How to Get ISO Certificates from Suppliers

Getting ISO certificates from suppliers requires sending a specific request to the right person, following up persistently, and verifying that what you receive is current and valid. Most companies underestimate how difficult each of those steps is. A Senior Supplier Quality Engineer at a Fortune 100 life sciences company managing 900+ suppliers described the reality: “You reach out 2, 3, 4, 5 times. Nobody responds. You just give up.”

This guide covers what to request, who to ask, how to verify what you receive, and how to handle the suppliers who never respond.

Types of ISO Certificates and What Each Covers

ISO management system standards are published by the International Organization for Standardization. Each standard addresses a specific domain. In regulated manufacturing, you will most commonly need to collect the following:

ISO 9001: Quality Management Systems

The most widely held ISO certification. ISO 9001 establishes a framework for consistent quality in products and services. Nearly every supplier in a regulated supply chain should hold this certificate or an industry-specific equivalent.

ISO 13485: Medical Device Quality Management Systems

Required for suppliers in the medical device supply chain. ISO 13485 builds on the quality management framework of ISO 9001 but adds requirements specific to medical devices, including design controls, risk management, and traceability. If you are in life sciences, this is the certificate you will request most often.

ISO 14001: Environmental Management Systems

Covers environmental impact management, including waste reduction, resource efficiency, and pollution prevention. Increasingly requested as part of ESG and sustainability compliance programs.

ISO 45001: Occupational Health and Safety Management Systems

Addresses workplace health and safety. Relevant when your compliance program or customer requirements extend to labor and working conditions in your supply chain.

ISO 27001: Information Security Management Systems

Covers data security controls. Required when suppliers handle sensitive data, intellectual property, or connect to your IT systems.

Other Common Certificates

Depending on your industry, you may also need IATF 16949 (automotive quality), AS9100 (aerospace quality), ISO 22000 (food safety), or ISO 17025 (testing and calibration laboratories).

What to Request: Be Specific

A vague request like “send us your ISO cert” creates problems. Suppliers hold multiple certificates, and a generic ask often results in the wrong document, an expired copy, or no response at all.

Your request should specify:

  • The exact standard and version (e.g., ISO 13485:2016, not just “ISO 13485”)
  • The scope you need covered (e.g., “manufacturing of injection-molded components,” not just “your facility”)
  • The legal entity name that appears on your purchase orders, since large suppliers may hold certificates under different subsidiaries
  • The specific site or facility if you source from a particular location
  • The format (PDF of the original certificate, not a screenshot or self-declaration)

A complete request reduces back-and-forth and makes it easier for the supplier to pull the right document on the first attempt.

Who to Contact: Quality, Not Sales or Purchasing

The most common reason for non-response is sending the request to the wrong person. Purchasing contacts, sales representatives, and accounts receivable teams typically do not have access to quality certificates and are not motivated to chase them down internally.

A sustainability lead at a Fortune 500 medical device company explained the pattern: “A lot of our purchase orders give us access to the financial folks. But those people change roles, they leave the company. It isn’t a sustainability person. So they just ignore the emails we send.”

The right contact depends on what you are requesting:

  • ISO 9001, ISO 13485, IATF 16949: Quality Manager, Quality Director, or Quality Management Representative (QMR)
  • ISO 14001, ISO 45001: EHS (Environment, Health, and Safety) Manager or Sustainability Manager
  • ISO 27001: Information Security Officer or IT Director

At smaller suppliers (under 100 employees), there may not be a dedicated quality function. In those cases, the General Manager or Plant Manager is typically the person who holds or can access certification records.

How to Verify an ISO Certificate

Receiving a PDF is not enough. You need to confirm the certificate is valid and covers the scope relevant to your supply relationship. Here is what to check:

1. Certificate Dates

Every ISO certificate has an issue date and an expiration date. Most certificates are valid for three years from the date of the most recent certification or recertification audit. Check that the expiration date has not passed. Also confirm the most recent surveillance audit date, which should occur annually.

