If you have been told to “get ISO certified,” the hardest part is often not the audit. It is working out which ISO certification you need before you spend money on the wrong standard, the wrong consultant, or the wrong documentation package. A general service business, a SaaS company, a contractor, a medical device manufacturer, and a food business may all need ISO certification for commercial reasons, but they do not all need the same standard. This guide helps you choose the right ISO route by business type, tender requirement, risk profile, and documentation workload.
Quick Answer
The ISO certification you need depends on why you are seeking certification. For most general businesses and tender requirements, ISO 9001:2015 is the starting point because it proves you have a controlled Quality Management System. IT, SaaS, and data-handling companies usually need ISO 27001:2022, while contractors often need an integrated ISO 9001, ISO 14001, and ISO 45001 system.
Specialist sectors need specialist standards: ISO 13485:2016 for medical devices, ISO 15189:2022 for medical laboratories, ISO 22000:2018 for food safety, ISO 41001:2018 for facility management, and ISO 42001:2023 for AI management systems.
In This Guide
- What ISO Certification Do I Need for My Business Type?
- Which ISO Certification Is Best for Small Businesses?
- Which ISO Certification Do I Need for Tenders and Contracts?
- Which ISO Certification Do I Need for IT and SaaS Companies?
- Which ISO Certification Do I Need for Construction Companies?
- Which ISO Certification Do I Need for Medical, Food, or Laboratory Businesses?
- Can I Use an ISO Documentation Toolkit Instead of Hiring a Consultant?
- What Mistakes Should I Avoid When Choosing an ISO Certification?
- Frequently Asked Questions
- Next Steps
What ISO Certification Do I Need for My Business Type?
The fastest way to choose the right ISO certification is to start with the business problem, not the standard number. Ask what you are trying to prove: quality control, information security, safety, environmental performance, food safety, medical competence, or AI governance.
ISO certification is not one universal certificate. It is a management system certification against a specific standard. A certification body such as BSI, Bureau Veritas, DNV, SGS, LRQA, or Intertek audits your documented information, processes, evidence, internal audits, management review, and corrective actions against that chosen standard.
Use this table as a practical first filter:
| Business situation | Recommended ISO certification | Why this standard fits | Toolkit angle |
|---|---|---|---|
| General business, manufacturer, service provider, or tender requirement | ISO 9001:2015 | Shows controlled processes, quality objectives, customer focus, and continual improvement | Quality Management System documentation |
| IT company, SaaS provider, data processor, or cybersecurity requirement | ISO 27001:2022 | Shows information security risk management and Annex A control implementation | ISMS policies, risk assessment, Statement of Applicability, and controls |
| Construction, contracting, facilities, engineering, or site-based work | ISO 9001:2015 + ISO 14001:2015 + ISO 45001:2018 | Covers quality, environmental management, and occupational health and safety | Integrated Management System documentation |
| Medical device manufacturer or distributor | ISO 13485:2016 | Focuses on medical device quality, regulatory expectations, traceability, and product safety | Medical device QMS documentation |
| Medical laboratory | ISO 15189:2022 | Focuses on laboratory competence, quality, impartiality, and reliable medical testing | Laboratory management and technical documentation |
| Food manufacturer, caterer, processor, or food supply chain business | ISO 22000:2018 | Combines food safety management, prerequisite programmes, and HACCP principles | Food safety procedures, hazard analysis, and control plans |
| Facility management provider | ISO 41001:2018 | Shows structured facility management planning, service delivery, and performance control | FM management system documentation |
| AI developer, AI platform, or company deploying AI systems | ISO 42001:2023 | Shows governance of AI risks, responsibilities, transparency, and system controls | AI management system documentation |
Quick check: If your client or tender document names a specific standard, start there. If it only says “ISO certified,” ask the buyer which ISO standard they mean before spending money. ISO 9001:2015 is often assumed, but security, safety, and environmental requirements may be separate.
How do I choose the right ISO certification for my company?
Use a simple decision process before buying templates, hiring a consultant, or booking a certification audit:
- Identify the commercial driver: Confirm whether you need certification to win tenders, satisfy a client, enter a regulated market, reduce risk, or improve internal control.
- Check the exact wording: Look at contracts, procurement portals, supplier questionnaires, or customer emails. The wording may specify ISO 9001, ISO 27001, ISO 14001, ISO 45001, or another standard.
- Match the standard to the main risk: Quality risk points to ISO 9001:2015. Information security risk points to ISO 27001:2022. Worker safety points to ISO 45001:2018. Environmental risk points to ISO 14001:2015.
