Guardian Middle East LLC

ISO Certification Process

Guardian’s ISO certification process comprises six structured steps aligned with ISO/IEC 17021-1: (1) Inquiry & Quotation, (2) Application & KYC, (3) Stage 1 Audit, (4) Stage 2 Audit, (5) Certification Decision, and (6) Surveillance & Recertification. Typical timeline from contract signature to certificate issuance is 8 to 18 weeks depending on tier and complexity. Certificates are valid for 3 years with annual surveillance audits.

The Six Steps — Overview

Guardian’s certification process is built on the foundation of ISO/IEC 17021-1 (Conformity Assessment — Requirements for bodies providing audit and certification of management systems) and applicable IAF Mandatory Documents. The same six-step framework applies across all four certification tiers — Tier 1 (QS-Recognised), Tier 2 (UAF/IAS Accredited), Tier 3 (TNV Partnership), and Tier 4 (Guardian Approved Scheme) — although issuance, decision-making, and verification routes vary by tier.

Step | Stage | Outcome
1 | Inquiry & Quotation | Indicative scope, timeline, audit duration estimate, and quotation issued.
2 | Application & KYC | Formal application, customer due diligence under QFC AML/CFTR 2019, contract execution.
3 | Stage 1 Audit | Documentation review, readiness assessment, audit plan finalized.
4 | Stage 2 Audit | Full on-site assessment, audit findings, audit report.
5 | Certification Decision | Independent decision-maker review, certification decision, certificate issuance.
6 | Surveillance & Recertification | Year 1 + Year 2 surveillance audits; Year 3 recertification audit.

Each step is described in detail on its own page — linked below. The outcome of each step is documented and provides the input to the next step. Records are retained per the Quality Manual and made available for accreditation-body assessment.

Step 1 — Inquiry & Quotation

What happens

Initial conversation between the prospective client and Guardian Middle East LLC’s Client Affairs function. Scope, sites, headcount, and applicable standard(s) are discussed. Client Affairs identifies the appropriate certification tier (Tier 1, 2, 3, or 4) based on stakeholder requirements, applicable accreditation chain, and standard availability. An indicative quotation is issued covering audit duration (per IAF MD 5 and MD 11), fees, and timeline.

Inputs from the client

  • Organization name, commercial registration / trade license.
  • Standard(s) of interest.
  • Sites in scope (number, locations) and total effective headcount.
  • Activities to be certified.
  • Stakeholder requirements (e.g., ‘public-sector tender requires QS-recognized certification’).
  • Existing certifications (if any) — relevant for transfer scenarios.

Outputs to the client

  • Indicative tier recommendation.
  • Quotation including fees and audit-duration estimate.
  • Indicative timeline from contract signature to certificate issuance.
  • Information pack on next steps.

Detail page → Inquiry and quotation

Step 2 — Application & KYC

What happens

Once the quotation is accepted, the formal application is processed. Guardian Middle East LLC conducts customer due diligence (CDD) in line with QFC AML/CFTR 2019 and Qatar AML Law No. 20 of 2019. Beneficial-ownership identification under QFC General Rule 8A is verified. Sanctions screening is performed. The certification contract is finalised and executed. The client is admitted to the certification programme.

Compliance framework

  • QFC AML/CFTR 2019 — Anti-Money Laundering and Combating the Financing of Terrorism Rules.
  • Qatar AML Law No. 20 of 2019 — national anti-money laundering legislation.
  • QFC General Rule 8A — Beneficial Ownership requirements.
  • ISO/IEC 17021-1 §9.1 — Application requirements.
  • Guardian’s risk-based approach — Enhanced Due Diligence applied where indicators warrant.

Outputs

  • Executed certification contract.
  • Audit team appointment notification.
  • Audit schedule confirming Stage 1 and Stage 2 audit dates.
  • Pre-audit information request — list of documents required for Stage 1.

Detail page → Application and KYC

Step 3 — Stage 1 Audit (Documentation Review)

What happens

The Stage 1 audit is the first audit phase under ISO/IEC 17021-1 §9.3. It assesses the readiness of the management system for the Stage 2 audit. The Stage 1 audit may be conducted on-site or, where appropriate per IAF MD 4 (Use of ICT for Auditing/Assessment Purposes), partially or fully remotely.