2. Accreditation Body

A legitimate ISO certificate is issued by a certification body that is itself accredited. The certificate should display the logo and name of the accreditation body (e.g., ANAB, UKAS, DAkkS, JAS-ANZ). You can verify the certification body’s accreditation status through the IAF (International Accreditation Forum) database or the specific accreditation body’s website.

3. Scope of Certification

The certificate will list the activities covered. Confirm that the scope matches what the supplier actually does for you. A supplier may hold ISO 9001 for “distribution of electronic components” but not for “manufacturing of electronic components.” If you source manufactured parts from them, the distribution-only scope does not apply.

Confirm that the legal entity name on the certificate matches your supplier record. Also verify the site address. Multi-site certificates exist, but if your supplier ships from a facility not listed on the certificate, the certification may not cover your supply.

5. Certification Body Lookup

If anything looks unusual, you can verify the certificate directly with the certification body. Most major certification bodies (BSI, TÜV, SGS, Bureau Veritas, DNV) have online certificate lookup tools. Enter the supplier’s name or certificate number to confirm authenticity.

Common Reasons Suppliers Do Not Respond

Understanding why suppliers ignore certification requests helps you design a process that actually works.

Wrong Contact

As described above, the request lands with someone who cannot help and does not forward it. This is the single most common failure mode.

Email Decay

People leave companies, change roles, and switch email addresses. A Senior SQE at a Fortune 100 life sciences company put it directly: “3 to 4 hours a day is spent sending emails… you pull their email and hope to God that email is still active.” The same SQE raised a second concern: “What if those people leave the company? What if there’s a mass firing? All my attempt to reach out to you… it’s not going to work.”

No Perceived Priority

Your certification request is competing with the supplier’s daily operations. Unless the supplier understands the commercial consequence of non-compliance, your email sits in a queue indefinitely.

Certificate Is Lapsed or Missing

Some suppliers simply do not hold the certificate you are requesting. Rather than admit this, they go silent. This is important information for your compliance program, but you only discover it after weeks of follow-up.

Volume and Fatigue

A Senior SQE described the scale problem: “The auditor only found three. But then you realize that out of the 116, you have 60 or 64 that doesn’t have the compliance certificates, because someone tried to reach out to maybe 20 of them and gave up.” When the gap is dozens or hundreds of suppliers, the team simply cannot keep up.

Follow-Up Cadence and Escalation

A single email almost never works. Plan for multiple touches:

  1. Initial request: Clear, specific email to the quality contact with the exact certificate needed, the deadline, and a brief explanation of why you need it.
  2. First follow-up (5-7 business days): Re-send the original request. Reference the date of your first email.
  3. Second follow-up (10-14 business days): Escalate tone slightly. Mention the compliance requirement and any downstream consequences (e.g., “this certificate is required for your continued approval as a supplier”).
  4. Third follow-up (21 business days): Escalate to a senior contact at the supplier, or loop in your own procurement team to apply commercial leverage.
  5. Final notice (30 business days): Formal notification that failure to provide the certificate will result in a specific action (supplier hold, removal from approved supplier list, escalation to your leadership).

Document every touchpoint. If an auditor asks, you need to show that you made a reasonable effort.

When a Supplier Cannot Provide the Certificate

If a supplier confirms they do not hold the certificate, or if they never respond despite escalation, you have several options:

  • Require certification as a condition of continued business, with a defined timeline for the supplier to achieve it.
  • Accept an alternative, such as a second-party audit or a self-assessment, depending on your regulatory framework and risk tolerance.
  • Reclassify the supplier’s risk level in your system and increase oversight through incoming inspection or other controls.
  • Source from an alternative supplier that holds the required certification.

The right choice depends on the criticality of the supplier, the regulatory requirement, and the availability of alternatives.

Where Bridgecurrent Fits

Bridgecurrent automates the process described in this guide: finding the right quality contact at each supplier, sending the specific certificate request, following up persistently, and tracking what comes back. Instead of spending hours per day on emails, teams set up a campaign and let Bridgecurrent handle the outreach and collection. Learn how it works.