ISO certification, accredited certification body, international standards, ISO management systems, ISO auditor, ISO consulting, ISO certificates, ISO training, conformity assessment, accredited ISO certification, third-party certification, ISO certification services, ISO audit process, ISO registration, ISO compliance

Need help or have a question? Contact Us

RO ISO certification, accredited certification body, international standards, ISO management systems, ISO auditor, ISO consulting, ISO certificates, ISO training, conformity assessment, accredited ISO certification, third-party certification, ISO certification services, ISO audit process, ISO registration, ISO compliance office@rigcert.org
RO

Contact Us

ISO certification, accredited certification body, international standards, ISO management systems, ISO auditor, ISO consulting, ISO certificates, ISO training, conformity assessment, accredited ISO certification, third-party certification, ISO certification services, ISO audit process, ISO registration, ISO compliance
office@rigcert.org

Follow Us

Certification Rules

Home

Certification Rules

Management system certification rules

GENERAL

Management system certification is a process through which a third party (the certification body) evaluates whether an organization’s management system conforms to defined requirements. If the evaluation is successful, the certification body issues a certificate to confirm conformity.

The primary purpose of certification is to provide assurance that a management system meets specified standards. The value of certification lies in the trust and confidence it provides, based on an impartial and competent evaluation.

This document sets out the general rules for obtaining, maintaining, and renewing management system certification. Depending on the specific management system certification scheme, additional requirements may apply.

Responsibility for the conformity of the management system lies solely with the organization. RIGCERT is responsible for assessing objective evidence upon which its certification decisions are based.


INITIAL CERTIFICATION PROCESS

Application and Contract

The certification process begins with the submission of an application by any interested organization. This application may be submitted electronically or in paper format, directly to RIGCERT or through an authorized RIGCERT partner.

The application provides basic information about the organization seeking certification and is necessary for RIGCERT to prepare an appropriate offer. In addition to the completed application, RIGCERT may request supporting documents to verify the organization’s legal status, structure, and authorized activities.

Certification can only be granted for activities that the organization performs and is legally authorized to carry out under applicable laws and regulations.

The application must also indicate whether the organization has used consultancy services in the design or implementation of its management system. Depending on the discipline, consultancy may include related activities such as reporting, risk assessment, incident or accident investigation, internal audits, communication with authorities, or holding relevant roles.

All information must be provided by an authorized representative of the organization.

RIGCERT reviews the submitted information to define an audit programme specific to the applicant organization. A certification offer is issued, and upon acceptance by the client, a formal certification contract is signed.


Initial Certification Audit

The initial certification of a management system involves a two-stage audit process.

The audit is performed by an audit team appointed by RIGCERT. The composition of the audit team is communicated to the client prior to the audit. The client has the right to raise justified objections regarding the proposed audit team members. In such cases, RIGCERT will review the objection and, if necessary, replace the concerned team member(s).


Stage 1 

The purpose of the Stage 1 audit is to evaluate the readiness of the organization for the Stage 2 audit and to review key aspects of the management system. This includes reviewing the management system documentation; gaining an understanding of the client’s operations, locations, processes, and equipment; evaluating the client’s understanding of certification requirements; confirming readiness for the Stage 2 audit.

Stage 1 is typically conducted at the client’s premises. Upon completion, the audit team communicates any concerns or observations that may, if unresolved, lead to nonconformities during Stage 2.

The interval between Stage 1 and Stage 2 audits is determined based on the findings of Stage 1. Significant issues may result in a delay or cancellation of Stage 2.


Stage 2

Stage 2 audit assesses the implementation and effectiveness of the management system in meeting the requirements of the applicable standard.

This audit is conducted at the client’s location(s) and follows an audit plan prepared by the audit team and agreed upon with the client in advance.

The audit begins with an opening meeting and concludes with a closing meeting where the audit findings and conclusions are presented.

During the audit, the team collects evidence through interviews, direct observation of activities, and review of documented information. Audit team members are bound by confidentiality obligations for all information obtained.

The client is expected to provide full access, cooperation, and relevant information to ensure an effective audit process.

Nonconformities identified during the audit are classified as either major or minor. Definitions of these nonconformities are included in the audit plan.

Following completion of the Stage 2 audit, the audit team prepares a final audit report, which includes their recommendation regarding certification.


Audit time calculation

Audit time is calculated in auditor days and includes time allocated for planning, conducting, and reporting the audit.

RIGCERT determines the number of auditor days based on several factors, including the effective number of personnel (as stated in the application), the number and complexity of sites or locations, the scope of certification sought, the applicable certification scheme.

The calculation is performed in accordance with RIGCERT’s internal procedures and international standards and guidelines.

The effective number of personnel includes permanent, temporary, and part-time staff involved in the scope of certification, and may also include contractors or subcontractors whose activities are controlled by the organization and are relevant to the certification scope.


Multi-site organizations

For organizations with multiple sites, RIGCERT may apply sampling methods as permitted by the applicable certification scheme.

Not all multi-site organizations are eligible for sampling; specific eligibility criteria must be met. RIGCERT will inform the client in advance if sampling will be applied and under what conditions.


