ISO Compliance vs Conformance: What's the Difference & Why It Matters

CertBetter

Team CertBetter


I've been auditing ISO management systems for 6 years across Australia. In nearly every Stage 1 audit, someone asks me: "So once we're certified, we're compliant with everything, right?"

No. And that confusion costs businesses dearly.

Your ISO certificate proves conformance to the standard. It doesn't prove compliance with laws, regulations, or customer requirements. These are fundamentally different things, and mixing them up creates legal exposure your certificate won't protect you from.

Here's what I actually check when I audit your system.

The Definitions That Actually Matter

Conformance: Your management system meets ISO standard requirements.

When I audit for ISO 9001 conformance, I'm checking whether your Quality Management System satisfies clauses 4 through 10 of ISO 9001:2015. Does your system address context, leadership, planning, support, operations, performance evaluation, and improvement? If yes, you conform.

Compliance: You meet legal, regulatory, and obligatory requirements.

This includes environmental laws, workplace safety regulations, industry standards, customer contract terms, and any other mandatory requirements your business must follow. These exist regardless of whether you pursue ISO certification.

The certificate on your wall says "conforms to ISO 9001:2015." It does NOT say "complies with all applicable laws and regulations."


What I'm Actually Checking in Your Audit

My job is checking two things:

First, does your management system conform to ISO requirements? I'm verifying your documented processes, implementation evidence, and effectiveness against the standard's clauses.

Second, do you have a robust system to identify and manage your compliance obligations? This is where conformance and compliance intersect.

Here's what that second part means:

ISO 9001:2015 clause 4.2 requires you to determine relevant interested parties and their requirements, and clauses 5.1.2 and 8.2.2 require you to determine and meet the statutory and regulatory requirements that apply to your products and services. The environmental and safety standards spell this out more explicitly: ISO 14001:2015 clause 6.1.3 (compliance obligations) and ISO 45001:2018 clause 6.1.3 (legal requirements and other requirements) require you to determine those obligations, and clause 9.1.2 of each requires you to evaluate compliance with them.

So I check: Do you know which laws and regulations apply to your business? How do you stay updated when they change? What's your process for ensuring you meet them? Can you show me evidence?

What I'm NOT doing:

I'm not verifying whether you actually comply with every environmental regulation, workplace safety law, or industry standard. That's beyond my scope and competence. I'm an ISO certification auditor, not a legal compliance expert in every regulatory domain.

I'm checking you have a system to manage compliance, not auditing compliance itself.

Real Scenarios From My Audit Experience

Scenario 1: The Conformant But Non-Compliant Manufacturer

I audited a metal fabrication company in Melbourne. Their QMS documentation was excellent. Procedures were well-implemented, records were maintained, training was documented. They conformed to ISO 9001 requirements beautifully.

During the site walkthrough, I noticed chemical storage that looked questionable. I asked: "What regulations apply to your chemical handling and storage?"

Blank stares. They had no legal register. No process for identifying environmental regulations. No evidence they were tracking EPA requirements.

I raised a non-conformance against clauses 4.2 and 6.1.3. Not because they violated EPA regulations; I'm not qualified to audit that. But because they had no system to identify and manage their legal obligations.

They were conformant to most of ISO 9001 but failed a critical requirement about knowing their compliance obligations.

Scenario 2: The Construction Company Missing WHS Compliance

ISO 45001 audit for a commercial construction contractor. Their safety management system documentation looked strong on paper.

I asked to see their legal compliance register. They showed me a three-year-old spreadsheet listing outdated regulations. No evidence of reviewing updates. No process for monitoring changes to state WHS legislation.

When I interviewed the site supervisor, he wasn't aware of recent changes to fall protection requirements that directly impacted their current projects.

Straight non-conformance. Their system didn't conform to ISO 45001 clause 6.1.3 requirements for determining legal and other requirements.

The real risk? They were potentially operating sites with non-compliant fall protection, exposing workers and the company to serious penalties. The ISO certificate wouldn't protect them when WorkSafe showed up.

