Considerations in Achieving ISO Certification

There has been a great deal of confusion concerning whether being in compliance with the medical device Good Manufacturing Practices (GMP) would successfully lead to obtaining ISO certification (with minimum changes and costs), or whether achieving ISO certification is going to be a long, expensive road. The ultimate success of your ISO program will not depend solely on how well defined your quality system is, but rather your company’s commitment to achieving certification.

GMP vs ISO: Which Road to Quality?

Both GMP and ISO are quality systems in their own right. As the revised GMP became final in June 1997, the two systems became closer in how they are written and how a company should be achieving quality. There is, however, a real difference between GMP compliance and ISO certification.

The GMPs are a regulatory requirement mandated by law, and if you are manufacturing medical devices for U.S. distribution, you must be in compliance with these regulations. ISO, on the other hand, is a voluntary certification obtained by a company when they determine that the certification is beneficial to their operations and/or marketing strategies. (At the present time ISO is the accepted quality system standard for the European Community, Australia, and South America. Other countries are also planning on accepting the ISO 9000 standard as their standard for a quality system.)

So, which came first, the chicken or the egg?

GMPs for medical device manufacturers were instituted in 1978, and the ISO 9000 standard became effective in 1987. The ISO 9000 standard is not specific for any industry or service, while GMP is specific for medical device, drug, blood bank, and low acid canned food industries.

Will the revised GMP bring the GMP and ISO closer together?

The revised GMP includes design review, management review, vendor qualification, and corrective and preventive action. So, could it be assumed that the revised GMP will make ISO certification easier to obtain? The answer is that it depends. You must remember that ISO is precision, while GMP is compliance. Precision is the ability to repeat a task time after time and obtain the same results. An ISO certification audit certifies that your system is in place, assuring capability of providing precision. If precision cannot be achieved, policies and procedures will address these issues.

The GMPs are supposed to assure the ability to repeat operations accurately. However, the FDA’s main focus (in the GMP audit review) is preventing adulterated products from entering the marketplace, not assuring that your present system will successfully handle problems after they occur.

The fundamental difference between GMP and ISO is that both have different agendas. Once this is understood, the road to achieving ISO certification for a medical device company (who is in GMP compliance) will be much easier, faster, and less expensive.

How does a company go from GMP compliance to ISO certification?

Point #1: Understand ISO 9000 requirements.

Though the revised GMP and ISO are now closer in determining how a quality system should be implemented, the manner in which both accomplish the task are different. Look at the ISO standard and become familiar with it (including each and every paragraph of each section, since the audit covers how your company is complying with this standard down to each paragraph).

Point #2: See where your GMP quality system complies with the ISO quality.

Once you understand the ISO standard, take your present quality system for GMP compliance and review it to ensure it covers each paragraph of the ISO standards. You will then be able to determine what you will be required to write and implement in meeting the ISO standard.

Point #3: A good mental attitude: GMP to ISO is a lot easier than you think.

A good mental attitude is critical in structuring your project to achieve ISO certification. The individuals must be properly instructed to assure that responsible time frames are met.

Point #4: If your company has achieved GMP compliance, then you already meet 75% of the ISO requirements.

The side-by-side review of your GMP quality system and the ISO standard may indicate that you are probably already meeting 75% of the ISO standard. If your company has been implementing the revised GMP, raising that to approximately 80% compliant with the ISO standard is a realistic goal.

Point #5: A GMP mentality provides the necessary environment for successful ISO certification.

In a regulated industry, maintaining documents and records requirements has been ingrained in the thought processes of responsible individuals. The ISO standard requires such discipline, therefore, being GMP compliant is an ideal environment for achieving ISO certification without much deviation in your organization’s mindset.

Point #6: The GMPs provide the basis of a quality system.

Having a quality system in place facilitates the achievement of ISO certification. The main basis of the ISO standard is the preparation, acceptance, and implementation of a quality system. Adjusting your system to meet the ISO standard will be much easier than starting from scratch.

Point #7: ISO is an independent certification and is audited to conformity.

The ISO certification audit determines your quality system’s uniformity to the ISO standard. Each and every section, as well as the subsections, of the standard will be audited to assure conformity. This is entirely different than an FDA GMP audit. The FDA audit is predetermined based on the FDA’s areas of concern, manpower, and economics. The FDA may spend two weeks in one company conducting an initial inspection and may only spend one day during the follow-up inspection of the same company. In contrast, the ISO auditor’s schedule is based on firm size and number of employees. This assures uniformity of the certified bodies and ensures that all aspects of the standard are covered during the audit.

 Point #8: The ISO is a checklist audit, and each point is checked to assure


As in Point #7, understanding how the ISO audit will be conducted is critical. The audit is conducted as a checklist audit. The ISO auditor will go down the standard and make sure that each section and subsection is covered in your quality system and that procedures are being implemented correctly.