Certification decision

The certification decision is made following an independent review of the audit documentation by RIGCERT, based on its internal procedures.

If major nonconformities are identified during the Stage 2 audit, the client is required to implement corrective actions within a maximum of 6 months from the audit conclusion. Certification is granted only after the corrective actions have been reviewed and accepted by the audit team. If the nonconformities are not addressed in this timeframe, a new Stage 2 audit must be conducted.

For minor nonconformities, the client must submit proposals for corrective actions, which will be verified during the next scheduled audit (typically the first surveillance audit).

The certification cycle spans three years and includes: the initial certification audit (Stage 1 and Stage 2), the first surveillance audit (approximately one year after certification), the second surveillance audit (approximately two years after certification), a recertification audit in the third year.


    Fees

    Certification fees include the following components: application review and audit planning, auditor day rates, report review and certification decision.

    Fees vary depending on several factors, including the certification scheme(s), the geographical location(s) of the client, audit language, specific characteristics of the audit.


      Conformity certificate

      RIGCERT issues a certificate for each standard under which the management system has been evaluated and found compliant.

      Together with the certificate, the client receives a certification programme outlining the timing of surveillance and recertification audits.


      SURVEILLANCE

      Throughout the three-year certification cycle, RIGCERT monitors the conformity of the certified management system according to the schedule outlined in the certification programme.

      Surveillance activities include at least one audit per calendar year, except during recertification years. The main objective of surveillance audits is to assess whether the management system continues to meet applicable requirements.

      In addition to on-site audits, surveillance activities may include requests for relevant information from the certified client, review of public statements made by the client about their certification, other monitoring methods to evaluate performance.

      If major nonconformities are identified during surveillance and corrective actions are not implemented in due time, certification may be suspended.

      The first surveillance audit must be conducted no later than 12 months from the date of the certification decision. Subsequent surveillance audits must be carried out annually.

      Delays to the planned dates outlined in the certification programme may be accepted only under exceptional circumstances, with proper justification, and must not exceed 6 months beyond the scheduled date.


      SHORT-NOTICE AUDITS

      Under certain circumstances, RIGCERT may carry out short-notice audits. These situations may include investigation of complaints, follow-up on suspended clients, significant changes affecting the management system, other risk-based reasons identified by RIGCERT.

      Clients are informed of these audits on short notice. Depending on the purpose, such audits may cover the full management system or focus only on specific areas or processes.

      The scope and arrangements for short-notice audits are determined by the audit team and communicated to the client in the audit plan.


      EXTENSION OF CERTIFICATION SCOPE

      Clients may request an extension of the certification scope, which can include the addition of new activities and/or locations.

      Such extensions require a dedicated audit, which may be performed in conjunction with a scheduled surveillance audit, or as a separate scope extension audit.

      Scope extension activities are formalized through an addendum to the existing certification contract.

      If the extension is granted, RIGCERT issues a revised certificate reflecting the updated scope. The validity of the revised certificate remains aligned with the original certification cycle.


      CERTIFICATION SUSPENSION

      Certification may be suspended by RIGCERT in the following cases: the certified management system persistently or seriously fails to comply with certification requirements; the certified client does not permit surveillance or recertification audits to be performed as scheduled; the client voluntarily requests suspension; the client misuses the certificate(s) or certification mark and fails to take corrective action; the client fails to inform RIGCERT of significant changes affecting the management system, such as legal, organizational, or ownership changes, changes to key personnel, locations, or activities, modifications that impact the system’s capability to meet requirements.

      The management system certification can also be suspended if the client does not comply with changes in certification requirements as communicated by RIGCERT or delays payment of fees beyond the terms agreed in the contract.

      If certification is suspended, RIGCERT will inform the client of the decision and specify the suspension period, which shall not exceed 6 months.

      During the suspension period, the certification is considered temporarily invalid.

      Certification may be reinstated if the issues that led to suspension are resolved within the allowed timeframe. If not, the certification may be withdrawn or the scope reduced.


      CERTIFICATION WITHDRAWAL

      Certification may be withdrawn by RIGCERT under the following circumstances: the client fails to resolve issues that led to the suspension within the permitted timeframe; the client ceases operations, is dissolved, declared bankrupt, or otherwise legally unable to function; the client voluntarily requests withdrawal.

      Once certification is withdrawn the client is no longer permitted to use the certificate(s) or reference the certification in any form. Any outstanding financial obligations to RIGCERT remain in effect and must be fulfilled.


        REDUCTION OF CERTIFICATION SCOPE

        The scope of a certification may be reduced when specific activities, processes, or locations covered by the current scope no longer meet certification requirements.

        Scope reduction may be requested by the certified client, or decided by RIGCERT as a result of audit findings or significant changes in the organization.

        Any reduction in scope is reflected in the revised certificate issued to the client. The revised certificate retains the same expiration date as the original.


        RECERTIFICATION

        The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and to ensure ongoing fulfillment of the relevant standard’s requirements.

        RIGCERT contacts certified clients in advance to plan and schedule the recertification audit in a timely manner, ensuring the process is completed before the current certificate expires.

        The recertification audit includes a comprehensive review of the management system, past performance, effectiveness of corrective actions, and results of surveillance audits.