Scenario 3: The "We're Certified So We're Compliant" Service Business

I see this a lot! A professional services firm, ISO 9001 certified for the first time. Right after the audit, they proudly posted on LinkedIn that ISO certification meant they complied with their privacy obligations under the Australian Privacy Act.

Their ISO 9001 conformance might be generally good, but they could still have a massive compliance gap. They assumed certification meant they were "covered" for everything.

ISO 9001 requires you to determine the requirements of relevant interested parties (clause 4.2) and the statutory and regulatory requirements that apply to your products and services (clauses 5.1.2 and 8.2.2). Privacy law is one of those requirements for any business handling personal information. Having a process to identify it is what the standard asks for; actually meeting the Privacy Act's obligations is something no ISO 9001 certificate attests to.

Why This Distinction Costs Businesses Real Money

Government tenders specify both.

Tender documents say: "Must hold current ISO 9001 certification AND demonstrate compliance with relevant workplace safety regulations, environmental legislation, and industry standards."

Two separate requirements. Your certificate proves the first. You need separate evidence for the second.

I've seen businesses lose $150K+ tenders because they submitted their ISO certificate as proof of compliance with specific regulations. Tender evaluators rejected them because a certificate doesn't prove regulatory compliance.

Insurance and liability issues.

Your public liability or professional indemnity policy will typically include conditions about regulatory compliance. A breach of those conditions can void or limit your coverage.

ISO certification doesn't protect you here. If you're operating in breach of workplace safety regulations and an incident occurs, your insurer will investigate your compliance status. Your ISO 45001 certificate is irrelevant if you violated the actual safety laws.

Penalties and prosecution.

Environmental regulators don't care if you're ISO 14001 certified. Workplace safety inspectors don't care about your ISO 45001 certificate.

They check actual compliance with legislation. If you're non-compliant, you face penalties, prosecution, and potentially director liability. The certificate provides zero legal protection.

Certification at risk.

If your non-compliance becomes public or results in prosecution, your certification body may suspend or withdraw your certificate.

Why? Because ISO standards require you to have systems for managing compliance obligations. If you're prosecuted for major non-compliance, it demonstrates your management system fundamentally failed. That's a conformance failure.

The Common Confusions I Hear Every Week

"We passed our ISO audit, so we're compliant with regulations."

No. You demonstrated conformance to ISO requirements, including having a system to manage compliance obligations. I didn't audit your actual compliance with every regulation—that's not my role.

"Can you verify we're compliant with EPA regulations during the audit?"

I can check whether you have a system to identify EPA requirements, track changes, and manage compliance. I cannot audit actual EPA compliance—I'm not an EPA specialist. You need EPA consultants or environmental lawyers for that.

"Our compliance audit is next month."

Be careful with terminology. If you mean your ISO conformance audit, say that. "Compliance audit" often refers to regulatory compliance audits by government agencies or customer-specific compliance verification.

These are different activities with different scopes.

"ISO certification proves we meet all customer requirements."

ISO certification proves your system conforms to ISO standards. Whether you meet specific customer requirements depends on your contract terms, which I review for evidence you have processes to manage them.

If customer contracts require specific technical standards or delivery timeframes, ISO certification doesn't automatically mean you're meeting them. Your QMS should have processes to identify and manage customer requirements, but the certificate doesn't verify that each requirement is met.

What I Actually Check: The Audit Breakdown

Stage 1 Audit - Documentation Review:

I'm checking documented processes for identifying compliance obligations. Do you have a procedure for determining applicable legal and regulatory requirements? How is it described? Who's responsible?

I look for legal/compliance registers or similar tools. How do you list requirements? How do you track changes? What's the review frequency?

Stage 2 Audit - Implementation Evidence:

I interview responsible personnel. Can they explain how they identify applicable regulations? Walk me through the last time they updated the legal register.

