If a customer has asked for ISO certification and you are the whole business, the first question is usually very direct: can a one person company get ISO certified, or do you need employees, an office, and a corporate structure first?
The honest answer is yes, a one-person company can often get ISO certified. But ISO certification is not a certificate for you as an individual. It is certification of a management system operated by your business, even if that business is a sole trader, freelancer, consultant, small SaaS company, contractor, or home-based manufacturer.
Quick Answer
Yes, a one-person company can get ISO certified if it has a defined business activity, a clear certification scope, documented processes, records, and evidence that the management system is being followed. Certification is awarded to the organization or business entity, not to the person personally.
The main challenge is proving independence where required, especially for internal audit under Clause 9.2. A micro-business should keep its ISO system lean: simple procedures, clear records, realistic objectives, and evidence that work is controlled consistently.
In This Guide
- Can a One Person Company Get ISO Certified?
- Can a Freelancer or Sole Trader Get ISO Certification?
- What ISO Standard Is Best for a One-Person Business?
- What Documents Does a One-Person Company Need for ISO Certification?
- ISO Certification Without Employees: How Does Internal Audit Work?
- Can ISO Certification for Small Business Be Done With Templates?
- ISO 9001 for One Person Company: Common Mistakes to Avoid
- Frequently Asked Questions
- Next Steps
Can a One Person Company Get ISO Certified?
Yes, a one-person company can get ISO certified if it can show that it operates as a real business with a management system that can be audited. The number of employees is not the deciding factor. The deciding factor is whether there is a defined scope, controlled work, documented information, records, responsibilities, risks, objectives, internal audit, management review, and corrective action.
Where people get confused is the difference between personal certification and management system certification. ISO 9001:2015, ISO 27001:2022, ISO 14001:2015, and ISO 45001:2018 are management system standards. They are not qualifications for an individual person.
Can an individual be ISO certified?
For the common business standards, an individual is not usually “ISO 9001 certified” or “ISO 27001 certified” personally. The certified entity is the organization, business, sole trader operation, limited company, or defined trading activity.
That distinction matters. A freelance consultant may be the only person in the business, but the certificate should still describe the business activity, such as “provision of software development services” or “consulting and project management services.” It should not simply certify the person as a professional.
Is ISO certification for a person or a company?
ISO management system certification is for a company, organization, or defined business system. That can include a very small business, but there still needs to be a system to audit.
An auditor from a certification body will look for evidence that your business has defined how work is done, how risks are managed, how customer requirements are controlled, and how improvement happens. If everything exists only in your head, certification will be difficult. If your business has clear records and repeatable processes, certification becomes realistic.
Quick check: Can you describe your ISO certification scope in one sentence without using vague words like “all services” or “general consulting”? If not, start there. Clause 4.3 requires the scope of the management system to be defined.
For a small business, the scope should be narrow and accurate. A one-person SaaS company might certify “development, hosting, and support of cloud-based workflow software.” A garage-based manufacturer might certify “custom design and manufacture of precision metal components.” A freelancer might certify “provision of cybersecurity consulting and risk assessment services.”
This is also why early planning matters. A lean ISO system should match the business you actually operate, not the business you hope to become in five years.
Can a Freelancer or Sole Trader Get ISO Certification?
ISO certification for sole trader businesses is possible where the business has a defined legal or trading identity and can provide auditable evidence. A sole trader, freelancer, contractor, or independent consultant may not have employees, but they still have customers, suppliers, risks, records, contracts, equipment, data, and work methods.
The auditor is not expecting a corporate hierarchy. They are expecting a working management system proportionate to the size and risk of the business.
Can a home-based business get ISO 9001 certified?
A home-based business can get ISO 9001:2015 certified if the activities within the certification scope can be audited and controlled. ISO 9001 focuses on quality management, customer requirements, process control, performance evaluation, and improvement. It does not require a traditional office, factory reception, or separate commercial premises.
For a home-based manufacturer or service provider, the practical questions are more specific:
- Where is the work performed?
- What equipment, software, or tools are used?
- How are customer requirements captured and reviewed?
- How are suppliers selected and controlled?
- How are nonconforming outputs handled under Clause 8.7?
- How are records protected and retained?