- Define your scope: Decide which sites, services, departments, and activities will be included. Clause 4.3 in many ISO management system standards requires a clear scope.
- Run a gap analysis: Compare your current documented information, controls, records, internal audits, and management review against the chosen standard.
- Build the documentation system: Prepare policies, procedures, registers, forms, audit schedules, objectives, risk assessments, and evidence records before your Stage 1 audit.
- Book certification when evidence exists: Certification bodies will not certify intent. They need evidence that your management system is implemented, reviewed, audited, and improving.
For broad comparison shopping, browse the full range of ISO documentation toolkits and match the toolkit to the standard your buyer, regulator, or risk profile actually requires.
Do I need ISO 9001 or ISO 27001 first?
Choose ISO 9001:2015 first if the main requirement is general quality, customer satisfaction, process control, or tender eligibility. Choose ISO 27001:2022 first if the main requirement is information security, cloud security, data protection, enterprise vendor approval, or cyber risk management.
A software company may need ISO 27001:2022 before ISO 9001:2015 because enterprise clients care more about data security than general quality procedures. A manufacturer, maintenance provider, logistics company, or professional service business may need ISO 9001:2015 first because buyers want confidence that orders, service delivery, complaints, and corrective actions are controlled.
Which ISO Certification Is Best for Small Businesses?
For most small businesses, ISO 9001:2015 is the best first ISO certification because it is the most widely recognised general management system standard. It applies across industries, including services, manufacturing, trading, maintenance, consulting, training, engineering, and administration.
ISO 9001:2015 does not require a large team or complex software. A 20-person company can implement it if responsibilities are clear, processes are documented, objectives are measurable, internal audits are performed, and management review is recorded. The standard asks you to control the way work is planned, delivered, checked, improved, and evidenced.
What does ISO 9001 certification prove for a small business?
ISO 9001:2015 proves that your business has a structured Quality Management System. In practical terms, it shows that you understand customer requirements, control your processes, handle nonconformity, review performance, manage risks and opportunities under Clause 6.1, and improve based on evidence.
This is why ISO 9001:2015 appears so often in supplier approval forms. Buyers use it as a shortcut for basic operational maturity. It does not guarantee perfection, but it tells procurement teams that your business has been audited against an international quality framework.
If ISO 9001:2015 is your starting point, the ISO 9001:2015 Documentation Toolkit helps you build the core policies, procedures, forms, and records needed for a quality management system without starting from a blank page.
Pro tip: Small companies often over-document ISO 9001. Auditors expect control, not bureaucracy. A clear process map, risk register, quality objectives, internal audit programme, management review minutes, and corrective action records are more useful than a 100-page manual nobody uses.
Can a small business get ISO certified without a full-time compliance manager?
Yes, but someone must own the system. In a small business, the ISO project is often managed by an operations manager, quality coordinator, office manager, director, or business owner. The key is not job title; it is authority, time, and access to evidence.
Be realistic about workload. A small business can often prepare for a straightforward ISO 9001 certification project in 8–16 weeks if processes already exist and leadership responds quickly. More complex standards such as ISO 27001:2022 or ISO 13485:2016 usually take longer because risk assessment, technical controls, validation, traceability, or regulatory evidence may be deeper.
Which ISO Certification Do I Need for Tenders and Contracts?
For tenders and contracts, the ISO certification you need is the one named in the procurement document. If the tender asks for ISO 9001:2015, ISO 14001:2015, or ISO 45001:2018, you should not substitute a different standard unless the buyer confirms it will be accepted.
Public sector, construction, oil and gas, infrastructure, facilities, healthcare, education, and enterprise procurement teams often use ISO certification as a prequalification filter. Missing the required standard can make your bid non-compliant before anyone reviews your price or technical proposal.
What ISO certification do clients usually ask for?
The most common client-requested certification is ISO 9001:2015 because it applies to quality management across almost any sector. Environmental and safety requirements are also common where site work, emissions, waste, worker safety, or subcontractor control matter.
In IT, SaaS, outsourcing, finance, healthcare technology, and data processing, ISO 27001:2022 is often the standard clients ask for because it demonstrates an Information Security Management System. ISO 27001:2022 includes 93 Annex A controls grouped across organisational, people, physical, and technological control themes.
What ISO certification do I need to win tenders?
You need the ISO certification that removes the tender barrier. For many SMEs, that means ISO 9001:2015 first. For contractors, it often means ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 together. For IT vendors, it may mean ISO 27001:2022 or SOC 2, depending on the buyer’s market and security expectations.
