How to Get ISO Certified in Australia: A Step by Step Guide

11 Apr 2026 · 7 min read

A clear step by step guide to getting ISO certified in Australia, from gap analysis to your certificate, including timelines, audit stages and what it costs.

Getting ISO certified can feel daunting from the outside, but the path is well worn and surprisingly consistent regardless of which standard you are chasing or how big your business is. Whether it is ISO 9001 for quality, ISO 45001 for safety, ISO 14001 for environment or ISO 27001 for information security, the journey follows the same shape. This guide walks through every step from your first enquiry to the certificate on your wall, with honest guidance on timelines, what each audit actually involves, and where businesses tend to come unstuck.

The short version: you assess where you stand, build a management system that fits how you actually work, run it long enough to generate real records, check it yourself, then have a JAS-ANZ accredited certification body audit it in two stages. Most small to medium businesses get there in three to nine months. The certificate then lasts three years, with lighter surveillance audits along the way.

Before you start: certification vs accreditation

One piece of language trips people up, so it is worth clearing first. Your business gets certified to an ISO standard by a certification body. That certification body is itself accredited by JAS-ANZ, the Joint Accreditation System of Australia and New Zealand. So you are certified, and the auditor is accredited. When a tender asks for accredited certification, it means a certificate issued by a JAS-ANZ accredited body. Choosing a cheap, non accredited certifier is the single most common way to end up with a certificate that the contracts you wanted will not accept.

The certification journey at a glance

Step 1: Gap analysis

You start by comparing what your business already does against what the standard requires. A good gap analysis is honest and specific, listing exactly which requirements you meet, which you partly meet, and which are missing. It becomes your project plan. Skipping it is a false economy, because you end up either building things you did not need or discovering missing pieces at the worst possible moment, during the audit.

Step 2: Build the management system

Next you develop the policies, processes and records the standard requires. The single most important principle here is that the system must reflect how your business actually operates. A generic template pack describing a business you do not run is worse than useless, because your people will not follow it and an experienced auditor will see through it immediately. The aim is a system your team recognises as a description of their real work, tightened up where the standard demands.

Step 3: Implement and embed

A management system on paper is not enough. You need to actually use it long enough to generate evidence (completed records, real risk assessments, genuine training logs) before an auditor can confirm it is working. This usually takes two to three months, sometimes longer for more complex standards like ISO 27001 or ISO 13485. This is the step businesses most often underestimate, because it requires patience rather than effort.

Step 4: Internal audit and management review

Before any external auditor arrives, the standard requires you to audit the system yourself and to hold a formal management review where leadership examines how the system is performing. These two activities are mandatory, and a missing or token internal audit and management review is one of the most common reasons certification is delayed. Done properly, they also surface and fix problems before the certification body finds them.

Step 5: Stage 1 audit

The certification body conducts the audit in two stages. Stage 1 is a documentation and readiness review. The auditor checks that your system is designed correctly, that the mandatory elements are in place, and that you are ready for the deeper audit. They will usually flag any gaps so you can address them before Stage 2. Think of it as a structured dress rehearsal rather than a pass or fail exam.

Step 6: Stage 2 audit

Stage 2 is the main event. The auditor examines your system in operation, interviewing staff, reviewing records and checking that what you do matches what your system says. They look for evidence that the system is genuinely implemented and effective. Any shortfalls are raised as nonconformities, which you then address. Minor nonconformities usually require a corrective action plan, while a major nonconformity must be resolved before certification can proceed.

Step 7: Certification decision and your certificate

Once any nonconformities are cleared, the certification body makes an independent certification decision and issues your certificate. It is valid for three years. From this point you can legitimately state that you are certified to the standard and use it in tenders and marketing, within the rules the certification body sets.

Step 8: Surveillance and recertification

Certification is not a one off. The certification body conducts lighter surveillance audits, typically once a year, to confirm the system is still operating. At the end of the three year cycle you complete a recertification audit, a fuller assessment that renews the certificate for another three years. This cycle is why a system built to survive only the first audit always fails later, and why building something genuinely usable from the start matters.

How long does it take?

For a focused small to medium business, three to four months is achievable for a single, simpler standard like ISO 9001. Larger or multi site organisations more commonly take six to nine months, and more complex standards such as ISO 27001 or ISO 13485 can take longer because of the depth of risk assessment or documentation involved. The biggest variable by far is internal capacity. If someone in the business has dedicated time, the project moves; if it is squeezed around everyone's day job, it drifts.

Should you use a consultant or do it yourself?

You can certainly pursue certification in house, and some businesses with spare expertise and time do exactly that. The honest trade off is speed and confidence. A good consultant compresses the timeline, steers you away from the common traps, and builds a system that is genuinely usable rather than a binder no one opens, but you still own and run the system. The wrong kind of consultant sells you a generic template and disappears, which is the worst of both worlds. The test of a good one is simple: do they build a system around your business, or your business around their template?

Common mistakes to avoid

  • Choosing a non accredited certifier to save money, then finding the certificate is not accepted where it counts.
  • Using a generic template that describes a business you do not run.
  • Rushing implementation so there are not enough real records for the auditor to assess.
  • Skipping or tokenising the internal audit and management review, which are mandatory.
  • Treating the certificate as the finish line rather than the start of a three year cycle.

How ISO Accreditation can help

We guide Australian businesses through every step of certification, from gap analysis and building a system that fits how you actually work, to coaching your team through both audit stages and supporting you across the surveillance cycle. We keep the process simple and the system usable, and we will be straight with you about timelines and effort. Book a free consultation and we will map the most efficient path for your business.

Book a free consultation → isoaccreditation.com.au/contact-us

Call 1800 577 060 · info@isoaccreditation.com.au

Frequently asked questions

How long does ISO certification take in Australia?

Commonly three to four months for a simpler single standard in a small business, and six to nine months or more for larger organisations or complex standards. Internal capacity is the biggest factor.

What are Stage 1 and Stage 2 audits?

Stage 1 is a documentation and readiness review. Stage 2 is the main audit of your system in operation, where the auditor checks that what you do matches what your system says.

Do I need a consultant to get certified?

No, but a good consultant speeds the process and helps you avoid the common traps. The key is choosing one who builds a system around your business rather than selling a generic template.

What happens after I am certified?

Your certificate lasts three years, with lighter surveillance audits about once a year and a fuller recertification audit at the end of the cycle.

Why does the certifier need to be JAS-ANZ accredited?

Because tenders and serious buyers expect accredited certification. A certificate from a non accredited body may not be recognised, which can defeat the purpose of getting certified.