Audit objectives

  • Review of management system documentation (policy, manual, procedures, records).
  • Evaluation of the client’s readiness for Stage 2.
  • Confirmation of the audit scope and applicable standard requirements.
  • Identification of areas requiring focused attention in Stage 2.
  • Discussion of the Stage 2 audit plan.
  • Identification of statutory and regulatory requirements applicable to the management system.

Audit standards

  • ISO/IEC 17021-1 §9.3.1 — Stage 1 audit requirements.
  • IAF MD 5 — Audit duration calculation.
  • IAF MD 11 — Sector-specific application requirements.
  • IAF MD 4 — Use of ICT for auditing where applicable.

Outputs

  • Stage 1 audit report identifying readiness status.
  • Areas of concern requiring attention before Stage 2.
  • Confirmed Stage 2 audit plan, dates, and scope.
  • If significant nonconformities are identified, Stage 2 may be deferred until resolved.

Detail page → /process/stage-1-audit/

Step 4 — Stage 2 Audit (Full Assessment)

What happens

The Stage 2 audit is the full on-site assessment of the management system in operation, conducted under ISO/IEC 17021-1 §9.3.2. The audit team evaluates conformity with all applicable requirements of the standard, gathers objective evidence, and identifies nonconformities (if any). Stage 2 is typically conducted on-site, with remote elements applied selectively per IAF MD 4.

Audit objectives

  • Verification that the management system is implemented and effective.
  • Evaluation of management commitment, leadership, and management review.
  • Assessment of the client’s performance against measurable objectives.
  • Verification of internal audit programme, corrective actions, and continual improvement.
  • Audit-trail sampling of records, processes, and outcomes.
  • Site visits to confirm scope coverage.

Nonconformity classification

  • Major nonconformity — failure to fulfil one or more requirements of the management system standard, or a situation that raises significant doubt about the ability of the management system to achieve intended outputs.
  • Minor nonconformity — non-fulfilment of a requirement that does not affect the capability of the management system to achieve intended outputs.
  • Opportunity for improvement — observation that does not constitute a nonconformity but could enhance effectiveness.

Outputs

  • Stage 2 audit report including audit findings, nonconformities, and recommendations.
  • Closing meeting with the client to communicate findings.
  • Corrective action plan agreed for any nonconformities raised.
  • Audit team recommendation to the certification decision-maker.

Detail page → /process/stage-2-audit/

Step 5 — Certification Decision & Issuance

What happens

The certification decision is made by an appointed decision-maker who is structurally independent of the audit team that conducted the underlying audit. The same individual cannot serve as audit team leader and decision-maker for the same certification engagement. The decision is documented to the level required by ISO/IEC 17021-1 §9.5.

Decision-making framework

  • Structural independence — decision-maker not a member of the audit team.
  • Documented review — review of audit findings, nonconformity classifications, corrective action evidence (where required), and audit team recommendations.
  • Decision options — grant certification, defer pending corrective action, or refuse certification.
  • Records retention — under Guardian’s Quality Manual, available to the accreditation body.

Tier-specific decision authority

  • Tier 1, Tier 2 (excluding ISO 22301) — decision-maker appointed by Guardian Assessment Pvt Ltd; certificate issued by Guardian Assessment Pvt Ltd.
  • Tier 2 (ISO 22301 only) — decision-maker appointed by the Third-Party CB (IAS MSCB 154); Guardian Middle East LLC coordinates as local representative.
  • Tier 3 — decision-maker appointed by TNV Global Limited; certificate issued by TNV Global Limited; Guardian Middle East LLC coordinates as local representative.
  • Tier 4 (Guardian Approved Scheme) — decision-maker appointed by Guardian Middle East LLC; certificate / attestation issued under Guardian’s internal scheme.

Outputs

  • Certification decision (or attestation decision for ISO 26000).
  • Certificate / attestation issued.
  • IAF CertSearch listing initiated for accredited certificates (Tier 1, 2, 3).
  • Certificate register updated.