If you work from a garage, workshop, spare room, coworking space, or cloud-based environment, the location needs to be described honestly. The certification body may audit remotely, on site, or through a mix of both depending on the standard, risks, and accreditation requirements.
Can a one-person SaaS company get ISO 27001 certified?
A one-person SaaS company can pursue ISO 27001:2022 certification if it operates an Information Security Management System and can show control over information security risks. This is common where enterprise customers require evidence of security before signing contracts.
ISO 27001:2022 is more demanding than simply writing a few policies. You need an ISMS scope, risk assessment, risk treatment plan, Statement of Applicability, information security objectives, internal audit, management review, incident process, and evidence for relevant Annex A controls.
The fact that you are the only person does not remove the need for evidence. It changes the scale. For example, access control records may be simple if only one administrator account exists, but you still need to show how access is approved, reviewed, protected, and removed when tools change.
For broader small-business implementation guidance, see our guide on how an ISO documentation toolkit can help small businesses.
How do you separate business and personal resources for ISO certification?
One-person businesses often mix personal and business resources. That is normal, but ISO certification becomes harder if there is no boundary at all.
You should be able to separate business and personal resources in areas such as:
- Business email accounts and customer communication
- Cloud storage used for business records
- Devices used for customer work
- Financial records and supplier invoices
- Tools, equipment, or calibration records
- Workspace or workshop controls where relevant
- Data backup and access controls
This does not always mean buying separate everything. It means defining what is part of the management system and controlling it. If your personal laptop is also your business device, the ISO question is not “is it personal?” but “is it controlled, secured, maintained, backed up, and suitable for the work?”
Pro tip: For a one-person business, avoid writing procedures that assume departments, managers, and approval chains you do not have. Write “The business owner reviews customer requirements before accepting work,” not “The Sales Department submits contracts to the Quality Manager.”
What ISO Standard Is Best for a One-Person Business?
The best ISO standard for a one-person business depends on why the customer, tender, or market is asking for certification. ISO certification for small business should be driven by commercial need, not by whichever standard sounds most impressive.
If a customer says “we need ISO 9001,” they usually care about quality and consistency. If they ask for ISO 27001, they care about information security. If they ask for ISO 14001 or ISO 45001, they may be managing environmental, contractor, health and safety, or supplier risk.
| Business situation | Most relevant ISO standard | What the auditor will focus on | Typical documentation focus |
|---|---|---|---|
| Freelancer, consultant, agency, manufacturer, or service provider asked for quality certification | ISO 9001:2015 | Customer requirements, process control, supplier control, quality objectives, corrective action | Quality policy, scope, process map, procedures, forms, records, internal audit, management review |
| SaaS, IT services, cybersecurity, managed services, or data handling business | ISO 27001:2022 | Information security risks, Statement of Applicability, access control, incidents, suppliers, Annex A controls | ISMS scope, risk assessment, risk treatment plan, SoA, security policies, asset inventory, audit records |
| Contractor, site-based service provider, installer, maintenance provider, or physical-risk activity | ISO 45001:2018 | Hazards, legal requirements, worker consultation, operational controls, incidents, emergency preparedness | OH&S policy, risk assessment, legal register, procedures, inspection records, incident records |
| Supplier with environmental requirements from public sector, construction, manufacturing, or enterprise customers | ISO 14001:2015 | Environmental aspects, compliance obligations, operational controls, emergency preparedness, monitoring | EMS scope, aspects register, compliance register, objectives, procedures, monitoring records |
| Small company asked for quality, environmental, and health and safety certification together | Integrated IMS for ISO 9001, ISO 14001, and ISO 45001 | Shared processes across quality, environmental, and OH&S requirements | Integrated policy, risk register, objectives, procedures, internal audit, management review |
If ISO 9001:2015 is the customer requirement, our ISO 9001 Documentation Toolkit gives you a structured starting point for the QMS documents and records a small business needs.
ISO 9001 for one person company: when is it the right choice?
ISO 9001:2015 is usually the right standard when the customer is concerned about quality, consistency, contract control, delivery, complaints, and continual improvement. It works for service businesses as well as manufacturing businesses.
For a one-person company, ISO 9001 does not need to become a corporate bureaucracy. The core question is simple: can you show that customer requirements are understood, work is planned, outputs are checked, suppliers are controlled, problems are corrected, and performance is reviewed?
