What is ISO 9001 and when should you start certification?
18 min read

What is ISO 9001 and when should you start certification?

Written By

There are around 837,000 active ISO 9001 certificates in circulation worldwide, according to the ISO Survey 2023. It is by far the most widely used management system standard in the world. But what exactly is ISO 9001 and do you need it? If you're asking this question, you're probably dealing with a tender, a customer requirement, or a growth phase where quality assurance is suddenly becoming very concrete.

This article explains what the standard involves, who encounters it in practice, what the certification process looks like, and when it makes sense to get started. Including real numbers, a practical example, and an honest answer to the question of when ISO 9001 is not the right choice.

What is ISO 9001?

The definition in plain language

ISO 9001 is the international standard for quality management systems, abbreviated QMS. The ISO 9001 framework describes what you as an organisation need to arrange in order to structurally safeguard quality: in your processes, your products, and your services.

The current version is ISO 9001:2015. ISO 9001 does not dictate what you should make or what your services should look like. The standard does specify how you organise your processes so that you consistently deliver what your customers expect, and so that you can demonstrate that you do.

The Plan-Do-Check-Act cycle as the core of the standard

The logic behind ISO 9001 is the Plan-Do-Check-Act cycle, also known as PDCA. You plan what you want to achieve (Plan), execute it (Do), check whether it works (Check), and adjust where needed (Act). You repeat that cycle continuously.

This sounds straightforward. But most organisations that start with ISO 9001 quickly discover that they systematically skip the "Check" step, or that they have no documentation to show that they go through the cycle at all. That is exactly what ISO 9001 forces: not just doing, but also proving.

ISO 9001:2015 and the upcoming revision in 2026

ISO 9001:2015 is the current version. The new edition, ISO 9001:2026, is expected in Q3 2026. The international working group ISO/TC 176 is working on a Draft International Standard; the exact publication date can be followed via the ISO/TC 176 committee page.

The 2026 version adds attention to quality culture, sustainability and climate context, better alignment with digitalisation, and a new clause for change management. Evolutionary, not revolutionary. More on this in the section on timing.

Who needs ISO 9001?

When is certification practically required?

ISO 9001 is not legally required. In practice, however, there are three situations where you cannot avoid it.

In public tenders, many Dutch municipalities, provinces, and central government purchasing bodies set ISO 9001 as a hard requirement for suppliers. Without a certificate, you won't make it through the selection round.

In enterprise supply chains, large companies impose quality requirements on their suppliers and include ISO 9001 certification in their vendor onboarding. If you as an SME service provider want to be on a supplier list, the certificate is the price of admission.

And in sectors where ISO 9001 has become the standard — construction, manufacturing, IT services, and professional services — the absence of a certificate raises questions among prospects.

Industries where ISO 9001 is the norm

In the construction sector, ISO 9001 is almost universal among contractors bidding on B2B projects. In IT services — system integrators, managed service providers, and software companies — it is a common combination alongside ISO 27001. In professional services, you see it increase as soon as companies make the move to enterprise clients.

For whom is ISO 9001 not the right choice?

The biggest mistake is starting ISO 9001 purely because a competitor has it too. For an early-stage startup that doesn't yet have repeatable processes, certification is premature. You'd be building documentation around something that isn't stable yet.

For companies that only need ISO 27001 for information security, ISO 9001 doesn't automatically come with it. Both standards share the same basic structure, but have a different scope. No customer requirement or tender obligation? Then first calculate whether the investment of €9,000 to €30,000 in the first year can be recouped.

What are the requirements of ISO 9001?

ISO 9001:2015 has 10 clauses. Clauses 1 through 3 are introductory. The substance is in clauses 4 through 10.

Context of the organisation and defining scope (clause 4)

You start by determining the context: which internal and external factors are relevant to your quality management? Think about customer expectations, applicable legislation and regulations, and your organisational structure. From that analysis, you define the scope of your QMS: what falls within it, and what does not.

Leadership and quality policy (clause 5)

ISO 9001 places explicit responsibility for quality with management. That means a documented quality policy, clear roles and responsibilities, and demonstrable management involvement. Not as a formality: auditors actively look at this.

Risk management and planning (clause 6)

Clause 6 requires a systematic risk analysis. You map out which risks threaten the quality of your processes and what you do to manage them. Opportunities — situations where you can improve quality — also need your attention. The output of the risk analysis feeds the rest of your QMS.