Detail page → Certification decision

Step 6 — Surveillance & Recertification

What happens

Following initial certification, the client enters the 3-year certification cycle. Year 1 and Year 2 of the cycle each require a surveillance audit. Year 3 requires a recertification audit. Successful recertification triggers issuance of a new 3-year certificate, beginning the next 3-year cycle.

Surveillance audit objectives

  • Confirmation that the management system continues to fulfil applicable requirements.
  • Verification that the client maintains effective management of changes affecting the certified scope.
  • Audit of nominated processes and elements (sampled across the cycle).
  • Review of the use of certification marks and reference to certification.
  • Review of the client’s response to changes in standards, regulatory environment, or accreditation requirements.

Recertification audit objectives

  • Comprehensive evaluation of the management system over the 3-year cycle.
  • Assessment of the system’s continued effectiveness and improvement.
  • Review of all audit findings, nonconformities, and corrective actions over the 3-year cycle.
  • Decision to renew certification for a further 3-year cycle.

Other events during the cycle

  • Scope variation — changes to certified scope require formal application and may trigger additional audit days.
  • Site additions / closures — material site changes require notification and may require special audit.
  • Suspension — for material nonconformities not addressed within agreed timelines.
  • Withdrawal — for unresolved suspension or material breach of the certification agreement.
  • Transfer — clients transferring from another certification body — see /process/certification-transfer/ in Wave 2.

Detail page → Surveillance and Recertification

Typical Timeline

The total timeline from contract signature to initial certificate issuance varies by tier and complexity. Indicative timelines:

Tier | Typical Timeline | Driver of Variation
Tier 1 (QS-Recognised) | 8 to 16 weeks | Headcount, complexity, scope, and integration of management systems.
Tier 2 (UAF / IAS) | 10 to 18 weeks | Risk-assessment artefacts, especially ISO/IEC 27001 and ISO 22301.
Tier 3 (TNV Partnership) | 12 to 20 weeks | Sectoral complexity, including medical devices, AI, and energy reviews.
Tier 4 (Guardian Approved Scheme) | 8 to 14 weeks | No external-accreditation-related steps; otherwise as Tier 1.

Audit duration itself is a function of effective headcount, complexity, sites, sectoral risk, and integration of management systems — calculated under IAF MD 5 (QMS, EMS, OHSMS, FSMS) and IAF MD 11 (Sector-Specific Application). Specific durations are provided in the audit team appointment notification before each audit.

Records, Confidentiality, and Information Security

Throughout all six steps, records of audit information, client documentation, and personal data are handled with strict confidentiality and information-security controls aligned with ISO/IEC 17021-1 §8.5, ISO/IEC 27001 controls, and Qatar PDPPL Law 13/2016 / QFC Data Protection Regulations.

  • Audit information — collected, transmitted, processed, and retained under controlled access.
  • Personal data — handled under documented privacy notices, with data subject rights respected.
  • Personal Data Breach — notification to the QFC Data Protection Office within 72 hours of becoming aware.
  • Confidentiality of audit findings — disclosed only to the client and persons authorised by Guardian’s procedures, except where disclosure is required by law, regulator request, or accreditation body assessment.
  • Records retention — per Guardian’s Quality Manual, typically 3 cycles (9 years) for audit records, longer for legal-hold matters.

Complaints & Appeals

Guardian operates an independent complaints and appeals process compliant with ISO/IEC 17021-1:2015.
Full process: → /complaints-appeals/

Frequently Asked Questions

Typical timeline from contract signature to initial certificate issuance is 8 to 18 weeks depending on tier, scope, and organisational maturity. Tier 1 (QS-Recognised) typically 8 to 16 weeks; Tier 2 (UAF/IAS) typically 10 to 18 weeks; Tier 3 (TNV Partnership) typically 12 to 20 weeks; Tier 4 (Guardian Approved Scheme) typically 8 to 14 weeks. Audit duration follows IAF MD 5.