        CERTIFICATION TRANSFER

        RIGCERT may accept the transfer of a valid management system certification issued by another accredited certification body, provided that: the certificate was issued under the accreditation of a body that is a signatory of the IAF Multilateral Recognition Arrangement (IAF MLA) and the certification subject to transfer is not suspended or withdrawn at the time of the transfer request.

        Transfers can be requested at any point during the certification cycle. The decision to accept or reject a transfer is based on a review of supporting documentation and, if necessary, an additional audit.

        Suspended or withdrawn certifications are not eligible for transfer.


        APPEALS

        Clients may submit appeals regarding certification decisions made by RIGCERT, or the outcomes of complaint investigations.

        Upon receipt of an appeal, RIGCERT verifies its validity and initiates an investigation. Depending on the nature of the case, actions may include contacting relevant parties, conducting additional audits, requesting supporting information from internal or external sources.

        Appeals are reviewed and decided by personnel who were not involved in the activity or decision under appeal, ensuring impartiality. The composition of the appeals panel is communicated to the appellant.

        RIGCERT keeps the appellant informed about the progress of the appeal investigation. The process is designed to be fair and transparent, and the submission of an appeal will not result in any discriminatory action against the appellant.

        The final decision on the appeal is formally communicated to the appellant.


        COMPLAINTS

        Complaints may relate to the conduct of RIGCERT personnel, the behavior or performance of RIGCERT-certified organizations, the actions of other entities associated with RIGCERT.

        Upon receiving a complaint, RIGCERT acknowledges its receipt and determines whether it concerns certification activities for which RIGCERT is responsible.

        If the complaint involves a certified client, RIGCERT informs the client in a timely manner and requests a formal position on the matter.

        The investigation may include requests for information or clarification, special audits, additional review of evidence.

        Complaints are handled by individuals who are not involved in the subject of the complaint. The investigation is conducted confidentially, and the outcome is communicated to the complainant.

        Disclosure of complaint details to the public is considered on a case-by-case basis and agreed upon by the parties involved.

        Submitting a complaint will not lead to any discriminatory treatment of the complainant.


        REQUESTS FOR INFORMATION

        Upon request, RIGCERT provides information on the following aspects of certified clients: certification status (e.g., valid, suspended, withdrawn), client name and identification reference; scope of certification; geographical location (city and country).

        Information beyond the above will only be disclosed when required by law. In such cases, the client (and/or the individuals involved) will be informed about the nature of the disclosure.


        CONFIDENTIALITY

        All information obtained or created during audit and certification activities is treated as confidential by RIGCERT.

        All personnel involved in certification activities, whether directly employed by or acting on behalf of RIGCERT, are bound by confidentiality agreements and are required to maintain the confidentiality of any client-related information they access.

        RIGCERT does not disclose information about a client’s management system or activities to third parties without the client's prior consent, unless required by law or accreditation rules.

        Information received from sources other than the certified client (such as complainants or authorities) is also treated as confidential and is not disclosed without appropriate justification and safeguards.


        IMPARTIALITY

        RIGCERT recognizes that impartiality is essential to maintaining the trust and credibility of the certification process.

        All personnel working for or on behalf of RIGCERT are made aware of the importance of impartiality and are required to act without bias or conflict of interest.

        Certification decisions are based solely on objective evidence collected during audits and reviews, and are not influenced by any external pressure or internal commercial interest.

        RIGCERT continuously identifies and evaluates risks to impartiality. Where risks are identified, appropriate measures are implemented to eliminate or reduce them to an acceptable level.

        RIGCERT’s commitment to impartiality is public.


        INFORMATION EXCHANGE

        RIGCERT communicates certification requirements and process-related information through this document, its official website, and other informational or promotional materials.

        For specific geographic areas, RIGCERT may share certification-related information through local representatives or partners.

        In the event of changes to certification requirements—such as updates to international standards or accreditation body criteria—RIGCERT publishes relevant information on its website. Each certified client is informed of such changes directly or through authorized partners.

        The method of communication depends on the nature and significance of the changes involved.

        Certified clients are required to inform RIGCERT without delay about any internal changes that may affect their certified management system. These may include legal, commercial, organizational, or ownership changes, modifications in key management or personnel, changes to operational sites or activities, major alterations to processes or structure.


          REFERENCE TO CERTIFICATION AND USE OF MARKS

          Certified clients must comply with all applicable requirements regarding the use of certification marks and any reference to their certification status.

          These requirements are detailed in the Regulation on the Use of the Certification Mark, which is available on the RIGCERT website, and provided to clients along with the certification mark upon issuance.

          Certified clients are responsible for ensuring that references to certification are accurate and not misleading, clearly indicate the scope of certification (i.e., to which locations, activities, or standards the certification applies) and are not used in a way that implies certification of products, processes, or services, unless this is explicitly covered by the scope.

          Misuse of the certificate or certification mark, including any misleading references in advertising, on websites, or on product packaging, may result in requests for corrective actions, suspension or withdrawal of certification, legal or reputational consequences as defined in contractual terms and applicable regulations.


          Last update: 01 July 2025