Why Verifying an ISO Certificate Matters More Than You Think
You receive a supplier quote. Their proposal looks great, the price is competitive, and they have an ISO 9001 certificate attached to their email. You forward it to your procurement team and move on. That is a mistake a lot of businesses make, and it can be a costly one.
On this page
ISO certification fraud is more common than most people realise. Fake certificates, expired certificates, certificates issued by non-accredited bodies, and certificates that cover a completely different scope to what a supplier claims are all real problems that surface regularly in supply chains, government tenders, and contractor vetting processes.
If you are relying on an ISO certificate to make a business decision, whether that is approving a supplier, awarding a contract, or satisfying a regulatory requirement, you need to confirm that certificate is legitimate before you act on it. This guide walks you through exactly how to do that, step by step.
Understanding the Difference Between Accredited and Non-Accredited Certification
Before you can verify a certificate properly, you need to understand one fundamental concept: not all ISO certifications are equal. The most important distinction is whether the certification was issued by an accredited certification body or a non-accredited one.
What Accreditation Actually Means
Accreditation is the formal recognition that a certification body is competent to carry out ISO audits and issue certificates. Accreditation bodies are national or regional organisations that assess and oversee certification bodies against international standards, primarily ISO 17021, which sets the requirements for certification body competence.
In Australia, the relevant accreditation body is JASANZ. In the UK it is UKAS. In the US it is ANAB. Each country has its own, and they are all members of the International Accreditation Forum (IAF), which means certificates issued under their oversight carry mutual recognition globally.
A certificate from an accredited body means an independent third party has verified that the certification body follows proper audit processes, employs qualified auditors, and maintains impartiality. A certificate from a non-accredited body means none of that has been independently verified.
Why Non-Accredited Certificates Are a Problem
Non-accredited certificates look identical to legitimate ones. Same logo placement, same language, same format. But they carry no internationally recognised weight. If a government tender, contract, or customer requirement specifies ISO certification, a non-accredited certificate typically does not satisfy that requirement.
There are hundreds of non-accredited certification bodies operating globally. Some are simply low-cost providers offering certificates with minimal audit rigour. Others are outright fraudulent. Fake ISO certificates do exist, and they do cost businesses contracts when discovered.
Step-by-Step: How to Verify an ISO Certificate
Here is a practical process you can follow every time you need to confirm whether a certificate is legitimate. It takes between five and fifteen minutes when you know what you are doing.
Step 1: Check the Accreditation Body Mark on the Certificate
A legitimate ISO certificate issued by an accredited certification body will display the logo or mark of the accreditation body that oversees it. Look for marks such as JASANZ, UKAS, DAkkS, ANAB, or the IAF MLA mark.
If there is no accreditation body mark on the certificate at all, that is a significant red flag. It does not automatically mean the certificate is fake, but it means you need to investigate further before relying on it.
Step 2: Identify the Certification Body and Check Its Accreditation Status
The certificate will name the certification body that issued it. Your next step is to verify that this certification body is actually accredited for the standard in question.
Go directly to the accreditation body's website and use their public register. Here are the key ones:
- JASANZ (Australia and New Zealand): Use the public register at JASANZ.org to search for the certification body by name.
- UKAS (United Kingdom): Search the UKAS directory at ukas.com.
- IAF CertSearch: This is a global database of certificates issued by IAF-accredited certification bodies. It is one of the most useful tools available and is free to use.
- ANAB (United States): Search their directory at anab.ansi.org.
When you find the certification body in the register, confirm two things. First, that their accreditation is currently active and not suspended. Second, that their accreditation scope covers the specific standard on the certificate. A certification body accredited for ISO 9001 is not automatically accredited for ISO 27001 or ISO 45001.
Step 3: Use IAF CertSearch to Verify the Specific Certificate
The IAF CertSearch database allows you to search for individual certificates by certificate number, company name, or certification body. This is the most direct way to confirm a specific certificate is real and current.
Enter the certificate number from the document you have received. If it appears in the database with matching details, that is strong confirmation of legitimacy. If it does not appear, it does not necessarily mean fraud, as not all accredited certification bodies upload their certificates to CertSearch, but it warrants further investigation.
You can also verify ISO certificates online directly through many certification body websites, which maintain their own searchable registers of current certificates.
Step 4: Check the Certificate Directly on the Certification Body's Website
Most reputable accredited certification bodies maintain a public register of their current certificates. Go to the certification body's website and look for a certificate search or verification tool.
Search for the company name or certificate number. Confirm the following details match what is on the certificate you received:
- The company name and legal entity
- The registered address or site address
- The standard and version (for example ISO 9001:2015, not an older version)
- The certification scope, which describes what activities the certificate covers
- The issue date and expiry date
That last point about scope is critical and is where a lot of people stop short. A company might hold a genuine, accredited ISO 9001 certificate, but the scope might only cover their head office administration function, not their manufacturing operations. If you are relying on that certificate as evidence of manufacturing quality management, it may not apply to what you actually care about.
Step 5: Confirm the Certificate Has Not Expired or Been Suspended
ISO certificates are typically issued for a three-year cycle, with annual surveillance audits required to maintain them. A certificate can be suspended if a company fails a surveillance audit or does not address non-conformities within the required timeframe.
Always check the expiry date on the certificate you have received. Then cross-reference that against the certification body's register, because a company might hand you a certificate that was valid when it was issued but has since lapsed or been suspended. The register will show the current status.
