What ISO Certificate Renewal Actually Means
Most ISO certificates are valid for three years. That might sound like a long time, but the renewal cycle comes around faster than most businesses expect, especially when you factor in the surveillance audits, internal reviews, and corrective actions that need to happen along the way.
Renewing your ISO certificate is not simply a matter of paying a fee and receiving a new document in the post. The renewal process, formally called a recertification audit, is a full reassessment of your management system. Your certification body will evaluate whether your system still meets the requirements of the relevant standard, whether it has been properly maintained, and whether it continues to deliver the outcomes it was designed for.
If you have been maintaining your system properly throughout the three-year cycle, recertification should feel straightforward. If you have let things slip, it can be a stressful and expensive experience. This guide walks you through exactly what to expect and how to approach renewal with confidence.
The Three-Year Certification Cycle Explained
Understanding how the full certification cycle works helps you plan renewal properly. Most accredited certification bodies follow a structure that looks like this:
- Year 1: Initial certification audit (Stage 1 and Stage 2). Your certificate is issued once you pass.
- Year 2: First surveillance audit. A partial review of your management system, typically covering key clauses and any open nonconformances.
- Year 3: Second surveillance audit. Similar in scope to the first, often with a focus on continual improvement and management review outputs.
- End of Year 3: Recertification audit. A comprehensive review of the entire management system before your certificate can be renewed for another three years.
The surveillance audits are not optional extras. They are a mandatory part of maintaining your certification. If you miss a surveillance audit or repeatedly fail to close out nonconformances, your certification body has the right to suspend or withdraw your certificate before renewal even comes up.
If you want a clear picture of how often these audits occur throughout the cycle, our article on how often ISO certification audits are conducted covers the full timeline in detail.
What Happens During a Recertification Audit
A recertification audit is more thorough than a surveillance audit. Think of it as a reset. Your auditor will review the entire scope of your management system, not just selected areas. The audit typically covers:
- All clauses of the relevant standard
- Your management review records from the past three years
- Internal audit results and how nonconformances were addressed
- Objectives and whether they were achieved
- Changes to your business, context, and interested parties
- Evidence of continual improvement
- Any open corrective actions from previous audits
The auditor is looking for a system that is alive and functioning, not one that was set up three years ago and never touched again. This is an important distinction. A management system that exists only on paper will not pass recertification.
How Long Does a Recertification Audit Take?
Audit duration depends on the size of your organisation, the number of staff, the complexity of your processes, and the scope of your certification. A small business with 10 to 20 employees might complete recertification in one day. A medium-sized organisation with 50 to 100 staff across multiple sites could require two to three days on site.
Your certification body will calculate the audit duration based on IAF mandatory document guidelines, which set minimum audit time requirements based on employee numbers and risk level. If you are unsure how many audit days apply to your situation, our article on what determines how many audit days you need explains the calculation clearly.
How to Prepare for ISO Certificate Renewal
Preparation is the difference between a smooth recertification and a stressful one. Here is a practical approach that works for businesses of any size.
Step 1: Review Your Management System at Least Six Months Out
Do not wait until two weeks before your recertification audit to check whether your system is in order. Six months out is the right time to conduct a thorough internal review. Look at your document register, check that procedures are current, confirm that records are being maintained, and identify any gaps that need to be addressed before the auditor arrives.
If you have not been running regular internal audits throughout the three-year cycle, now is the time to catch up. Your certification body will want to see evidence that internal auditing has been happening consistently, not just in the month before recertification.
Step 2: Complete Your Management Review
A management review is a formal meeting where top management evaluates the performance of the management system. Most standards require this to happen at least once a year. Before your recertification audit, make sure your most recent management review is documented and covers all the required inputs, including audit results, customer feedback, performance against objectives, resource adequacy, and risks and opportunities.
If your management review records are thin or missing, this will be raised as a nonconformance during recertification. It is one of the most common findings auditors raise at renewal time.
Step 3: Close Out All Open Nonconformances
Any corrective actions that were raised during surveillance audits need to be fully closed before or during your recertification audit. An open major nonconformance from a previous audit is a serious problem and could result in your recertification being delayed or refused.
Go through every corrective action in your register. For each one, confirm that the root cause was identified, the corrective action was implemented, and there is objective evidence that the problem has been resolved. If any actions are still in progress, have a clear plan and timeline ready to present to the auditor.
Step 4: Run a Full Internal Audit
Before your recertification audit, run a full internal audit that covers all clauses of your standard. This gives you a chance to identify and fix problems before the external auditor finds them. It also demonstrates to your certification body that internal auditing is genuinely embedded in your system, not just a box-ticking exercise.
Our guide on how to run ISO internal audits that actually find problems gives you a practical framework for making your internal audits genuinely useful rather than a formality.