Documented procedures and evidence (clauses 7–8)

This is where a large part of the practical work lies. You record policy documents and procedures for your core processes, ensure employees know what is expected of them, and build evidence that your processes actually run as documented. Clause 8 covers operational execution: how do you deliver your product or service, how do you handle changes, how do you deal with non-conforming output?

With Tidal's policy center, you manage all ISO 9001-required procedures and policy documents in one place, including version history and approval workflows, so you can always show up-to-date documentation during an audit.

Internal audit, management review, and improvement (clauses 9–10)

Clauses 9 and 10 cover the "Check" and "Act" parts of the PDCA cycle. You conduct at least one internal audit per year, hold a management review, and systematically record improvements. Tidal's controls management module lets you record the corresponding controls per ISO 9001 clause and collect evidence, which significantly reduces preparation time for the Stage 1 and Stage 2 audits.

What does the ISO 9001 certification process look like?

Step 1: Scope and gap analysis

Start by determining your scope: which processes, departments, or locations fall under the certification? Then carry out a gap analysis: compare your current situation with the requirements per clause and note what is missing. This is the most valuable moment of the process. Here you discover whether you already have more in place than you think, or whether you're starting from scratch.

Step 2: Set up your QMS

Based on the gap analysis, you build your quality management system. Document quality policy and objectives, write procedures for your core processes, define roles and responsibilities, and create a risk register. Make sure the documentation reflects reality: a neat folder of procedures that nobody uses will fall apart during an audit.

Step 3: Run processes and collect evidence

ISO 9001 requires you to demonstrate that your QMS actually works, not just on paper. That means at least three months of operational evidence: measurement results, complaint logs, meeting minutes, completed checklists. The clock starts running as soon as your QMS is active.

Step 4: Conduct an internal audit

Before going to the external auditor, you conduct an internal audit: review every clause, document deviations, and implement corrective actions. An internal audit is not a formality. Auditors from the certification body see the results and check whether findings have been addressed seriously.

Step 5: Choose a certification body and schedule the Stage 1 audit

Choose an accredited certification body via the Dutch Accreditation Council (RvA). The Stage 1 audit is a documentation review: the auditor assesses whether your QMS meets the standard on paper. You receive findings — minor or major non-conformities — which you resolve before the Stage 2 audit.

Step 6: Stage 2 audit on-site

For the Stage 2 audit, the auditor visits your location. They look not only at documentation but also interview employees and verify that practice matches what you have documented. If the findings are manageable, the certification decision follows. Your certificate is valid for 3 years, with annual surveillance audits in years 2 and 3.

How long does ISO 9001 certification take and what does it cost?

Timeline

Most SMEs that already work in a structured way achieve ISO 9001 in 3 to 6 months. Those starting from scratch — without documented procedures, a risk register, or an internal audit process — should plan for 6 to 12 months.

The 3 months of evidence is the bottleneck. That's hard to compress: in practice, auditors expect at least three months of evidence — this is not a hard normative requirement, but a common audit convention. The sooner you start, the sooner you can get that clock running.

Costs for an SME

For an SME with up to 25 employees, costs in the first year are between €9,000 and €30,000. That covers audit fees at the certification body plus any consultancy and software. Over the 3-year period, including annual surveillance audits of €1,500 to €2,500 per year, you end up at €12,000 to €35,000. The difference depends on your scope and the level of external support.

Companies that already have a lot in order and document themselves will be at the lower end of that range. Those who buy in support for gap analysis, documentation, and audit preparation pay more, but also get more time back.

Nedscaper: ISO 27001 and ISO 9001 at the same time in 12 weeks

Nedscaper, a Dutch IT services provider, was facing an ISO 27001 recertification audit and also wanted to add ISO 9001. Both certificates had to be obtained before a hard audit deadline, which meant working through the entire summer.

With Tidal and consulting partner Fendix, they rebuilt their complete QMS and ISMS from scratch and obtained both certificates in 12 weeks. Project lead Maurits Broers: "The structured guidance from Tidal and Fendix, combined with the templates and workflows in the tool, made it possible to succeed."

Afterwards, Nedscaper built a decentralised compliance setup to reduce single-point-of-failure risk. Broers noted that after certification they were "looking forward to additional certifications." Read the full story: how Nedscaper obtained ISO 27001 and ISO 9001 in 12 weeks.

ISO 9001 and ISO 27001: what is the difference and can you combine them?