Step 6: Verify the Scope Covers What You Actually Need
This step is underused and it catches a lot of people out. The certification scope is the written description of what activities, products, services, and locations are covered by the certificate.
Read the scope statement carefully. If you are approving a supplier to manufacture components for you, the scope should explicitly cover manufacturing of that type of product. If you are using a certificate to satisfy a government tender requirement, confirm the scope aligns with the activities described in the tender specification.
A company can legitimately hold an ISO 9001 certificate for their consulting services while their manufacturing division has no certification at all. The certificate is not a blanket endorsement of the entire business.
Common Red Flags That Suggest a Certificate May Not Be Legitimate
Beyond the step-by-step verification process, there are some specific warning signs worth knowing. These do not automatically confirm fraud, but each one warrants a closer look.
The Certification Body Name Is Unfamiliar and Not in Any Accreditation Register
If you search for the certification body in every major accreditation register and cannot find them, the certificate is likely non-accredited at best and fraudulent at worst. Be especially cautious of certification bodies with generic names, unusual country registrations, or websites that provide very little information about their audit processes.
The Certificate Was Issued Very Quickly
A legitimate ISO 9001 certification process for a small business typically takes three to twelve months from start to finish, depending on the organisation's existing systems. If a supplier tells you they received their certificate in a few weeks, that is worth questioning. Genuinely rigorous certification takes time.
The Certificate Cannot Be Found in Any Public Register
If the company cannot point you to their certificate in any publicly accessible register, and the certification body does not have a searchable database, that is a problem. Accredited certification bodies are required to maintain records of current certificates and make them accessible.
The Scope Is Vague or Extremely Broad
Legitimate certification scopes are specific. They describe what the organisation does, what products or services are covered, and often which sites are included. A scope that simply says “all activities” or covers an implausibly large range of unrelated activities should raise questions.
The Certificate Uses an Outdated Standard Version
ISO standards are revised periodically. ISO 9001:2008 was superseded by ISO 9001:2015, and transition deadlines have long passed. If a certificate references an outdated version of a standard, it should not be accepted as current certification. Check what the current version of the standard is and confirm the certificate reflects it.
What to Do If You Suspect a Certificate Is Fake or Invalid
If your verification process raises serious doubts about a certificate, here is how to handle it professionally.
Contact the Certification Body Directly
Do not just rely on the online register. Call or email the certification body listed on the certificate and ask them to confirm the certificate number, the certified organisation, the scope, and the current status. A legitimate certification body will respond to this request without hesitation. If they are evasive or cannot confirm the details, that tells you something important.
Ask the Supplier for Their Surveillance Audit Records
A certified organisation should be able to provide evidence of their most recent surveillance audit. This would typically be a summary of audit findings or a confirmation letter from the certification body. If a supplier cannot produce any evidence of ongoing surveillance, their certification may have lapsed even if the certificate document itself has not yet expired.
Report Suspected Fraud to the Relevant Accreditation Body
If you have strong evidence that a certificate is fraudulent, the appropriate step is to report it to the accreditation body in your country. In Australia that is JASANZ, in the UK it is UKAS. They have processes for investigating complaints and can take action against certification bodies that issue fraudulent or non-compliant certificates.
You should also be aware that presenting a fraudulent ISO certificate in a tender or contract context can have serious legal consequences for the company doing so. It is worth documenting your verification process so you have a clear record of due diligence.
Building Certificate Verification Into Your Supplier Qualification Process
If you work with multiple suppliers or regularly evaluate contractors, it is worth building certificate verification into your standard supplier qualification process rather than doing it ad hoc.
Create a simple checklist that your procurement or quality team follows every time a supplier submits an ISO certificate. The checklist should cover the accreditation body mark, the certification body accreditation status, the certificate details in a public register, the scope relevance, and the expiry date. This takes about ten minutes per supplier and can save significant problems down the track.
For organisations managing their own ISO systems, internal audits are a good place to include a periodic review of key supplier certifications to confirm they remain current and valid. Build it into your supplier monitoring procedure.
It is also worth noting that if your own organisation holds ISO certification, your customers and partners may be applying exactly this verification process to your certificate. Keeping your certification current, ensuring your scope accurately reflects your activities, and making sure your certificate is findable in public registers is good practice from both sides of the relationship.
A Note on Cheap Certification and What It Usually Means
One pattern worth understanding is the relationship between certification cost and certification rigour. Genuine accredited ISO certification involves a meaningful amount of audit time, qualified auditors, and an independent oversight structure. That has a real cost.
When certification is offered at prices that seem implausibly low, it often signals either a non-accredited scheme or a process that lacks the depth required to produce a meaningful certificate. This does not mean the most expensive option is always the best, but it does mean that extremely cheap certification deserves scrutiny.
If you are evaluating your own certification options and want to understand what legitimate certification should cost, reading about hidden ISO certification costs can help you calibrate what is realistic. And if you are comparing quotes from multiple providers, understanding what you are actually paying for in each quote matters as much as the price itself.
Getting Certified Through a Legitimate Process
If this article has prompted you to think about your own certification journey, the same principles apply in reverse. Choosing an accredited certification body, working with a reputable consultant, and going through a genuine audit process means your certificate will stand up to exactly the kind of scrutiny described in this guide.
CertBetter connects businesses seeking ISO certification with verified consultants and accredited certification bodies. You submit one form and receive up to three competing quotes from vetted providers, all free of charge. It is a straightforward way to make sure you are starting your certification journey with the right people, and ending up with a certificate that is genuinely worth having.
