Your ISO certification has just expired. Your boss asks when you'll be recertified. Your customers are asking if you're still compliant. Your team is confused about whether your management system still works. The silence from your certification body has been deafening. This moment, if not handled correctly, can unravel years of effort to build a functioning ISO management system. But it doesn't have to. Understanding what happens after your certification expires, and more importantly what you need to do about it, is the difference between maintaining organisational credibility and damaging it.
On this page
Understanding the Certification Expiry Timeline
ISO certifications are issued for three years. This is a standard across all major certification schemes including Exemplar Global and IRCA accredited bodies. When auditors conduct your certification audit, they issue a certificate with a specific expiry date printed clearly on it. Most organisations treat this date as a deadline they'll address "eventually", often waiting until the last few months to even think about renewal.
The reality is more nuanced. Your certification doesn't simply switch off at midnight on the expiry date. The ISO standards themselves remain in force. Your management system should still be functioning, your internal audits should still be happening, your management reviews should still be occurring. What expires is your organisation's third party verification of compliance. This distinction matters enormously for your business operations and customer relationships.
In practical terms, many Australian organisations have found themselves in a precarious position when certification expired unexpectedly. A manufacturing business in Victoria discovered mid year that their quality management system certificate had expired six months earlier. They hadn't realised because the certification body's expiry reminder had gone to an inbox that no longer existed. Another organisation in Queensland had their certificate lapse because they'd changed auditors and assumed the new certification body would automatically manage the renewal. Neither scenario is uncommon.
The Legal and Compliance Status After Expiry
Once your ISO certification expires, you no longer hold a valid third party certification. This is not a technical grey area. Your certificate is expired, your organisation is not currently certified, and any claims to certification are false and potentially fraudulent. This matters most when you've made certification a contractual requirement or a key marketing claim.
If you hold contracts that specify "ISO 9001 certified supplier" or similar language, expiry typically constitutes a material breach of contract. Your customers have legitimate grounds to escalate, cancel the relationship, or seek damages depending on how your contract is worded. We've seen organisations lose significant contracts specifically because customers discovered they'd allowed certification to lapse.
For regulated industries such as pharmaceuticals, medical devices, or food manufacturing, certification expiry may trigger regulatory non compliance. The Therapeutic Goods Administration in Australia, for example, expects manufacturers to maintain ISO 13485 certification. Allowing it to expire creates immediate compliance risk with the regulator, not just your customers.
Your management system itself, however, doesn't become invalid or non functional. You can and should continue operating according to your ISO procedures, conducting internal audits, and managing your processes. The expiry affects your right to claim third party verification, not your operational capability. This is a critical distinction that many organisations misunderstand.
What Happens to Your Management System After Expiry
Many organisations assume their ISO management system falls apart when certification expires. In fact, a well constructed system should continue functioning because it's designed to improve operations, not just satisfy auditors. The difference is that nobody external is verifying whether you're actually following it.
This creates a real risk. Without the accountability of an external audit, organisations often drift. Quality procedures get shortcuts. Risk assessments get forgotten. Internal audits become less rigorous because there's no external auditor coming to check them. We've observed this pattern repeatedly in Australian organisations. The first year after expiry, the system usually holds. By the second year, the discipline erodes noticeably.
Your internal audit programme becomes especially important during the gap period between expiry and re certification. A well structured internal audit programme can maintain system integrity and identify drift before it becomes entrenched. If you're approaching expiry without a documented internal audit schedule, this is your signal to establish one immediately.
The other critical element is management review. Under ISO 9001 and equivalent standards, management must conduct periodic reviews of the system's continuing suitability and effectiveness. These reviews should be even more thorough during a period without external certification. They provide the mechanism to catch deterioration and correct course before the next certification audit.
The Gap Period and Business Risk
The period between your certificate expiry and re certification is your vulnerability window. This gap can range from a few months to years depending on how you handle the transition. Most organisations experience at least a three month gap: expiry date passes, then they contact a certification body, then the body schedules the audit, then the audit happens, then the certificate is issued.
During this period you have no valid certification to show customers or regulators. You cannot market yourself as ISO certified. You cannot include "ISO 9001 Certified" on your website, tenders, or correspondence without making a false claim. Some organisations attempt to get around this by claiming they're "in the process of certification" but regulators and customers increasingly see through this language.
For organisations in competitive markets where certification is a differentiator, this gap is commercially damaging. A manufacturing business in New South Wales that allowed their certification to lapse reported losing two potential contracts because prospects specifically required certified suppliers. The organisation had to explain that certification had expired but re certification was underway. The explanation didn't restore confidence.
The gap also represents operational risk. Without external audit discipline, your system discipline typically decreases. You cannot identify non conformities the same way. Your corrective actions may not be tracked as rigorously. If a customer issue arises during the gap period, you may not have the external auditor's observations to support your investigation and correction.
Types of Re Certification Pathways
Once you've allowed your certification to expire, your re certification pathway depends on how long you've been uncertified. The key timeline is 90 days. If you re apply for certification within 90 days of expiry, you can undergo a "re certification audit" which is essentially a standard certification audit conducted by the certification body. This is the fastest path back to certification.
If more than 90 days have passed since expiry, you're technically applying for "certification" again rather than "re certification". The audit process is nearly identical, but administratively and statistically you're counted as a new certification rather than a renewal. This distinction matters for accreditation purposes but not significantly for your audit experience.
Some organisations in genuine hardship have approached certification bodies and regulators requesting extensions or grace periods. The Exemplar Global scheme does allow for limited extensions in exceptional circumstances, but these are rare and must be requested before expiry, not after. Once expired, the normal re certification process applies. Attempting to negotiate an extension after the fact is typically unsuccessful.
