How to Check If an ISO Certificate Number Is Valid

Why Verifying an ISO Certificate Number Actually Matters

You have just received a quote from a supplier. They attach a shiny ISO 9001 certificate to their tender response. It looks professional, the logo is there, the certificate number is printed clearly, and the expiry date is still a year away. Most procurement managers glance at it and move on. That is exactly where things go wrong.

ISO certificate fraud is more common than most businesses realise. Certificates get photocopied and reused after they expire. Scope details get altered. Some businesses simply print certificates that were never issued by anyone. Others use certification bodies that are not accredited by any recognised accreditation authority, which means the certificate is technically worthless even if the audit did happen.

Knowing how to check if an ISO certificate number is valid is not a bureaucratic exercise. It is a practical skill that protects your contracts, your supply chain, and your reputation. This guide walks you through exactly how to do it, step by step, without needing any special tools or insider knowledge.

What Information Appears on a Legitimate ISO Certificate

Before you can verify a certificate, you need to know what a legitimate one should contain. A properly issued ISO certificate will always include the following details.

The Certificate Number

Every certificate issued by an accredited certification body carries a unique certificate number. This number is the primary reference point for any verification check. It is typically a combination of letters and numbers, and it should be traceable in the certification body's own database or the relevant accreditation body's public register.

The Certification Body's Name and Accreditation Mark

The certification body is the organisation that conducted the audit and issued the certificate. A legitimate certificate will display the certification body's name clearly, along with the accreditation mark of the body that oversees them. In Australia, that accreditation body is JAS-ANZ. In the UK it is UKAS. Internationally, you might see marks from DAkkS, ANAB, or other IAF-recognised bodies.

The Standard and Version

The certificate must state which ISO standard the organisation is certified to, and which version. For example, ISO 9001:2015 or ISO 45001:2018. If the version is not stated, that is a red flag. If the version listed is outdated and the transition deadline has passed, the certificate may no longer be valid.

The Scope of Certification

This is one of the most commonly overlooked elements. The scope defines exactly what the certificate covers. A business certified to ISO 9001 for “design and manufacture of steel components” is not certified for software development. Always read the scope carefully, because a supplier may be certified, but not for the activities that are relevant to your contract.

Issue Date, Expiry Date, and Surveillance Audit Schedule

ISO certificates are typically valid for three years, with surveillance audits required in years one and two. A certificate that is past its expiry date is no longer valid, regardless of what the holder claims. Some certificates also list the date of the most recent surveillance audit, which tells you whether the organisation has kept up with its obligations.

How to Verify an ISO Certificate Number Step by Step

There are several ways to check whether a certificate number is legitimate. Use more than one method where possible, especially for high-value contracts or critical supply chain relationships.

Step 1: Search the Certification Body's Online Register

Most accredited certification bodies maintain a public register of current certificates. This is your first and most direct check. Go to the certification body's website, find their certificate search tool or register, and enter the certificate number. If the certificate is valid, the search result should match the details on the document you have been given, including the organisation name, scope, standard, and expiry date.

If the certification body does not have a searchable public register, that itself is worth noting. Reputable, accredited bodies make this information available as a matter of transparency.

Step 2: Check the Accreditation Body's Register

Even if a certificate number appears in a certification body's register, you also need to confirm that the certification body itself is accredited. An unaccredited certification body can issue certificates, but those certificates carry no formal weight. Many clients and government tenders specifically require certification from an accredited body.

In Australia, you can check whether a certification body is accredited through the JAS-ANZ register of accredited bodies. This register lists all certification bodies that JAS-ANZ has assessed and accredited. If the body that issued the certificate is not on this list, the certificate is not JAS-ANZ accredited, which matters enormously in Australian government procurement and many private sector contracts.

Step 3: Use the IAF CertSearch Database

The International Accreditation Forum operates a global certificate search tool called IAF CertSearch. This database aggregates certificate data from accredited certification bodies across multiple countries. If the certificate was issued by a body that participates in IAF CertSearch, you can search by organisation name, certificate number, or standard and get verified results directly.

This is particularly useful when you are dealing with overseas suppliers whose certification body you are not familiar with. Rather than trying to navigate a foreign accreditation body's website, IAF CertSearch gives you a single point of reference. You can access it through the IAF website at iaf.nu.

Step 4: Contact the Certification Body Directly

If the online search does not give you a clear answer, or if something about the certificate looks unusual, contact the certification body directly. Call them rather than emailing, and ask them to confirm the certificate number, the certified organisation, the scope, and the current status. A legitimate certification body will be able to confirm this information quickly. If they are evasive, unable to find the record, or ask you to pay a fee just to verify a certificate, treat that as a serious warning sign.

Step 5: Cross-Reference the Certificate Details Against the Document

Once you have confirmation from an official source, compare every detail against the certificate document you were given. Check the organisation name, the registered address, the scope of certification, the standard and version, the certificate number, the issue and expiry dates, and the name of the certification body. Any discrepancy, even a minor one like a slightly different address or a scope that has been reworded, should prompt further investigation.

Our article on how to spot fake ISO certificates covers the specific visual and textual signs that something has been altered or fabricated, which is a useful companion read to this verification process.

Common Reasons a Valid-Looking Certificate May Not Be Valid

Not every problematic certificate is an outright forgery. Some are technically issued but still invalid or misleading. Here are the most common situations you will encounter.

