Choosing a certification body seems like an administrative formality. It is not. That decision defines the credibility of your certification, the depth of the audit you will receive, and ultimately whether the certificate on your wall carries real value for your clients, regulators, and business partners.
In 15 years working as an independent auditor in Latin America, I have seen organizations invest months preparing a management system compliant with ISO 9001 or ISO 27001 and end up with a certificate issued by a body without valid accreditation. The result: rejection in international tenders, distrust from multinational clients, and an expense that generated no competitive advantage.
Certification and accreditation are not the same
This is the first point every organization needs to understand. Certification is granted by a certification body (CB) that audits your management system and verifies it meets the standard's requirements. Accreditation, on the other hand, is the process by which a national accreditation body (NAB) verifies that the CB has the technical competence, impartiality, and processes to issue trustworthy certificates.
All NABs operate under the rules of the International Accreditation Forum (IAF) and the International Laboratory Accreditation Cooperation (ILAC), the two global organizations that articulate the mutual trust system between countries.
What to verify before contracting
These are the minimum checks every organization should perform before signing a contract with a CB:
- Current accreditation for the specific scope: A CB may be accredited for ISO 9001 but not for ISO 27001. Verify that accreditation covers exactly the standard you need.
- IAF recognition: If you operate in international trade, your certificate needs recognition under the IAF Multilateral Recognition Arrangement (MLA).
- Real independence from the consultant: ISO/IEC 17021-1 requires the certification body to be independent from whoever implemented the system.
- Audit team with sector competence: Ask about the profiles of assigned auditors and their industry experience.
- Sanctions history: NABs publish resolutions on suspensions and accreditation withdrawals. Review them.
Red flags you should not ignore
- Guaranteed certification promise: No serious CB can guarantee an audit result before conducting it.
- Unrealistic timelines: An ISO 27001 certification audit for a 200-person organization cannot be done in two days.
- Absence from public registries: If you cannot find the CB in the NAB database or the IAF directory, do not contract.
- Disproportionately low price: A price 60% below market implies cuts in audit quality.
- Bundled consultancy + certification offer: This directly violates ISO/IEC 17021-1.
The role of the independent assessor
Before the certification audit, there is a prior step many organizations skip: the independent readiness assessment. A 72-hour gap assessment shows you exactly where the findings are that a competent auditor will detect.
Questions your board should ask
- Is the CB accredited by an IAF MLA signatory NAB for our specific standard?
- Do assigned auditors have demonstrable experience in our sector?
- Is there any commercial relationship between the CB and our implementation consultant?
- What is the schedule for surveillance and recertification audits?
- Have we conducted an independent readiness assessment before the audit?
ISO certification is not an end in itself. It is a trust tool. And trust starts by choosing a certification body that operates with the same standards of rigor the norm demands.