes treat ISO 9001 as a baseline qualifying criterion. ISO 14001 and 45001 are increasingly added for infrastructure, manufacturing and services contracts.
• Export-buyer audits: EU, Japanese and US buyers routinely require ISO certificates as part of supplier onboarding. For food, 22000 alongside FSSAI is standard; for medical devices, 13485 is effectively mandatory for CE-marked or FDA-bound product.
• Information-security contracts: Banks, fintechs, healthcare clients and global SaaS customers ask for ISO/IEC 27001:2022 before they sign. It is the most-asked-for security credential after SOC 2 and is often a faster path to revenue for Indian SaaS exporters.
• Insurance and lender comfort: Insurance underwriting and working-capital lenders look at ISO certificates as a soft signal of operational discipline, particularly in manufacturing and logistics.
• Internal operating discipline: Done seriously, the management system clarifies process ownership, builds a non-conformity and CAPA habit, and creates a measurement layer that survives staff turnover.
• M&A and investor diligence: Acquirers and PE diligence checklists now include ISO certificates with the CB name and IAF verification — non-accredited papers are flagged and reduce valuation comfort.

How It Actually Works

ISO certification is not a document-only exercise. It is a build, then an audit. Here is how a real engagement runs from kickoff to certificate, with realistic durations.

Step 1: Standard and Scope Selection (2-3 Days)

We start with the commercial driver — which tender, which buyer audit, which contract clause is asking for this. That drives the standard, the scope statement (which sites, which products, which services are covered) and the choice of certification body.

The scope statement matters more than people realise. A scope that is too narrow gets rejected by the buyer; one that is too wide makes the audit unnecessarily expensive. We get this right at the start in writing.

Step 2: Gap Analysis (5-10 Days)

A trained auditor walks the business clause by clause against the standard, plus Annex A control by control for 27001. The output is a gap report — what exists, what is missing, what needs strengthening, with priority and effort estimates against each item.

This is the moment to be honest. Hiding gaps here means discovering them at the Stage 2 audit, when fixing them is ten times more expensive.

Step 3: System Build and Documentation (30-90 Days)

Annex SL gives the high-level structure shared across modern ISO standards — context, leadership, planning, support, operation, performance evaluation, improvement. We build one management system on that backbone, then layer sector specifics (HACCP for 22000, design controls for 13485, Statement of Applicability for 27001) on top.

Documents are written to match how the business actually operates, not copied from templates. If a procedure does not reflect reality, the auditor will spot it inside ten minutes.

Step 4: Internal Audit and Management Review (7-15 Days)

A trained internal auditor — independent of the audited processes — runs a full internal audit. Non-conformities are raised, corrective actions assigned, root causes identified and closure verified.

Top management then sits down for a formal management review meeting against the standard's required inputs and outputs, with minutes that demonstrate decisions, resource allocations and improvement actions.

Step 5: Stage 1 and Stage 2 Certification Audit (10-30 Days)

Stage 1 is a documentation and readiness review by the certification body — usually a day or two on site (or remote for ISMS). The CB confirms scope, checks the documented system, and flags areas of focus for Stage 2.

Stage 2 is the real implementation audit — typically two to five auditor-days for a small to mid-sized organisation. The auditor interviews staff, samples records, traces processes end to end, and raises non-conformities. Minor non-conformities can be closed with corrective action plans; major ones need verified closure before the certificate is issued.

Step 6: Certificate Issue and Surveillance Calendar

Once corrective actions are accepted, the CB issues the certificate, which is then listed on IAF CertSearch with a verifiable certificate number, scope and validity dates.

Surveillance audits follow at roughly the 12-month and 24-month marks, with recertification at month 36. The system must keep running between audits, not be revived a week before the auditor arrives.

A Real Example: SaaS Firm Pursuing ISO 27001:2022 for a Banking Contract

Consider a 45-person SaaS company in Pune building a workflow product. A private-sector bank has offered a three-year contract worth ₹3.6 crore but requires ISO/IEC 27001:2022 from a NABCB-accredited CB before signing. Here is what the engagement looks like.

• Scope: ISMS covering the SaaS platform, development team, customer-support function and Pune office. Cloud infrastructure on AWS Mumbai region, with shared-responsibility model documented.
• Timeline: 110 days from kickoff to certificate — gap analysis 8 days, system build and SoA 55 days, internal audit and management review 12 days, Stage 1 audit at day 80, Stage 2 audit at day 100, certificate issued at day 110 after closing two minor non-conformities.
• Investment: Professional fees for build and audit support roughly ₹4.5 lakh; certification-body fees for Stage 1, Stage 2 and three years of surveillance roughly ₹3.8 lakh plus taxes. Annual surveillance fees are typically a third of the Stage-2 fee.
• What got built: Statement of Applicability against 93 Annex A controls, asset register, access-control matrix, secure-coding standard, vendor-risk register, BCP/DR plan with tabletop exercise, incident-response runbook, DPDP-mapped privacy controls, and a monthly metrics dashboard.

