Your ISO certification questions.
Answered honestly.
Find answers to the most common questions about ISO standards, costs, funding and how we work. Didn't find what you're looking for? Ask us directly.
General questions
What is an ISO certification and why do I need it?
An ISO certification is an officially recognised proof that your company operates according to an international standard — for example ISO 9001 for quality management or ISO 27001 for information security. It signals to customers, clients and authorities that your processes are systematic and reliable.
Common reasons: customer requirements, access to public tenders, insurance benefits, legal obligations (e.g. NIS-2 for ISO 27001), or simply better internal processes.
Which ISO standard suits my company?
This depends on your industry, client requirements and strategic goals. As a guide:
- ISO 9001 — foundation for almost all industries, quality management system
- ISO 14001 — environmental management, CSRD preparation, sustainability strategy
- ISO 27001 — information security, NIS-2 compliance, data protection
- ISO 13485 — mandatory for medical device manufacturers and suppliers
- ISO 45001 — occupational health & safety, reduced insurance premiums, accident prevention
- ISO 42001 — AI management system, EU AI Act preparation
In a free initial consultation we'll work out together which standard(s) make sense for you.
How long is an ISO certificate valid?
An ISO certificate is typically valid for three years. During this period, the certifier conducts annual surveillance audits — a smaller audit confirming the system is maintained. After three years, a recertification audit is performed for the next three-year cycle.
I can support you as an External QMR on an ongoing basis, ensuring surveillance audits go smoothly.
Can I implement multiple ISO standards at the same time?
Yes — and it's often recommended when multiple standards are relevant for your company. Since most modern ISO standards share the High Level Structure (HLS), there are significant synergies: many chapters (e.g. context, leadership, risk management, improvement) are developed once and apply to all standards.
Typical combinations: ISO 9001 + 14001, ISO 9001 + 45001 + 14001, ISO 27001 + 42001.
What concrete benefits does ISO certification bring to my company?
An ISO certification is more than a piece of paper. Typical benefits in practice:
- Market access: Public tenders, automotive supply chains, medical technology — ISO is often mandatory here
- Lower error costs: Systematic error detection saves more over the medium term than certification costs
- Insurance and liability benefits: Documented processes reduce exposure for complaints and product liability
- Scalability: Grow without chaos — new employees onboard faster
- Trust: Customers, banks and authorities recognise ISO as a serious quality credential
We clarify in the initial consultation which benefits matter most for your company. All services at a glance →
Who in the company needs to handle ISO certification?
In practice you only need one main internal contact (usually management or a QMR) plus subject matter experts by area (production, IT, purchasing). The time investment is manageable — I handle documentation, process descriptions and all the structural work.
If you don't want to fill a QMR role internally, I can take on this role permanently as an External QMR.
Costs & funding
What does ISO certification cost in total?
Total costs consist of two parts:
- Consulting fee (Sternberg Consulting): Fixed price depending on company size, current maturity level and chosen standard. You get the exact price in the free initial consultation.
- Certifier fees: Typically €2,000–6,000 for SMEs. I obtain quotes from several accredited certifiers in advance.
No hidden costs. What the proposal says is what you pay.
Is there funding available for ISO consulting?
Yes — depending on the federal state and programme, up to 80% funding on the consulting fee is possible. Key programmes:
- BAFA "Business Consulting Subsidy" — up to 50% nationwide for SMEs
- State programmes — e.g. SAB (Saxony), TAB (Thuringia), IFB (Hamburg) with often higher rates
- ERDF / ESF — EU co-financed programmes from federal states
Important: most programmes must be applied for before consulting begins. I check your options and handle the application. Learn more about funding →
How transparent are your prices?
Very transparent. After the free initial consultation you receive a detailed fixed-price proposal — broken down by service, with no hourly-rate uncertainty. What's in the proposal is what you pay. There are no additional charges.
I also break down certifier costs in advance, so you know total project costs before you decide. Concrete benchmarks per standard: ISO 9001, ISO 27001, ISO 14001.
Are certifier fees also eligible for funding?
Generally no — most funding programmes (BAFA, state programmes) only cover consulting fees, not the fees of the accredited certifier. In some state programmes and via ERDF projects, mixed subsidies are possible.
I check free of charge which programmes are available in your federal state. All funding options →
What does recertification cost after three years?
The recertification audit is usually slightly cheaper than the initial certification — often 10–25% lower, because the certifier already knows your system. Preparation normally requires only a few consulting hours for a well-maintained system; for neglected systems the effort rises.
If I support you continuously as an External QMR, recertification usually runs on the side — with no additional preparation costs.
Is ISO consulting also worthwhile for small companies under 20 employees?
Yes — I deliberately specialise in SMEs. For small companies certification is often particularly valuable: it gives you market access that larger competitors already have, without building an internal QM department.
