In brief: An ISO certification body is the independent organisation that audits your company and issues the certificate; it is not the same as the consultancy that prepares you for the audit. For your certificate to carry real value, the certification body must be accredited by ENAC (Entidad Nacional de Acreditación — the National Accreditation Body of Spain) for the standard and sector you need. In this article I explain how to verify that accreditation in the official ENAC search tool, what criteria to look at (scope, sector, price, and proximity), how the certification process works step by step, and the most common mistakes to avoid. If you would like help preparing your system before the audit, my ISO consultancy will accompany you throughout the process.
What an ISO certification body is and what ENAC is
When a company wants to become certified against an ISO standard (for example, ISO 9001 for quality, ISO 14001 for the environment, or ISO 27001 for information security), it needs an independent third party to verify that its management system meets the requirements of that standard. That third party is the certification body, also called a certification organisation or certification entity.
The certification body sends its auditors to your company, reviews your documentation, interviews your staff, checks that you do what you say you do and, if everything is in order, issues the ISO certificate. It is important to understand that the certification body does not prepare you or tell you how to build your system: its role is to audit impartially. In fact, under independence requirements, the same entity cannot consult for you and certify you at the same time.
This is where ENAC comes in. ENAC (Entidad Nacional de Acreditación) is the body designated by the Spanish Government, under European Regulation 765/2008, to accredit certification entities. Simply put: ENAC does not certify companies — it verifies that certification bodies are competent, impartial, and operating correctly. It is the guardian that watches over whoever audits you.
The chain of trust works like this: ENAC accredits the certification body → the certification body audits and certifies you. When that chain is complete, your certificate carries the combined mark of the certification body and ENAC, and that gives it national and international recognition.
Certification body vs consultancy: do not confuse them
This is the most common confusion and it is worth clearing up from the start:
- The ISO consultancy (such as my service) helps you understand the standard, design and document your management system, implement it, train your team, and arrive well prepared for the audit. It works on your side.
- The certification body is independent, comes from outside, audits, and decides whether to issue the certificate. It cannot advise you on how to resolve findings — it can only flag them.
They are two separate and complementary roles. Engaging a good consultancy saves you time and problems; engaging an ENAC-accredited certification body ensures the certificate has real value. If you want to go deeper on how to choose the former, there is this guide on how to choose an ISO consultancy in Spain.
Why it matters that the certification body is accredited by ENAC
In Spain, getting certified against an ISO standard does not legally require using an ENAC-accredited body. There are certification bodies that issue certificates without that accreditation, or accredited by little-recognised foreign bodies. Does the difference matter? Enormously.
A certificate issued by an ENAC-accredited certification body provides several guarantees:
- Official recognition. ENAC signs mutual recognition agreements (through EA, IAF, and ILAC), so your certificate is accepted in other countries without being re-audited.
- Validity with clients and public bodies. Many public tender specifications and many large clients expressly require "a certificate accredited by ENAC or an equivalent body signatory to multilateral agreements". If yours is not, you may be excluded.
- Rigorous audits. ENAC periodically supervises certification bodies: it checks auditor competence, impartiality, and audit quality. That raises the standard of the audit you will receive.
- Defence against "window-dressing certification". A certificate without accreditation can be nothing more than an impressive piece of paper. An accredited one demonstrates that you genuinely comply with the standard.
The risk of choosing a non-accredited certification body is investing time and money in a certificate that then does not serve the purpose for which you needed it: winning a tender, entering a demanding client's supply chain, or exporting. This is also one of the points I cover in the guide on ISO certification in Spain, certification bodies, and costs.
How to verify whether a certification body is accredited by ENAC
The good news is that checking is free and you can do it yourself in five minutes. ENAC maintains a public search tool for accredited bodies. Here are the steps:
- Go to the official ENAC website (enac.es) and look for the "Accredited bodies" section or the accreditation search tool.
- Enter the name of the certification body you are considering. You will see its profile if it is accredited.
- Check the scope of the accreditation. This is the key step that almost nobody does properly: just because a certification body is accredited for ISO 9001 does not mean it is accredited for ISO 27001 or for your specific sector. Verify that the scope covers the standard and the activity code (sector) you need.
- Ask for the certificate number and accreditation code. When you receive a quote, request the ENAC accreditation number of the body and verify it in the search tool yourself.
- Look at the mark. An accredited certificate carries the certification body's mark combined with ENAC's accreditation mark. If you only see the certification body's logo, ask why.
A practical piece of advice: do not take the salesperson's word for "yes, we are accredited". Ask for it in writing and verify it yourself in the ENAC search tool. That is the difference between trusting and verifying.
Special case: ISO 27001 and other sector-specific standards
For standards such as ISO 27001 for information security, specific accreditation matters even more, because the auditors' technical competence in cybersecurity varies enormously between bodies. Make sure the certification body is accredited by ENAC specifically for ISO/IEC 27001 and not just for quality. If you are considering this standard, my complete ISO 27001 guide will be useful.
