Choosing an ISO consultancy is one of the more consequential decisions in your certification journey. The right consultant shortens your path to certification, builds a system that actually works for your business and prepares you well for the audit. The wrong one builds a document set that satisfies the auditor once and then sits in a folder unused; leaving you with nonconformities at your first surveillance audit and no real understanding of how to maintain the system.
In Australia’s ISO consulting market, there is significant variation in quality, experience and approach. Here are seven questions worth asking before you sign anything.
- Are you accredited or affiliated with a JAS-ANZ recognised body and do you issue the certification yourselves?
This question matters because there is a critical distinction in the Australian market between ISO consultants and certification bodies and some businesses don’t realise they’re different things.
ISO consultants help you build, implement and prepare for certification. Certification bodies conduct the audit and issue the certificate. Under JAS-ANZ requirements and the integrity of the ISO certification process, a consultancy cannot both implement your management system and certify it. If a company is offering to certify you directly without involving a separate, independent JAS-ANZ accredited Conformity Assessment Body (CAB), that’s a significant red flag. Your certificate won’t be internationally recognised.
The consultant you hire should be able to recommend reputable JAS-ANZ accredited certification bodies but should have no financial relationship with them that creates a conflict of interest.
Ask directly: who certifies us, and what is your relationship with them?
- Have you worked with businesses in our industry and of our size?
ISO 9001, ISO 14001 and ISO 45001 apply across every sector but how the standards translate into practical management systems varies significantly depending on whether you are a five-person professional services firm, a 200-person construction contractor or a manufacturer running multiple shifts.
A consultant who mostly works with large organisations may build a QMS that is far more complex than a smaller business needs. This only creates a documentation burden without proportionate value. Conversely, a consultant without experience in higher-risk industries may not understand the depth of hazard management documentation that an ISO 45001 audit in a construction or resources context demands.
Ask for examples of similar clients in same industry, comparable size and comparable risk profile. Ask what challenges came up during those implementations and how they were handled. The answers usually tell more than a credentials list.
- What does your implementation process look like, and how involved will our team need to be?
There are broadly two implementation models in the Australian ISO consulting market.
The first is a “done for you” model where the consultant builds most of the documentation and the client team’s role is primarily to review and approve. This can be efficient for the implementation phase, but it creates a risk. Like your team doesn’t develop the understanding needed to maintain the system after certification. At surveillance audit time, staff who weren’t involved in building the system often can’t explain how it works.
The second is a collaborative model where the consultant guides the process and builds the framework, but the client team develops the content for their specific operations. This takes more of your team’s time during implementation but produces a system that is genuinely understood and more likely to be maintained effectively.
Neither model is inherently wrong but the right fit depends on your team’s capacity and your goals. But understanding which model a consultancy uses, and whether it matches your situation, is important before you commit.
One more important thing to ask: what happens after certification? Do you offer ongoing support for internal audits, management reviews, or surveillance audit preparation?
Some consultancies disengage entirely after the certificate is issued. Others offer retained support. Know what you are buying before committing.
- How do you handle the gap analysis, and what does it include?
The gap analysis is an assessment of your current operations against the requirements of the relevant ISO standard. A thorough gap analysis tells you how much work the implementation will require, where the priority areas are and what already exists in your organisation that can be formalised rather than built from scratch.
A weak gap analysis produces an inaccurate scope and project timeline. It is also a signal about how the consultant works: if the gap analysis is superficial, the implementation probably will be too.
Ask what the gap analysis covers, how it’s conducted (on-site assessment vs. a questionnaire), who conducts it and what the output looks like. A credible consultant should produce a written gap analysis report that maps your current state against the standard’s clauses and not a verbal overview or a one-page summary.
For businesses pursuing multiple standards simultaneously like ISO 9001 and ISO 14001, or a full QHSE system covering ISO 9001, 14001, and 45001 should ask whether the gap analysis addresses all standards in an integrated way or treats each one separately. Given that all three standards share the same High Level Structure, an integrated gap analysis is both more efficient and more useful.
- What is your approach to documentation and will it work for our business after you leave?
The documentation question is where the real quality difference between consultants shows up.
Some consultancies use generic template libraries like pre-built procedures and forms that are adapted with your company name and minor customisation. This approach is fast, but it often produces documentation that doesn’t reflect how your business actually operates. Procedures that describe an idealised process rather than a real one are exactly what experienced auditors probe during Stage 2 and surveillance audits.
“How does this procedure work in practice?” is a question your team needs to be able to answer confidently.
The better approach is documentation built around your actual processes using your existing terminology, your operational structure, your real workflows. This takes longer but produces a system that staff can follow and that auditors can verify against observable reality.
Before engaging any ISO certification consultancy, ask to see a sample of documentation they have produced for a similar client. Ideally an actual procedure and not just a summary. Seeing how closely does it reflect the client’s actual operations or does it read like a generic template can help you decide.
One more thing to ask. What format is the documentation delivered in and how do we update it? A system delivered as a static PDF set is harder to maintain than one delivered in editable formats that your team can update as processes change.
- How do you prepare us for the certification audit, and what’s your track record?
Passing the Stage 2 certification audit is the immediate commercial goal. A good consultant should have a clear approach to audit preparation and not just delivering documentation and wishing you luck.
This includes conducting or facilitating the internal audit required under Clause 9.2, reviewing the management review process before the external audit, preparing staff for auditor interviews (what to expect, how to respond, what records to have ready), and addressing any Stage 1 audit findings before Stage 2 proceeds.
Ask directly: what is your certification pass rate on first attempt for clients you have taken through the full implementation process? A credible consultancy should be able to answer this without hesitation. First-attempt certification isn’t guaranteed. Auditors are independent and rigorous but a consultant with a strong implementation process should have a high first-attempt success rate.
Also good to ask what happens if the audit produces major nonconformities. Do they support you through the resolution process or does that fall back on you?
- Do you work nationally and do you understand how the standards apply across different Australian states?
For businesses operating across multiple states or planning to do so, the consultant’s national capability matters.
While ISO 9001, ISO 14001, and ISO 45001 are international standards with consistent requirements, the compliance obligations that feed into ISO 14001 and ISO 45001 in particular are shaped by state and territory legislation. Environmental obligations under ISO 14001 are governed by state environmental protection acts. So what applies in Western Australia differs from New South Wales. Work health and safety obligations under ISO 45001 are largely harmonised through the model WHS Act, but implementation differences between jurisdictions still exist and your compliance obligations register needs to reflect where you actually operate.
A consultant who has only worked with businesses in one state may not have the depth of knowledge needed to build a compliance obligations register that covers your full operational footprint.
This is particularly relevant for Perth-based businesses expanding nationally. If you are entering the Sydney or Melbourne markets and need your certification to support that expansion, working with a ISO certification consultancy in Sydney that has genuine national experience is worth the extra scrutiny in your selection process.
ISO consultancy fees in Australia vary widely. From a few thousand dollars for template-based implementations to significantly more for comprehensive, tailored engagements with larger or more complex businesses. The cheapest option is rarely the best value when the output is a system that doesn’t survive its first surveillance audit.
The right question isn’t “how much does it cost?” in isolation but it’s “what am I getting for that cost and what will it cost me to fix if it’s not done well?”
A management system built properly the first time is less expensive over three years than one that requires significant rework before surveillance and recertification audits.
Ask the questions above, compare the answers, and make the decision with that full picture in mind.