How do you check if a supplier’s ISO certificate actually means anything?

How do you check if a supplier’s ISO certificate actually means anything?

by Ahmed Al-Janabi -

I’ve been seeing more companies mention ISO certification in tenders, supplier profiles, and company presentations, but I’m starting to wonder how often people actually ...

more...

I’ve been seeing more companies mention ISO certification in tenders, supplier profiles, and company presentations, but I’m starting to wonder how often people actually check what the certificate covers.

For example, a supplier might say they are “ISO certified,” but that can mean very different things depending on the standard, the certified scope, the location covered, and who issued the certificate. A company could be certified for one specific service or branch, while buyers may assume the whole business is covered.

The practical problem is this: when you are reviewing a vendor or contractor, what should you ask for beyond just “send us your ISO certificate”?

A few things I’ve started looking at are:

  • The exact ISO standard and version listed on the certificate

  • The certified company name and whether it matches the legal entity you are dealing with

  • The scope of certification, especially whether it covers the service being offered

  • The issuing certification body

  • Any accreditation details or verification route

  • Issue date, expiry date, and certificate number

  • Whether surveillance audits are mentioned or traceable

For anyone who is new to the difference between certification, accreditation, scope, and verification, this iso certification guide gives a useful starting point without making it too complicated.

I’m curious how others handle this in real procurement or supplier approval situations. Do you verify certificates yourself, ask the supplier for supporting documents, or leave that to the quality/compliance team?

Also, have you ever seen a certificate that looked valid at first but turned out to have a vague scope, expired status, or no proper verification trail?