Whether it is the certification Roadmap of any of the various management systems, the certification provides evidence to interested parties that you are compliant to international standard(s). With this being said, where should you start the road to achieving certification, more profitable, and sustainable business?

For each company, the IT certification roadmap process will vary depending on the organization’s current processes and which management standard they are seeking. Below is an example of the process that would be taken for certification of a management system in any of the ISO standards. For more details about any of the specific ISO Certifications, please visit the specific standard to find out more.

What does the initial preparation look like?

Upon deciding the management system you wish to implement, there are certain initial steps that need to follow to ensure your success. The following are some simple tips that have proven invaluable to companies that are pursuing certification roadmap.

Make sure you begin the process with the right attitude.

  • Have a complete understanding of the concept set forth in the standard, and use the standard as a guide template to define your management system.
  • Know what application and implications of the standard will mean to your company.
  • Use the standard as a tool for improvement.
  • Have an understanding of the risks and processes that affect your organization’s ability to realize its business strategy.
  • Select your partner (certification body/registrar) carefully.
certification roadmap | Ksqa

What steps should I follow?

Below you will find 10 general steps that will take you down the road to certification:

it audit certification roadmap | Ksqa

1. Obtain the Standard

Obtain and read a copy of the standard to familiarize yourself with the requirements, and decide if certification road map/registration to this standard makes good sense for your organization.

2. Review Literature and Software

There is a large amount of published information available that is designed to assist you in understanding and implementing a standard. Note also that for some standards there are guidelines developed for how to implement the requirements within an organization (e.g. ISO/TS 9002 for ISO 9001 and ISO 14004 for ISO 14001). Use some time to investigate what is available and identify which could be of support for your implementation process.

3. Assemble A Team and Define Your Strategy

The adoption of a management system needs to be the strategic decision of the whole organization. It is vital that your senior management is involved in the decision and creation process. They decide the business strategy that an efficient management system should support. In addition, you need a dedicated team to develop and implement your management system.

4. Determine Training Needs

Your team members responsible for implementing and maintaining the management system(s) will need to know the full details of the applicable standard(s). There is a wide range of courses, workshops, and seminars available designed to meet these needs. We provide a number of public training courses around the world. Contact your local KSQA office for more information.

5. Review Consultant Options

Independent consultants will be able to advise you of a workable, realistic, and cost-effective strategy plan for implementation.

6. Develop Your Management System Documentation

Decide an appropriate platform for your management system documentation (e.g. specific software, process-map based, SharePoint-based). The right platform is important to ensure effective management, communication, and implementation of your management system. Your management system should describe the policies and operations of your company. The documentation includes relevant processes and other documented information needed to support you in meeting your intended outcomes and the requirements of the applicable standard.

7. Determine, Manage, and Document Your Processes

An important step in establishing your management system is to determine the needed processes and their interactions in accordance with your policies, strategy, and objectives. These processes should cover areas such as:

  • Product and service realization (operational processes)
  • Meeting relevant needs and expectations of customers and other stakeholders
  • Management processes, including measurement, analysis, improvement, and innovation

8. Implement Your Management System

Communication and training are key to successful implementation. During the implementation phase, your organization will be working according to the established processes and connected criteria to document and demonstrate the effectiveness of the management system.

9. Consider A Pre-Assessment

You can choose to have a preliminary evaluation of the implementation of your management system by a certification body/registrar. The purpose is to identify areas of non-conformance or weaknesses and allow you to correct these areas before you begin the accredited certification process. Receiving a non-conformance means that a particular area of your management systems is not compliant with the requirements of the standard.

10. Select A Certification Body/Registrar

Your business relationship with the certification body/registrar will exist for many years, as your certification has to be maintained. To have an efficient management system, continual improvement is key. KSQA will help you get the maximum value out of the certification process, evaluating strengths and improvement opportunities.

Certification Road Map Process

Initial Audit and Certification

Upon acceptance of the application, KSQA conducts a two-staged initial audit which will consist of Stage 1 and Stage 2 audit.

Stage 1 is performed to evaluate submitted documentation against the requirements of the management system standard. The internal audits, management review meetings, and other requirements will also be reviewed in accordance with the standard.

If any areas of concern are identified during the Stage 1 audit, the concerns are communicated to the client at the conclusion of Stage 1 and any necessary time to allow adequate correction is determined.

The maximum time allowed between Stage 1 and Stage 2 audit is three (3) months.

The Stage 2 audit is to gather objective evidence to substantiate the effective implementation of the management system to form the conclusion on whether or not to grant the certification.

Where KSQA cannot verify and close out all the corrective actions for addressing the findings raised during the Stage 2 audit within six (6) months, another Stage 2 audit will be conducted. As long as the client can close the findings from Stage 2 then KSQA will grant certification.

Surveillance Activities

KSQA conducts onsite or remote surveillance audits at planned intervals to maintain the confidence that the certified management system continues to fulfill the cybersecurity certification roadmap requirements.

The first surveillance audit is conducted within twelve (12) months from the date of the certification decision.

