Generic information about the management system audit and certification process.

What is a management system?

It is a set of interrelated or interacting elements (policies, processes and procedures) used by an organization to achieve its objectives and fulfill its tasks. A management system can address a single discipline (e.g. quality management system or information security management system) or multiple disciplines in an integrated management system. The organization decides what type of management system it intends to implement.

For each discipline there are management system standards (e.g. ISO 9001, ISO 14001) that set the requirements for the management system, and the organization shall follow those requirements to achieve conformity.

Regardless of type, all management systems require the organization to have documented information (policies, procedures, internal instructions, codes, etc.), to define roles and responsibilities of personnel, to define objectives and actions to achieve those objectives, and to demonstrate controlled operation of processes.

The management system is designed, documented and implemented by the organization using its own resources or external help (i.e. from a consultant). Subsequently, the management system needs to be maintained and improved.

It is important that the management system is regarded as an integral part of the organization's activities and processes and not as a separate set of requirements. Support from top management is vital for the good functioning of a management system within an organization.


What does the certification of a management system represent?


Certification is an attestation from a third party (i.e. a certification body) that the management system implemented by an organization fulfills the requirements of the standards or documents against which the organization requests certification.

So it is not exactly the company that is certified, but its management system.


How does the certification process work?


The certification process begins with an application from the organization interested in obtaining the certification. The certification body needs the application to understand what is required by the potential client and to plan its resources to provide the service as requested.

A contract for the certification services is concluded between the certification body and the client organization.

A certification audit is performed at the premises of the client organization in order to evaluate whether the implemented management system fulfills the requirements of the applicable standards or documents. The audit is performed by an audit team (it can be made up of one or several members), and the audit period depends on a number of factors.

If the conclusions of the audit and subsequent evaluations are favorable, the certification body grants the certification and issues a certificate.


How long is the certification valid?


Management system certification is valid for three years, but only on condition that surveillance audits are successfully performed in the first and second year after certification. The surveillance audits are meant to evaluate whether the certified organization continues to operate and to adhere to its management system.

A program of surveillance audits is given to the organization following certification, and it should be followed in order to maintain certification.

In the third year, before the expiration of the certification, a recertification audit is performed that will allow for another three years of certification under similar conditions.


What happens if surveillance audits are not performed?


If surveillance audits are not performed as planned*, the certification is suspended. During suspension the certification is temporarily invalid. Suspension may not exceed 6 months. After the suspension period, if the situation has not been resolved, the certification is withdrawn.

*There may be some delays in performing surveillance audits, but they have to be justified and agreed between RIGCERT and the client.



Is there evidence of certifications?


The status of any certification (valid, suspended, cancelled, expired) can be consulted here.

Anyone can request information about a certain certification by contacting RIGCERT at


What is accreditation? Is there a difference between certification and accreditation?


While certification is the service provided by certification bodies to client organizations, accreditation is provided by accreditation bodies to the certification bodies as well as to laboratories. Accreditation is a confirmation from the accreditation body that a certain certification body is competent to provide certification.



What is the process to treat appeals and complaints?


Appeals refer to RIGCERT decisions regarding a certain certification (e.g. not granting, suspending, withdrawing, etc.), while complaints may refer to a range of aspects such as: the personnel acting on behalf of RIGCERT, activities of organizations that have certifications from RIGCERT, activities of third parties connected to RIGCERT, etc.

Appeals and complaints may be submitted to RIGCERT at and are treated as confidential.

RIGCERT personnel reviewing the appeal or complaint have not been involved in the activities under discussion.

The review may include different supplementary actions, such as special audits or requests for information or opinions, and is finalized with a decision that is communicated to the appellant/complainant.

More information about the process of handling appeals and complaints can be found in the document General rules for the certification of management systems.