Can a sole trader get ISO 27001 certification?
A sole trader can seek ISO 27001:2022 certification where there is a business entity or trading activity that can be scoped and audited. This is most relevant for IT consultants, SaaS founders, cloud service providers, software developers, penetration testers, virtual CISOs, and managed service providers.
The key challenge is evidence. You need to show that information security risks are assessed, controls are selected, records are retained, and security performance is reviewed. A one-person business may have fewer systems than a large company, but the ISMS still needs to be complete.
When do ISO 14001 and ISO 45001 matter for a one-person contractor?
ISO 14001:2015 and ISO 45001:2018 matter when your work creates environmental or health and safety risk, or when customer procurement requires it. A one-person contractor may still use chemicals, vehicles, tools, lifting equipment, subcontractors, or site access arrangements.
If your work is purely desk-based, ISO 14001 or ISO 45001 may be unnecessary unless a client specifically requires it. If your work involves physical site activity, construction, installation, maintenance, logistics, or public sector supply chains, these standards may become commercially important.
What Documents Does a One-Person Company Need for ISO Certification?
A one-person company needs enough documented information to prove the management system is planned, implemented, checked, and improved. It does not need a giant manual with 60 procedures unless the business risk justifies it.
ISO standards use the term “documented information.” In practice, that means a combination of policies, procedures, registers, forms, records, logs, meeting notes, audit reports, and evidence from normal business tools.
How much ISO documentation does a micro-business need?
A micro-business needs documentation that matches its scope and risk. For ISO 9001:2015, that usually includes a quality policy, scope statement, process map, risk and opportunities register, quality objectives, customer requirement review process, supplier controls, nonconformity and corrective action process, internal audit records, and management review records.
For ISO 27001:2022, you should expect more security-specific documentation, including an ISMS scope, information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, asset inventory, access control records, incident procedure, supplier security review, internal audit, and management review.
Clause 7.5 is the key documentation clause across many modern ISO management system standards. It requires documented information to be controlled, available where needed, suitable for use, protected, and updated when necessary.
What records does an ISO auditor expect from a one-person business?
An auditor will usually ask for evidence that the system is not just written but operating. For a one-person company, records might be simple, but they still need to exist.
- Scope statement and process map
- Risk register or risk assessment
- Objectives and progress updates
- Customer requirement reviews or approved quotations
- Supplier evaluations or approved supplier list
- Training and competence records, even if the only worker is the owner
- Monitoring records, inspection results, service checks, or project reviews
- Internal audit report under Clause 9.2
- Management review record under Clause 9.3
- Corrective action records under Clause 10.2
Many one-person companies already have some of this evidence scattered across email, accounting software, CRM tools, ticketing systems, cloud folders, project boards, or supplier invoices. The ISO work is often about organizing and controlling what already exists.
Quick check: Pick one completed customer job from the last 3 months. Can you show the enquiry, agreed requirements, delivery evidence, quality check, invoice, and any customer feedback? That single job can reveal most documentation gaps quickly.
How do you keep ISO documentation simple for a one-person company?
The best approach is to write procedures around real work. If you quote work by email, say that. If you manage tasks in Trello, Asana, Monday, Jira, or a spreadsheet, reference that. If you review suppliers once a year, define that frequency and keep the record.
Do not create fake complexity. A one-person business does not need separate procedures for sales, operations, purchasing, customer service, and management if one controlled workflow covers the actual process.
A simple ISO system should answer four practical questions:
- Define what is covered: Write a narrow scope that states the business activity, location or remote setup, and any exclusions or boundaries.
- Document how work is controlled: Create short procedures for quoting, customer requirements, delivery, supplier control, records, and corrective action.
- Keep evidence as you work: Save records from real projects, audits, reviews, risk assessments, supplier checks, and customer feedback.
- Review and improve the system: Run internal audit, management review, and corrective action before the certification audit.
This is where templates can save a lot of time. The risk is not using templates. The risk is using templates without tailoring them to the way your business actually operates.
ISO Certification Without Employees: How Does Internal Audit Work?
ISO certification without employees is possible, but internal audit is usually the hardest part. Clause 9.2 requires the organization to conduct internal audits at planned intervals to check whether the management system conforms to requirements and is effectively implemented.
