The ISO 9001:2015 standard is the international standard that defines the requirements of a quality management system (QMS). Its purpose is not product quality in itself, but the organisation's ability to deliver, consistently, products and services that meet customer requirements and the applicable legal ones. Being certified means that an independent and accredited certification body has verified, through an audit, that this system exists, works and improves. It is important to separate two concepts that the market confuses: certification is granted by the certification body; accreditation is the recognition, by the national entity (in Spain, ENAC), that this body is competent to certify. A certificate without recognised accreditation is worth little in a serious tender.
The question every management team asks is legitimate: is the effort and the cost worth it? This article answers with measurable criteria, breaks down the process, the real costs and the expected return, and separates the genuine benefits from the marketing of the certificate hung on the wall.
What ISO 9001:2015 really requires
The 2015 version introduced the high-level structure (HLS), today called the Harmonized Structure, which aligns all management-system standards into ten common clauses and makes it easier to integrate quality, environment (ISO 14001) and safety (ISO 45001) into a single system. Its conceptual pillars are three: risk-based thinking (clause 6.1), which replaced preventive actions and requires identifying risks and opportunities; the process approach, which models the organisation as a network of interconnected processes with inputs, outputs and indicators; and leadership (clause 5), which holds top management directly accountable, eliminating the figure of the "management representative" as an alibi. The PDCA cycle (Plan-Do-Check-Act) underpins the entire system.
The certification process step by step
- Initial diagnosis (gap analysis). The organisation's current state is compared with the requirements of the standard to size the effort.
- Designing and implementing the QMS. Defining the quality policy, the process map, identifying risks, documenting the necessary information (the 2015 version reduced the mandatory paperwork) and performance indicators.
- Operation and generation of evidence. The system must run for a while (usually three to six months) to generate real records that the auditor can examine.
- Internal audit and management review. Mandatory requirements of the standard before certification.
- Two-stage certification audit. Stage 1 reviews the documentation and the readiness; Stage 2 verifies the effective implementation on the ground. If there are non-conformities, a period opens for corrective actions.
- Issuance and maintenance. The certificate is valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle.
Real costs and calculating the ROI
The cost of certifying has three components: the implementation consultancy (optional but common), the internal cost of the team hours dedicated to the system, and the fees of the certification body, which are calculated according to the audit days, which in turn depend on the number of employees and the complexity. The ROI should not be measured only in sales won, but in four concrete levers:
- Market access: many public tenders and contracts with large industrial customers require ISO 9001 as an admission requirement. Here the return is binary: without the certificate, you cannot bid.
- Reduction in the cost of poor quality: fewer reworks, fewer returns, fewer warranty claims. This is the lever most measurable internally, by comparing the non-conformity rate before and after.
- Operational efficiency: documented processes reduce the dependence on specific individuals and the training time for new hires.
- Trust and reputation: less commercial friction and a better negotiating position in the face of customer audits.
It is worth highlighting a nuance that distinguishes a well-managed certification from a merely decorative one: the true return does not come from the document, but from the process redesign it forces you to undertake. The initial diagnosis brings to light duplications, redundant controls, blurred responsibilities and recurring points of failure that the organisation had normalised without realising. An SME that uses the implementation to clarify who decides what, where conformity is measured and how an error is closed, obtains an operational benefit that would exist even if the certificate were never hung on the wall. The certification is, in that sense, a disciplinary catalyst rather than an end in itself.
Integration with other management standards
The Harmonized Structure of ISO 9001:2015 makes it possible to build an integrated management system that combines several standards under a single documentary architecture and a single audit calendar. The most common combinations are ISO 9001 (quality) with ISO 14001 (environment) and ISO 45001 (occupational health and safety), forming the well-known "QHSE trio". For technology organisations, integration with ISO/IEC 27001 on information security makes it possible to reuse the same processes for risk management, internal audit and management review, considerably reducing the cost of maintenance compared with three independent systems. An integrated system avoids the duplication of the policy, the process map and the common documentation, and presents the auditors with a single coherent body, which shortens the audit days and, therefore, the fees.
Comparison table: certified company versus non-certified
| Dimension | Without ISO 9001 | With accredited ISO 9001 |
|---|---|---|
| Tenders that require a QMS | Excluded | Admitted |
| Customer audits | Each customer audits on its own | The certificate reduces or replaces audits |
| Handling of errors | Reactive, person by person | Systematic, with root cause |
| Operational knowledge | In the heads of employees | Documented and transferable |
| Improvement | Sporadic | Continuous and measured (PDCA) |
Common mistakes that ruin the return
The cardinal mistake is certifying for the wall and not for the business: setting up a bureaucratic system parallel to the real operation, which exists only to pass the annual audit. That system costs money and generates no return, because nobody uses it. The second is excess documentation; the 2015 version deliberately reduced the mandatory procedures, and insisting on documenting everything creates a burden that the standard itself does not require. The third is delegating the system to a single person: if the QMS is "the quality manager's thing" and management does not get involved (breaching clause 5), the system dies as soon as that person leaves. The fourth is choosing a body not accredited by ENAC or another body in the IAF forum, which invalidates the certificate before serious customers. The fifth is treating the surveillance audits as a formality and ceasing to feed the system between them.
Frequently asked questions
How long does it take to obtain ISO 9001 certification?
For an SME with reasonably orderly processes, between four and nine months from the diagnosis to the certification audit. The factor that most lengthens the timeline is the need for the system to operate for a few months generating records before the Stage 2 audit; it cannot be compressed indefinitely because the auditor needs real evidence.
Does ISO 9001 guarantee that my product is of high quality?
Not directly. The standard certifies the management system, that is, the ability to meet requirements consistently and to improve. A company can make a modest product but make it reliably and in line with what was promised. What ISO 9001 guarantees is consistency and control, not the absolute excellence of the product.
How often does the certificate have to be renewed?
The certificate is valid for three years, conditional on passing the annual surveillance audits. At the end of the three-year period a recertification audit is carried out that restarts the cycle. If a surveillance audit detects major non-conformities that are not resolved, the body can suspend or withdraw the certificate.
Do I need external consultancy to get certified?
It is not mandatory: an organisation with internal knowledge can implement the system on its own. Consultancy provides speed, avoids errors in interpreting the standard and usually pays for itself in SMEs without prior experience. What must be independent of the consultant who implements is the body that certifies, to preserve impartiality.
Conclusion
The return on ISO 9001 certification is not decided in the audit, but in the intent with which it is approached. A company that uses it as a key to access tenders that would otherwise be closed to it and, at the same time, as a discipline to reduce the cost of poor quality—reworks, returns, warranty claims—recovers the investment in a measurable and rapid way. A company that sets up a paper system parallel to its real operation only adds bureaucracy and expenditure with no counterpart. The difference between the two outcomes depends on three factors that the 2015 standard itself underlines: the real involvement of management (clause 5), risk-based thinking applied to concrete decisions and the choice of a body accredited by ENAC whose seal carries weight with third parties. The certificate on the wall contributes nothing; the system behind it, when it is lived, turns quality into a repeatable process and improvement into a measured habit. At Summum Quality we support the diagnosis, the implementation adjusted to the documentation that the standard actually requires and the preparation of the audit, so that your certification is an investment with a return rather than a recurring expense.