The effort stays small because you typically have only a few processes. Funding programmes often cover 50–80% of consulting costs — which makes ISO especially cost-effective for small companies. Check funding options →
Process & timeline
How long does ISO certification take?
It depends on your starting point and your goal:
- Fast-track certification: From approximately 6 weeks — with good prerequisites and focused collaboration
- Standard project: 2–4 months — realistic for most SMEs
- Complex projects: 4–8 months — for integrated management systems or high build-up requirements
In the free gap analysis I give you a realistic estimate for your specific company.
Do I need to organise the certifier myself?
No. I obtain quotes from multiple accredited certifiers, recommend the right one for you and coordinate all appointments. You don't need to handle this part.
I accompany you through the audit itself — so there are no surprises and you get through Stage 1 and Stage 2 with confidence.
What happens if the audit is not passed?
To date, all of my clients have passed their initial certification audit — that's not a marketing claim, that's my personal track record. I prepare companies so that nonconformities are identified and resolved internally before the auditor arrives.
Should a nonconformity be identified during the audit, I accompany the remediation right through to the successful follow-up check.
What happens after certification?
Your certificate is valid for three years, with annual surveillance audits. I can support you long-term as an External QMR — maintaining the management system, preparing surveillance audits and conducting the management review.
Alternatively: ad-hoc support as needed. You decide after certification which model fits.
What happens in the free gap analysis?
In the gap analysis we compare your current state with the requirements of the target standard. The result: an honest assessment of what already works, what's missing and how much effort towards certification is realistic.
For SMEs this typically takes 30–60 minutes and is non-binding. You gain concrete direction — even if you ultimately don't work with me afterwards. Arrange a gap analysis →
How much time do I personally need to invest as a managing director?
Less than most people think. Typically:
- Initial consultation & kick-off: 2–3 hours
- Ongoing meetings: 1–2 hours per week during the active project phase
- Two management reviews: approx. 2 hours each (ISO requirement, but I prepare everything)
- Audit: 1–2 days on-site (you, QMR and relevant employees)
I take on the documentation work — you provide input, I build the system from it.
What's the difference between a Stage 1 and Stage 2 audit?
Initial certification runs in two stages:
- Stage 1 (documentation review): The auditor reviews management system documents, policies and the maturity of your process structure. Usually takes 1 day.
- Stage 2 (system audit): The auditor visits your company, speaks with employees and checks whether the system is actually lived in practice. Takes 1–3 days depending on company size.
I accompany you through both stages on-site or remotely — you're never alone with the auditor.
Questions about ISO standards
What makes ISO 9001 different from other standards?
ISO 9001 is the universal foundation — it applies across industries and establishes the basis for systematic quality management. Almost all other management system standards (14001, 27001, 45001, 42001) share the same structural principles.
If you're starting with ISO certification, I usually recommend ISO 9001 as the first standard — or a combination with a second one if customer requirements call for it. Learn more about ISO 9001 →
Does NIS-2 require ISO 27001 certification?
NIS-2 doesn't mandate ISO 27001 certification — but it does require an adequate information security management system (ISMS). ISO 27001 is the internationally recognised standard for this and the most direct path to demonstrating NIS-2 compliance.
If you fall under NIS-2 (mid-sized companies in critical sectors), I recommend ISO 27001 as a solid proof of compliance. Learn more about ISO 27001 →
What does ISO 42001 actually deliver?
ISO 42001 is the world's first management system standard specifically for AI. It helps organisations introduce AI systems responsibly — with risk assessments, transparency requirements and governance structures.
Relevance: EU AI Act preparation, building trust with clients and partners, internal control of AI risks. ISO 42001 is particularly valuable for companies actively developing or deploying AI. Learn more about ISO 42001 →
Do I need ISO 13485 if I'm only a supplier to medical device companies?
In many cases, yes. Medical device manufacturers increasingly require their suppliers to provide proof of ISO 13485 — or at least ISO 9001 with additional quality credentials. Anyone supplying components, sterile packaging, software or services for medical devices can be pushed out of the market without an appropriate quality credential.
Whether ISO 13485 is needed or an ISO 9001 solution with medical device add-ons is sufficient, we clarify in the initial consultation. Learn more about ISO 13485 →
Do I need to prepare a carbon footprint under ISO 14001?
Not mandatory — ISO 14001 doesn't require a formal CO₂ footprint. But you do need to know and evaluate your significant environmental aspects. Energy consumption, emissions, waste and water are mandatory topics.
Anyone planning CSRD preparation or sustainability reporting sensibly builds the CO₂ footprint at the same time — one project then covers both. Learn more about ISO 14001 →
What does ISO 45001 offer compared to SCC or DGUV?
