The Question Every Business Owner Asks First
When a business owner calls me about ISO 9001 certification, the first practical question is almost always the same: how long is this audit actually going to take? It is a fair question. You need to plan around it. Your team needs to be available. You might need to book a meeting room for two days, or you might need to prepare for five. Getting the number wrong in either direction causes real problems.
On this page
The honest answer is that there is no single universal number. The duration of your ISO 9001 certification audit depends on a combination of factors, and understanding those factors will help you go into the process with realistic expectations. This article breaks down exactly how audit days are calculated, what drives the number up or down, and what you can do to make the most of the time you have.
How Audit Days Are Actually Calculated
The ISO 17021-1 standard, which governs how certification bodies conduct audits, sets out a methodology for determining audit duration. It is not arbitrary. Certification bodies are required to follow a structured approach, and the primary input into that calculation is the number of employees in your organisation.
The IAF (International Accreditation Forum) has published mandatory documents that certification bodies must follow when determining audit time. These documents set minimum audit durations based on headcount, and no accredited certification body is permitted to go below those minimums without documented justification.
The IAF Mandatory Document for Audit Duration
The IAF MD 5 document provides a table of minimum audit days for management system certification. For ISO 9001 specifically, the table works roughly like this based on employee count:
- 1 to 5 employees: approximately 1.5 audit days total across Stage 1 and Stage 2
- 6 to 10 employees: approximately 2 audit days
- 11 to 25 employees: approximately 3 audit days
- 26 to 45 employees: approximately 4 audit days
- 46 to 65 employees: approximately 4.5 audit days
- 66 to 85 employees: approximately 5 audit days
- 86 to 125 employees: approximately 5.5 audit days
- 126 to 175 employees: approximately 6 audit days
- 176 to 275 employees: approximately 6.5 audit days
- Over 275 employees: calculated individually based on complexity
These are total audit days across the full initial certification cycle, which includes both Stage 1 and Stage 2. They are also minimums, not targets. Your actual audit could be longer depending on the factors discussed below.
Get 3 ISO Quotes. 24 Hours Response
Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.
Trusted by 400+ businesses like yours
Stage 1 vs Stage 2: How the Days Are Split
The certification audit happens in two distinct stages, and understanding how days are distributed between them matters for your planning.
Stage 1 Audit
The Stage 1 audit is a readiness review. The auditor examines your documentation, checks that your quality management system is designed to meet ISO 9001 requirements, and confirms that you are ready to proceed to Stage 2. For most small to medium businesses, Stage 1 takes somewhere between half a day and one full day. For a 20-person company, you might expect around 0.5 to 1 day at Stage 1.
Stage 1 can often be conducted remotely, which many businesses prefer. The auditor reviews your quality manual, procedures, risk register, internal audit records, and management review minutes. If there are significant gaps, Stage 1 findings will need to be addressed before Stage 2 can proceed. Our article on 8 things to do before an ISO Stage 1 readiness audit covers exactly what you should have in order before your auditor arrives.
Stage 2 Audit
Stage 2 is the main certification audit. This is where the auditor verifies that your quality management system is not just documented but actually implemented and working in practice. They will interview staff, observe processes, review records, and test whether what you say you do matches what you actually do.
Stage 2 takes the bulk of the audit days. For a 20-person business, you might expect 1.5 to 2 days at Stage 2. For a 60-person business, Stage 2 alone could be 3 to 4 days. If you want a detailed breakdown of what happens during this phase, our article on 10 things to do before an ISO Stage 2 certification audit is worth reading before you start.
Factors That Increase Your Audit Days
The employee headcount table is just the starting point. Certification bodies apply adjustments based on a range of factors that can push the number of days up significantly. Here is what actually drives audit duration beyond the baseline.
Complexity of Processes
A manufacturing company with multiple production lines, specialised equipment, and complex quality controls will take longer to audit than a small consulting firm that delivers services. The auditor needs to observe each critical process, and complex operations simply take more time to assess properly. If your business involves regulated products, hazardous materials, or highly technical processes, expect your audit days to sit at the higher end of the range for your headcount.
Number of Sites
If your business operates across multiple locations, each site that falls within the scope of your certification needs to be audited. A business with three offices in different cities will require significantly more audit time than a single-site operation of the same size. Some certification bodies use sampling for multi-site organisations, particularly where sites perform similar functions, but this needs to be agreed in advance and documented. Our article on what determines how many audit days you need for ISO 9001 goes deeper into how multi-site arrangements affect the calculation.
Scope of Certification
The broader your certification scope, the more processes fall under review. A business that certifies its entire operation from sales through to delivery will take longer to audit than one that limits scope to a specific product line or service. If you are considering narrowing your scope to reduce audit time and cost, our article on whether you can limit the scope of your ISO 9001 certification explains how that works and what the trade-offs are.
Proportion of Employees in Non-Repetitive Roles
The IAF guidance recognises that organisations where most employees perform varied, non-repetitive tasks require more audit time per person than organisations where most staff do similar, repetitive work. A professional services firm where every team member has a different client portfolio and different responsibilities will take longer to audit than a warehouse with 50 pickers all doing the same job.
Regulatory Requirements
Industries with heavy regulatory oversight, such as medical devices, food production, aerospace, or defence, often attract additional audit time. The auditor needs to verify not just ISO 9001 compliance but also the intersection of your quality management system with applicable regulations. If your business operates in a regulated sector, discuss this with your certification body upfront so the audit plan reflects it.
