Blog / Article

Stage 1 and Stage 2 Certification Audits

:When Should a Certification Body Postpone Stage 2?

Understanding ISO/IEC 17021-1 Requirements and Auditor Judgment

One of the most frequently misunderstood aspects of management system certification is the purpose of Stage 1 and Stage 2 audits during an initial certification audit.

Many organizations assume that once they have completed an Internal Audit and a Management Review, they are automatically ready for Stage 2 certification. However, this is not always the case.

The requirements of ISO/IEC 17021-1 make it clear that the objective of Stage 1 extends beyond reviewing documents. The certification body must determine whether the management system has been implemented to a level that substantiates readiness for Stage 2.

This distinction is particularly important in Occupational Health & Safety Management Systems (ISO 45001), Environmental Management Systems (ISO 14001), Quality Management Systems (ISO 9001), and other management system standards where certain core processes form the foundation of the entire system.

What Does ISO/IEC 17021-1 Require?

According to ISO/IEC 17021-1, the initial certification audit is conducted in two stages:

Stage 1 Audit

The objectives include:

• Reviewing documented information.
• Evaluating site-specific conditions.
• Assessing the organization's understanding of standard requirements.
• Reviewing key processes, objectives, and controls.
• Evaluating statutory and regulatory requirements.
• Reviewing Internal Audit and Management Review activities.
• Determining whether the organization is ready for Stage 2.

One of the most important requirements appears in Clause 9.3.1.2.2(g):

The certification body shall evaluate whether the internal audits and management reviews are being planned and performed, and whether the level of implementation of the management system substantiates that the client is ready for Stage 2.

Notice that the requirement is not simply to verify that Internal Audits and Management Reviews have been conducted.

The certification body must determine whether the management system has been implemented effectively enough to proceed to Stage 2.

The ISO 45001:2018 Example

Consider an organization seeking ISO 45001:2018 certification.

During Stage 1, the auditor finds:

Positive Findings

✓ OH&S Policy established

✓ Objectives established

✓ Legal register maintained

✓ Internal Audit completed

✓ Management Review conducted

✓ Organizational context determined

Significant Concerns

✗ Hazard Identification and Risk Assessment (HIRA) incomplete

✗ Significant workplace hazards not identified

✗ Risk assessments superficial

✗ Critical controls not established

✗ Contractor risks not evaluated

✗ Work-at-height hazards overlooked

✗ Chemical exposure risks not assessed

At first glance, the organization appears to have implemented the management system. However, a closer examination reveals a fundamental weakness.

Why Hazard Identification Matters

In ISO 45001, Hazard Identification and Risk Assessment is not merely another process.

It forms the foundation upon which:

• Operational controls are established.
• Training requirements are determined.
• Emergency preparedness plans are developed.
• Legal compliance obligations are addressed.
• Objectives and improvement plans are created.
• Performance monitoring is conducted.

If significant hazards have not been identified, the organization cannot reliably determine appropriate controls.

As a result:

• Workers may be exposed to unacceptable risks.
• Legal obligations may not be adequately addressed.
• Internal audit conclusions may be unreliable.
• Management review decisions may be based on incomplete information.

In such circumstances, the effectiveness of the entire management system becomes questionable.

Does Completing Internal Audit and Management Review Prove Readiness?

No.

This is one of the most common misconceptions encountered during certification audits.

The existence of Internal Audit records and Management Review minutes does not automatically demonstrate readiness for certification.

In fact, if a severely deficient Hazard Identification and Risk Assessment process was not detected during Internal Audit and was not challenged during Management Review, this raises concerns about the effectiveness of both processes.

A competent auditor should ask:

If the organization's most critical risks have not been identified, how effective were the Internal Audit and Management Review activities?

The answer may indicate that the management system is not yet mature enough for Stage 2.

When Should Stage 2 Proceed?

Scenario 1: Minor Weaknesses

Suppose the organization has:

• Identified most workplace hazards.
• Established appropriate controls.
• Implemented a generally effective methodology.
• Missed only a few low-risk activities.

In this case, the auditor may identify Areas of Concern and recommend corrective actions before Stage 2.

The organization may still be considered ready for Stage 2.

Scenario 2: Fundamental Process Failure

Suppose:

• Major hazards have not been identified.
• Risk assessment methodology is ineffective.
• Significant risks remain uncontrolled.
• Worker safety may be compromised.

In this case, the management system implementation does not substantiate readiness for Stage 2.

The certification body should consider postponing Stage 2 until corrective actions have been implemented and effectiveness demonstrated.

What Does ISO/IEC 17021-1 Say About Postponement?

Clause 9.3.1.2.3 requires the certification body to communicate documented conclusions regarding readiness for Stage 2, including any areas of concern that could become nonconformities during Stage 2.

Clause 9.3.1.2.4 further states:

The results of Stage 1 may lead to postponement or cancellation of Stage 2.

This requirement exists to protect the integrity and credibility of the certification process.

Certification should not proceed simply because documents exist or because audit schedules have already been planned.

Certification should proceed only when sufficient evidence demonstrates that the management system has been effectively implemented.

A Practical Question for Auditors

An experienced Lead Auditor often asks a simple but powerful question:

"If I were conducting Stage 2 tomorrow, would I expect to raise a Major Nonconformity against a fundamental requirement of the standard?"

If the answer is yes, Stage 1 should identify this as a significant area of concern.

The organization should address the issue before Stage 2 is conducted.

This approach protects:

• Employees and stakeholders.
• Certification body credibility.
• Accreditation integrity.
• Confidence in accredited certification.

The True Purpose of Stage 1

Stage 1 is not a paperwork review.

Stage 1 is a readiness assessment.

The objective is to determine whether the organization has implemented its management system sufficiently to justify a full effectiveness audit during Stage 2.

Internal Audits and Management Reviews are important indicators of maturity, but they do not, by themselves, demonstrate readiness.

The certification body's responsibility is to evaluate the overall implementation and effectiveness of the management system and make an objective decision regarding Stage 2 readiness.

When significant weaknesses exist in critical processes such as Hazard Identification, Risk Assessment, Legal Compliance Evaluation, Environmental Aspect Evaluation, or Process Controls, postponing Stage 2 may be the most professional and responsible decision.

Ultimately, credible certification is not about issuing certificates.

It is about providing confidence that the management system is capable of consistently achieving its intended outcomes while protecting people, organizations, customers, and society.

My Final Thought

A certificate should never be awarded because documents exist.

A certificate should be awarded because the management system works.

That is the true intent of ISO/IEC 17021-1, the management system standards, and the accreditation process that supports confidence in certification worldwide.