Blog
ISO 9001
July 17, 2026
Approx min read

How to get ISO 9001 certified

A tender lists ISO 9001 as a condition of bidding, and the qualification stage marks it pass or fail before anyone reads your price. On another deal, an in-date certificate is written into the contract as a term. The deal is sitting behind a certificate you do not yet hold, and the clock is the buyer's, not yours.

This guide covers the practical route to getting ISO 9001 certified: the quality management system you build, the records you generate, and the external audit that issues the certificate. For what ISO 9001 is and which buyers ask for it, read the what is ISO 9001 guide ``.

What ISO 9001 asks of you

ISO 9001:2015 is the current edition of the international standard for a quality management system, and it is the edition you certify to today. It sets out requirements across ten clauses, from the context of your organisation through to improvement. Certification means showing an external assessor that you meet the requirements in clauses 4 to 10 and hold the records to prove the system runs day to day.

In practice, the standard asks you to produce and maintain:

  • A defined scope for your quality management system and the context around it, including interested parties and, since Amendment 1:2024, a climate-change consideration (clause 4)
  • A quality policy set by top management and measurable quality objectives (clauses 5 and 6)
  • The documented information the standard requires, controlled and version-managed (clause 7)
  • Evidence the system operates: process records, internal audits, a management review and corrective actions (clauses 8 to 10)

The full explainer sits in the spoke above. The rest of this guide is the process for turning those requirements into a certificate.

How to get ISO 9001 certified, step by step

Certification splits into two halves. Steps 1 to 7 are your own work, building and running the system. Steps 8 to 10 belong to an external certification body, which assesses you and issues the certificate.

  1. Define your QMS scope and context. Set the boundary of the quality management system, the products and services it covers, and the internal and external issues that affect it (clause 4). Identify the interested parties whose requirements matter, including the climate consideration added by Amendment 1:2024.
  2. Map your processes and how they connect. ISO 9001 is process-based. Document the key processes that deliver your product or service, their inputs and outputs, and how you control and measure each one. Show where one process hands to the next.
  3. Set a quality policy and measurable objectives. Top management states the quality policy (clause 5). You then turn it into objectives with a metric, a target and a review cadence (clause 6), so performance can be measured rather than asserted.
  4. Produce the documented information. Create the scope, policy, objectives and procedures the standard requires, plus the records that show processes are followed. Keep it controlled: current versions, named owners, approval dates. This is documentation that reflects how the work happens, not a manual written to please an assessor.
  5. Implement and operate the system. Run the QMS long enough to generate genuine records. Operational control (clause 8), competence and training records (clause 7) and monitoring data (clause 9.1) all need real evidence before an assessor can see the system working.
  6. Run internal audits. Check the system yourself against the standard and against how you actually operate (clause 9.2). Record what you find, raise corrective actions for the gaps, and keep the dated evidence.
  7. Hold a management review. Top management reviews performance against the objectives, the internal audit results and customer feedback, then records the decisions that come out of it (clause 9.3). Assessors look for a dated review that genuinely happened.
  8. Pass the Stage 1 external audit. A UKAS-accredited certification body reviews your documentation and readiness. Stage 1 confirms the system is designed correctly and you are ready for the full assessment. The structure of this two-stage process is set by ISO/IEC 17021-1.
  9. Pass the Stage 2 external audit. The body carries out an on-site assessment to confirm the system works in practice. You clear any nonconformities they raise before a certificate is recommended.
  10. Receive the certificate and enter the surveillance cycle. The certificate is issued by the external UKAS-accredited body, not by a software platform, and runs on a three-year cycle. Surveillance audits in years two and three confirm the system is maintained, and you recertify before it expires. Continual improvement under clause 10 runs across the whole cycle.

How long ISO 9001 certification takes

There is no fixed figure from ISO or UKAS. UK certification bodies such as BSI, ISOQAR and Amtivo commonly put a first-time SME at around three to six months, from starting the quality management system to the Stage 2 assessment. Larger or more complex organisations take longer. Treat this as industry-general guidance, not a rule.