Previous Nonconformities
If you are going into a surveillance or recertification audit with outstanding nonconformities from a previous cycle, the auditor will need to spend time verifying that corrective actions have been implemented and are effective. This adds time to the audit and can shift the focus away from forward-looking assessment. Closing nonconformities properly before your next audit is always the better path.
Factors That Can Reduce Your Audit Days
There are legitimate reasons why an audit might come in at the lower end of the range, and some of these are within your control.
Mature and Well-Documented Systems
Businesses that have been operating a quality management system for several years, have clean internal audit records, and can produce evidence quickly tend to move through audits faster. The auditor spends less time hunting for records and more time confirming that the system works. Investing in good documentation practices before your audit pays off in audit efficiency.
Experienced and Prepared Staff
When your team understands the quality management system and can answer auditor questions confidently and accurately, the audit moves at a better pace. Staff who are nervous, unsure of procedures, or who need to escalate every question to a single manager slow the process down. Preparing your team through internal briefings and mock interviews before the audit makes a real difference.
Limited Scope with Low Complexity
A small professional services business with a narrow, well-defined scope and straightforward processes can legitimately sit at the minimum audit duration for its headcount. If your operation is genuinely simple and your system is well-run, the audit reflects that.
Surveillance Audits and Recertification: What Changes After Year One
The initial certification audit is the longest part of the three-year cycle. Once you are certified, you enter a surveillance and recertification programme that involves shorter ongoing audits.
Annual Surveillance Audits
In years one and two after certification, you will typically have a surveillance audit. These are not full audits. They cover a subset of your quality management system, focusing on key areas and any issues identified in previous audits. Surveillance audits are generally around one third to one half of the initial Stage 2 duration. For a small business that had a 2-day Stage 2 audit, a surveillance audit might be 0.5 to 1 day.
Recertification Audit
At the end of the three-year certification cycle, you go through a recertification audit. This is more comprehensive than a surveillance audit but typically slightly shorter than the original Stage 2 because your system is established and the auditor has historical context to draw on. Recertification audits usually cover the full scope of the quality management system and include a review of performance across the three-year cycle.
Remote vs On-Site Audit Days: Does It Change the Duration?
Remote audits became far more common after 2020 and are now an accepted part of the certification landscape. Many certification bodies offer hybrid approaches where Stage 1 is conducted remotely and Stage 2 is on-site, or where certain elements of Stage 2 are conducted via video conference.
Remote audits do not necessarily reduce the number of audit days, but they can reduce the logistical burden on your business. The auditor still needs to spend the same amount of time reviewing evidence and interviewing staff. What changes is the format, not the duration. If you are considering a remote audit, our article on top 6 tips before running a remote ISO certification audit is worth reading to understand what works and what does not in a remote format.
What Happens If the Auditor Needs More Time?
Sometimes an audit runs long. The auditor discovers significant nonconformities that require detailed documentation. A process area turns out to be more complex than anticipated. Staff are unavailable or records are hard to locate. In these situations, the auditor may need to extend the audit or schedule a follow-up visit.
Extension visits are not free. Most certification bodies charge for additional audit time, and the cost can be substantial. This is one reason why preparing properly for your audit matters. An audit that runs over budget because records were disorganised or staff were unprepared is an avoidable cost. It also delays your certification, which has downstream effects if you have a tender deadline or a client requirement driving your timeline.
Getting an Accurate Audit Day Estimate From Your Certification Body
When you approach a certification body for a quote, they should provide you with a written audit plan that specifies the number of audit days, how they are split between Stage 1 and Stage 2, and the basis for the calculation. If a certification body cannot explain how they arrived at the audit day figure, that is a concern.
Ask specifically whether the quote includes travel time in the audit day count. Some certification bodies count travel as part of the audit day, which effectively reduces the time the auditor spends actually auditing your business. This is worth clarifying upfront.
Also ask what happens if nonconformities are found. Will the auditor conduct a follow-up visit, and if so, what does that cost? Understanding the full cost structure before you sign a contract avoids surprises later. Our article on hidden ISO certification costs nobody tells you about covers this topic in detail and is worth reading before you commit to a certification body.
A Practical Example: Audit Days for a 30-Person Manufacturing Business
Let us put this together with a realistic example. A manufacturing business with 30 employees, one site, a moderate level of process complexity, and a scope covering design, production, and delivery might expect the following:
- Stage 1: 1 day (document review, readiness assessment)
- Stage 2: 2.5 days (process walkthroughs, staff interviews, records review)
- Total initial certification: 3.5 days
- Year 1 surveillance: 1 day
- Year 2 surveillance: 1 day
- Recertification at year 3: 2 days
Over the three-year certification cycle, that business would spend approximately 7.5 audit days with their certification body. This is a meaningful time commitment, and planning around it from the start avoids disruption to normal operations.
How CertBetter Can Help
One of the most common frustrations I hear from businesses going through ISO 9001 certification for the first time is that they did not get a clear explanation of audit days until after they had already signed a contract. By that point, negotiating is difficult.
CertBetter connects businesses with verified ISO consultants and accredited certification bodies who provide transparent, itemised quotes upfront. You submit one form, receive up to three competing quotes, and can compare audit day allocations, costs, and service inclusions side by side before making any commitment. The service is completely free for businesses seeking certification. If you want to go into the process with clear numbers rather than surprises, it is worth starting there.