Check whether the tender asks for certification, compliance, or a documented management system. These are not the same. “Certified to ISO 9001” usually means an accredited certification body has audited and issued a certificate. “Compliant with ISO 9001” may mean you follow the requirements but are not independently certified.
Quick check: Before bidding, confirm whether the buyer requires accredited certification. A certificate issued under a recognised accreditation body such as UKAS, ANAB, DAkkS, or JAS-ANZ usually carries more weight than an unaccredited certificate.
Which ISO Certification Do I Need for IT and SaaS Companies?
IT and SaaS companies usually need ISO 27001:2022 if customers are asking about cybersecurity, vendor risk, cloud hosting, data protection, access control, incident management, or enterprise procurement. ISO 27001:2022 is built around information security risk management, not just IT policies.
The core deliverables include an ISMS scope, information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, internal audit programme, management review, and evidence that selected controls are implemented. Certification bodies will check whether security risk decisions are justified and supported by records.
When does a SaaS company need ISO 27001 certification?
A SaaS company usually needs ISO 27001:2022 when it sells to enterprise clients, handles personal data, stores customer information, processes sensitive business data, or appears in supplier security reviews. Many enterprise buyers now ask for ISO 27001, SOC 2, penetration test summaries, business continuity evidence, and data protection controls before contract approval.
ISO 27001:2022 is especially useful when your sales cycle is slowed by repeated security questionnaires. Instead of answering every control from scratch, certification shows that your Information Security Management System has already been independently audited.
The ISO 27001:2022 Documentation Toolkit gives IT and SaaS teams a structured starting point for ISMS policies, risk assessment, Statement of Applicability, audit records, and required documented information.
Do IT companies need ISO 27001 or SOC 2?
Choose ISO 27001:2022 if customers ask for an internationally recognised information security management system certification. Choose SOC 2 if US-based customers specifically ask for a Trust Services Criteria report. Some SaaS companies eventually need both, but they are not identical.
ISO 27001:2022 is certification against a management system standard. SOC 2 is an assurance report issued by a CPA firm. If your customers are in Europe, the Middle East, Asia, public sector supply chains, or multinational enterprise procurement, ISO 27001:2022 is often the clearer first choice. If your buyers are US technology companies, SOC 2 may be requested more often.
Which ISO Certification Do I Need for Construction Companies?
Construction companies usually need ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 together. This combination is often called an Integrated Management System or QHSE system because it covers quality, environmental management, and occupational health and safety in one coordinated framework.
Construction work creates quality risk, environmental risk, and safety risk at the same time. A contractor may need to prove that materials are controlled, subcontractors are evaluated, waste is managed, site hazards are assessed, incidents are recorded, and corrective actions are followed through.
Can I use one integrated toolkit for ISO 9001, ISO 14001, and ISO 45001?
Yes. ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 share a common management system structure, including clauses for context, leadership, planning, support, operation, performance evaluation, and improvement. That makes integration practical.
An integrated approach avoids three separate policy systems, three audit programmes, three management reviews, and three corrective action logs. You still need standard-specific content, such as environmental aspects for ISO 14001 and hazard identification for ISO 45001, but the system can be managed as one framework.
For contractors, engineering companies, and site-based service providers, the Integrated IMS Documentation Toolkit for ISO 9001, ISO 14001, and ISO 45001 is usually more efficient than building three separate systems.
Pro tip: Integrated certification can reduce duplication, but it does not reduce responsibility. Your internal audit under Clause 9.2 still needs to test quality, environmental, and occupational health and safety requirements, not just generic management system controls.
What ISO certification do contractors need for health and safety?
Contractors that need a recognised occupational health and safety management system usually choose ISO 45001:2018. This standard focuses on hazard identification, legal and other requirements, consultation and participation of workers, operational controls, emergency preparedness, incident investigation, and continual improvement.
If your work involves site access, plant and equipment, working at height, electrical work, lifting operations, confined spaces, subcontractors, or field teams, ISO 45001:2018 is often commercially valuable even when it is not legally required. It gives clients confidence that health and safety risks are being managed systematically.
Which ISO Certification Do I Need for Medical, Food, or Laboratory Businesses?
Medical, food, and laboratory businesses should not choose ISO 9001:2015 by default. These sectors often need specialist standards because the risks involve patient safety, product safety, test reliability, hygiene, traceability, regulatory expectations, or technical competence.
