"ISO certified company": what does it mean?
What does "ISO certified company" really mean? Understanding the certification of management systems
In the world of business, the term "ISO certified company" is often thrown around as a hallmark of quality and reliability. But what does it actually mean? There’s a common misconception that when a company is ISO certified, it’s the entire organization that gets the stamp of approval. The truth is a bit more nuanced.
ISO certification: it’s about the management system, not the company
ISO (the International Organization for Standardization) develops standards that, among many other subjects, address disciplines such as quality management, information security, environmental management, occupational health and safety, and business continuity. When a company is said to be “ISO certified”, technically it’s not the company itself that’s certified, but rather its management system. This distinction is important to understand for anyone working in or with management systems and standards.
A management system is a framework of processes and procedures used to ensure that an organization can fulfil the tasks required to achieve its objectives. These objectives might relate to quality (ISO 9001), environmental performance (ISO 14001), information security (ISO/IEC 27001), and many others. Each ISO standard sets out the criteria for a specific management system, providing a structured approach to managing these areas of business.
Why this distinction matters
For management system professionals, understanding this distinction is essential. ISO certification signifies that a company’s management system complies with a specific ISO standard, meaning that the processes in place are effective, consistent, and aligned with international best practices. However, this doesn't necessarily mean that every aspect of the company is perfect; it means that the company has a reliable system in place to manage and continually improve a particular aspect of its operations.
This distinction is more than just a technicality. It has practical implications:
- Scope of certification: When a company is “ISO certified”, it’s important to understand what its management system certification covers. It’s possible for the certification to refer to only a part of the company or to only some of its activities.
- Auditing and compliance: Obtaining and maintaining an ISO certification involves regular audits conducted by impartial and competent auditors. Certification without audits and self-certification are fakes, and their sole purpose is to deceive clients and other stakeholders.
- Communication: When communicating with stakeholders, it’s important to accurately present what the ISO certification refers to, what it covers, and also who issued that certification. Misrepresenting the scope of certification, not explaining the discipline that the certification refers to (e.g. quality management, business continuity, food safety, etc.) or not specifying who exactly issued that certification are not signs of honest and transparent communication.
The technicality that makes a difference
While the distinction between certifying a company versus its management system might seem like a technical detail, it’s a detail that carries significant weight. For professionals tasked with implementing and maintaining these systems, grasping this concept is foundational to effective management.
Conclusion
The term "ISO certified company" might be a convenient shorthand, but it’s important to remember that it’s the management system, not the company itself, that the certification refers to. For management system professionals, understanding this distinction is important, although it may seem like a minor technicality.