How to Transfer an ISO Certificate

Ever moved somewhere new? It’s a big life change, and of course, it’s important you pack all your belongings and get them moved to your new spot. But it’s not just your stuff that you need to account for—you’ll also be looking for a new local doctor to trust with your medical history, a new mechanic to trust with your car, etc.

It can be done, but you need to make sure you take all the right steps to get what you want and need. The same goes for your ISO certificate.

For whatever reason, you may want to switch external assessors in the middle of your ISO certification term, and while it’s possible, there are certain things you need to do and considerations you should make ahead of time. Like a big move to a different city, this isn’t something you just leap into.

As an ISO Certification Body, we’ve guided many organizations through this process, whether they’re going somewhere else or asking us for their next assessment. In this article, we’ll go over the requirements for transfer, including what’s necessary for the requisite review process, and factors to mull over before moving forward.

Maybe you’re not considering an ISO certificate transfer for now, but should you do so in the future, you’ll be ready with a solid understanding of how it all works.

Can You Transfer Your ISO Certificate?

As you likely already know, to achieve ISO certification for your management system, you must conform to the requirements of your chosen standard. That includes during the initial assessment and then the subsequent necessary reviews, all of which span the three-year term of your ISO certificate.

But during that three-year term, change can occur—it’s quite common. You might introduce new systems to your scope, including various extensions and additional requirements, or you might acquire a whole other organization, which would mean reconfiguring your certification as well.

The good news is that despite all that potential change, your ISO certificate will remain valid during that three-year term, assuming the necessary surveillance assessments are completed and the relevant management system is adjusted to incorporate these changes.

But what if you instead wanted to change external auditors during that three-year term? The short answer is that you can, and thankfully, ISO made this a fairly simple process, but there are a few things you need to confirm first:

  • The issuing certification body—including the certification intended to be transferred—and the accepting certification body all must be accredited by an accreditation body that sits on the IAF.
  • The accepting certification body must also be accredited for the management system standard that is the subject of the transferring certificate.
    • I.e., your new certification body would have to be accredited for ISO 20000-1 to correctly perform a certification transfer for that standard. 
  • The subject certificate must be valid and active for the transfer process to be completed.

With all that confirmed, both certification bodies must also adhere to the requirements of IAF MD-2 when performing the transfer, as there are requirements and responsibilities relevant to both organizations. 

ISO Certificate Transfer Requirements

What is IAF MD-2, you might be asking now, and here’s your answer—it’s the Mandatory Document (MD) containing the requirements necessary for an ISO certification transfer.

Published by the International Accreditation Forum (IAF)—an organization consisting of accreditation bodies throughout the world—this document is also known as IAF MD for the Transfer of Accredited Certification of Management Systems. It features several requirements for a proper handover, including a review of certain elements before anything can be done:

  • The accepting certification body must assess:
    • The issuing certification body’s accreditation, as well as the previous work performed by the issuing certification body;
    • The review of reports and other external audit-related documents; and
  • The accepting certification body must also confirm:
    • That the issuing certification body is accredited for the management system certificate that was issued;
    • That the issuing certification body’s accreditation is active and in good standing; and
    • That the issuing certification body performed its assessments in accordance with the related normative standards. 

The transfer cannot be accepted by an accepting certification body if the issuer has not performed previous audits in conformance with the related normative standards. 

If your organization should fall into a circumstance where a certification transfer cannot be performed, you can still use a different certification body, but then another initial certification (Stage 1 and Stage 2) would have to be performed.

How Does an ISO Certificate Transfer Work?

You’ll note that there’s a lot of scrutinizing of the issuing certification body’s work during a transfer, and that’s because if the recipient body is going to take on your certificate, they’re ultimately relying on the work of the initial issuer to establish confidence in issuing a management system certificate with their mark on it. 

That also means:

  • If you have open nonconformities at the time of the transfer process, the accepting certification body is required to assess your efforts in closing those nonconformities. 
    • Major nonconformities: verification of the implementation of corrections and corrective actions
    • Minor nonconformities: accept the transferring client’s plans for correction and corrective action
  • There may be circumstances that require a deeper review of your management system—either onsite or through additional documentation requests—so that your new certification body can create familiarity with your management system and address any discrepancies noted in the issuing certification body’s work. 

As part of the transfer, the accepting certification body is also required to communicate with the issuing certification body regarding the following to which the issuer must respond before the transfer process can continue:

  • Whether the existing certificate is active and in good standing;
  • Whether the documentation and information provided to meet the requirements of IAF MD-2 is complete (when such documentation is provided by the certified organization and not the issuing certification body);
  • The continuation of the audit program by the accepting certification body; and
  • Your intent to transfer.

Considerations to Make Before Transferring Your ISO Certificate

That last point—your intent to transfer—is critical, because before you make this decision, there are some things you should think about aside from any made decisions to simply switch vendors or consolidate multiple compliance needs under one.

The most important of these other considerations concerns your scope—during a certification transfer, you cannot modify the scope of your management system, including locations. 

When you transfer your certificate, no formal assessment of any scope modifications can be conducted during an individual transfer review—ultimately, the accepting certification body is just taking over the external audit duties of the initial issuer as it is. As such, any modification to the scope—and resulting modifications on the revised certificate-would be covered during a formally scheduled audit, be it a separate scope modification review, surveillance review, or recertification review. 

Moving Forward with Your ISO Certificate Transfer

Whether you decide to or not, organizations should be free to move from vendor to vendor, and IAF MD-2 allows the flexibility for such major change. Better still, the transfer review is designed to be an easy, straightforward process—the majority of the coordination is done between your certification bodies.

Regardless, it’s important to have an understanding of the process while you keep the option open for the future, and now you do.

Should you indeed choose to transfer, the original issuance date and current expiration date for an existing certificate are maintained once the process finishes, with no disruption to the certification term. From that point, it should be business as usual for you as the accepting certification body is required to generally follow the same audit program over the remaining term.

If you’re interested in a potential transfer to Schellman, please contact us today so that we can set up a call with our ISO team and determine if we’re the best fit for you. Otherwise, to learn more about other ISO options you have to better serve your organizational needs, read our other articles detailing other, less-known standards that may be able to help you:

About the Author

Ryan Mackie

Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

More Content by Ryan Mackie
Previous Article
Using the ONC/OCR SRA Tool in Your HIPAA Risk Analysis
Using the ONC/OCR SRA Tool in Your HIPAA Risk Analysis

Searching for a way to simplify your HIPAA risk analysis? The ONC/OCR tool can help--we explain how, as wel...

Next Article
The FedRAMP Assessment Process: What Do You Need to Provide?
The FedRAMP Assessment Process: What Do You Need to Provide?

Considering FedRAMP but not sure what it'll take to achieve? We break down 3 aspects of what you'll need to...


First Name
Error - something went wrong!