ISO consultant vs certification body: do you need one?

·

When a company decides to obtain an ISO certificate, the first question that arises is usually: who do I hire? The answer is not as straightforward as it seems, because two types of organisations with completely different roles are involved in the certification process: the ISO consultant and the certification body. Confusing them — or thinking they are the same thing — is the most common mistake companies make when embarking on this journey for the first time. This article gets to the root of it.

What exactly does a certification body do?

A certification body is a third-party organisation that independently audits whether your management system meets the requirements of the relevant ISO standard. If the audit is favourable, it issues the certificate. If not, it identifies the nonconformities you must address.

In Spain, the main certification bodies accredited by ENAC (the National Accreditation Body) include AENOR, Bureau Veritas (BV), SGS, TÜV Rheinland, Lloyd's Register, and DNV, among others. The body that issues the certificate cannot have been involved in the design or implementation of your system: this is expressly prohibited by ISO/IEC 17021-1, which governs how these bodies must operate. This separation exists to guarantee the impartiality and credibility of the certificate for clients, public authorities, and international markets.

In short: the certification body judges. It does not teach, does not help build the system, and does not draft procedures. It only evaluates.

What does an ISO consultant do?

An ISO consultant is the firm that accompanies you throughout the entire process leading up to the certification audit. Their work consists of designing, implementing, and maturing your management system so that, when the certification body's auditor arrives, your company is ready.

The specific tasks of a consultant vary depending on the standard and the company's starting point, but they typically include: gap analysis against the standard's requirements, design of the documentary system (policy, objectives, procedures, records), team training, support during the actual implementation of processes, conducting the prior internal audit, and correcting deviations before the certification body arrives.

At Summum Calidad we have been accompanying companies in Castilla y León and the Canary Islands through certification projects since 2007. Our ISO 9001 consultancy service covers the complete process from the analysis phase through to audit day, with a team that has first-hand knowledge of how the main certification bodies in the Spanish market work. The certificate is issued by the accredited body you choose; we prepare you to arrive with a solid system.

The key difference: who certifies and who prepares

The distinction is structural, not just a matter of role. A certification body cannot act as consultant to the same client due to conflicts of interest (ISO/IEC 17021-1, clause 5.2). A consultant does not issue certificates because it is not accredited to do so. These are two functions that, by design of the international standardisation system, must be carried out by different organisations.

Criterion ISO Consultant Certification Body
Main function Design and implement the management system Audit and certify the implemented system
Relationship with the client Collaborative: works alongside the teams Independent: impartial evaluation
Issues the certificate? No Yes, if the audit is favourable
Accreditation required Not mandatory (though a verifiable track record is advisable) Yes, by ENAC or an equivalent body (IAF)
Can do both? No. ISO/IEC 17021-1 prohibits consultancy to the same client being certified
Cost Variable depending on scope and starting point Audit fee + annual maintenance
When they step in Before the certification audit At the end of the process, to evaluate
Examples in Spain Summum Calidad, sector-specific consultants AENOR, Bureau Veritas, SGS, TÜV, DNV

Do you need to hire a consultant to get certified?

Technically, it is not mandatory. You can go directly to a certification body, which will audit you once you declare yourself ready. In practice, most companies that try without external support drag out the process for months or even years, accumulate avoidable nonconformities in audits, and end up paying more in re-audits and internal team time than a consultancy from the outset would have cost.

When does it make more sense to go without a consultant? When the company already has prior experience with ISO management systems, the internal team has dedicated time and technical knowledge of the standard, and the scope is limited. This is the case for companies extending the scope of an existing certificate or migrating from an earlier version of the standard.

When does a consultant add the most value? When the company is seeking certification for the first time, when management has no experience with the particular ISO standard, when the team cannot take on the additional workload, or when the standard is complex (ISO 27001, ISO 13485, IATF 16949). In those cases, the return on hiring a consultant is clear: shorter time to certificate, a higher first-audit success rate, and a system that actually works rather than one that exists only on paper.

