
A tender lists ISO 9001 as a condition of bidding, and the qualification stage marks it pass or fail before anyone reads your price. On another deal, an in-date certificate is written into the contract as a term. The deal is sitting behind a certificate you do not yet hold, and the clock is the buyer's, not yours.
This guide covers the practical route to getting ISO 9001 certified: the quality management system you build, the records you generate, and the external audit that issues the certificate. For what ISO 9001 is and which buyers ask for it, read the what is ISO 9001 guide ``.
ISO 9001:2015 is the current edition of the international standard for a quality management system, and it is the edition you certify to today. It sets out requirements across ten clauses, from the context of your organisation through to improvement. Certification means showing an external assessor that you meet the requirements in clauses 4 to 10 and hold the records to prove the system runs day to day.
In practice, the standard asks you to produce and maintain:
The full explainer sits in the spoke above. The rest of this guide is the process for turning those requirements into a certificate.
Certification splits into two halves. Steps 1 to 7 are your own work, building and running the system. Steps 8 to 10 belong to an external certification body, which assesses you and issues the certificate.
There is no fixed figure from ISO or UKAS. UK certification bodies such as BSI, ISOQAR and Amtivo commonly put a first-time SME at around three to six months, from starting the quality management system to the Stage 2 assessment. Larger or more complex organisations take longer. Treat this as industry-general guidance, not a rule.
The main reason it cannot be instant is evidence. A certification body usually expects the system to have operated for roughly three months before Stage 2, because the internal audit and management review need real records behind them. You cannot audit a system that has not yet run. Reusing management-system work you already hold, from an existing standard like ISO 27001, shortens the preparation, though the records still need time to accumulate.
The failures at Stage 2 tend to repeat, and most are avoidable if you know them in advance.
Naq gets your quality management system audit-ready and runs it day to day. The certificate still comes from an external UKAS-accredited body, as it does for ISO 27001. What the platform does is remove the duplication and hold the evidence in a form an assessor accepts.
One system for ISO 9001 and ISO 27001. Both standards use the same ten-clause Harmonised Structure, formerly known as Annex SL. Context, leadership, planning, support and the audit programme are common to both, so you build them once and they serve both standards through a single management review and internal audit programme. This is where the last blocker above disappears.
Controlled documentation by default. The document lifecycle moves each document from draft to effective to obsolete, with semantic versioning, a named owner and approver, mandatory approval comments and a review date set at sign-off. That is the controlled documented information clause 7 requires, kept up to date without a manual chase.
A CAPA register for nonconformity and improvement. Corrective actions run from open to closed, graded minor, major or opportunity for improvement, with a root cause required before closure and overdue items surfaced. This maps directly onto clause 10.2 and gives you the improvement evidence assessors look for.
An immutable activity history. Every change is logged and time-stamped, so the record you show an assessor is the record of what happened, and the AI assistant is read-only. It summarises and checks evidence on demand, and never edits the formal record. Setting measurable objectives stays a leadership task; the platform records and tracks them, it does not write them for you.
If you already run ISO 27001 with Naq, the ISO 27001 how-to guide covers the pairing from the other side.
An external certification body issues it, not ISO and not a software platform. In the UK, the credible route is a body accredited by UKAS, the national accreditation service. When a tender asks for ISO 9001, it almost always means UKAS-accredited certification, which procurement teams accept as independent proof.
UK certification bodies typically put a first-time SME at around three to six months, from building the system to the Stage 2 assessment. The main constraint is evidence: the body usually expects the system to have run for about three months so the internal audit and management review have real records behind them.
Stage 1 is a documentation and readiness review that confirms your system is designed correctly and ready for full assessment. Stage 2 is an on-site audit that checks the system works in practice, sampling records and observing processes. You clear any nonconformities from Stage 2 before the certificate is recommended.
Yes. Both use the same Harmonised Structure, so context, leadership, planning, support and the audit programme are common to both. Running them as one integrated management system means a single management review and internal audit programme serve both standards, which removes duplicated work.
ISO 9001:2015 is current and the edition you certify to now. A revision is in development, with publication expected in late 2026 and the usual multi-year transition once it publishes, so current certificates stay valid. Certify to 2015 today; there is no reason to wait