How to Verify If a Company Is Actually ISO 9001 Certified

CertBetter

Team CertBetter

12 min read
ExploreGetting CertifiedCompliance & Risk
How to Verify If a Company Is Actually ISO 9001 Certified

Why Certificate Verification Actually Matters

You have a supplier quoting on your next contract. Their proposal looks polished, their pricing is competitive, and right there in their credentials section it says: ISO 9001 Certified. So you tick the box and move on. Most procurement teams do exactly that.

The problem is that ISO 9001 certification is not self-declared. It requires an independent audit by an accredited certification body. But the certificate sitting on a supplier's website or attached to a tender response? That piece of paper can be outdated, suspended, or in some cases, completely fabricated. And if you are relying on it to make a sourcing decision, a contract award, or a regulatory compliance call, you need to know it is real.

This guide walks you through exactly how to verify ISO 9001 certification, what the common traps are, and what to do when something does not add up. If you are a procurement manager, a quality professional, or a business owner vetting a potential partner, this is the process you should be following every single time.

Understanding What ISO 9001 Certification Actually Means

Before you can verify a certificate, it helps to understand what legitimate ISO 9001 certification involves. ISO 9001 is an internationally recognised quality management standard. To become certified, a company must implement a quality management system that meets the standard's requirements, then have that system independently audited by a certification body that holds accreditation from a recognised accreditation body.

That last part is critical. The certification body must itself be accredited. In Australia, the relevant accreditation body is JASANZ (Joint Accreditation System of Australia and New Zealand). In the UK it is UKAS. In the US it is ANAB. These bodies oversee certification bodies and ensure audits are conducted to a consistent standard. A certificate issued by a non-accredited certification body is not worth the paper it is printed on, regardless of how official it looks.

This matters because the verification process is not just about checking whether a certificate exists. It is about checking whether the certificate was issued by a credible body, whether it covers the right scope, and whether it is still current.

Audit Workshop
Self-paced online ISO standard courses, Foundation to Lead Auditor
ISO 45001:2018 Lead Auditor Training Course
Limited time
ISO 45001:2018 Lead Auditor Training Course
USD 129USD 789
ISO 14001:2026 Lead Auditor Training Course
Limited time
ISO 14001:2026 Lead Auditor Training Course
USD 129USD 789
ISO 9001:2015 Lead Auditor Training Course
Limited time
ISO 9001:2015 Lead Auditor Training Course
USD 129USD 789
View all ISO courses
Exemplar Global logo
Audit Workshop is an Exemplar Global Recognised Training Provider

Step One: Look at the Certificate Itself

Start with what the company has given you. A legitimate ISO 9001 certificate should contain several specific pieces of information. If any of these are missing or vague, that is your first warning sign.

What a Legitimate Certificate Should Include

  • The full legal name of the certified organisation, not just a trading name
  • The certification scope, which describes exactly what activities, products, or services the certification covers
  • The standard and version, which should read ISO 9001:2015 for any current certification
  • The issue date and expiry date, typically a three year cycle with annual surveillance audits
  • The name and logo of the certification body that issued it
  • The accreditation body logo, such as JASANZ, UKAS, or ANAB, along with an accreditation number
  • A unique certificate number that can be used to verify the record online

Pay close attention to the scope. A company might be certified for one division, one site, or one product line, but present their certificate as if it covers everything they do. A manufacturer certified for the production of steel brackets is not automatically certified for their installation services. Always match the scope to what you are actually buying.

If you want to understand more about what separates a genuine certificate from a suspicious one, the article how to spot fake ISO certificates and why they will cost you contracts goes into the visual and structural red flags in detail.

Step Two: Search the Certification Body's Online Registry

Every reputable accredited certification body maintains a public register of certified organisations. This is the most direct way to confirm that a certificate is current and legitimate. You do not need to contact anyone. You just need to know where to look.

How to Find and Use the Register

Take the name of the certification body from the certificate, then go directly to their website and look for a certificate search tool, a register, or a directory. Most major certification bodies have this functionality. You will typically be able to search by company name, certificate number, or both.

When you find the record, check four things:

  1. The company name matches exactly, including any registered entity details
  2. The scope listed in the register matches the scope on the certificate you have been given
  3. The certificate status is active, not suspended, withdrawn, or expired
  4. The site or sites covered match the locations relevant to your business relationship

Some certification bodies also publish the date of the last surveillance audit and the next scheduled audit. If a company is overdue for a surveillance audit, that can indicate their certification is at risk even if the expiry date has not yet passed.

For a broader walkthrough of the verification process across different standards and certification bodies, the guide on how to verify your ISO certificate online covers the major registries and what to look for in each one.

Step Three: Check the Certification Body's Own Accreditation

This step is one that most people skip, and it is arguably the most important one. Confirming that the certification body is actually accredited closes the loop on the entire verification chain.

