Your Customer Requires ISO Certification — Now What?
A customer, a prime contractor, or an RFP just told you that certification is required. You did not plan for this. You do not have a management system. And the timeline feels aggressive. This is the most common way organizations begin their certification journey.
Why Customers Require Certification
Understanding why your customer is asking for certification helps you understand what they actually need — and what will satisfy them.
The most common reason is risk transfer. When a customer qualifies a supplier and requires certification, they are creating documented evidence that they exercised due diligence in their supplier selection. If your product or service fails and creates a problem for them, their ability to demonstrate that they selected a certified, audited supplier is a meaningful defense. The certificate is evidence of their process, not just yours.
Supplier qualification programs are the second reason. Large organizations — manufacturers, healthcare systems, government agencies — maintain approved supplier lists with defined qualification criteria. ISO certification is often a threshold requirement for the approved supplier list. No certificate, no consideration. This is not a negotiating position — it is a system requirement.
Regulatory compliance is the third reason. In some industries, the regulatory framework requires that suppliers hold certification. Medical device manufacturers that supply to OEMs need ISO 13485 certification because their customer's regulatory compliance depends in part on the quality systems of their supply chain. Aerospace subcontractors need AS9100 certification for the same reason.
Whatever the reason, the customer's requirement is real and is not going away. The question is how to get there.
What They Are Actually Asking For
The first thing to do when a customer requirement arrives is read it carefully — because "get certified" can mean several different things.
Which standard are they requiring? ISO 9001 is the most common. AS9100 for aerospace. ISO 13485 for medical devices. ISO 27001 for information security. SOC 2 for U.S. software and services. If the requirement does not specify, ask — because the wrong standard means months of work in the wrong direction.
What scope do they expect the certification to cover? Some customers require your entire organization to be certified. Others require only the specific facility, product line, or service that they are buying from you. Scope affects how complex your system needs to be and how long implementation takes. A narrower scope is often faster and less expensive — and if the customer's concern is about the specific work they are receiving, a narrower scope may satisfy their requirement entirely.
What is their timeline? Customers frequently state a requirement without specifying a deadline, or specify a deadline that is not achievable. Understanding whether the timeline is a hard contractual requirement or a preference changes how you respond and what you commit to.
Realistic Timelines by Standard
This is where most reactive buyers run into trouble — not because certification cannot be achieved, but because the timelines required are longer than the pressure feels.
ISO 9001 certification for a small to mid-size organization typically takes four to six months from gap assessment to certification audit. A larger organization or one with complex, multi-site operations takes longer — six to nine months is common.
AS9100 certification typically takes eight to twelve months. The standard is more demanding than ISO 9001, and aerospace certification bodies tend to have longer scheduling lead times for audit slots.
ISO 13485 certification takes eight to twelve months for most device companies. The medical device regulatory environment adds complexity that cannot be compressed.
ISO 27001 certification takes five to eight months for most organizations. Smaller organizations with simpler environments and existing security controls move faster. Organizations with complex environments or significant control gaps take longer.
SOC 2 attestation timelines depend on whether you are pursuing Type I — a point-in-time report — or Type II — a report covering a defined observation period, typically six to twelve months. Type I can be completed in three to five months. Type II requires completing the observation period before the audit can be finalized.
These timelines assume proper implementation — not template shortcuts. An organization that tries to compress a six-month implementation into two months typically fails the certification audit and ends up spending more time, not less, getting to the certificate.
The Fastest Path That Still Works
The fastest path to certification is not the cheapest or the most aggressively scoped. It is the one that produces a system that actually holds up under audit.
Start with an ISO Gap Assessment. This tells you what you already have that can be formalized and what needs to be built. Organizations that skip the gap assessment and go directly to documentation frequently build the wrong things and discover the gaps at audit.
Define the scope tightly. If the customer's requirement can be satisfied by certifying a specific facility or a specific service line, define the scope accordingly. A tight, well-defined scope is easier to build, easier to implement, and easier to audit than a scope that encompasses the entire organization.
Assign a real internal champion. Implementation requires someone inside the organization with the time and authority to move the project forward. A project that sits alongside someone's existing full-time job will stall. A project with a dedicated champion who can make decisions and engage process owners will move.
Engage external support early. An experienced certification consultant compresses the learning curve significantly — not because the consultant does the work for you, but because they know exactly what the certification body will look for, which gaps are critical and which are minor, and how to sequence the implementation work to reach audit readiness efficiently.
What to Tell Your Customer
This is the conversation that most reactive buyers handle poorly — either by promising a timeline they cannot achieve, or by going silent while they figure out what to do.
The right approach is to respond quickly with a credible plan rather than a commitment to a specific date you are not sure you can meet. Something like: "We have confirmed your requirement and are beginning the certification process immediately. We expect to achieve certification within [realistic timeline based on the standard]. We will keep you informed of progress milestones." This signals competence and commitment without overpromising.
If the customer's timeline is shorter than what is achievable, have the conversation directly. Explain the standard's requirements, what a proper implementation takes, and what the risk is of trying to shortcut it — a system that fails audit does not produce a certificate faster; it produces a delay. Most customers who understand the process respect a realistic timeline over an unrealistic promise.
Some customers will accept a supplier qualification letter, a letter of intent to certify, or an interim audit report from a certification body as a placeholder while certification is in progress. Ask whether that option exists — it sometimes resolves the immediate commercial pressure while the certification process runs its proper course.
How We Help
We work with organizations responding to customer certification requirements every day. It is the most common engagement entry point we have — and we know how to move efficiently without cutting corners.
Engagements start with an ISO Gap Assessment that produces a realistic timeline and a prioritized implementation roadmap. From there, Implementing a System moves through process design, documentation, implementation, and audit preparation on a defined schedule. Certification Consulting covers the certification audit itself and any corrective action follow-up.
For organizations that need to demonstrate progress to a customer before the certificate is in hand, we can help structure that communication and, where relevant, coordinate with certification bodies on interim documentation options.
Related Standards & Services
The standard that applies to your situation depends on your industry and your customer's specific requirement. The most common starting points for reactive buyers are ISO 9001, AS9100, ISO 13485, ISO 27001, and SOC 2.
For services, customer-driven certification engagements involve ISO Gap Assessment, Implementing a System, and Certification Consulting — often on an accelerated schedule that requires focused engagement from the start.
Contact us.
info@wintersmithadvisory.com
(801) 477-6329