Your ISO Questions, Answered

31 answers to the most common questions about ISO certification in Malaysia — cost, timeline, standards, process, and more.


ISO Basics

5 questions

ISO is the short name of the International Organization for Standardization, a Geneva-based independent body that develops internationally agreed standards. "ISO" is not an acronym: it is derived from the Greek word isos (equal), chosen so the name is the same in every language. ISO has published over 24,000 international standards covering everything from quality and environmental management to food safety and medical devices.

An ISO management system standard provides a structured framework for how an organisation manages a specific area of its operations. ISO 9001, for example, sets requirements for a Quality Management System. Organisations are independently audited against these requirements by a certification body that is itself accredited (in Malaysia, typically by the Department of Standards Malaysia), and when they pass, they receive ISO certification.

ISO certification is not legally mandatory in Malaysia for most industries. However, many government tenders, GLCs, MNCs and international buyers require suppliers to hold ISO 9001 as a minimum qualification. For certain industries (medical devices under ISO 13485, food safety under HACCP), regulatory or buyer requirements effectively make certification essential.

ISO compliance means your organisation follows the requirements of the standard internally. ISO certification means an accredited third-party certification body has independently audited your system and issued a certificate confirming it conforms. You may state that you work to a standard without a certificate, but you cannot claim to be "ISO certified", use a certification mark, or satisfy a tender requirement for certification unless a certification body has issued the certificate.

ISO 9001 (Quality) applies to all industries. ISO 14001 (Environment) suits manufacturing and construction. ISO 45001 (Occupational H&S) covers any workplace. ISO 22000/HACCP is for food and beverage. ISO 13485 is required for medical devices. Contact Cari Consultancy and we will advise which standards match your industry and customer requirements.

Certification Process

5 questions

For small to medium-sized companies in Malaysia, ISO certification typically takes 6–12 months from initial gap analysis to receiving the certificate. With Cari Consultancy's structured programme, most SMEs achieve certification within 6–9 months. Large organisations or multi-site companies may take 12–18 months.

Stage 1 (Document Review) is usually conducted at your premises, although some certification bodies carry it out remotely. The auditor reviews your management system documentation, confirms the scope, and checks your readiness for Stage 2, including whether internal audits and a management review have been carried out. Stage 2 (Main Audit) is the full on-site assessment where the auditor verifies your system is implemented and effective. Both stages are conducted by your chosen accredited certification body, not by your consultant.

A gap analysis is an assessment of your current operations against ISO standard requirements — identifying what you have in place and what needs to be developed. It is the essential first step of any ISO implementation project. Cari Consultancy conducts a thorough gap analysis at the start of every engagement, producing a detailed report and customised roadmap.

Yes. The certification body is separate from your consultant. Common choices in Malaysia include SIRIM QAS International, Bureau Veritas, SGS, TUV SUD, BSI, and Intertek. Cari Consultancy will help you select an appropriate body based on your industry, budget and customer requirements.

ISO certification is valid for 3 years. Your certification body will conduct annual surveillance audits at 12 and 24 months. At the end of 3 years, a recertification audit is required. Cari Consultancy provides ongoing post-certification support — helping you maintain your system and prepare for each audit.

Cost & Investment

4 questions

ISO certification costs have two components: the consultancy fee and the certification body audit fee. Consultancy fees vary based on company size, scope, and the maturity of your existing system. Certification body fees depend on the number of audit days, which is calculated from your effective headcount, the complexity of your processes, and the number of sites. Contact Cari Consultancy for a personalised, no-obligation fixed-scope quotation with no hidden charges.

No — the certification body fee is paid directly to the certification body of your choice and is separate from Cari Consultancy's fee. This is standard industry practice. We guide you in selecting an appropriate body and explain exactly what their fees cover.

Yes. You will pay annual surveillance audit fees to your certification body and a recertification audit fee at the end of the 3-year cycle. Cari Consultancy offers affordable post-certification maintenance packages to keep your system running efficiently between audits.

Yes. ISO certification is very achievable for Malaysian SMEs. Many of our clients are businesses with fewer than 50 employees. The investment is often quickly recovered through winning new tenders, improving operational efficiency, and reducing costly errors. We tailor our programmes to your size and budget.

ISO Standards

5 questions

ISO 9001 is a Quality Management System — ensuring you consistently meet customer requirements. ISO 14001 is an Environmental Management System — helping you manage and reduce environmental impact. ISO 45001 is an Occupational Health and Safety Management System — protecting workers and reducing workplace incidents. All three share the same clause structure (the High Level Structure, now called the Harmonized Structure in Annex SL of the ISO directives) and can be integrated into a single Integrated Management System (IMS).

HACCP (Hazard Analysis and Critical Control Points) is a systematic approach to identifying and controlling food safety hazards. ISO 22000 is a full Food Safety Management System that incorporates HACCP principles along with management system elements such as planning, communication and continual improvement. Most Malaysian food businesses implement both together.

