The Short Answer Most People Don't Want to Hear
First party ISO certification is when your own organisation declares that it meets the requirements of an ISO standard. No external auditor. No independent verification. Just you saying, in effect, “we comply with this standard.”
On this page
It sounds straightforward, and in some contexts it genuinely is useful. But here's the honest truth that many businesses discover too late: first party ISO certification is almost never accepted as a substitute for third party accredited certification when it comes to winning contracts, tendering for government work, or satisfying customer requirements. If you've been told you can self-certify to ISO 9001 and use that to bid on tenders, you've been given bad information.
This article explains exactly what first party certification is, where it sits in the broader certification landscape, when it actually has value, and when it will let you down. If you're trying to decide whether to self-certify or pursue proper accredited certification, this is the guide you need to read first.
Understanding the Three Parties in ISO Certification
To understand first party certification, you need to understand the three-party model that underpins all conformity assessment. The difference between certification and accreditation becomes much clearer once you understand who each party actually is.
First Party: The Organisation Itself
The first party is you, the organisation implementing the management system. When you conduct your own internal audit, review your own processes, and declare that your management system meets ISO requirements, that is first party activity. It is self-assessment. You are both the assessor and the assessed.
Second Party: Your Customers or Partners
The second party is someone with a direct interest in your organisation, typically a customer, a client, or a partner in your supply chain. When a large manufacturer audits a supplier to check whether their quality management system meets certain standards, that is a second party audit. The customer is assessing you directly.
Third Party: An Independent Certification Body
The third party is an independent organisation with no commercial interest in your business. A accredited certification body sends trained auditors to assess your management system against the requirements of an ISO standard. If you pass, they issue a certificate. That certificate is issued by an organisation that is itself accredited by a national accreditation body, such as JASANZ in Australia.
This three-tier structure exists precisely because self-declaration has obvious limitations. When you assess yourself, there is an inherent conflict of interest. Third party certification removes that conflict, which is why the market trusts it.
What First Party Certification Actually Looks Like in Practice
First party certification takes a few different forms, and it's worth being specific about each one.
Self-Declaration of Conformance
The most basic form is a written declaration that your organisation conforms to a particular ISO standard. You might produce a document stating that your quality management system meets the requirements of ISO 9001, signed off by your CEO or quality manager. Some organisations publish these declarations on their website or include them in tender submissions.
This is legally permissible. ISO standards are voluntary, and there is nothing stopping you from declaring conformance. The question is whether anyone will accept it as meaningful evidence.
Internal Audits as Evidence of Conformance
A more structured form of first party certification involves conducting formal internal audits against the full requirements of an ISO standard and documenting the results. Running rigorous internal audits is genuinely valuable for improving your management system, but the results of those audits are still internal documents. They carry no weight with external parties who have no way of verifying the objectivity or competence of the people who conducted them.
Supplier Self-Assessment Questionnaires
In some supply chains, particularly in manufacturing and resources, buyers send out self-assessment questionnaires asking suppliers to confirm compliance with various standards including ISO standards. Completing one of these is technically a form of first party declaration. It has value within that specific supply chain relationship, but it is not a transferable credential.
Where First Party Certification Has Genuine Value
It would be unfair to dismiss first party certification entirely. There are specific situations where it serves a real purpose.
Internal Improvement Before External Certification
If you are preparing to pursue third party ISO certification, conducting a thorough internal assessment against the standard requirements is an excellent starting point. It helps you identify gaps, prioritise improvements, and build the documentation you will need. Think of it as a rehearsal rather than the performance itself. Many businesses use this phase productively before engaging a certification body.
Standards Where Third Party Certification Doesn't Exist
For some ISO standards, there is no formal third party certification scheme. ISO 26000 on social responsibility is a well-known example. ISO 26000 is explicitly designed as a guidance document, not a requirements standard, so organisations cannot be certified to it. In these cases, first party declaration is the only option available, and the market understands that.
Internal Risk and Compliance Management
Some organisations implement ISO frameworks purely for internal governance purposes, with no intention of ever seeking external certification. A company might adopt the risk management principles from ISO 31000 to improve its internal processes without any commercial driver to certify. In this context, self-assessment is entirely appropriate because the audience is internal management, not external customers or regulators.
Low-Risk Supply Chain Relationships
In some lower-risk supply chain contexts, a buyer may accept a supplier's self-declaration as sufficient evidence of basic quality practices. This is more common in smaller business-to-business relationships where the buyer has an existing relationship with the supplier and the risk of non-conformance is manageable. However, as supply chains become more sophisticated and regulated, this acceptance is becoming less common.
Where First Party Certification Will Let You Down
This is the section that matters most for most businesses reading this article.
Government Tenders and Procurement
Australian government procurement, at both federal and state level, frequently requires ISO 9001 certification as a condition of tendering. The requirement is almost always for third party certification from an accredited certification body. Understanding what ISO certification is required for government tenders makes it clear that self-declaration will not satisfy these requirements. Submitting a self-declaration in response to a tender that asks for ISO 9001 certification is likely to result in your submission being rejected outright.
Construction and Infrastructure Contracts
The construction sector in Australia has some of the most stringent certification requirements of any industry. Major contractors and project owners routinely require subcontractors and suppliers to hold accredited ISO 9001 and ISO 45001 certification. ISO certification requirements in construction are well-established, and first party declarations are not accepted. If you are a subcontractor trying to get onto an approved supplier panel, you need the real certificate.