The main reason it cannot be instant is evidence. A certification body usually expects the system to have operated for roughly three months before Stage 2, because the internal audit and management review need real records behind them. You cannot audit a system that has not yet run. Reusing management-system work you already hold, from an existing standard like ISO 27001, shortens the preparation, though the records still need time to accumulate.

Where teams get stuck

The failures at Stage 2 tend to repeat, and most are avoidable if you know them in advance.

  • Documentation written for the auditor. Procedures describe an idealised process that nobody follows, so the records contradict how work actually happens. Assessors spot the gap quickly.
  • Thin internal audit and management review evidence. Clauses 9.2 and 9.3 are where many first-timers fall short. A single undated document does not show a review took place. Assessors want dated records that prove you ran them.
  • Objectives that are not measurable. Clause 6.2 asks for objectives with a metric, a target and a cadence. Vague aspirations with no number attached fail the test.
  • No evidence of improvement. Clause 10 expects a system that adapts. A QMS set up once and left static gives an assessor nothing to see.
  • Evidence gathered twice. Organisations that already hold ISO 27001 often rebuild context, leadership, document control and audit programmes from scratch for ISO 9001, duplicating work the two standards share.

How Naq gets you there faster

Naq gets your quality management system audit-ready and runs it day to day. The certificate still comes from an external UKAS-accredited body, as it does for ISO 27001. What the platform does is remove the duplication and hold the evidence in a form an assessor accepts.

One system for ISO 9001 and ISO 27001. Both standards use the same ten-clause Harmonised Structure, formerly known as Annex SL. Context, leadership, planning, support and the audit programme are common to both, so you build them once and they serve both standards through a single management review and internal audit programme. This is where the last blocker above disappears.

Controlled documentation by default. The document lifecycle moves each document from draft to effective to obsolete, with semantic versioning, a named owner and approver, mandatory approval comments and a review date set at sign-off. That is the controlled documented information clause 7 requires, kept up to date without a manual chase.

A CAPA register for nonconformity and improvement. Corrective actions run from open to closed, graded minor, major or opportunity for improvement, with a root cause required before closure and overdue items surfaced. This maps directly onto clause 10.2 and gives you the improvement evidence assessors look for.

An immutable activity history. Every change is logged and time-stamped, so the record you show an assessor is the record of what happened, and the AI assistant is read-only. It summarises and checks evidence on demand, and never edits the formal record. Setting measurable objectives stays a leadership task; the platform records and tracks them, it does not write them for you.

If you already run ISO 27001 with Naq, the ISO 27001 how-to guide  covers the pairing from the other side.

Frequently asked questions

Who issues an ISO 9001 certificate?

An external certification body issues it, not ISO and not a software platform. In the UK, the credible route is a body accredited by UKAS, the national accreditation service. When a tender asks for ISO 9001, it almost always means UKAS-accredited certification, which procurement teams accept as independent proof.

How long does ISO 9001 certification take for an SME?

UK certification bodies typically put a first-time SME at around three to six months, from building the system to the Stage 2 assessment. The main constraint is evidence: the body usually expects the system to have run for about three months so the internal audit and management review have real records behind them.

What is the difference between the Stage 1 and Stage 2 audits?

Stage 1 is a documentation and readiness review that confirms your system is designed correctly and ready for full assessment. Stage 2 is an on-site audit that checks the system works in practice, sampling records and observing processes. You clear any nonconformities from Stage 2 before the certificate is recommended.

Can I certify to ISO 9001 and ISO 27001 together?

Yes. Both use the same Harmonised Structure, so context, leadership, planning, support and the audit programme are common to both. Running them as one integrated management system means a single management review and internal audit programme serve both standards, which removes duplicated work.

Is a new edition of ISO 9001 coming?

ISO 9001:2015 is current and the edition you certify to now. A revision is in development, with publication expected in late 2026 and the usual multi-year transition once it publishes, so current certificates stay valid. Certify to 2015 today; there is no reason to wait

Written by
The Naq Team
Newsletter

The latest in compliance and cybersecurity direct to your inbox

Sign up now