ISO 9001 = quality of processes, ISO 27001 = security of information

ISO 27001 certification focuses on information security: protecting data against unauthorised access, loss, or leaks. ISO 9001 focuses on quality management: consistently delivering what your customers expect.

The scope is different, the risks are different, and the audience requiring it of you is different. ISO 27001 is requested by clients who want to assess your information security. ISO 9001 is requested by clients and contracting parties who want to assess your quality processes.

The same basic structure makes combined implementation efficient

Both standards use the High Level Structure (HLS), also known as Annex SL or Harmonized Structure. This is the shared framework that ISO uses for all management system standards. Clauses such as "context of the organisation", "leadership", "planning", and "improvement" are present in both standards and largely overlapping.

If you're already working on planning your ISO 27001 journey, implementing ISO 9001 at the same time is more efficient than two separate projects. You share the internal audit, the management review, the policy document, and part of the risk assessment. As Nedscaper showed, the additional costs for the second standard can be significantly lower than when you run two completely separate projects.

When does your company need both certificates?

If you operate in IT services and work in B2B markets where both information security and quality requirements are at play, the combination has become the standard. Most technology companies aiming to serve enterprise clients or government contracts work towards both certificates.

When is the right time to start?

Signals that you're ready to get started

You're ready to start if at least one of the following situations applies: a client or potential client is specifically asking for ISO 9001, you're bidding on tenders where certification is a selection requirement, or you're growing into a phase where enterprise clients or government contracts are becoming a structural part of your pipeline.

If none of these three apply, ISO 9001 is probably not yet the priority. Start by documenting your processes as preparation: that work is never wasted.

ISO 9001:2026 is coming — is waiting a smart move?

Short answer: no. The 2026 revision, expected in Q3 2026, is not a revolution but an evolution. The changes — attention to sustainability, quality culture, digitalisation, and change management — are additions to the existing structure, not a complete overhaul. NEN confirms this in their analysis of the upcoming revision.

After publication of ISO 9001:2026, there will be a transition period of approximately 3 years. Existing 2015 certificates will not immediately become invalid. Starting with the 2015 version now is the right choice: you build a working QMS, obtain your certificate, and then adapt to the 2026 requirements during the transition period. Waiting costs you at least a year extra and solves no practical problem.

Want to know if your organisation is ready for ISO 9001?

Not sure whether your organisation is ready? Take the free Quickscan and get insight into your current quality maturity in 5 minutes — and what you need to tackle first.

Take the free Quickscan!

Frequently asked questions about ISO 9001

Is ISO 9001 mandatory?

ISO 9001 is not legally required in the Netherlands. But in practice, it is effectively mandatory if you bid on public tenders, want to be included in enterprise supplier lists, or operate in sectors such as construction, manufacturing, or IT services where certification has become the market standard. The commercial consequence of not certifying is concrete: you drop out during selection.

How long does ISO 9001 certification take on average?

SMEs that already work in a structured way achieve ISO 9001 in 3 to 6 months. Those starting from scratch should plan for 6 to 12 months. The timeline is usually determined by how quickly the organisation can absorb and adopt the implementation of a quality management system, but auditors will generally express doubt about management systems that have been running for less than 3 months. Nedscaper obtained ISO 27001 and ISO 9001 simultaneously in 12 weeks with targeted guidance and software support.

What does ISO 9001 certification cost for an SME?

For an SME with up to 25 employees, the first year costs between €9,000 and €30,000. This covers audit fees at an accredited certification body, plus any consultancy and software. Over the 3-year period, including annual surveillance audits of €1,500 to €2,500, you end up at €12,000 to €35,000. Companies that start ISO 27001 at the same time share documentation and audits and see the additional costs for the second standard decrease.

What is the difference between ISO 9001 and ISO 27001?

ISO 9001 is about quality management: consistently delivering what your customers expect. ISO 27001 is about information security: protecting data and systems. Both standards share the same structure (HLS), making combined implementation more efficient than two separate projects. For technology companies serving B2B markets, the combination has become the norm.

What changes with ISO 9001:2026?

ISO 9001:2026 is expected in Q3 2026. The changes are evolutionary: attention to quality culture, sustainability, digitalisation, and a new clause for change management. The structure of the standard remains intact. After publication, a transition period of approximately 3 years follows. Organisations starting now with the 2015 version do not need to wait: they obtain their certificate and adapt later during the transition.

Subscribe now for monthly updates: what's new at Tidal, framework news, and compliance resources.

By submitting your email you agree to our Privacy Policy.