Stage 1 is the documentation review and readiness assessment under ISO/IEC 17021-1 §9.3.1 — it confirms the management system is ready for full assessment. Stage 2 is the full on-site assessment of the system in operation under §9.3.2 — it identifies nonconformities and produces the audit report on which the certification decision is based. Stage 1 may be remote in part; Stage 2 is typically on-site.

Certification decisions are made by an appointed decision-maker who is structurally independent of the audit team that conducted the audit. The same individual cannot serve as audit team leader and decision-maker for the same engagement. The decision-maker reviews audit findings, nonconformities, corrective action evidence, and the audit team recommendation before making the decision.

Accredited management system certifications have a 3-year validity. The cycle comprises Year 1 (initial certification — Stage 1 + Stage 2 + decision), Year 2 (surveillance audit), and Year 3 (surveillance OR recertification audit). Successful recertification at Year 3 issues a new 3-year certificate. Tier 4 follows the same cycle for management system standards; ISO 26000 attestation is annual.

Where appropriate and aligned with IAF MD 4 (Use of ICT for Auditing/Assessment Purposes), portions of audits may be conducted remotely. Stage 1 is more readily delivered remotely than Stage 2. Determination is case-by-case considering risk, sector, complexity, and the client's information security posture. Most ISO/IEC 27001 audits include significant remote review of policies, procedures, and technical controls.

Major nonconformities require corrective action evidence before the certification decision can be made — additional audit time may be required to verify closure. Minor nonconformities are addressed through documented corrective action plans, with verification at the next surveillance audit. Opportunities for improvement do not require formal corrective action but are recorded for management consideration.

Audit duration is calculated under IAF MD 5 (Audit Duration of QMS, EMS, OHSMS, FSMS) and IAF MD 11 (Sector-Specific Application). Inputs include effective headcount, sites, complexity, sectoral risk, and integration of management systems. Standard-specific Mandatory Documents (e.g., IAF MD 9 for ISO 13485, IAF MD 22 for ISO/IEC 27001) apply additional rules. Specific durations are confirmed in the audit team appointment notification.

Yes. Audit information, client documentation, and personal data are handled under strict confidentiality controls aligned with ISO/IEC 17021-1 §8.5 and Qatar PDPPL Law 13/2016 / QFC Data Protection Regulations. Records are accessed only by personnel authorised under Guardian's procedures, except where disclosure is required by law, regulator request, or accreditation body assessment.

Audit findings can be challenged on the spot during the audit closing meeting — the audit team will reconsider findings against objective evidence. Disagreements that cannot be resolved at audit level can be raised through Guardian's formal Complaints and Appeals process at /legal/complaints-and-appeals/. The Complaints and Appeals process is independent of the audit team and the certification decision-maker.

Yes, subject to applicable IAF MLA transfer rules and ISO/IEC 17021-1 §9.1.3. Transfer eligibility depends on the existing certificate's accreditation status, validity, and absence of major outstanding nonconformities. Transfer typically requires a transfer review including verification of the existing certificate, reasons for transfer, and the most recent audit reports. Detail in Wave 2 at /process/certification-transfer/.

No. Under ISO/IEC 17021-1 §5.2 and applicable IAF Mandatory Documents, certification bodies must be impartial. Guardian Middle East LLC does not provide consultancy, advisory, training, gap-analysis, or implementation services to clients seeking certification. Free, generic Implementation Kits at /resources/implementation-kits/ are not consultancy. Clients seeking pre-audit support should engage independent consultants.

Multi-site organisations can be certified under a single integrated certificate with site-specific scope statements, subject to IAF MD 1 (Multi-Site Sampling). Sampling rules govern how many sites are visited per audit cycle, based on total site count, headcount distribution, and sectoral risk. Specific multi-site sampling plans are agreed at audit team appointment and documented in the audit plan.

Compliance Notes

Guardian Middle East LLC is a QFC-licensed entity under QFC Licence 03870. The information on this page is published in the interests of transparency and is consistent with the QFC Licence and Certificate of Incorporation issued by the QFC Authority and Companies Registration Office on 21 August 2025. For the authoritative public record of QFC-registered entities, visit the QFC Public Register at qfc.qa.