ISO 9001:2015 may still be useful as a general quality framework, but it is often not enough on its own for regulated or high-risk sectors. Choose the sector-specific standard first when buyers, regulators, accreditation bodies, or customers expect it.
What ISO certification does a medical device company need?
A medical device company usually needs ISO 13485:2016. This standard focuses on quality management for medical devices, including regulatory requirements, risk-based controls, design and development where applicable, purchasing, production, traceability, customer feedback, complaint handling, and corrective action.
Medical device businesses should not treat ISO 13485:2016 as a cosmetic version of ISO 9001. The documentation expectations are more controlled, especially around product safety, validation, records, outsourced processes, and regulatory interfaces. The ISO 13485 Documentation Toolkit is built for this specialist medical device QMS route.
What ISO certification does a medical laboratory need?
A medical laboratory usually needs ISO 15189:2022. This standard is designed for medical laboratories and focuses on both quality management and technical competence. It covers areas such as impartiality, confidentiality, personnel competence, equipment, reagents, sample handling, examination processes, reporting, nonconforming work, internal audit, and management review.
For laboratories, the key question is often accreditation rather than simple certification. Many medical laboratories pursue recognition through an accreditation body because clients and regulators need confidence in technical competence, not only management system discipline.
What ISO certification does a food business need?
A food business usually needs ISO 22000:2018 when it must demonstrate food safety management across the food chain. This applies to food manufacturers, processors, caterers, packaging suppliers, storage providers, transporters, and related service providers.
ISO 22000:2018 combines management system requirements with food safety principles, including hazard analysis, prerequisite programmes, operational prerequisite programmes, control measures, traceability, emergency preparedness, verification, and continual improvement. If customers mention HACCP, food safety certification, supplier approval, or export requirements, ISO 22000:2018 may be the right route.
What ISO certification does an AI company need?
An AI company should consider ISO 42001:2023 if it develops, provides, deploys, or governs AI systems and needs to show responsible AI management. This standard is increasingly relevant for AI platforms, AI-enabled SaaS products, machine learning providers, automation tools, and companies using AI in high-impact decisions.
ISO 42001:2023 focuses on AI governance, responsibilities, risk assessment, impact assessment, lifecycle controls, transparency, human oversight, and continual monitoring. It is not only for large technology companies. Any organization commercialising AI may need structured evidence that AI risks are identified and controlled.
Can I Use an ISO Documentation Toolkit Instead of Hiring a Consultant?
Yes, many organizations can use an ISO documentation toolkit instead of hiring a consultant, especially when the standard is clear, the business has someone internally who can lead the project, and the main bottleneck is writing documented information from scratch.
A toolkit does not replace leadership commitment, implementation, evidence, internal audit, management review, or certification body assessment. What it does replace is the blank-page problem: policies, procedures, forms, registers, audit templates, and records that would otherwise take weeks to build.
When is an ISO documentation toolkit enough?
A toolkit is usually enough when your business has stable processes, clear responsibilities, access to records, and someone competent to customise templates. This is common for SMEs seeking ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 27001:2022, ISO 22000:2018, ISO 41001:2018, or similar management system standards.
The best use of a toolkit is to customise it around your real scope, risks, interested parties, objectives, operational controls, and evidence. Certification auditors can quickly spot documents that still contain generic wording, irrelevant responsibilities, or procedures your team does not follow.
When should I hire an ISO consultant?
Hire a consultant when your organization is highly complex, multi-site, regulated, under severe deadline pressure, or lacking internal ownership. Consultants are also useful when you need hands-on gap analysis, employee interviews, process redesign, risk workshops, supplier control reviews, or support during external audits.
Many SMEs use a hybrid route: they buy a documentation toolkit, customise the system internally, then bring in a consultant for a targeted gap review or internal audit. That keeps the project practical without committing to a full consulting engagement that can cost thousands.
Quick check: A toolkit prepares documentation; certification proves implementation. Before Stage 1 audit, make sure you have records showing that the system has actually operated — internal audit, management review, objectives tracking, risk review, corrective actions, and training evidence.
What Mistakes Should I Avoid When Choosing an ISO Certification?
The biggest mistake is buying or implementing the standard you recognise instead of the standard your customer, tender, regulator, or risk profile requires. ISO 9001:2015 is valuable, but it will not satisfy a client asking for ISO 27001:2022. ISO 27001:2022 is powerful, but it will not replace ISO 45001:2018 for site safety requirements.
Why is choosing the cheapest ISO certificate risky?
Cheap certification can become expensive if the certificate is not accepted by your customer. Always check whether the certification body is accredited and whether the buyer recognises the accreditation body. Some procurement teams reject certificates that are not issued under a recognised accreditation framework.