Point #9: A quality policy manual must be written.

For GMP compliance, the FDA has not mandated a company quality policy manual, only a quality procedure manual. Many companies have outlined their policy statements in each section of the procedures manual. However, for ISO certification, a policy statement is a requirement. If there are certain sections of the policy manual that are not necessary for operations, then it must be stated that the section does not apply.

Point #10: Outlining and following a systematic plan with milestones and time frames is critical.

ISO is a process that must be accomplished over an extended period of time. In order to gain staff acceptance for this project, a systematic plan (with milestones and time frames) should be prepared and then everyone should be committed to the plan. The project leader must hold people accountable to time frames. If the plan cannot be met, then the project should be placed on hold. The plan should be prepared like a PERT chart (working from the goal back) to assure that time frames are attainable and realistic.

Once the ten points outlined here have been reviewed, fully understood, and implemented, then defining the objective is next.

ISO 9000? If you’re conducting design review, then you must be certified to ISO 9001, otherwise ISO 9002 would be advisable.

CE mark? If you are intending to distribute your company’s device in Europe, then obtaining CE mark certification is required. It is necessary to determine which class your device category falls under and whether ISO certification will be required as part of the CE mark certification. The CE mark and ISO certification audits can be completed at the same time.

Which certifying body? A certified body must be chosen. This decision should be dependent upon the certified body experience with your product(s) type. In order to assure that the audit goes smoothly, it is critical to ensure that you are assigned an auditor who understands your product.

European address? One of the requirements of obtaining a CE mark is that you have an address in Europe where all complaints (and events involving your device) can be reported. You could use your distributor, but in the event you change distributors, the address will still be on the labels, and all problems regarding your products will be forwarded to them. Obviously, this could cause some problems. It may be advisable to use an independent company that is set up contractually to act only as your CE mark address.

Costs? This is a difficult area to address. Determining whether this project will be conducted in-house or outside is necessary. The amount of time allocated by your staff (and the various departments), as well as training costs, should be accounted for in the cost analysis.

Once the objectives have been established, the next step is establishing the project approach. The following should be considered in developing your approach:

Appoint a project leader/management representative.

The project’s success is dependent upon the project leader. This individual should have quality systems experience and be a respected staff member. The project leader must assure that time frames are met. In the ISO standard (as well as in the revised GMP), a management representative must be appointed to work with the ISO auditor (and be involved in the various aspects of the Quality System). Usually the management representative serves as the project leader because of his/her intimate knowledge of the Quality System, ISO requirements, and required documentation.

Form a committee.

Depending on company size, forming a committee to work with the project leader is beneficial. The committee should be represented by various disciplines. This helps when obtaining input from various departments when the program is implemented. Committee meetings should be scheduled on a regular basis, kept short, and have a written agenda. Meeting minutes should be kept.


Once the committee is established, members should be trained in basic ISO requirements so that everyone has a clear understanding of the requirements, how they apply to the company, and what tasks must be accomplished in order to achieve ISO certification. Furthermore, such knowledge is valuable in constructing milestone and time-frame charts.

Gap analysis. 

The next step is conducting a gap analysis of the present system and determining what is missing and what is required to achieve compliance with the standard.

Set the milestone chart.

Once the committee has been established, members trained, and gap analysis completed outlining what is required to achieve compliance, the next priority is determining the milestone chart for the project. Each step and procedure needed (as determined by the gap analysis) should be defined on the chart. The more detailed the chart, the greater probability of the project’s success.

Set the time frames.

Once the milestone chart has been prepared, it is necessary to define time frames for accomplishing tasks. Time frames must be realistic and adhered to. Take into consideration that your company manufactures a product and the staff cannot stop everything else to work exclusively on the ISO program. Schedule time for unanticipated events.

Obtain consensus and commitment.

At this point, the committee must agree on the milestone chart and time frame requirements. The agreement should be in writing, signed off, and all appropriate personnel should be given a copy.

Time frames must be realistic. Each time frame may have many components. The following are considerations in establishing your project’s time frames:

Commitment dependent.

This is the most critical part of achieving time frames. Without the commitment of the committee (and especially of top management), the project will not meet defined time frames. If the project leader keeps the project on target, the commitment of the committee members should remain firm.

Necessity dependent.

If your company is presently marketing to Europe (or desires to enter the European market), obtaining the CE mark and ISO certification is a necessity which serves as a catalyst for the project’s success.

Finance dependent.

A company’s financial condition plays a major role in successfully achieving ISO certification within the projected time frames. Without the company’s financial support for training and additional assistance (i.e. consultants), time frames are in jeopardy.

Resources dependent.

