Editorial · Practical guide
How to verify an ISO certificate in 2026
A certificate is worth only what survives verification. This guide sets out the steps to confirm with the issuing body that an ISO certificate exists, is valid and covers the scope it declares, and lists the signals that justify pausing a decision.
First, read the full certificate
Verification begins in the document itself. A serious certificate declares the data that allow it to be checked; the absence of any of them is already information. Look for:
- Exact legal name of the certified organization.
- Standard and version: ISO 9001:2015, ISO/IEC 27001:2022, whichever applies.
- Scope of certification: which activities and which sites it covers.
- Dates of issue and expiry.
- Issuing certification body, with verifiable identity.
- Mark of the accreditation body backing the issuer.
- Unique certificate code, suitable for lookup.
Verification in five steps
Once the document has been read, the verification path runs through the issuer, its accreditation and its public registry. Each step leaves its own evidence.
- 01 Identify the issuing body
The certificate states which body issued it. Locate the official site of that body (not that of the intermediary who handed you the document) and confirm that the identity matches the one printed on the certificate.
- 02 Consult the issuer’s public directory
Serious certification bodies keep a public search tool for current certificates. Enter the code or legal name and check status, standard and dates against it. If the issuer has no search tool, request written confirmation through an official channel of the body.
- 03 Confirm the issuer’s accreditation
Verify that the certification body is accredited by the national accreditation body the certificate cites, within the relevant technical scope. Since 1 January 2026, the international cooperation that sustains recognition between national bodies is GLOBAC, successor to the IAF.
- 04 Match scope and validity against your decision
A valid certificate backs exactly what its scope declares. Before accepting a commercial claim, read the full scope and confirm that it covers the activity, the site and the service you are deciding on.
- 05 Document the consultation
Record the date, URL consulted, result and a screenshot. In procurement, compliance and audit, verification is worth what its traceability proves: who consulted, when and what they found.
The role of public registries
Public registries turn verification into a direct consultation: directories of national accreditation bodies, certificate search tools of certification bodies and independent registries of technical evidence.
Each layer answers a different question: who is accredited, which certificate is valid and what evidence backs a specific credential.
The IAC Trust Registry belongs to the third category: it publishes records with a public code, current status, declared scope and last-updated date. If the document or credential in front of you cites an IAC code, verify it directly at /verify. The full map of layers, including the IAF→GLOBAC transition that reordered the international level, is developed in The global trust map 2026.
Warning signals on a certificate
No single signal proves fraud; several signals together justify suspending the decision until verification is complete. The most frequent:
- The issuer has no public verification channel or avoids answering written queries.
- The scope is generic, absent, or covers activities the organization does not perform.
- The dates are inconsistent: validity without an expiry, or a cycle longer than the usual three-year one in management systems without surveillance audits.
- The accreditation mark does not correspond to any identifiable body, or the certificate omits any accreditation reference.
- The document circulates only as a forwarded PDF and online verification proves impossible.
- The pressure to accept the document without verifying it is part of the offer.