The Certificate Has Expired

This is the most straightforward issue. Check the expiry date. If it has passed, the certificate is no longer valid regardless of what the holder says. Some businesses forget to renew, others deliberately continue using expired certificates hoping no one checks. Either way, an expired certificate provides you with no assurance.

The Certification Body Is Not Accredited

There are certification bodies operating in Australia and globally that are not accredited by any IAF-recognised accreditation body. They can still conduct audits and issue certificates, but those certificates are not recognised by most clients, government agencies, or industry bodies. If you have been given a certificate from a body you do not recognise, check their accreditation status before accepting the certificate as evidence of compliance.

This is a surprisingly common issue. Our article on why some ISO 9001 certificates are not accepted by clients or government goes into more detail on this specific problem and why it catches businesses off guard.

The Scope Does Not Cover the Relevant Activities

A supplier might be genuinely certified, but the scope of their certificate might not cover what they are doing for you. For example, a construction company certified for “commercial fit-out works” is not certified for civil infrastructure projects. If the scope does not match the work, the certificate is irrelevant to your contract even if it is otherwise completely valid.

Surveillance Audits Have Been Missed

ISO certification requires ongoing surveillance audits, typically annually. If a company has missed a surveillance audit, their certification body should have suspended or withdrawn the certificate. However, not all certification bodies act promptly on this. When verifying a certificate, it is worth asking the certification body whether all surveillance audits have been completed on schedule.

The Certificate Has Been Suspended or Withdrawn

A certificate can be suspended or withdrawn at any time if the certified organisation fails to meet the standard's requirements or does not cooperate with the certification body. The certificate document itself will not show this. You need to check the certification body's register to see the current status, not just the document the supplier has handed you.

Red Flags That Should Prompt Immediate Verification

There are specific situations where you should always verify a certificate rather than taking it at face value.

• The certificate was emailed as a PDF with no accompanying verification link. Legitimate certification bodies usually provide a way to verify online. If the supplier cannot direct you to a public register, investigate further.
• The certification body name is unfamiliar and does not appear in any accreditation register. There are dozens of unaccredited bodies operating globally. Not recognising a name is a reasonable trigger for a check.
• The scope of certification is written very broadly or very vaguely. Phrases like “all activities of the company” are a warning sign. Legitimate scopes are specific.
• The certificate number does not appear in any searchable database. This is the clearest possible indicator that something is wrong.
• The supplier is reluctant to provide the certification body's contact details. Any legitimately certified organisation should be happy for you to verify their certificate directly.
• The certificate design looks inconsistent with other certificates from the same body. Font changes, logo quality issues, or formatting inconsistencies can indicate a document has been altered.

If you are in a procurement role and want a more structured approach to assessing supplier certification claims, our guide on what procurement teams actually do with your ISO certificate explains how this fits into a broader supplier assurance process.

What to Do If You Discover a Certificate Is Invalid

If your verification checks reveal that a certificate is invalid, expired, or fraudulent, the appropriate response depends on the context.

In a Procurement or Tender Context

If you are assessing a supplier or tender response, disqualify the submission and document your reasons. If the certificate appears to have been deliberately falsified, you may also have an obligation to report it to the relevant accreditation body or, in serious cases, to regulatory authorities. Submitting a false document in a government tender can constitute fraud.

In an Existing Supplier Relationship

If you discover that a current supplier's certificate is no longer valid, notify them in writing and request evidence of current certification or a clear timeline for renewal. Depending on your contract terms, an expired or invalid certificate may constitute a breach. Review your contract carefully before deciding how to proceed.

If You Suspect Deliberate Fraud

Contact the certification body named on the certificate and inform them that their name is being used on what appears to be an invalid or falsified document. Contact the relevant accreditation body as well. JAS-ANZ in Australia has processes for investigating complaints about misuse of accreditation marks and certification claims.

How to Make Certificate Verification a Standard Business Practice

Rather than verifying certificates only when something feels wrong, the smarter approach is to build it into your standard supplier onboarding and contract renewal processes. Here is what that looks like in practice.

• Include a requirement in your supplier questionnaire for the certification body's name, certificate number, and a link to the public register where the certificate can be verified.
• Set a calendar reminder to re-verify supplier certificates at least once a year, or whenever a certificate is due for renewal.
• Assign responsibility for certificate verification to a specific role in your procurement or quality team so it does not fall through the cracks.
• Keep a log of verified certificates including the date of verification, who performed the check, and the source used. This provides an audit trail if questions arise later.

If you are on the other side of this equation and want to make sure your own certificate is easy to verify and presents well to clients, our article on what you should check when you receive your ISO certificate is worth reading before you start sharing your certificate with clients and in tender submissions.

Getting the Right Certification From the Start

The best way to avoid certificate verification problems on your own side is to work with a reputable, accredited certification body from day one. That means choosing a body that is accredited by JAS-ANZ in Australia, or by another IAF-recognised accreditation body if you operate internationally. It means making sure your certificate is registered in a searchable public database. And it means keeping up with your surveillance audits so your certificate remains current and verifiable at any point in time.

If you are looking to get certified and want to make sure you are working with a credible, accredited provider, CertBetter can help. Submit one free request and receive up to three competing quotes from verified certification bodies and consultants. Every provider on the platform has been vetted, so you can focus on comparing proposals rather than worrying about whether the provider is legitimate.