I review records. Show me evidence you've identified relevant requirements. Show me evaluation of compliance. Show me how you respond to changes.

I check awareness at operational level. Do site supervisors know which regulations apply to their work? Can production managers explain compliance requirements affecting their processes?

What Passes:

You have a documented process for identifying legal and compliance obligations. You maintain a register or equivalent tool listing applicable requirements.

You have evidence of periodic review and updates. You can demonstrate evaluation of compliance status. Staff at appropriate levels understand their compliance obligations.

What Fails:

No process for identifying legal requirements. Outdated or incomplete compliance registers. No evidence of reviewing regulatory changes. Staff unaware of basic compliance obligations affecting their work. No system for evaluating whether you're meeting requirements.

The Practical System You Need

Based on hundreds of audits, here's what works:

Maintain a compliance tracker (a register, or an equivalent tool) listing all applicable requirements: workplace safety laws, environmental regulations, industry standards, customer contractual obligations, and any other mandatory requirements.

Most importantly, record what each requirement means for your business.

I always ask, "Why does this XYZ regulation apply to your business?" followed by "How?" Your answer tells me the whole story behind your compliance model.

Schedule regular reviews of the tracker: quarterly, or at minimum annually. Document each review with evidence of what changed, or confirmation that nothing changed.

Include compliance obligations in your risk assessment process. Non-compliance is a risk that should be evaluated and controlled.

Train relevant staff on compliance requirements affecting their work. Site supervisors need to know safety regulations. Operations staff need to know environmental requirements. Everyone needs basic awareness.

Conduct internal compliance checks separate from ISO conformance audits. These might be self-assessments, specialist compliance audits, or external expert reviews depending on complexity.

The ISO Certification Body Perspective

What we can and cannot do:

We audit conformance to ISO standards. We check whether your management system meets standard requirements.

We verify you have systems for managing compliance obligations. We cannot verify actual compliance with every regulation; we're not specialists in environmental law, workplace safety legislation, privacy acts, industry-specific regulations, or customer-specific technical standards.

If we identify obvious non-compliance during site visits (unsafe practices, environmental violations), we'll raise it as evidence your compliance management system isn't working. But we're not conducting comprehensive regulatory compliance audits.

When we escalate issues:

If non-compliance is severe, public, or results in prosecution, we report it to our certification body. They investigate whether it demonstrates fundamental management system failure.

Serious non-compliance suggests your system for identifying and managing compliance obligations failed. That's a conformance issue that could result in certificate suspension pending corrective action.

The Bottom Line

Your ISO certificate proves conformance to the standard.

It demonstrates you have a management system meeting ISO requirements. One of those requirements is having a system to identify and manage compliance obligations.

It does NOT prove you comply with all regulations.

That's your responsibility to verify through appropriate specialist audits, legal reviews, and compliance assessments beyond the ISO audit scope.

The businesses that get this right:

They maintain robust compliance registers. They engage specialists for regulatory compliance audits separate from ISO audits. They understand ISO certification is about management system conformance, not comprehensive regulatory compliance verification.

The businesses that get burned:

They assume ISO certification means they're "compliant with everything." They rely solely on ISO audits to identify compliance gaps. They're surprised when regulators penalise them despite holding current certification.

My advice after seeing both:

Treat ISO certification as proof your management system works. Treat regulatory compliance as a separate responsibility requiring specialist verification.

When tendering, provide an ISO certificate for conformance requirements and separate compliance evidence for regulatory requirements. When managing risk, remember non-compliance creates liability your certificate won't protect you from.

At CertBetter, our mission is to simplify the ISO certification process so businesses can quickly discover, compare and request quotes from verified providers.

We verify consultants understand the conformance versus compliance distinction and can help you build systems that address both. Because getting ISO certified while remaining non-compliant with regulations is a costly mistake.

Visit certbetter.com to connect with verified ISO consultants who understand what auditors actually check and what your business truly needs beyond the certificate.

Conformance gets you certified. Compliance keeps you legal. You need both.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
