Certification FAQs

We realise that the world of certification can be a little overwhelming and confusing at times and we often receive those ‘not so silly’ questions from our clients and prospective clients. As a helping hand, we have put together a list of common FAQs.

If you have a question about management system certification which is not covered below, please drop us a line by clicking here.

How do I transition my ISO/IEC 27001 to the 2022 version?

There are some mandatory deadlines for existing clients certified to ISO/IEC 27001, as follows:

  • All accredited certifications to ISO/IEC 27001:2013/2017 must have transitioned to the 2022 version by 31st October 2025
  • All ISO/IEC 27001 recertification audits must be to the 2022 version from 30th April 2024

ACL have developed a straightforward process for clients wishing to transition to the 2022 version of the standard. Equally, transferring your certification to us to take advantage of our approach is also very straightforward and free of charge. If you would like to know more, please contact us.

What does the certification process involve?

If your organisation has developed a management system based on the requirements of an internationally recognised standard (for example: ISO 9001), then the next step is to seek certification.

The first step is to provide us with key information about your company and its management system; click here.

We will review your information and give you a call or drop you an email to confirm the information and maybe ask for additional details. This will be followed by a quotation for you to consider.

If you accept the quotation we will ask you to sign our Terms of Business.

After this we will begin the audit process:

  • Stage 1: this is a gap analysis style audit which determines that your management system is aligned to the respective standard.
  • Stage 2: this audit is to test the effective implementation of your management system.
  • Certification: if both Stages 1 and 2 are approved, then your organisation will become certified for a period of 3 years.
  • Surveillance: during the 3 year certification period, we must conduct surveillance audits (at least once per year). The purpose of surveillance audits is to ensure the continued maintenance of your management system in accordance with the respective standard and to sample evidence of operational controls.
  • Recertification: Towards the end of the 3 year certification period we will need to conduct a recertification audit which is similar to a Stage 2 audit.

See our 5 steps to certification page.

Can I transfer my certification to ACL?

Yes. If you wish to transfer your certification to ACL then please click here. Also please read our article about Choosing a Certification Body.

Of course there are some rules about the transfer of certification from one certification body to another, but ultimately this will be based on your organisation’s decision to transfer and the terms and conditions associated with your existing provider. ACL will guide you through this process to ensure that any transfer is compliant with accreditation rules.

See our guide for transferring certification to us.

How can I display the certification logos to promote that my organisation is certified?

You’ve worked hard to become certified and therefore it is only right that you would want to promote it. You are allowed to display the ACL certification logos on marketing materials, websites, letterheads, etc. Please refer to our Use of Certification Logos guide for the do’s and don’ts.

Nonconformities. Should I be worried and what if I don’t agree?

Actually ACL refer to nonconformities as Mandatory Actions. But either way, this is a mechanism to maintain conformance to the applicable standard (for example: ISO 9001) and the requirements of your own management system. When a mandatory action is identified during an audit this is generally to improve your management system and ensure alignment with the standard is restored.

When a mandatory action is raised you will need to provide some information and evidence before it can be closed out; this will include: correction, cause and effect and corrective action. Depending on the severity and complexity of the mandatory action, we may need to conduct an extra visit – but this will always be on a case-by-case basis.

Mandatory actions are graded (minor and major) and you can read more about these in the ACL Certification Rules.

If you don’t agree with a mandatory action which an ACL auditor has raised, then you can lodge an appeal.

What if I need to cancel a booked audit?

We appreciate that our clients may occasionally have organisational difficulties which may necessitate the cancellation of a booked audit. We also have a lot to juggle in terms of auditor resources and sometimes a short notice cancellation may have a financial implication on us. On this basis we have set out some default fees if the audit is cancelled less than 30 days prior to the booked date. You can find out more about this in the Certification Agreement signed by your organisation and ACL.

Can ACL auditors help me with the development of my management system?

Of course we will always be as helpful as possible but we must do so in an impartial manner. ACL follow stringent rules which mean that the audit process must be impartial and without conflict of interest. However, we do understand that finding the right people to help is a challenge; this is why we have built a network of recommended management system consultants. We have worked alongside these consultants during our audits and certified organisations have provided recommendations. Find a consultant.

Does every audit need to be carried out on-site?

Not necessarily. We will apply accreditation rules and a risk-based approach to determine which audits must be conducted on-site and those which may be appropriately conducted using remote methods. We must ensure that full and effective audits are achieved using a combination of auditing methods such as site tours, discussions with personnel, observations of activities and review of documented information. Over the three-year certification period, we must maintain confidence in the effective implementation of your management system based on the applicable standard. Your Account Manager will assess the applicable rules and associated risks to determine if remote options are appropriate.