The three-year certification cycle
Accredited certification follows a fixed rhythm defined by ISO/IEC 17021-1. Year 0: initial certification through Stage 1 and Stage 2 audits. Years 1 and 2: surveillance audits, usually annual and shorter than the initial audit, sampling different parts of your system each time. Year 3: a recertification audit, more thorough than surveillance, before the certificate's expiry date. Miss that window and the certificate lapses; you may have to restart with a full initial audit.
How certificates die early
- Suspension. If surveillance raises major nonconformities you fail to close, or you refuse to schedule audits, the certification body suspends the certificate. Suspended status is publicly visible and usually recoverable within a defined period.
- Withdrawal. Persistent failure, misuse of the certification mark, or serious integrity issues end the certificate entirely.
- Scope reduction. If part of your operation no longer conforms, the body can shrink the certified scope rather than kill the whole certificate.
Standard revisions also force transitions
When ISO publishes a new edition of 9001, certified organizations get a transition period (historically three years) to upgrade their systems and pass a transition audit. Certificates against the old edition become invalid at the deadline regardless of their printed expiry date. With a new edition of ISO 9001 in development, build revision-watching into your management review inputs now; the organizations that suffer in transitions are the ones that start reading the new requirements in the final six months.
Practical upkeep between audits
Surveillance audits always sample internal audits, management review, corrective actions, and use of the certification mark. Keep those four alive year-round and the cycle looks after itself. Systems that hibernate between audits are obvious to any experienced auditor within the first hour, usually from record dates alone.