Certification is a three-year control cycle, not a one-day event. Stage audits, surveillance and recertification each protect the validity of the certificate.
- Initial certification moves from Stage 1 readiness to Stage 2 implementation evidence.
- Surveillance audits keep the certificate alive in years one and two.
- Recertification must finish before expiry to avoid a gap in validity.
Companies often treat certification as a finish line: pass the audit, frame the certificate, done.
You provide details of your organisation: sites, headcount, shifts, processes, standard and desired scope.
The rules below come from ISO/IEC 17021-1, the standard all accredited certification bodies must follow, so the structure is essentially the same whichever accredited body you use and whichever standard you certify (ISO 9001, ISO 14001, ISO 45001, ISO 22000 and others).
Before the audit: application and contract
You provide details of your organisation: sites, headcount, shifts, processes, standard and desired scope. The certification body uses this (under IAF rules) to calculate audit duration in auditor-days and quote. Two things to check at this stage: that the proposed scope wording matches what you actually want to claim, and that the quote covers the full cycle (both surveillance audits and recertification), not just the initial audit.
Stage 1: readiness review
Purpose: confirm you are ready for the full audit, so that stage 2 does not become an expensive discovery exercise. The auditor reviews your documented system (scope, policy, objectives, risk assessment, key procedures) and confirms that the internal audit and management review machinery exists and has run. Stage 1 also finalises stage 2 planning: sites to visit, processes to sample, site-specific conditions.
Stage 1 output is a report listing areas of concern: issues that could become nonconformities at stage 2. Treat this list as gold, it is the closest thing to a rehearsal you will get. If significant gaps exist, stage 2 is postponed rather than failed.
Stage 2: the certification audit
The full on-site audit of implementation: records sampled, processes observed in operation, staff interviewed at every level. (See our separate guide, What Auditors Actually Check: Inside a Stage 2 Audit, for the detail.) Findings are classified:
- Minor nonconformities: isolated failures; you submit correction, root cause analysis and corrective action within the CB's deadline.
- Major nonconformities: systemic failures; the CB must verify effective closure, sometimes with a follow-up visit, before certification can proceed.
The certification decision
The audit team recommends; an independent reviewer at the certification body, not involved in your audit, makes the decision. This separation is mandatory under ISO/IEC 17021-1. On a positive decision, your certificate is issued with a three-year validity, an initial issue date, and a defined scope and site list. Check every word: scope statements and site addresses on the certificate are what tenders and customers will verify.
Surveillance audits: years one and two
Certification is maintained, not merely awarded. The CB must conduct surveillance audits at least once per calendar year (except recertification years), and the first surveillance must follow within 12 months of the certification decision date. Miss that window and the CB is obliged to act against your certificate: this is the most common avoidable cause of suspension.
Surveillance audits are shorter than stage 2 and do not cover everything. They always examine the system's vital signs (internal audits, management review, complaints handling, corrective actions, use of marks and certificate claims, progress on previous findings), plus a rotating sample of processes so that the full system is covered across the cycle. Practical implications:
- Keep the system running continuously. Backfilling a year of records in the fortnight before surveillance is both obvious and a findings generator.
- Tell your CB about significant changes as they happen: new site, major process change, ownership change, scope change. Certification rules require it, and surprising your auditor is never the better option.
Recertification: year three
Before the certificate expires, a recertification audit reviews the whole system again, like stage 2, but informed by three years of history: surveillance results, complaints, performance trends, and how the system handled change. Two scheduling realities matter:
- Start early. The audit, closure of any findings, and the certification decision must all be completed before the expiry date to keep certification continuous. Leaving recertification to the final month is gambling with a gap.
- If the certificate lapses, the CB cannot simply extend it; depending on how much time passes, you may face additional audit activity or effectively restart. A lapse also means a period with no valid certificate, awkward mid-tender.
A successful recertification issues a new certificate for the next three years, and the cycle repeats.
Special audits: the unscheduled checkpoints
Certification bodies can also conduct:
- Follow-up audits to verify closure of major nonconformities;
- Special or short-notice audits in response to complaints, serious incidents, or significant changes;
- Scope extension audits when you add sites, products or activities to the certificate.
Suspension, withdrawal and transfer
- Suspension happens when the system persistently or seriously fails, for example major nonconformities not closed in time, surveillance audits refused or missed, or misuse of the certificate. During suspension your certification is invalid; CBs publish certificate status, so counterparties can see it.
- Withdrawal follows if the causes of suspension are not resolved in the allowed period. After withdrawal you start again from initial certification.
- Transfer: you can move a valid accredited certificate to another accredited CB without restarting the cycle. The receiving body conducts a pre-transfer review and honours the existing cycle dates. What cannot be transferred is an unaccredited certificate, or one under suspension (transfers cannot be used to outrun findings).
Reading the cycle strategically
The three-year rhythm is a management tool if you use it deliberately:
- Put all cycle dates in your management calendar the day the certificate is issued: surveillance windows, recertification lead time, findings deadlines.
- Schedule internal audits and management review to complete ahead of each external audit, so the external auditor sees a system that has already found and fixed its own problems.
- Budget for the whole cycle up front: surveillance and recertification are predictable costs, not surprises.
Companies that internalise the cycle find external audits become routine confirmations. Companies that rediscover the cycle two weeks before each audit live in a permanent state of emergency, and their findings history shows it.
QSI Cert is a SAAC-accredited, SFDA-approved certification body based in Riyadh and Al Khobar.