How to choose the right ISO consultant

Not all consultants have the same level of specialisation or the same way of working. These are the criteria that matter most:

The real process: how the consultant-certification body relationship works

A standard certification project follows this sequence:

  1. Gap analysis. The consultant assesses your company's starting point against the standard's requirements. It identifies what you already comply with, what is missing, and the priority of each gap.
  2. Design and implementation. Processes are designed or adapted, the necessary documentation is drafted (the minimum that is useful, not thousands of pages), and the involved team is trained.
  3. Internal audit. Before calling in the certification body, the consultant conducts an internal audit simulating the real audit. Pending nonconformities are identified and corrected.
  4. Management review. Senior management reviews the system, approves objectives and resources, and demonstrates their leadership as the standard requires.
  5. Certification audit (Stage 1 and Stage 2). The certification body first conducts a document review (Stage 1) and then the on-site audit (Stage 2). If the outcome is favourable, it issues the certificate.
  6. Surveillance audits and renewal. The certificate is valid for three years, with annual surveillance audits. The consultant can also support you in this maintenance phase.

The consultant is present in steps 1 to 4. The certification body enters at step 5. They are distinct worlds that complement each other.

Accredited certification bodies in Spain: how to choose?

Once your system is ready, you will need to engage a certification body. In Spain, all bodies that can issue ISO certificates must be accredited by ENAC for the relevant certification scheme. ENAC in turn is a member of the IAF (International Accreditation Forum), which guarantees international recognition of the certificate through multilateral recognition agreements (MLA).

Criteria for choosing a certification body include: audit cost, sector recognition (AENOR carries more weight in Spanish public tenders; Bureau Veritas, TÜV, or SGS may be preferable if you export or have multinational clients), speed in scheduling audits, and quality of customer service. Your consultant should help you make this decision objectively, without commercial bias.

What happens if the certification body finds nonconformities?

This is most common, especially in initial audits. Nonconformities can be minor (isolated deviations that do not compromise the system) or major (systemic failures that prevent certification until they are addressed). A major nonconformity delays the certificate: the company must correct it and demonstrate the correction before receiving approval.

Good consultancy preparation minimises — though does not eliminate — nonconformities. In our ISO 9001 projects, the prior internal audit is precisely the filter that allows companies to reach the certification body with a consolidated system and no surprises. With more than 200 ISO certification processes accompanied since 2007, we know where the most common gaps tend to appear in each standard.

Frequently asked questions

Can I hire the consultant and the certification body at the same time?

You can make contact with both in parallel, but in practice the services are consecutive. It is advisable to have the certification body chosen from the outset (to align the documentary system with their usual audit criteria), but the formal audit should only be requested once the system is implemented and has passed the internal audit. There is no point paying for the certification audit while you are still in the implementation phase.

How long does it take to obtain an ISO certificate?

It depends on the standard, the size of the company, and the starting point. For ISO 9001 in an SME of 10–50 people, the typical timeframe in Spain is 4 to 9 months from the start of consultancy to the certification audit. More complex standards such as ISO 27001 (information security) or ISO 13485 (medical devices) usually require between 9 and 18 months. The certification body typically takes 4 to 8 weeks from the application to the audit date.

Who gives me the ISO certificate — the consultant or the certification body?

Always the certification body. The consultant cannot issue certificates because it is not accredited to do so, and even if it were, doing so for a client it has advised would constitute a conflict of interest that would invalidate the certificate's value. If anyone offers you an «ISO certificate» without involving an ENAC-accredited or equivalent body, it is not a valid ISO certificate.

Is a certificate from any certification body worth the same?

The technical value is equivalent if the certification body is accredited by ENAC (or by an IAF member body with a multilateral recognition agreement). In practice, however, brand recognition varies: in Spanish public tenders, AENOR has a stronger presence; in sectors with international supply chains, multinational clients may prefer Bureau Veritas, SGS, TÜV, or DNV. Before deciding, check the requirements of your main clients or the tender specifications for the contracts you bid for.