How Accreditation Works

Accreditation bodies like JASANZ operate under international mutual recognition arrangements. This means that a certificate issued by a JASANZ accredited certification body is recognised in over 90 countries. The International Accreditation Forum (IAF) coordinates this global network, and you can use the IAF database to check whether a certification body holds valid accreditation.

Go to the JASANZ website if the company is Australian or New Zealand based. Search for the certification body by name. You should be able to confirm their accreditation scope, which includes which standards they are accredited to certify against, and whether their accreditation is current.

If the certification body does not appear in any recognised accreditation body's register, the certificate they have issued is not internationally recognised. This matters enormously if you are in a regulated industry, tendering for government contracts, or operating across borders.

If you are not sure what accreditation actually means in practice or how it differs from certification itself, the article on certification versus accreditation explains the distinction clearly.

Step Four: Ask the Company Directly

Once you have done your background checks, it is completely reasonable to ask the company to provide supporting information. A legitimately certified organisation will have no hesitation in providing this. In fact, they should welcome the question because it demonstrates that you take quality seriously.

What to Ask For

  • A copy of the current certificate, not a scan from three years ago
  • The most recent surveillance audit report or a summary of findings
  • Confirmation of any non-conformities raised in recent audits and how they were addressed
  • The name and contact details of their certification body so you can verify independently

If a supplier becomes defensive or evasive when you ask for these things, treat that as a significant red flag. Legitimate certification is something companies are proud of. They do not hide it.

It is also worth asking about the scope specifically. Ask them to confirm in writing that the scope of their certification covers the products or services they are providing to you. This protects you contractually if something goes wrong later.

Common Situations Where Certificates Are Misleading

Not every misleading certificate is a deliberate fraud. Sometimes businesses present their certification in ways that are technically accurate but practically deceptive. Here are the scenarios you are most likely to encounter.

Expired Certificates Still in Use

ISO 9001 certificates have a three year validity period, but they require annual surveillance audits to remain active. A company that fails a surveillance audit or simply does not schedule one can have their certification suspended or withdrawn. Yet the physical certificate still exists and still looks official. Always check the registry, not just the document.

Scope That Does Not Match the Work

A company might be certified for design and manufacture of one product category but quote on work that falls outside that scope entirely. This is not always intentional deception. Sometimes businesses grow into new areas and their certification simply has not caught up. But it means the quality management system has not been independently audited for the work you are contracting them to do.

Certification of a Parent Company Only

Some companies present the ISO 9001 certificate of their parent or holding company as if it applies to them. Unless the subsidiary or operating entity is specifically named in the scope of the parent's certificate, this is not valid. Each legal entity and each site needs to be covered either individually or explicitly within a multi-site certification arrangement.

Non-Accredited Certification Bodies

There are organisations that issue certificates that look entirely legitimate but are not backed by any recognised accreditation. These are sometimes called certification mills. The certificate will have logos, certificate numbers, and official-looking language. But if the certification body does not appear in JASANZ, UKAS, ANAB, or another IAF member accreditation body's register, the certificate has no standing. This is a growing problem and one worth taking seriously, particularly when dealing with suppliers from overseas markets where regulation is less consistent.

The article on why ISO certification sometimes feels like just paperwork covers the broader issue of certification that exists on paper without real substance behind it.

What to Do When You Cannot Verify a Certificate

Sometimes you will hit a dead end. The certification body has no online registry. The company is based overseas and you cannot access the relevant accreditation body's database. Or the certificate looks suspicious but you cannot definitively confirm whether it is fraudulent or just poorly formatted.

Practical Options When Verification Stalls

Contact the certification body directly by phone or email. Provide the certificate number and the company name and ask them to confirm whether the certification is current. Any legitimate certification body will respond to this enquiry. If they do not, or if they cannot find the record, that tells you something important.

You can also contact the relevant accreditation body directly. JASANZ, for example, will confirm whether a certification body holds current accreditation and whether a specific certificate falls within their scope. This is a free service and one that procurement teams rarely use but should.

If you are in a situation where certification is a contractual or regulatory requirement and you cannot verify it, do not proceed on the assumption that it is fine. The risk sits with you if you award a contract based on a certificate that turns out to be invalid.

Building Verification Into Your Procurement Process

One-off checks are useful, but the most effective approach is to make certificate verification a standard part of your supplier qualification process. This does not need to be complicated.

A Simple Supplier Certification Checklist

  • Request a copy of the certificate at the time of quoting, not just at contract award
  • Record the certificate number, expiry date, and certification body in your supplier register
  • Set a calendar reminder to re-verify before the certificate expiry date
  • Check the certification body's registry at least annually for high-value or critical suppliers
  • Include a clause in supplier contracts requiring notification if certification status changes

For businesses that are themselves ISO 9001 certified, maintaining evidence that your key suppliers hold valid certifications is often a requirement of your own quality management system. Your next audit will likely include a review of how you manage supplier qualification, and a supplier register with verified certification records is exactly the kind of documented evidence auditors want to see.