Defence and Critical Infrastructure
Defence contracts and critical infrastructure projects often require ISO 27001 certification for information security. These requirements exist because the consequences of a security failure are severe. A self-declaration that your information security management system meets ISO 27001 requirements carries no weight in this context. The whole point of the certification requirement is independent verification.
Export Markets and International Trade
If you are exporting to markets in Europe, North America, or Asia, your buyers will often require ISO certification as a condition of doing business. International buyers use third party certification as a proxy for quality and reliability precisely because they cannot audit you themselves. A self-declaration from an unknown Australian supplier will not satisfy a German procurement manager who needs evidence of quality management.
Regulated Industries
In sectors such as medical devices, food manufacturing, and pharmaceuticals, ISO certification intersects with regulatory requirements. Regulatory bodies and notified bodies require independent verification, not self-assessment. First party certification has no standing in these contexts.
The Credibility Problem at the Heart of First Party Certification
There is a fundamental credibility problem with self-declaration that no amount of internal rigour can fully overcome. When you assess yourself, the people conducting the assessment report to the same management that has a commercial interest in a positive outcome. Even if your internal auditors are genuinely independent-minded and technically competent, external parties have no way of verifying that.
This is not a theoretical concern. The ISO conformity assessment framework, governed by standards like ISO 17021, exists specifically because independent verification produces more reliable outcomes than self-assessment. The entire accreditation infrastructure, from JASANZ in Australia to UKAS in the United Kingdom, is built on the principle that independence matters.
Think about it from a customer's perspective. If a supplier tells you their products are high quality, you might believe them. But if an independent testing laboratory has certified that the products meet a defined standard, you have objective evidence. The same logic applies to management system certification.
A Common Misconception Worth Addressing
Some businesses, particularly smaller ones, encounter what are sometimes called “certificate mills” or unaccredited certification bodies that issue ISO certificates without proper independent auditing. These are not the same as first party certification, but they share the same fundamental problem: the certificate lacks independent credibility.
If you receive an ISO certificate from a body that is not accredited by a recognised national accreditation body, that certificate may be worth very little in practice. Knowing how to spot fake ISO certificates is important because submitting a certificate from an unaccredited body in response to a tender requirement for accredited certification can have serious consequences, including contract termination and reputational damage.
The rule of thumb is simple: if you need ISO certification to satisfy a customer, tender, or regulatory requirement, you need a certificate from an accredited certification body. Full stop.
What It Actually Costs to Get Proper Accredited Certification
One reason some businesses explore first party certification is cost. Third party certification does involve fees, and for a small business, those fees can feel significant. But it is worth understanding what you are actually paying for and what the return looks like.
For ISO 9001, the most widely adopted quality management standard, ISO 9001 certification costs in Australia vary considerably depending on the size of your organisation and the complexity of your operations. A small business might spend $3,000 to $8,000 for initial certification including audit fees. When you compare that to the value of a single government contract or a new export customer relationship, the return on investment is usually clear.
The cost of first party certification, on the other hand, is essentially the cost of your own time. But if it doesn't open any doors, the opportunity cost of pursuing it instead of proper certification can be substantial.
How to Move from Self-Assessment to Accredited Certification
If you have been doing internal work against an ISO standard and are now ready to pursue third party certification, the good news is that your internal work is not wasted. Here is a practical path forward.
Step 1: Gap Analysis Against the Standard
Take your internal documentation and assess it honestly against the full requirements of the standard. Where are the genuine gaps? This is where an experienced ISO consultant can add real value, because they have seen what auditors actually look for and can identify weaknesses that internal teams often miss.
Step 2: Build or Strengthen Your Management System
Address the gaps identified in your analysis. This means documented procedures, evidence of implementation, records of management review, internal audits, and corrective actions. The standard needs to be lived, not just documented.
Step 3: Choose an Accredited Certification Body
Select a certification body that is accredited by JASANZ or another recognised national accreditation body. Selecting the right ISO certification body involves more than just comparing prices. You want a body with auditors who understand your industry and a reputation for rigorous but fair auditing.
Step 4: Stage 1 and Stage 2 Audits
The certification process involves a Stage 1 audit where the auditor reviews your documentation and confirms readiness, followed by a Stage 2 audit where they assess actual implementation. If you have done the internal work properly, the Stage 2 audit should not be a surprise.
Step 5: Maintain and Improve
Accredited certification requires ongoing surveillance audits, typically annually, with a full recertification audit every three years. This ongoing cycle is what keeps your management system genuinely effective rather than a one-time exercise.
How CertBetter Can Help
If you've been relying on first party self-declaration and have now realised you need proper accredited certification, the next question is who to engage and how much it should cost. That's exactly the problem CertBetter was built to solve.
CertBetter connects businesses across Australia and globally with verified ISO consultants and accredited certification bodies. You submit one form describing your business and what you need, and you receive up to three competing quotes from vetted providers. There is no cost to you as the business seeking certification, and you are under no obligation to accept any quote.
Whether you need ISO 9001, ISO 27001, ISO 45001, or any other standard, getting multiple quotes means you can compare not just on price but on experience, approach, and fit for your industry. Visit CertBetter.com to get started.
