Recently, one of our readers asked, “What does it mean when a company says they operate under a Quality Management System that is in compliance with ISO 9001:2000? I’m assuming they are not ISO certified. If not, isn’t this a claim that just anyone can make?”
Right off the bat, the statement that company has “a Quality Management System that is in compliance with ISO 9001:2000” is dubious, because the current revision of the ISO 9001 standard is 2008 (hence the title ISO 9001:2008). The 2000 version was officially made obsolete a few years back. Anyone claiming to be compliant with the ISO 9001:2000 standard is behind the times. Leaving that aside, however, let’s take a closer look at the difference between compliance and certification.
Compliance vs. Certification
While they sound similar, these terms are easy to differentiate. Compliance means that your management system fully adheres to the requirements of the standard. Certification means that your management system has actually been certified to be in conformance (compliance) with all the requirements of the standard. In essence, certification is proof of a basic compliance claim, similar to a diploma, certificate or stamp. Of course, you could have a certificate that says you are compliant. However, being certified should be seen as a step above just being compliant, because certification is provided by a third-party entity.
In the statement presented, the company’s quality management system is clearly not certified, but just compliant. If the company was certified, there would be no reason why they wouldn’t state that, since being certified carries that additional value.
By the way, there is a difference between compliance and conformance, and some would argue this in great detail. But for our purposes here, I’m considering the compliance statement as conformance, not certification.
Compliant? Says Who?
When a company claims compliance, it is more than likely a self-claim. However, a third-party could verify their claim. For example, if the company’s statement read: “Mireaux Management Solutions has deemed our quality management system to be in compliance with the ISO 9001:2008 standard,” it would still be clear that the company is not certified, but at least there would be a third party to attest to their compliance.
The trick here is to figure out who Mireaux Management Solutions is. If the company making the claim is reputable, then this third-party compliance proclamation should have a lot more weight than a self-proclamation would have. If the company is unknown and untested, then one could argue, “Who the heck are they, and what gives them the authority to make that claim?”
Being certified, on the other hand, is a black and white issue. If you are ISO certified by BSI, DNV, or Bureau Veritas for example, then you have substantiated proof, in the form of a diploma, certificate or mark given to your organization by such entity, that your organization is completely compliant. It would be easy to view that certificate and know exactly who “certified” your company. In the ISO world, these companies (DNV, BSI, Bureau Veritas, etc.) are called registrars or certification bodies, which have to be accredited by a regulatory body. Of course, some registrars are not accredited, which renders their certifications about as valid as a compliance proclamation. But that’s another story (For more on unaccredited registrars, forged certificates, and other shady doings, take a look at my previous post, “This certificate smells fishy: How to find out if an ISO certificate is forged or valid.”).
Can anybody claim compliance to ISO?
Of course anybody could do this. Would that be dishonest? Not necessarily. If you feel your quality management system is truly in compliance, then you can claim you are in compliance. In fact, sometimes I recommend our smaller clients with limited budgets to wait for certification until their budgets allow. If they can implement the requirements of the standard (with our help of course) and conduct their internal audit and management review (both absolute requirements), we can actually say that they’re compliant.
However, whenever you see a compliance claim, it’s wise to verify who is making the claim and what they’re claiming, so you can decide whether the compliance claim is actually valid. If someone is claiming compliance falsely, it shouldn’t be very difficult to figure out, either by questioning them or by conducting an on-site audit. Of course, when a company is certified by a reputable registrar, there are fewer questions to ask, because they have proof of certification.