FSSC 22000 is a comprehensive food safety certification scheme built on ISO 22000. It adds sector-specific prerequisite programmes (the ISO/TS 22002 series, for example ISO/TS 22002-1 for food manufacturing) and the scheme's own additional requirements. It is often required by major international food retailers and buyers, and it is recognised by the Global Food Safety Initiative (GFSI). Cari can help you decide which is appropriate for your export markets.

Yes — and this is very common. Many Malaysian manufacturers hold ISO 9001, ISO 14001 and ISO 45001 simultaneously as an Integrated Management System. Since these standards share the same High Level Structure, they can be implemented and audited together, significantly reducing duplication of effort and cost.

ISO 13485 is the Quality Management System standard for the medical devices industry. In Malaysia it is closely linked to the Medical Device Act 2012 administered by the Medical Device Authority (MDA): manufacturers are assessed against ISO 13485 as part of device registration, while importers and distributors applying for an establishment licence are typically assessed against the MDA's Good Distribution Practice for Medical Devices (GDPMD), which is itself closely based on ISO 13485. If your business manufactures, imports, distributes or services medical devices, ISO 13485 or GDPMD is likely required.

Working With Cari

4 questions

Our full implementation service includes: initial gap analysis and roadmap, documentation development (policies, procedures, work instructions, forms), staff training and awareness sessions, internal audit programme, management review facilitation, pre-audit assessment, and on-site support during your Stage 1 and Stage 2 certification audits. Post-certification maintenance support is also available.

Yes. While our office is in Shah Alam, Selangor, we serve clients throughout Malaysia — Kuala Lumpur, Selangor, Penang, Johor Bahru, Melaka, Perak, Kedah, Sabah and Sarawak. For clients outside the Klang Valley we combine on-site visits with remote consultation to manage projects efficiently.

ISO implementation requires genuine commitment from management and key staff — particularly your management representative and department heads. We handle the heavy lifting on documentation and system design, but your team needs to understand and own the processes. We work around your schedule and keep meetings focused and productive.

We cannot guarantee the outcome of an independent third-party audit — and any consultant who does should be viewed with caution. What we do guarantee is that we will not submit you for certification until we are confident your system is ready. Our clients consistently pass their Stage 1 and Stage 2 audits on the first attempt.

Maintenance & Renewal

4 questions

After receiving your ISO certificate, surveillance audits are required annually — at 12 months and 24 months after initial certification. A full recertification audit is required at the end of the 3-year cycle. Failing to schedule surveillance audits on time can result in your certificate being suspended or withdrawn.

An internal audit is an audit of your own management system conducted by trained personnel within your organisation. The auditor should be independent of the activity being audited, so a department head should not audit their own department. ISO standards require internal audits at planned intervals — typically once or twice per year for most Malaysian SMEs, with every clause and process covered at least once within each certification cycle. The purpose is to verify your system is working as intended before your external certification body audits you.

If nonconformities are found during a surveillance audit, you are given a timeframe (typically 30–90 days) to implement corrective actions. Minor nonconformities are common and manageable. Major nonconformities may result in your certificate being suspended. Cari Consultancy can support you in preparing for surveillance audits and implementing corrective actions.

Absolutely. We regularly help organisations whose previous consultant has stopped supporting them or whose system has deteriorated. We assess your current system, identify gaps, and put a maintenance programme in place — whether you are preparing for a surveillance audit or need to revitalise a neglected management system.

Training

4 questions

We offer ISO Internal Auditor Training (covering ISO 9001, 14001, 45001 and 22000), ISO Awareness Training for all staff levels, and HACCP and Food Safety Training. All programmes are available as public courses or customised in-house sessions at your premises. Visit our Training page for full details.

All participants who complete a Cari training programme receive a CPD Certificate of Attendance. Keep this certificate in your training records as documented evidence that the training took place. Note that ISO standards require you to determine the competence needed for each role and to evaluate whether training was effective, so the certificate supports your competency records but should be accompanied by your own evaluation (for example, a supervisor's sign-off or an internal audit carried out by the trained auditor).

Yes. All training programmes are available in English, Bahasa Malaysia, or bilingual delivery. For in-house training we agree on the preferred language during planning to ensure all participants can fully benefit from the session.

Basic familiarity with the relevant ISO standard is helpful but not required — we cover the key clauses during the course. For Awareness Training, no prior knowledge is needed at all. Our trainers are experienced consultants who explain concepts clearly regardless of participants' background.

Still Have Questions?

Our consultants are happy to answer any question — no sales pressure, no obligation.

WhatsApp Us

Chat directly with our ISO consultants. Fastest response — typically within the hour during business hours.


Send an Enquiry

Fill in our consultation form with your question. We'll respond with a personalised answer within one business day.


Call Us

Speak with our team directly. Monday to Friday, 9 AM – 6 PM, from our Shah Alam office.

+603 5878 0332

Ready to Start Your ISO Journey?

Get a free consultation and customised roadmap — no obligation.
