CordialADVISORY
Book a consultation
Field notes

Is ISO 9001 worth it for a small business?

Anthony Pothecary · 5 June 2026 · 7 min read

If you run a small business that makes things, sooner or later someone will tell you that you need ISO 9001. It might be a customer asking whether you have it. It might be a tender document treating it as a tick-box. It might be a consultant offering to certify you in twelve weeks for a fixed fee. Whoever it is, the question lands and you have to decide what to do about it.

I have spent most of my career in operations roles in manufacturing and workshop businesses, and I have implemented quality systems at three different sizes of company. So the question “is ISO 9001 worth it for a small business” is one I have a clear answer to, and the answer is: sometimes, and not for the reason most people think.

A quick definition first, in case it is useful. ISO 9001 is the international standard for a quality management system. In plain English, it is a set of requirements for how a business documents its processes, manages risk, handles non-conformances, and improves itself over time. Certification means an external auditor has checked your system against the standard and signed it off. The certificate runs for three years, with annual surveillance audits in between.

That is the shape of it. Whether it is worth it depends on what you are buying it for.

When ISO 9001 is genuinely worth it

There are three reasons to certify, and only three that matter in practice.

The first is that a customer will not buy from you without it. This is the most common driver in small businesses and the easiest decision. If you are bidding for work in aerospace, automotive, defence, rail, medical devices, or any part of the public sector, ISO 9001 is often the entry ticket. Without it, the tender will not even open. If that is your situation, the question is not whether to certify. The question is how cheaply and cleanly you can do it. The cost of the certification is the price of being in the market at all.

The second is that you are growing past the point where the founder can hold the operation in their head. This is the reason most small business owners do not see coming, and it is the one that pays back hardest if you get it right. Somewhere between fifteen and forty people, depending on the business, the informal way of doing things stops working. New starters arrive and there is nothing written down for them to follow. The same mistake gets made twice because nobody captured the first one. Quality drifts because the rules are in three people’s heads and one of them has left. A documented quality system, of which ISO 9001 is one version, is what gets you through that ceiling without breaking what was working before.

The third is that you are in a sector where a single quality failure could harm a customer or expose you legally. Food, pharmaceuticals, medical devices, anything safety-critical, anything that goes into a building or a vehicle. In those sectors the standard is partly a quality system and partly an insurance policy. You buy it because the alternative, if something goes wrong, is much worse than the cost of certification.

If one or more of those three apply, ISO 9001 is worth the work. If none of them apply, it is probably not.

When it is overkill

This is the part most consultants will not tell you, because it is hard to sell against.

For a lot of small businesses, ISO 9001 is more system than the business needs, and the cost of it lands harder than the benefits return.

A ten-person workshop making bespoke joinery for residential clients does not need it. A twelve-person design studio does not need it. A growing food business selling direct to consumers does not need it, although they will need other things. A small engineering firm doing one-off work for repeat clients who know them does not need it.

The reason is not that quality does not matter to those businesses. It clearly does. The reason is that the formal certification adds two things on top of good quality discipline: an external auditor and a paper trail designed for an external auditor. Both cost money. Both create work. Neither makes the product better. If your customers are not asking for the certificate and your sector is not legally obliged to have it, you are paying for a signal nobody is reading.

The cost varies, but as a rough guide, a small business should expect to spend somewhere between three and ten thousand pounds on the initial certification, plus a few thousand a year after that for surveillance audits and maintenance. The real cost is bigger than the invoice, because someone in the business has to own the system, and that someone is usually the operations lead or the founder. A fortnight of senior time a year is not unusual.

For a business making a million pounds of revenue at a ten per cent margin, that is a meaningful chunk of profit going on a certificate. For a business making ten million at the same margin, it is a rounding error. The honest test is whether the certificate is opening doors that would otherwise be closed.

The lighter version that helps either way

Here is the bit that matters most, and it is the bit that almost never gets written down.

The discipline that sits underneath ISO 9001 is genuinely valuable, even if you never certify and never want to. You can have most of the operational benefit without any of the paperwork or the audit cost, and for a lot of small businesses that is the right answer.

What that discipline actually consists of, in practice, is four things.

Write down how you do the work. Not all of it. The core processes: how a job enters the business, how it is quoted, how it is built or delivered, how it is signed off, how it is invoiced. One page per process is usually enough. The point is not the document. The point is that two people doing the same job end up doing it the same way.

Track when things go wrong. Not in a heavy way. A simple log of non-conformances, customer complaints, and near-misses, with what happened and what was done about it. Reviewed monthly by whoever runs operations. Most small businesses have this conversation informally already; writing it down turns it into something you can spot patterns in.

Decide what good looks like, and measure it. One or two operational metrics per part of the business, no more. On-time delivery, first-time-right rate, customer return rate, whatever fits. Looked at every month, not every quarter. The number itself matters less than the act of looking.

Review the system regularly, and change it when it stops fitting. Once a quarter, sit down with whoever runs the operation and ask what is no longer working. Take things out as readily as you put them in. A quality system that only grows becomes a burden the team works around.

That is ninety per cent of what ISO 9001 asks for, without the cost and without the certificate. If you ever do need to certify later, because a customer asks or because you have grown into a sector that requires it, you will have most of the work done already.

The honest answer to “is ISO 9001 worth it for a small business,” then, is this. The certificate is worth it when a customer is demanding it, when you have outgrown the founder’s head, or when the stakes are high enough that you need the insurance. The discipline underneath the certificate is worth it almost always, and it is the bit most small businesses miss because they assume the only way to get to it is through the formal route.

It is not. You can start tomorrow, with a notebook and an honest hour.

If you want a second pair of eyes on whether your business has outgrown the informal way of doing things, that is most of what an audit looks for.

Anthony Pothecary is a co-founder of Cordial Advisory, working on operations and process.

More from the Journal

The Cordial digest

A note, roughly fortnightly.

What we are seeing inside UK businesses, and what to do about it. Roughly fortnightly, and easy to leave.

No noise. Unsubscribe in one click.

You are on the list. Thanks.