Surveillance audits are not necessarily full system audits; thus surveillance audits are generally one-third of the time as the initial audit.

There are a total of two Surveillance audits prior to the Recertification Audit.


Prior to the expiration of the certification, the certified client will indicate to KSQA their intention to continue with the certification and KSQA will then provide a new quotation for recertification.

The recertification audit is conducted to evaluate the fulfillment of the requirements of the certification.

KSQA will ensure the decisions for renewing certifications are prior to the certificate expiring.

If KSQA has not completed the recertification audit or is unable to verify the implementation of corrections and corrective actions for MAJOR non-conformities prior to the expiry date of the certification, then recertification will not be recommended.

KSQA may restore certification within six (6) months following the expiration of certification, provided that the outstanding recertification activities are completed. The effective date on the new certification is on or after the recertification decision by Technical Reviewer and the expiry date is based on prior certification cycle.

Special Audits

KSQA shall in response to a request by a certified client for modification of the scope of certification, review the request and determine any audit activity necessary to decide whether or not the modification may be granted.

When necessary, KSQA may conduct short notice audits for its certified clients in response to complaints, changes affecting the system, or as follow up on suspended certified clients.

Suspending, Withdrawing or Reducing the Scope of Certification

KSQA will suspend, modify (extend or reduce scope), or withdraw the certification if the certified client violates his/her certification contractual or financial obligations with KSQA. Below are some of the reason a KSQA may suspend certification:

  • the certified client has persistently or seriously failed to meet requirements;
  • financial requirements not met;
  • the certified client has requested to voluntarily suspended;
  • the required surveillance or recertification audit not performed at the prescribed frequency.

While under suspension, the certified client’s certificate is temporarily invalid. During this time the client cannot promote the certification. Additionally, KSQA will also make it known through the KSQA website that the certificate status is “suspended”.

Suspension can last up to a maximum of six months. The client must resolve the issues or the suspension will result in the withdrawal or reduction of the scope.

Clients must notify their customers of their reduced or withdrawn certification. KSQA will remove the certified company from its list of certified companies. The client may appeal to any actions through the appeal process.


KSQA follows a procedure to resolve disputes/appeals with their clients or third parties regarding its actions and decisions around the certification roadmaps. KSQA takes every reasonable effort to resolve all appeals and disputes related to its activities. We are responsible for all decisions at all levels of the handling of appeals.

Personnel involved in the appeal process are not part of the audit or certification decisions.

The submission, investigation and decision will not result in any discriminatory actions against the person filing the appeal.

When an appeal is received, KSQA will acknowledge the receipt of the appeal and provide progress reports to the appellant and the final outcome.

The disputes/appeals include the following elements and methods:

  • Receiving, validating and investigation. Actions are taken related to appeal, considering previous similar situations;
  • logging and retaining all appeals, including the actions to resolve;
  • ensuring that if required any appropriate corrections and corrective actions are taken

When KSQA receives an appeal, KSQA is responsible to collect & verify all information to allow the appeal to be validated.

The final outcome and decisions are communicated to the appellant by, or reviewed and approved by, personnel not involved in the subject of the appeal.

KSQA gives the appellant formal notification of the end of the appeal process.


KSQA is responsible for all IT certification roadmap 2023 decisions at all levels of the complaints-handling process. All formal complaints related to the certification roadmap activities of KSQA or if the complaint involves a certified client, the complaint can be emailed to contact@ksqa.org or click on the here to be directed to our “Contact Us” page.

The submission, investigation and decision will not result in any discriminatory actions against the person filing the appeal.

Upon receiving the complaint, KSQA will confirm if the complaint relates to certification activities that KSQA is responsible for. If KSQA is responsible and involves a certified client, then KSQA will examine the complaint & determine the effectiveness of the certified management system.

If determined to be a valid complaint about a certified client, KSQA will inform the client at the appropriate time.

The process for receiving, evaluating, and decisions on complaints is documented in a documented procedure. The process is subject to KSQA requirements for confidentiality related to the complainant and the subject of the complaint.

Use of KSQA’s Name, Certification Mark or Logo

Certified clients may use KSQA’s name, Certification Mark or log in accordance with the following rules.

  • The IAS Accreditation body mark may NOT be used by any of our clients;
  • The client shall only make reference to the certification status in communication such as the internet, advertising or other media;
  • The certification mark or logo is not used with misleading statements regarding the certification.
  • The client does not use or allow the use of any certification document or any part in a misleading manner.
  • If status certification becomes withdrawn, the client shall discontinue using all advertising material that references certification
  • Amends advertising matters when the scope of certification has been reduced or withdrawn.
  • The management system certification road map does not allow reference to be used in a way to imply that KSQA certifies a product, service or process.
  • The certification does not allow reference that applies to activities and sites outside the scope of certification.
  • The client does not use the certification in a manner that would bring the KSQA and/ or certification into disrepute or cause KSQA to lose public trust.

For more details on the use of the KSQA’s Name, use of Certification Mark or Logo, please see our procedure. PR-8.3-1