The contract was signed two weeks after certificate issue. The same ISMS now answers SOC 2 questionnaires, RBI vendor assessments and global customer security reviews — one system, multiple revenue unlocks.

Surveillance, Recertification and What Keeps the Certificate Alive

The certificate is not a one-time event. It is the start of a three-year cycle that the business must actively maintain.

• Year 1 surveillance: A reduced-scope audit roughly 12 months after certification, focused on internal audit, management review, non-conformity and CAPA effectiveness, and any high-risk processes flagged at Stage 2.
• Year 2 surveillance: Similar to Year 1, with rotation of processes audited so that the full system is covered across the cycle.
• Year 3 recertification: A full audit, similar in depth to the original Stage 2, leading to a new three-year certificate.
• Mandatory ongoing activities: Annual internal audit, annual management review, continuous non-conformity and CAPA tracking, training and competence records, document control, and management of changes (new sites, new products, new clouds).
• Suspension and withdrawal: Skipping a surveillance audit, refusing access, or material non-conformities can lead to suspension or full withdrawal of the certificate before the three years end — and the withdrawal appears on IAF CertSearch.

An ISO certificate left to drift between audits fails surveillance more often than it fails Stage 2. The discipline is monthly, not annual.

Where It Goes Wrong

• Choosing a non-accredited CB: The single most common mistake. A certificate without an IAF/NABCB accreditation mark on it is rejected by serious buyers, fails tender qualification, and cannot be verified on IAF CertSearch. The saving is illusory.
• Templates pasted without tailoring: Procedures lifted from the internet that describe a different business. Stage 2 auditors spot this immediately — staff cannot describe what the procedure says they do, and the system gets flagged as not implemented.
• Internal audit done by the wrong person: Auditing your own area, or being audited by your direct report, breaks the independence requirement. The internal audit is then disregarded by the CB and counts as a major non-conformity.
• Statement of Applicability written backwards: For 27001, writing the SoA to match what you already do, rather than risk-driven control selection with documented justification for exclusions, gets caught at Stage 1.
• Management review as a ceremony: A meeting where top management is briefed but makes no decisions, allocates no resources and tracks no actions is not a management review under the standard. The minutes give it away.
• Climate change context ignored: Post the 2024 amendment, organisations that have not added climate considerations to context and interested-party analysis are getting non-conformities at surveillance audits in 2026.
• Surveillance treated as optional: Businesses celebrate the certificate, dismantle the cadence, then panic three weeks before the Year-1 surveillance. CBs are increasingly issuing major non-conformities for evidence gaps in the surveillance window.

What You Receive at the End

• ISO certificate from a NABCB or IAF-recognised certification body, verifiable on IAF CertSearch with a unique certificate number, scope, validity dates and accreditation mark
• Complete documented management system — manual, scope statement, policy, risk register, process maps, procedures and work instructions
• Statement of Applicability with all 93 Annex A controls and documented justifications (for ISO/IEC 27001:2022)
• Internal audit reports, non-conformity and CAPA register, and management review minutes for the certification cycle
• Stage 1 and Stage 2 audit reports from the certification body, with corrective-action closure evidence
• Three-year surveillance calendar with audit windows, evidence-collection schedule and reminder cadence
• Sector-specific records as applicable — HACCP plan and PRPs (22000), Design History File and risk management file (13485), energy baseline and EnPIs (50001)
• Training records and competence matrix for staff in audit-relevant roles
• DPDP cross-mapping document (for 27001:2022) showing how the ISMS supports Digital Personal Data Protection Act compliance
• Recertification preparation pack issued at the start of Year 3

How to Get Started

Share two things in writing — the commercial reason for certification (tender clause, buyer requirement, contract draft, regulatory trigger) and a one-page description of the organisation, including sites, headcount, products or services, and current management-system maturity. We use this to recommend the standard, the appropriate scope statement and the right certification body for your sector and geography.

Once the scope and CB are agreed, the gap analysis kicks off within a week. From there, the engagement runs to a documented plan with weekly checkpoints, internal-audit and management-review milestones, and a fixed Stage 1 and Stage 2 audit window booked with the CB so the entire programme has a hard end date.