The difficulty is independence. If you are the only person in the business, you may own every process. Auditing your own work creates a conflict because you are checking decisions you made yourself.
Who can do the internal audit for a one-person company?
For a one-person company, the safest option is usually to use an external competent person for the internal audit. This could be an ISO consultant, another qualified auditor, a trusted professional with audit competence, or a separate contractor who understands the standard and is independent of the work being audited.
Some certification bodies may accept a carefully managed self-audit in very limited circumstances, but you should not assume that. Ask your certification body before relying on it. A minor shortcut here can become a nonconformity during Stage 1 or Stage 2 audit.
If ISO 9001 is your target, an ISO 9001 internal audit template can help you structure the audit questions, evidence review, findings, and corrective actions.
Can I do my own ISO internal audit if I am the only person?
You can prepare for internal audit yourself, but you should be cautious about performing the entire audit independently if you own all the processes. ISO auditors look for objectivity and impartiality in the audit process.
A practical compromise is to complete a self-assessment first, fix obvious gaps, then ask an external person to perform or review the formal internal audit. That gives you both preparation and independence.
What happens during Stage 1 and Stage 2 audits for a micro-business?
Most certification audits are split into Stage 1 and Stage 2. Stage 1 checks readiness: scope, documented information, key records, internal audit, management review, and whether the business is ready for full assessment. Stage 2 checks implementation in more detail.
For a one-person company, the audit may be shorter than for a larger organization, but it is not automatically easy. The auditor may ask very direct questions because there are fewer people to interview and fewer records to sample. If the system is only theoretical, that becomes obvious quickly.
Pro tip: Complete internal audit and management review before applying for the Stage 1 audit. For a small business, these two records often make the difference between “ready to proceed” and “not enough evidence yet.”
Can ISO Certification for Small Business Be Done With Templates?
ISO certification for small business can be done with templates, provided the templates are customized and implemented. A certification body does not certify your template pack. It certifies your management system.
Good templates give you structure. They help you avoid starting from a blank page, missing required clauses, or writing inconsistent documents. For a one-person business, that can be the difference between a realistic project and a project that stalls for months.
Can a small business use ISO templates instead of a consultant?
A small business can use ISO templates instead of a consultant when the business is relatively simple, the owner has time to customize the documents, and the standard is not being implemented under extreme deadline pressure. This is especially common for ISO 9001:2015 and some straightforward ISO 27001:2022 implementations.
A consultant may still be useful when the scope is complex, multiple sites are involved, customer deadlines are tight, legal compliance is difficult, or the internal team does not have time to manage the project.
For a deeper explanation of what a toolkit includes and how to use one properly, read our guide to ISO toolkits explained.
What should ISO templates include for a one-person company?
For a one-person company, ISO templates should include editable Word documents, practical registers, forms, audit tools, management review templates, and guidance notes that help you tailor the system. Avoid template packs that assume large departments, complex approval chains, or dozens of roles you do not have.
Look for templates that cover:
- Scope and context of the organization
- Interested parties and requirements
- Risk and opportunity management
- Objectives and planning
- Documented information control
- Operational procedures
- Supplier and outsourced process control
- Internal audit
- Management review
- Corrective action and continual improvement
When does a one-person company need ISO consulting support?
A one-person company may need consulting support if the customer deadline is close, the certification scope is unclear, multiple ISO standards are required, or the business handles high-risk activities such as sensitive data, hazardous work, regulated products, or complex supplier chains.
Consulting support can also help with internal audit independence, gap analysis, and certification body selection. The important point is to use help where it adds value, not to overbuild the whole system just because the business is small and nervous.
ISO 9001 for One Person Company: Common Mistakes to Avoid
ISO 9001 for one person company projects usually fail for practical reasons, not because ISO 9001:2015 is impossible for small businesses. The most common issue is overcomplication. The owner tries to build a corporate QMS, then cannot maintain it.
The second common issue is the opposite: writing a few policies but keeping no evidence. ISO certification sits between those extremes. You need enough structure to prove control, but not so much documentation that the system becomes unusable.
What are the most common ISO mistakes for one-person businesses?
- Trying to certify the person instead of the business: The certificate scope should describe the business activity, not your personal skillset.
- Writing procedures for departments that do not exist: Keep roles realistic. “Business owner” is often enough.