ISO 45001 is the internationally recognised standard for occupational health and safety management systems. SCC is more of a contractor standard for the chemical and petroleum industries; DGUV obligations are the German foundations for occupational safety. ISO 45001 integrates both structurally into a modern management system — and is usable internationally.
Benefits: reduction of employer liability insurance contributions, improved legal certainty, international recognition. Learn more about ISO 45001 →
What's the difference between ISO 27001 and TISAX?
ISO 27001 is the international standard for information security management systems (ISMS). TISAX is an industry-specific assessment catalogue for the automotive industry that builds on ISO 27001 but adds additional requirements around prototype protection, information security for development service providers and data classification.
If you work for automotive OEMs, you need TISAX. If you want to demonstrate general IT security or fall under NIS-2, ISO 27001 is the better fit. Both in parallel is possible. Learn more about ISO 27001 →
External QMR
What does an external QMR do?
A Quality Management Representative (QMR) is responsible under most ISO standards for overseeing and maintaining the management system. Tasks include: coordinating internal audits, preparing the management review, tracking corrective actions and keeping the system up to date.
As an external QMR I take on this role for your company — reliably, experienced and without internal hiring. Learn more about external QMR →
Is an external QMR accepted by certifiers?
Yes. The external QMR role is accepted by certifiers provided it has been formally appointed in writing, responsibilities are clearly documented, and the person demonstrably holds the required qualifications. I provide all necessary documentation for the certifier.
For which companies does an external QMR make sense?
Particularly useful for SMEs (10–200 employees) that:
- Don't have internally qualified staff for the QMR role
- Want to avoid personnel costs for a full-time hire
- Want a professional, audit-stable management system without in-house ISO expertise
- Need to ensure continuity despite staff changes
How often is an external QMR on-site at the company?
We handle most tasks remotely — regular alignment calls, document maintenance, preparing the management review. On-site visits make sense for internal audits, incident investigations or major changes and are fixed in the annual schedule (usually 2–4 days per year).
For surveillance and recertification audits, I'm happy to be on-site to accompany you directly with the auditor.
Can the external QMR also carry out internal audits for us?
Yes. As a certified Lead Auditor I conduct your internal audits to standard — with audit plan, assessment report, nonconformity documentation and tracking of corrective actions. For many SMEs that's the main reason for hiring an external QMR.
Important: an auditor must be independent from the area under review. As an external consultant I bring this independence automatically.
About working together
Do you work remotely or on-site?
Remote-first — this applies to workshops, documentation work, audit accompaniment and regular check-ins. It saves time and travel costs without sacrificing quality. On-site visits are always possible and planned when needed (e.g. for internal audits or kick-off workshops).
I serve clients across Germany — from Flensburg to Munich.
Will I always work directly with Jonathan Sternberg?
Yes — always. I don't run junior teams and don't delegate tasks to subcontractors. You have my direct contact details and communicate with me personally at every project stage. This is my deliberate choice to maintain the quality of my consulting.
How do I get started?
Simply book a free initial consultation via the contact form. In the first meeting (approx. 30–45 minutes) we discuss your starting point, your goals and which standards make sense. You then receive a concrete proposal — with no obligation.
Book a free consultation
Do you also offer training for our employees?
Yes. For internal auditors, QMRs, leadership and your entire workforce there are suitable formats — in-house workshops, remote training or asynchronous learning content. Typical topics: foundations of an ISO standard, internal auditor qualification, leadership in a QM system, risk management.
Which industries do you serve?
Focus areas: manufacturing, medical technology, IT and software companies, professional services, skilled trades with commercial structure and engineering firms. ISO 9001 and ISO 14001 are industry-independent, while ISO 13485 and ISO 27001 address specific industries.
More on my approach and background: About Sternberg Consulting →
How can contracts be terminated?
Implementation projects run as fixed-price projects with a clearly defined end (certificate obtained). Ongoing consulting or External-QMR contracts can be terminated monthly with short notice. No minimum terms, no lock-in contracts.
Trust has to work in both directions — and that only works when no one is bound who doesn't want to stay.
What if we already have ISO certification and just need support?
Happy to help. Typical scenarios: recertification is coming up, the previous QMR is leaving, a new standard is being added, or the existing system is outdated and needs cleaning up. I come in flexibly — as ad-hoc support, temporary project QMR or ongoing external care.
Ask directly.
In the free initial consultation I answer all your questions personally — no sales pressure, no hidden agenda.
Book a free consultation
Let's talk.
Tell me where you stand and what you need. Within 24 hours you receive a first assessment and a concrete meeting proposal — free and without commitment.
- ✓ Reply within 24 hours
- ✓ Free first consultation, no strings attached
- ✓ BAFA funding eligibility checked for you