
ISO 29110 EP2: Certification & Audit Process

ISO 29110 EP2 — Certification & Audit Process for Government Software
04 May

Following the article What is ISO/IEC 29110?, many readers asked the next question — how do you actually get certified? How long does it take, what does it cost, and what do auditors actually examine?

EP2 answers these questions one by one — covering the 6 phases of certification, what auditors actually look at, common reasons teams fail, and the time/budget you need to plan for.

This article is for:

  • Software development teams preparing for certification
  • Government agencies selecting vendors who claim ISO 29110
  • Executives deciding whether to invest in ISO 29110

In short: ISO 29110 Basic Profile certification has 6 phases — (1) Pre-assessment / Gap Analysis, (2) Process Implementation, (3) Internal Audit, (4) Stage 1 Audit (Document Review), (5) Stage 2 Audit (On-site), (6) Issuance + Surveillance — total 4-9 months depending on team readiness. Surveillance audit annually. Re-certification at year 3.

The 6-Phase Structure

| Phase | Main work | Typical duration |
|---|---|---|
| 1. Pre-assessment / Gap Analysis | Compare current state to standard | 2-4 weeks |
| 2. Process Implementation | Write/refine process + documentation | 2-4 months |
| 3. Internal Audit | Self-audit before external | 2-3 weeks |
| 4. Stage 1 Audit (Document Review) | CB reviews documentation | 1-2 weeks |
| 5. Stage 2 Audit (On-site) | CB reviews actual implementation | 2-3 days on-site + report |
| 6. Issuance + Surveillance | Certificate + annual surveillance | 3 years before re-cert |

Note: CB = Certification Body — organizations like TÜV NORD, SGS, BV, or local CBs accredited by national accreditation bodies (e.g. NAC under TISI in Thailand).

Phase 1 — Pre-assessment / Gap Analysis

Start by comparing your current state to the standard — using ISO/IEC 29110-5-1-2 (Management and engineering guide) as the checklist.

What gets reviewed

  • 2 Process Areas in Basic Profile:
    • Project Management (PM)
    • Software Implementation (SI)
  • Required activities in each process
  • Required artifacts (work products)

Phase outputs

  • Gap report — list of missing/needed items
  • Action plan + timeline
  • Resource estimate

Note: Pre-assessment is not mandatory by the standard, but teams that skip it often hit issues at Stage 1 Audit because they don't know what's missing.

Phase 2 — Process Implementation

The longest and most critical phase — write and implement processes per the standard.

Required Work Products

| Process | Key Work Products |
|---|---|
| Project Management (PM) | Statement of Work, Project Plan, Risk Register, Change Request Log, Status Report, Acceptance Record |
| Software Implementation (SI) | Requirements Specification, Software Design, Source Code, Test Cases, Test Report, User Manual, Installation Guide, Maintenance Plan |

Golden rules

  • "Show me the evidence" — documents must be real and used, not produced for the audit
  • Traceability — Requirements ↔ Design ↔ Code ↔ Test must be traceable
  • Reviews / Approvals — key documents must have review evidence

Phase 3 — Internal Audit

Before the external audit, the team must self-audit. This is required by the standard and reduces surprises at Stage 2.

  • Assign an internal auditor who does not own the process being audited (avoid conflict of interest)
  • Use the same checklist as external audit
  • Record non-conformities (NC) and opportunities for improvement (OFI)
  • Close all NCs before Stage 1

Phase 4 — Stage 1 Audit (Document Review)

The CB sends an auditor to review documentation — typically remote or 1-2 days on-site.

What auditors check

  • Quality Management System Manual
  • Process documentation for all required processes
  • Sample work products from active projects
  • Internal audit results + corrective actions
  • Management review records

Outcomes

  • Pass — proceed to Stage 2
  • Major NC — fix and reschedule (3-6 months)
  • Minor NC — fix before or during Stage 2

Phase 5 — Stage 2 Audit (On-site)

The auditor visits the office for 2-3 days to verify process implementation in practice.

What happens on the day

  • Opening meeting — auditor explains scope + plan
  • Document sampling — request docs from active projects
  • Interview — talk to PMs, devs, testers, leads
  • Walk-through — examine workspace and tools
  • Closing meeting — summarize findings

Common questions auditors ask

  • "Show me the project plan for an active project."
  • "Show me the requirements traceability matrix."
  • "Show me the test report for the latest release."
  • "Trace this production defect back to its requirement."
  • "Show me change requests reviewed in the last 3 months."
  • "What did your last internal audit find? Closed?"