Criteria for choosing an ISO certification body
Once you have confirmed that the certification body is accredited by ENAC for your standard, other factors come into play. Not all accredited bodies are equally right for your case. These are the criteria I recommend assessing:
1. Scope of accreditation
We have already covered this, but it is the first filter: the body must be accredited for the standard and the economic sector of your company. Without this, nothing else matters.
2. Experience in your sector
A certification body with auditors who know your activity (construction, healthcare, technology, food, etc.) will carry out a more useful and less bureaucratic audit. Ask how many companies in your sector they certify and whether the assigned auditors have experience in it.
3. Price and transparency
The cost depends on the size of the company, the number of sites, the number of employees, and the standard. As a guide, quotes are usually structured as an initial audit (Phase 1 and Phase 2) plus annual surveillance audits and a renewal after three years. Always ask for the total cost of the full three-year cycle, not just year one, and be wary of abnormally low prices: they may conceal superficial audits or hidden costs. I will not invent specific figures because they vary greatly depending on your situation; what matters is comparing like-for-like quotes.
4. Proximity and availability
The auditor's geographic proximity affects travel costs (which are sometimes invoiced separately) and the ease of scheduling audits. Availability of dates also counts: some certification bodies have long waiting lists at certain times of year.
5. Reputation and impartiality
Look for references, reviews from other clients, and the body's track record. A serious certification body maintains its impartiality and does not mix consultancy with certification.
Quick checklist for choosing an ISO certification body
| Criterion | What to check | Met? |
|---|---|---|
| ENAC accreditation | Appears in the official ENAC search tool | ☐ |
| Correct scope | Accredited for your standard (ISO 9001, 14001, 27001…) | ☐ |
| Sector | Accredited for your activity code | ☐ |
| Sector experience | Auditors with experience in your activity | ☐ |
| Full-cycle price | Three-year quote, not just year 1 | ☐ |
| Travel costs | Included or itemised separately | ☐ |
| Date availability | Audit timelines compatible with your objective | ☐ |
| Impartiality | Has not provided prior consultancy to you | ☐ |
| Accredited mark | Certificate will carry the combined certification body + ENAC mark | ☐ |
The certification process step by step
Understanding how the audit works helps you choose better and arrive prepared. This is the typical process with an accredited certification body:
- Application and quote. You provide the certification body with your company details (activity, number of employees, sites) and they prepare a quote and audit plan.
- Phase 1 audit. A first review, typically documentary, to check that your management system is implemented and that you are ready for Phase 2. This is where outstanding "homework" is identified.
- Phase 2 audit. The full on-site audit: auditors check that the system genuinely works day to day. Non-conformities — major or minor — may arise.
- Resolution of non-conformities. If findings are raised, you submit a corrective action plan. Major non-conformities must be resolved before the certificate is issued.
- Certificate issuance. If everything is in order, the certification body issues your accredited ISO certificate, typically valid for three years.
- Surveillance audits. Each year (normally at year one and year two) the certification body reviews that you are maintaining the system.
- Renewal. After three years a renewal audit is carried out to keep the certificate current.
Arriving well prepared for Phase 2 is where a good ISO consultancy makes the difference: it reduces non-conformities and avoids repeated audits that cost time and money.
Common mistakes when choosing an ISO certification body
These are the most frequent errors I see, and they are worth avoiding:
- Confusing the consultancy with the certification body. Thinking that whoever helps you also certifies you. It cannot be the same entity — impartiality would be compromised.
- Not verifying ENAC accreditation. Trusting the logo or the salesperson's word without checking the official search tool.
- Overlooking the scope. Choosing an accredited body… but not accredited for your standard or your specific sector.
- Looking only at year-one price. The relevant cost is the three-year cycle, including surveillance audits and travel.
- Choosing on price alone. A cheap, superficial audit can leave you with a certificate that later fails to meet the demands of a client or a tender.
- Not checking sector experience. An auditor who does not know your activity makes for more cumbersome and less valuable audits.
- Accepting certificates from unrecognised foreign bodies. If they are not within the mutual recognition agreements, their validity may be questioned.
Choosing the right certification body is just as important as implementing the system correctly. Both decisions determine whether your ISO certificate becomes a business tool or just an expense.
Conclusion
To summarise what is essential: the certification body is who audits you and issues the certificate, and it must be accredited by ENAC for your standard and your sector for that certificate to carry real value. Always verify this yourself in the official ENAC search tool, compare quotes for the full three-year cycle, and assess the auditor's sector experience and proximity. And remember that the certification body does not prepare you — that is what a consultancy is for.
If you would like to arrive at the audit with a solid management system and no nasty surprises, I can accompany you through the entire process. Tell me about your case and I will guide you with no strings attached.