If you are thinking about what your own ISO certification journey looks like and how to approach it properly, the first-time ISO certification guide for Australian businesses is a practical starting point.

A Note on Government Tenders and Regulated Industries

In some contexts, ISO 9001 certification is not just a nice credential. It is a mandatory requirement. Government procurement frameworks in Australia and internationally increasingly specify certification as a condition of tender eligibility. In these situations, submitting a certificate that cannot be verified is not just a commercial risk. It can constitute a false declaration.

If you are on the other side of this equation and you are tendering for government work, make sure your certification is current, that the scope covers the work you are bidding for, and that your certification body is accredited by a JASANZ or IAF-recognised body. The article on which ISO certifications are required for government tenders covers the specific requirements in more detail.

Getting Certified Yourself? Here Is Where CertBetter Comes In

If this article has prompted you to think about your own certification status, or if you are a business that wants to get ISO 9001 certified so that your customers can verify you without any doubt, CertBetter can help. CertBetter connects businesses with verified ISO consultants and accredited certification bodies through a simple, free process. You submit one form and receive up to three competing quotes from vetted providers, all of whom are checked for accreditation and track record before they appear on the platform. There is no cost to you as a business seeking certification, and no obligation to proceed with any quote you receive. It is a straightforward way to find a provider you can trust, and one whose certificate your customers will be able to verify without any difficulty.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

The most reliable method is to search the online registry of the certification body named on the certificate. Most accredited certification bodies maintain a publicly searchable database where you can look up a company by name or certificate number and confirm whether the certification is current, suspended, or expired. You can also contact the certification body directly with the certificate number and ask them to confirm its status. Do not rely solely on the expiry date printed on the certificate, as certifications can be suspended before that date if a company fails a surveillance audit.

The certification scope defines exactly which activities, products, services, or locations are covered by the ISO 9001 certification. A company can be certified for one part of their business but not another. For example, a company might be certified for the manufacture of a specific product range but not for the installation or servicing of those products. When you are verifying a certificate, always check that the scope covers the specific work or products you are engaging them for. If the scope does not match, the certification provides no assurance for the services you are receiving.

For most practical purposes, yes. A certificate issued by a certification body that is not accredited by a recognised accreditation body such as JASANZ, UKAS, or ANAB carries no international standing and is not accepted under most government procurement frameworks or regulated industry requirements. Some industries and contracts specifically require certification from an IAF-recognised accredited body. If you cannot confirm that the certification body holds valid accreditation, treat the certificate as unverifiable and seek clarification before relying on it.

Yes, and it does happen. Fake certificates can be created by altering a genuine certificate from another company, by using the name of a real certification body without authorisation, or by obtaining a certificate from a so-called certification mill that issues documents without conducting any real audit. The way to protect yourself is to verify directly with the certification body's online registry rather than relying on the document alone. If the company does not appear in the registry under the certificate number provided, the certificate cannot be considered legitimate regardless of how it looks.

ISO 9001 certificates are typically issued for a three year period, but maintaining the certification requires annual surveillance audits during that period. At the end of the three year cycle, the company undergoes a full recertification audit. If a company fails a surveillance audit or does not schedule one, their certification can be suspended or withdrawn before the three year period ends. This is why checking the certification body's registry is important even when a certificate's printed expiry date has not yet passed.

A refusal to allow verification is a serious red flag. Legitimate ISO 9001 certification is a matter of public record through the certification body's registry. There is no valid reason for a certified company to obstruct verification. If a supplier becomes defensive, claims their certification is confidential, or provides reasons why you cannot check directly with the certification body, you should treat that as a strong indicator that the certification may not be genuine. At minimum, you should escalate the matter before awarding any contract that relies on that certification being valid.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.

Related Articles

What Are the Business Benefits of ISO 14001 Certification?
Getting Certified

What Are the Business Benefits of ISO 14001 Certification?

14 June 2026

How to Verify a Company Has ISO 22301 Certification
Getting Certified

How to Verify a Company Has ISO 22301 Certification

13 June 2026

How Long Does It Take to Close Audit Nonconformities?
Getting Certified

How Long Does It Take to Close Audit Nonconformities?

11 June 2026

How to Report a Fraudulent ISO Certificate
Getting Certified

How to Report a Fraudulent ISO Certificate

4 June 2026

Browse by Topic

ISO Standards381 articlesGetting Certified290 articlesManagement Systems182 articlesCompliance & Risk111 articlesIndustry News31 articles
How to Verify If a Company Is ISO 9001 Certified - CertBetter