Extending your certification - The journey from a QMS to an IMS - Part 3


Extending ISO certification to other topics

September 2024.

This article is the third in our series on the journey from a QMS (Quality Management System) to an IMS (Integrated Management System). It is based on an organisation that has ISO 9001 certification and is thinking about extending it to one or more other standards. For example, ISO 27001 Information Security, ISO 45001 (OH&S), or ISO 14001 Environment – or perhaps a combination of them.

This article has a focus on extending your certification.

The Certification Body and the Auditor

One very practical consideration is whether your existing CB (Certification body) is accredited for the additional standards.

What is accreditation?
It’s an independent third-party assessment of a CB's competence. There are a number of accreditation bodies around the world - such as UKAS, ANAB and JAS-ANZ. They do not certify organisations themselves but accredit CBs to do so. You may think of it as a seal of approval of the CB.

Most accredited CBs have a scope of capability that includes ISO 9001 (Quality), ISO 45001 (OH&S), or ISO 14001 Environment. Some (but not all) of them are also accredited to certify against the ISO 27001 Information Security standard. So, it's worth checking whether your existing CB has the required scope for the standards you plan to extend your certification to. If they don't, you can generally transfer your certification to one that does.

A second consideration is regarding your existing auditor. Again, many auditors are personally qualified to audit to more than one topic. It's therefore quite possible that your existing auditor is also qualified to handle an expanded certification. If not, the CB may either provide an alternative auditor, or two auditors may work together as a team. That can be quite common where an auditor has completed the required lead auditor course but doesn't yet have sufficient audit experience on a topic. In that case, they can work alongside a colleague that meets all the relevant criteria.

The cost of extending your certification

Of course, a major part of any decision to extend certification is likely to be the cost of the certification audit itself. The good news here is that this is a situation where 1+1 doesn’t equal 2.

Let's say that you already have ISO 9001 certification and are planning to extend it to also include ISO 45001 OH&S. Both standards are of an approximately similar length and level of complexity. Therefore, if an ISO 9001 certification audit for a small business takes say 2 days, it's reasonable to think that extending it to include ISO 45001 might take 4 days. Right? Wrong. It's likely that in such a case, the combined certification audit might take only 3 days. Here's why. Some years ago, ISO developed a common structure and common terminology for its management system standards. They now all look and feel very similar. You might say that they standardised the standards.

The result is that your arrangements to implement management system components such as setting objectives, managing documents, internal audits etc. are likely to be similar for each topic. The smart method is to integrate those activities where practicable. The more you integrate, the more efficient it will be to implement, and of course the more time-efficient it will be for the CB to audit.

Take a look at the illustration below.


The common structure of certification standards

The coloured clauses are those that are very similar in each of the major management system certification standards. Those in grey are clauses that are specific to just one or two standards. For simplicity, we have taken a couple of liberties with some of the clause titles, but this clearly illustrates how much commonality there is.

The ISO 27001 Information Security standard does have some significant differences. Although it again follows that common structure, it also has a list of additional controls (known as Annex A) that need to be considered and implemented as required.

The certification cycle and when should you extend?

ISO management system certification is generally issued for 3 years - subject to at least 2 (usually annual) surveillance audits during that period. If you are planning to extend your certification, another consideration is at what point in the 3-year cycle you should do it. The answer is that it can really be at any time. It doesn't have to be at a re-certification audit or even at a surveillance audit. The timing of when to go for the extended certification may well be driven by commercial pressures. There will generally be cost savings if you can make the audits coincide, but if you need the additional certification sooner rather than later, e.g. to satisfy a contractual obligation or grasp a major opportunity, it may well be worth going early. However, it is generally simpler and more cost-effective to align the audit timings when practicable to do so. If it is not convenient to do so initially, it's worth considering aligning them later. Your CB should be able to advise. Qudos has also helped numerous clients through a wide range of extension scenarios and one of our consultants can also provide you with the benefit of their experience.

The next article in this series

In the next article in this series, we will be reporting on the ISO 45001 and ISO 14001 certification outcome for our client Allmet Engineering, who have been the example used throughout the series.
