Books FAQ

Listed below are some of the most common questions 2SB are asked by our clients. If you do not find the answer you are looking for, or would like further information, please do call, send us an e-mail or fill out our enquiry form online.    

What does it cost?

Costs will vary depending on the size of organisation and its activities.  Implementation costs for a single ISO Standard for a small business is about £4,000 for the training from 2SB and a further £1,500 for certification in the first year.

If you are OK running the system yourselves in subsequent years you will only have to pay certification costs of £750 per year.

Do I still need a Management Representative for my ISO System?

Reference to the "Management Representative" has been removed from the "2015 revisions" to the ISO Standards with the responsibilities in previous standards for running and developing the management system being made the direct responsibility of "Top Management". The objective being to make it clear that Top Management do have final responsibility for the performance of their organisation's performance.

It is not however feasible, with the multiple responsibilities on the shoulders of the Managing Director/ Chief Executive that they can carry this responsibility alone and delegation to a Management Representative or other person for the "administration" of the system is entirely appropriate.

What does ISO mean?

ISO is the abbreviation for the International Organisation for Standardisation which is the only major international standard setting body of representatives from various national standards organisations

How much do I need to document?

Documentation requirements vary depending on which standards you are implementing. We can advise you on exactly what documentation is required. Contrary to popular opinion, ISO systems do not need to be heavily documented.

How long does it take to get certified?

For a single management system, a typical time frame to implementation is 4 months.

What is ISO? Who are UKAS? What are certification bodies?

The ISO assessment process can be quite confusing. Understanding the difference between ISO, UKAS (the national accreditation body) and the certification bodies is the first step:


ISO is the International Organisation that writes standards for many different industry sectors. ISO 9001, 14001 and 27001 are some of the best known but as of January 2016 there were over 21,000 different ISO standards. ISO will review standards and issue updates, and write new standards where there is a need. It sits right at the top.


If ISO write the rules, it is UKAS who oversees them at the highest level in the UK. UKAS is the sole national accreditation body for the UK and is recognised by government. UKAS visit certification bodies to ensure that they and their assessors are performing to a sufficiently high level. Certification bodies seek to get accreditation from UKAS to demonstrate their competence, and 2SB believe in only suggesting certification bodies who have been accredited by UKAS. Some certification bodies are not UKAS accredited, but this means the certificate they issue is unregulated – these certificates carry less weight and in the worst cases may not demonstrate any compliance to the ISO standard.

Certification Bodies

The next step down is the Certification Bodies (DNV, NQA, ISOQAR, BSI etc). It is the certification bodies who will visit and audit your business to check for compliance against the ISO standards. Some certification bodies specialise in certain industries, some have international reputations, some are more competitively priced than others. There are around 100 certification bodies who are accredited by UKAS and it is up to your business who you ask to assess your ISO system. All certification bodies should do a similar job, however like with anything, the type of service given can vary. 2SB can help you select the right body to use for your business (and are not affiliated with any certification body).


Consultants (like 2SB) are used to help guide businesses implement management systems. They understand the standards needed to achieve certification but also look to add value to your business. It is possible for a business to successfully gain certification without the use of consultants however it can require considerable internal resources. Consultancies possess the experience, knowledge and training that can streamline the process and provide cost effective guidance as well as bring added value to your systems.

The ISO Structure

How does the certification process work? How do I get certification?

Firstly you will need to have implemented or be in the process of implementing the specific management system you are hoping to achieve certification against. You don’t need to have fully implemented the system before contacting the certification bodies, however having made a start or knowing how far you have to go can help set a date to aim for.

Once you have in mind a date that you feel is realistic to work towards, the next step is to contact one or more certification bodies to ask for quotes. You will be required to provide information about your business (i.e. nature of your work, number of employees and the roles they do, number of sites) so the certification body can make a good approximation about how many days it will take an assessor to audit your business.

We recommend contacting at least two certification bodies since the price and number of days they expect the audit to take can vary. 2SB recommend that you always approach UKAS accredited certification bodies, as these certificates carry much more weight and you can be assured that your business is being correctly assessed.

Based upon the quotes received, you will need to decide the most appropriate body to certify with and set a date for your Stage 1 and Stage 2 audits.

What are Stage 1 and Stage 2 audits?

A Stage 1 audit is usually a one day visit from the assessor in which they aim to:

- Get a feeling for your business and the processes involved

- Check your readiness for the full Stage 2 audit

- See if there are any major gaps that need to be filled before Stage 2

This is an important step as if anything is missing it can be resolved before the full audit. You cannot ‘fail’ a Stage 1 audit however you should have your management system as fully implemented as possible. If your system is particularly weak at Stage 1, the Stage 2 audit may be postponed and you may need another Stage 1 audit to determine readiness at a later date.

A good consultancy like 2SB will help you be ready for your Stage 1 so nothing major is missing from your system and that you can move on smoothly to the Stage 2 audit.

At Stage 1 the assessor will want to look around the business but the main focus is on leadership and whether the structure of the management system is in place.


At Stage 2 the assessor will switch their focus away from management and be taking a much deeper look into your business processes. They will be speaking to staff in the organisation, looking at whether your own processes are well implemented, and checking to see if the systems meet the requirements of the ISO standard.

Stage 2 is a longer audit, and can last anywhere from 2 days up to 6 days depending on a number of factors including the size of the business, the number of sites, the complexity of your work and the number of standards you are certifying against.

Stage 2 can give one of three results:

1) Your system is well implemented and meets the requirements of the standard. There may be some recommendations for improvements but there are no non conformities. You don’t need to make any major changes and you will receive your certificate.

2) There has been a minor non conformity observed, and this needs to resolved. You will receive a report giving you details of the minor non conformity and a timeframe to address it within. Once you have submitted proof that the non conformity has been addressed you will receive your certificate.

3) There is a major non conformity observed. In this case it is likely you will have to resolve the issue and undergo another audit to confirm it has been addressed. Generally major non conformities will be prevented by the Stage 1 audit which should highlight any major gaps in the system.


The certificate, once gained is valid for three years with the UKAS requirement that surveillance audits carried out annually and re-certification audits in the third year.

What are surveillance audits?

Once you have gained your initial certification, you will be required to have annual surveillance audits to ensure that your system is still functioning as it is intended, and is compliant to the ISO standard.

Surveillance audits are ‘lighter’ audits than the initial certification audit and will generally focus on higher risk/more critical business functions and on areas that non conformities have been previously observed. 

If a minor non conformity is raised you will be required to address this before the next annual audit. If a major non conformity is raised, this will need to be addressed and proof submitted or further audits carried out to ensure the system has been repaired. 

Two years of surveillance audits will be followed by a re-certification audit in the third year, in a three year cycle.

What is a re-certification audit?

The re-certification audit forms the final part of the certification cycle. It is more in depth than the surveillance audits and successfully passing it will give a renewed certificate for a further three year cycle (with annual surveillance audits).