Step 5: Confirm Your Scope Is Still Accurate
Businesses change over three years. New services, new locations, new customers, and new risks can all affect the scope of your certification. Before renewal, confirm that your scope statement still accurately reflects what your business does and what is included in your management system.
If your business has grown significantly, you may need to discuss with your certification body whether the scope needs to be updated before recertification proceeds. Trying to certify a scope that no longer reflects reality is a recipe for audit findings.
Step 6: Notify Your Certification Body Early
Contact your certification body at least three to four months before your certificate expiry date to confirm the recertification audit schedule. Certification bodies have busy calendars, and leaving it too late can result in your certificate lapsing before the audit can be completed.
A lapsed certificate is a problem. It means you technically cannot claim certification during the gap period, which can affect contracts, tenders, and client relationships. Do not let this happen through poor planning.
What Happens If You Fail Recertification
Failing a recertification audit does not automatically mean your certificate is cancelled, but it does mean more work and more cost. The outcome depends on the severity of the findings.
Minor Nonconformances
If the auditor raises minor nonconformances during recertification, you will typically be given a set timeframe, usually 30 to 90 days, to submit evidence that the issues have been corrected. Once the certification body reviews and accepts your corrective action evidence, your certificate can be renewed.
Major Nonconformances
A major nonconformance during recertification is more serious. It indicates a significant failure in your management system, such as a complete absence of internal auditing, no management review records, or a systemic breakdown in a core process. In this case, the certification body may require an additional on-site visit before the certificate can be renewed, which adds cost and time to the process.
Certificate Suspension or Withdrawal
If the issues are severe enough, or if you have accumulated unresolved findings over multiple audit cycles, the certification body may suspend or withdraw your certificate. Suspension means you cannot claim certification until the issues are resolved. Withdrawal means the certification is cancelled entirely and you would need to go through the initial certification process again.
This is an extreme outcome and is usually avoidable with proper system maintenance throughout the three-year cycle. If you are concerned about the health of your management system, our article on how to check if your ISO management system is actually working is worth reading well before renewal comes around.
The Cost of ISO Certificate Renewal
Recertification is not free. You will pay audit fees to your certification body for the recertification audit, which are typically similar to or slightly higher than your surveillance audit fees. The exact cost depends on your organisation size, scope, and how many audit days are required.
On top of audit fees, factor in internal time for preparation, any consultant support you engage, and the cost of addressing nonconformances if they arise. Businesses that maintain their systems well throughout the three-year cycle consistently spend less on renewal than those who scramble to fix everything at the last minute.
If you are thinking about switching certification bodies at renewal time, that is actually a reasonable option. Renewal is a natural break point to reassess whether your current certification body is serving you well. Our article on why Australian businesses are leaving their ISO certification body covers the most common reasons businesses make the switch and what to consider before doing so.
Switching Certification Bodies at Renewal Time
If you decide to change certification bodies at renewal, the process is called a transfer. The new certification body will review your existing certification records and conduct a transfer audit, which is typically less extensive than a full initial certification audit. They will check that your system has been properly maintained and that there are no unresolved major nonconformances.
The practical steps for switching are straightforward, but timing matters. Initiate the transfer process well before your current certificate expires to avoid any gap in certification status. Your new certification body will coordinate with your previous one to obtain the relevant audit history and records.
Common Mistakes Businesses Make at Renewal Time
After many years of auditing and consulting, these are the mistakes I see most often when businesses approach recertification:
- Treating the management system as a set-and-forget exercise. Systems that are not actively maintained deteriorate quickly. By the time renewal comes around, the gap between the documented system and actual practice is often significant.
- Leaving internal audits too late. Running a single internal audit in the month before recertification does not demonstrate a culture of continual improvement. It looks exactly like what it is.
- Not updating documents when processes change. If your business has changed how it operates but your procedures still describe the old way of doing things, you have a problem. Auditors check whether documented procedures reflect actual practice.
- Ignoring corrective actions. A corrective action register full of overdue items is a red flag for any auditor. Address nonconformances promptly when they are raised, not just before your next audit.
- Forgetting to check certificate expiry dates. This sounds basic, but it happens. Set a reminder 12 months out and again at six months. Do not rely on your certification body to chase you.
How a Consultant Can Help With Renewal
Not every business needs a consultant for recertification. If you have a dedicated quality manager or compliance officer who has been actively maintaining the system, you may be well placed to handle renewal internally.
However, if your system has been neglected, if you have had staff turnover in key roles, or if you received significant findings during your last surveillance audit, bringing in an experienced ISO consultant for a pre-audit gap assessment can save you time and money. A good consultant will identify the issues before the auditor does and help you address them efficiently.
Finding the right consultant is where many businesses struggle. If you need help, CertBetter makes it straightforward. Submit one form and receive up to three competing quotes from verified ISO consultants and accredited certification bodies who have been assessed for experience and credibility. The service is completely free for businesses seeking certification help, and it takes the guesswork out of finding someone you can actually trust.