Planning Your Re Certification Audit
The re certification audit is essentially a full certification audit conducted by your certification body. If you've allowed a significant gap, the auditors will be especially focused on whether your system actually functioned during the period without certification, and whether you've now re established control.
Your preparation should begin at least three months before you want certification to be active again. This gives you time to schedule the audit, address any obvious gaps that have emerged, and conduct internal audits to verify system functionality. Too many organisations contact their certification body weeks before they need the certificate, discover the body can't schedule an audit for months, and then face a crisis.
You should prepare documentation that demonstrates system continuity. This includes internal audit reports and corrective actions from the gap period, evidence of management reviews, records of training and awareness activities, and documented changes made to the system. If your system has deteriorated significantly, you may need to conduct corrective actions before the certification audit rather than relying on the certification audit to identify the gaps.
Preparing your organisation for an external audit after a gap period is slightly more intensive than preparing for a standard surveillance audit. Auditors will naturally be more inquisitive about what happened during the period without certification. They may ask specifically about processes that were dropped, controls that lapsed, or decisions made without the discipline of external verification.
Cost and Resource Implications
Re certification costs are typically higher than maintenance audits. Certification bodies usually charge higher fees for certification audits than for surveillance audits. If you've had a long gap, the audit scope may be expanded because auditors need to verify that your entire system still functions, not just sample it. Plan for certification audit costs to be 30 to 50 percent higher than your previous year's surveillance audit fee.
You'll also incur internal costs to prepare for the audit. If your management team and team leaders have rotated, they'll need briefing on your system. If your system documentation has drifted from reality, you may need to invest time either updating the documentation or bringing the practices back into alignment with the documented system. Neither option is free.
Internal audit training becomes valuable at this point. If your team has been conducting internal audits throughout the gap period, their competence should remain current. If the gap period was long and internal auditing has lapsed, you may want to refresh training before the certification audit. Learning how to become an ISO internal auditor or refreshing auditor skills is an investment that pays dividends when preparing for external audits.
Preventing Future Expiry
Once you've navigated the crisis of expiry and re certification, establish systems to prevent it happening again. The simplest mechanism is a calendar reminder. This sounds obvious, but spreadsheets tracking certificate expiry dates, with reminders set months in advance, prevent approximately 80 percent of accidental expirations we observe in Australian organisations.
Better still, designate someone as the "certification owner" with explicit responsibility for managing the certification cycle. This person should be in a stable role, not someone likely to leave in the next three years. They should have a documented procedure for managing certification dates, notifying senior management of upcoming audits, coordinating with your certification body, and escalating any delays.
Communicate your certification dates to your certification body and ask them to manage reminders. Most bodies will proactively contact you as your expiry approaches if you've provided explicit permission and clear contact details. The problem usually isn't that certification bodies don't send reminders; it's that those reminders go to email addresses that no longer exist or inboxes that aren't monitored.
Schedule your re certification audit at least four to six months before expiry. This means contacting your certification body around the 30 month mark of your three year certification. Scheduling early gives you flexibility if the initial audit date doesn't work, or if the audit identifies major gaps that need remediation before certification can be granted.
Maintain your internal audit discipline continuously. Don't let internal audits become something you do "when the certification audit is coming". They should be embedded in your regular management system activity. Organisations that conduct thorough internal audits every six to twelve months experience fewer surprises at certification audits and maintain better system discipline during gap periods.
Customer and Stakeholder Communication
If your certification has expired or is approaching expiry, decide whether and how to inform customers and stakeholders. For some organisations, certification is so integrated into customer contracts and marketing that silence creates greater damage than transparency. Others can manage a gap period without external notification.
If you're in a regulated industry or serve customers who specifically require certification, transparency is usually better than discovery. Contact key customers proactively. Explain that you're transitioning from your current certification to renewed certification. Provide a timeline for when your new certificate will be active. Customers typically understand that certifications are renewed; they don't understand finding out by accident that you're uncertified.
In your communication, emphasise that your management system continues to operate throughout the transition period. Your processes, controls, and quality discipline don't change. What's changing is the third party verification schedule. This reassures customers that you're maintaining operational standards even without external certification during the gap period.
For non critical customers or stakeholders, you may decide that immediate notification isn't necessary, but you should have a consistent answer ready if anyone asks about your current certification status. Saying "our certificate is currently being renewed and we expect the new certificate in June" is far more credible than appearing to discover mid conversation that you're expired.
Managing the Surveillance Audit Cycle After Re certification
Once you've achieved re certification, establish a clear surveillance audit schedule. Most organisations have surveillance audits conducted annually, with a re certification audit due in year three. Some certification bodies offer different schedules, such as audits in months 12 and 24, with re certification in month 36. Understand your body's specific schedule and mark those dates in your calendar.
Surveillance audits are less intensive than certification audits. Auditors focus on sampling and verification rather than comprehensive assessment. However, they serve the critical function of keeping your organisation accountable to the standard. The knowledge that an auditor is coming in six months tends to maintain discipline far more effectively than any internal process can.
Use the time between surveillance audits for continuous improvement. Conduct internal audits, implement corrective actions, and prepare for the next external audit. When auditors arrive for surveillance, they should find evidence of an organisation actively managing and improving its system, not just maintaining it. This distinction between "compliant" and "actively improving" is what auditors and certification bodies are looking for.
Audit Workshop offers accredited ISO Lead Auditor and Internal Auditor training that prepares you for every stage of external certification audits. Our courses are Exemplar Global recognised and delivered online for working professionals.