Also check the scope statement on the certificate. A certificate for “administrative services” may not satisfy a tender for construction, software development, laboratory testing, food production, or medical device manufacturing. Scope matters because it defines what the certification actually covers.
Why can copying another company’s ISO documents fail an audit?
Copied documentation usually fails because it does not match your scope, processes, legal requirements, roles, risks, interested parties, objectives, suppliers, or evidence. Auditors do not only read procedures. They test whether people understand them and whether records prove they are followed.
For example, Clause 9.3 management review requires top management to review system performance, audit results, customer feedback, objectives, changes, risks, opportunities, and improvement actions. A copied management review template with no real inputs will not satisfy an auditor.
Why does getting more than one ISO certification at the same time need planning?
Getting more than one ISO certification at the same time can be efficient, especially when standards share structure. But it needs planning because each standard still has its own technical requirements, evidence, competence needs, legal obligations, and operational controls.
For example, ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 can be integrated, but ISO 14001 still needs environmental aspects and compliance obligations, while ISO 45001 still needs hazard identification and worker consultation. Integration reduces duplication; it does not remove standard-specific work.
Frequently Asked Questions
What ISO certification do I need for my company if I am not sure where to start?
If you are not sure where to start, ISO 9001:2015 is usually the first ISO certification to consider because it applies to general quality management across most industries. However, choose ISO 27001:2022 if the main issue is information security, ISO 45001:2018 if worker safety is the driver, ISO 14001:2015 if environmental control matters, and a specialist standard such as ISO 13485:2016, ISO 15189:2022, or ISO 22000:2018 if your sector requires it.
Do I need ISO 9001:2015 or ISO 27001:2022 for my business?
You need ISO 9001:2015 if the main requirement is quality management, process control, customer satisfaction, or general tender eligibility. You need ISO 27001:2022 if customers are asking about information security, cybersecurity, cloud hosting, data protection, access control, or vendor risk. Some companies need both, but the first choice should match the strongest buyer requirement or operational risk.
How long does ISO 9001 or ISO 27001 certification take for a small business?
A small business can often prepare for ISO 9001:2015 certification in 8–16 weeks if processes already exist and management responds quickly. ISO 27001:2022 often takes longer, commonly 3–6 months, because information security risk assessment, Statement of Applicability, Annex A controls, internal audit, and evidence collection require more technical input. The timeline depends on scope, staff availability, and current maturity.
What ISO certification do I need to win tenders: ISO 9001, ISO 14001, or ISO 45001?
For tenders, you need the standard named in the tender document. ISO 9001:2015 is commonly required for quality management, ISO 14001:2015 for environmental management, and ISO 45001:2018 for occupational health and safety. Contractors, facilities providers, engineering firms, and site-based service companies are often asked for all three as an integrated QHSE management system.
Can I get ISO 9001, ISO 14001, and ISO 45001 certified at the same time?
Yes, you can get ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 certified at the same time using an Integrated Management System. This is common for construction, contracting, manufacturing, maintenance, and facilities businesses. The shared structure allows one scope, policy framework, internal audit programme, management review process, and corrective action system, while still including standard-specific requirements.
Can I use one integrated ISO 9001, ISO 14001, and ISO 45001 toolkit?
Yes, one integrated ISO 9001, ISO 14001, and ISO 45001 toolkit can be used if it properly covers quality, environmental, and occupational health and safety requirements. The toolkit should include shared management system documents plus separate controls for environmental aspects, compliance obligations, hazard identification, worker consultation, emergency preparedness, objectives, internal audit, and management review.
Can I get ISO 27001 certified without a consultant?
Yes, some organizations can get ISO 27001:2022 certified without a consultant if they have internal security knowledge, clear ownership, enough time, and a structured documentation toolkit. You still need to complete the ISMS scope, risk assessment, risk treatment plan, Statement of Applicability, control evidence, internal audit, management review, and corrective actions. A consultant is useful when the scope is complex or internal expertise is limited.
Next Steps
The question “which ISO certification do I need” has a practical answer: choose the standard that matches your buyer requirement, tender wording, sector risk, and certification scope. ISO 9001:2015 is the common starting point, ISO 27001:2022 is the security route, and ISO 9001 + ISO 14001 + ISO 45001 is the usual QHSE route for contractors.
Ready to choose the right documentation package? Browse all UCS Toolkit ISO standards to find the toolkit that matches your business type, certification goal, and audit preparation needs.