- Choosing a scope that is too broad: A narrow scope is easier to audit and maintain.
- Skipping internal audit independence: Clause 9.2 still matters, even if there is only one worker.
- Holding no management review: Clause 9.3 requires management review, and for a one-person company that can be a structured owner review.
- Keeping no records: Policies alone do not prove implementation.
- Buying templates and not customizing them: Auditors can usually spot generic documents quickly.
How can a one-person company prepare for an ISO certification body audit?
Start by confirming the standard, certification scope, business address, audit method, and expected audit duration with the certification body. Ask whether remote audit is possible, what evidence they expect before Stage 1, and how they handle one-person organizations.
Then run a gap analysis against the clauses of the chosen standard. For ISO 9001:2015, pay close attention to Clause 4.3 scope, Clause 6.1 risks and opportunities, Clause 7.5 documented information, Clause 8 operation, Clause 9.2 internal audit, Clause 9.3 management review, and Clause 10.2 corrective action.
If you are certifying in a specific market, requirements and expectations may also vary by customer sector and certification body. For UAE-based businesses, our ISO 9001 certification UAE guide explains the local certification process in more detail.
What evidence should a one-person company collect before ISO audit?
Collect evidence from real work, not invented examples. Auditors prefer genuine records from recent jobs, tickets, projects, quotations, supplier reviews, risk reviews, inspections, customer feedback, and corrective actions.
Before the certification audit, make sure you can show:
- At least one completed internal audit
- At least one completed management review
- Current scope statement and policy
- Current risk and opportunities register
- Objectives with measurable progress
- Records from actual customer work
- Evidence of supplier or outsourced process control
- Corrective action records, even if only minor issues were found
Quick check: If every ISO record was created in the same week, the auditor may question whether the system is mature enough. Build evidence over several weeks or months where possible, especially before Stage 2.
Frequently Asked Questions
Can a one-person company get ISO 9001 certified?
Yes, a one-person company can get ISO 9001:2015 certified if it has a defined business scope, documented quality management system, records, internal audit, management review, and evidence that customer requirements are controlled. The certificate applies to the business management system, not the person as an individual professional.
Can a freelancer get ISO certification for their business?
Yes, a freelancer can get ISO certification for their business if the freelance activity is structured as an auditable organization or trading entity. The freelancer must define the certification scope, document how work is controlled, keep records, manage risks, complete internal audit, and pass assessment by a certification body.
Can a sole trader get ISO 27001 certification?
Yes, a sole trader can pursue ISO 27001:2022 certification if the Information Security Management System has a clear business scope and enough evidence to audit. The sole trader will need an ISMS scope, risk assessment, risk treatment plan, Statement of Applicability, policies, records, internal audit, and management review.
Can I get ISO certified without employees?
Yes, you can get ISO certified without employees if the business has a management system that can be audited. ISO standards do not require a minimum employee count for certification, but they do require defined responsibilities, controlled documented information, evidence of implementation, internal audit, management review, and corrective action.
Can I do my own ISO internal audit if I am the only person?
You can prepare for your own ISO internal audit, but a one-person company should be careful about auditing its own work because ISO internal audits should be objective and impartial. The safest approach is often to use an external competent auditor or have an independent person review the formal internal audit.
How much does ISO certification cost for a one-person company?
ISO certification cost for a one-person company depends on the standard, scope, certification body, audit duration, country, and whether you use a consultant. The main costs are certification body audit fees, documentation preparation, internal audit support, and any corrective actions needed before certification.
Can ISO documentation templates work for a small business?
Yes, ISO documentation templates can work well for a small business if they are edited to match the actual scope, processes, risks, roles, and records of the company. Templates save time, but they must be implemented. A certification body will audit the working management system, not the template pack itself.
Next Steps
So, can a one person company get ISO certified? Yes — if the business has a real scope, a simple but complete management system, controlled documented information, audit evidence, management review, and a practical way to handle internal audit independence.
Keep the system lean. Do not copy corporate procedures if you are a freelancer, sole trader, or micro-business. Define what you do, document how you control it, keep records from real work, and prepare properly before the certification body audit.
Ready to build the documentation without starting from a blank page? Browse our full range of ISO documentation toolkits to find the right package for ISO 9001, ISO 27001, ISO 14001, ISO 45001, or an integrated management system.