🚩 Red flags: Documents created the day before audit, batch-timestamped files, dev team answering process questions inconsistently — experienced auditors will catch these every time.

Phase 6 — Issuance + Surveillance

After passing Stage 2, the CB issues a certificate valid for 3 years — but during those 3 years, you must pass annual Surveillance Audits.

Surveillance Audit (Years 1, 2)

  • Mini-audit, 1-2 days
  • Focus on changes + closure of prior NCs
  • Approximately 30-50% of Stage 2 cost

Re-certification Audit (Year 3)

  • Full scope like the original Stage 1+2
  • New 3-year certificate issued

Time and Cost Estimates

| Item | Time | Cost (estimate) |
|---|---|---|
| Pre-assessment + Implementation | 3-5 months | Mostly internal effort |
| External Consultant (optional) | 3-6 months | Depends on scope + chosen consultancy |
| Stage 1 + Stage 2 (CB fees) | 2-4 weeks | ~THB 100,000 for a small VSE* |
| Annual Surveillance | 1-2 days | ~30-50% of Stage 2 |
| Re-certification (Year 3) | 2-4 weeks | Close to first Stage 2 |
| International benchmark (3-year lifecycle) | 3 years | USD 10,000-50,000 |

* Reference: Thailand's Digital Economy Promotion Agency (depa) ran an ISO/IEC 29110 grant program in fiscal year 2024 — covering 70% of cost up to THB 70,000 per company for the first 100 applicants, implying an average first-cycle certification cost of ~THB 100,000 for small VSEs. The program continued in 2025 in partnership with the Federation of Thai Industries.

💡 Budget tip: Thai digital businesses can apply for the depa Digital Standardization Voucher each fiscal year to substantially reduce first-cycle certification costs.

Note: these are market ranges — actual costs vary by team size, scope, number of sites, and CB chosen. Request quotes from IAF-accredited CBs for firm numbers.

5 Most Common Reasons Teams Fail

  1. Documents created only for the audit — auditors detect this from revision history or filename patterns
  2. Broken traceability — Requirements → Design → Code → Test gaps
  3. Team doesn't know the process — answers don't match documents = "not the actual process"
  4. Weak internal audit — no real evidence / no follow-up
  5. Change requests without approval trail — especially scope/requirement changes

Choosing a CB

  • Accreditation — must be IAF-member-accredited (international) or nationally accredited
  • Auditor experience — auditors with software experience understand context better
  • Geographic coverage — local CB reduces travel cost
  • Reputation — international names (SGS, BV, TÜV) carry more recognition

After Certification — What Continues

  • Continual improvement — measure and refine processes (vital for surveillance)
  • Quarterly Management Review — record issues + decisions
  • Annual Internal Audit — before surveillance
  • Update docs as laws and tooling change

Implications for Government Buyers

Agencies selecting software vendors — particularly for ERP and large systems — can use ISO 29110 as a basic filter:

  • Vendor has ISO 29110 = verifiable process management
  • Vendor also has ISO 27001 = verifiable security on top of that (see What is ISO 27001)
  • Always verify the certificate — request the certificate number and confirm against the CB's website
  • Check the scope — sometimes the certificate covers only part of the company

About Saeree ERP

Saeree ERP, by Grand Linux Solution, has been ISO/IEC 29110 Basic Profile certified since 2015 (current certificate issued by TÜV NORD against ISO/IEC 29110-4-1:2018, valid 13 Nov 2024 – 12 Nov 2027), passing every surveillance cycle. Every customer project follows the standard process — Project Management Plan, Requirements Spec, Test Report, and User Manual all traceable.

See our ISO 29110 certification event and Why Saeree ERP.

3 Sentences to Remember

  1. ISO 29110 isn't paperwork — it's a process actually used and verifiable.
  2. Good audits catch documents created just for the audit.
  3. The certificate is valid 3 years + annual surveillance — not "one and done".

An ISO/IEC 29110 certificate doesn't prove a team performed well on audit day — it proves they sustained the same standard every day, verified by an independent certification body without interruption. For us, that means 10 consecutive years since 2015.

— Grand Linux Solution

This article was written from real ISO 29110 Audit experience of the Grand Linux Solution team — contact sale@grandlinux.com or 02-347-7730.

About the Author

Sureeraya Limpaibul

Managing Director, Grand Linux Solution Co., Ltd. & Founder of Saeree ERP