Determining staff requirements needed to prepare, review, train, and implement all documentation necessary for achieving ISO certification is necessary. If the company does not have the necessary staff and is not willing to go outside for additional assistance, this may affect established time frames.

The following should be considered in determining time frames for achieving ISO certification:

Meet requirements.

Manuals must be in place and all procedures must be prepared to assure that your company can meet ISO requirements.

Operate under the guidelines.

Prior to the certification audit it is recommended that you operate under the procedures for three months. This is to provide the ISO auditor assurance that you have implemented the procedures and are in compliance with the standard. During this time frame, you have also been operating under the GMP. The GMP requires most of the same documentation as the ISO standard. This three month period of ISO documentation could possibly eliminate requesting the certification audit.

Assure compliance.

Once you have been operating in compliance with the standard for three months or so, you should have a preassessment audit conducted assuring that your company will be capable of passing the ISO certification audit. As your company has spent a great deal of time, money, and energy in assuring compliance and preparing for the audit, a preassessment audit is a valuable tool and a good exercise for testing your quality system.

Based on personal experience with companies that wished to obtain ISO certification and were already considered to be in compliance with GMP, ISO certification was obtained in the following time frames. (Be aware that these companies were committed to the project and had achieved a well-defined level of GMP compliance before ISO certification was started.)

Less than 15 employees 6 months

15 – 30 employees 9 months

31 – 60 employees 12 months

61 – 100 employees 12 to 15 months

Over 100 employees dependent upon the organization’s commitment and the complexity of the operations.

A critical consideration in successfully achieving ISO certification is deciding whether to hire a consultant to assist with the project. The management team should make this decision based on the company’s resources and time frames in accomplishing this project. If a company is in need of information, interpretation, and staff assistance, and they have the resources, then hiring a consultant could prove very beneficial. The following are some criteria in selecting a consulting firm:

Their knowledge of GMPs and the ISO standard

To achieve ISO certification in the quickest and most economical manner and still maintain GMP compliance, your consultant should not only have intimate knowledge of ISO standards, but a thorough understanding of the GMPs and, more important, how the FDA is enforcing the regulations. There should be one quality system that incorporates both standards and addresses the issues.


As with any vendor, the costs should be competitive. Review all costs and make sure that you are comparing "apples with apples and not oranges." Each bid for the project must be reviewed based on the deliverables they are responsible for providing. Proposals should be based on the project at hand and not on an hourly or daily basis. A project-based proposal is goal oriented and provides no incentive to have the project extended. If the proposal is based on an hourly or daily basis, there is no incentive in meeting objectives in any defined time frame.

Billing practices?

As with costs, billing practices are important. Usually the time required for the project is intensive at the start and end of the project. Billing should reflect the initiation fee, a monthly billing schedule, and incentive for completing the goal: ISO certification.


Is the consulting company staffed by lead assessors and GMP experts? In assuring that your objects are achieved within desired time frames, consultants should possess both these qualifications.

Number of successful certifications, references?

Determine the experience of the consulting company in implementing quality systems for ISO certification and how many companies they have been able to obtain certification for. A good idea is obtaining references from other companies to determine how the consultants interact with the management team, convey and provide information, and meet defined goals.

Defined goals?

Does the consulting company set up a defined goal in the project plan using a milestone chart for the company? These defined goals are for both the company and the consultant, and they should be signed and agreed upon by both parties. If there are delays, these should be explained and documented in the project plan.

Do they practice what they preach: Are they ISO certified?

The consulting firm you ultimately choose should be ISO certified. If a consulting company has been operating under the ISO standard or Certified Body, it means they have hands on experience in how the program works and an understanding of the real value of the standard. This is especially true when related to the quality of customer service. Also, if the consulting company is ISO certified, it will make qualifying them easier as part of your vendor qualification program.


The road traveled from GMP compliance to ISO certification is not just a matter of adding additional documents, but involves a mind set and an understanding of how quality systems are the same and how they differ. The process of obtaining ISO certification for a company already in GMP compliance does not have to be a daunting task of mass proportions. It is unfortunate that there are two standards that have to be dealt with but, for the most part, the GMP and the ISO standards for quality have the same ideas and requirements. Successful completion should be achieved without much pain.

About the Author

Alan P. Schwartz is Executive Vice President of mdi Consultants, Inc., Great Neck, NY. He has been providing consulting services to the medical device industry since 1978. Prior to mdi, Schwartz was an FDA Supervisor of Field Investigations. He has been to more than 700 companies worldwide and set up over 350 quality programs. mdi has six offices throughout the US, as well as offices in Mexico, Brazil, Thailand, Taiwan, Pakistan, and Egypt. He can be contacted by phone at 516-482-9001, by fax at 516-482-0186, and e-mail at


Return To Previous Page

Copywrite Journal of GMP Compliance, Institute of Validation Technology, April, 1998