Iso 17021
ISO/IEC 17021-1:2015
Conformity assessment — Requirements
for bodies providing audit and certification
of management systems
Part 1: Requirements
2017.9 Beijing
ISO/IEC 17021-1
Conformity assessment — Requirements for bodies providing audit and
certification of management systems — Part 1: Requirements
17021-2 Environmental management system
17021-3 Quality management system
17021-4 Event sustainability management
17021-5 Asset management system
17021-6 Business continuity management system
17021-7 Road traffic safety management system
17021-9 Anti-bribery management systems
17021-10 Occupational health and safety management system
Sector-specific requirements for certification bodies: ISO 28003 (supply chain security MS CB), ISO/IEC 27006 (ISMS CB), ISO/TS 22003 (FSMS CB), ISO 50003 (EnMS CB)
1 Scope
This part of ISO/IEC 17021 contains principles and requirements for the
competence, consistency and impartiality of bodies providing audit and certification
of all types of management systems.
Certification bodies operating to this part of ISO/IEC 17021 do not need to offer all
types of management system certification.
Certification of management systems is a third-party conformity assessment activity
(see ISO/IEC 17000:2004, 5.5) and bodies performing this activity are therefore
third-party conformity assessment bodies.
NOTE 1 Examples of management systems include environmental management systems,
quality management systems and information security management systems.
NOTE 2 In this part of ISO/IEC 17021, certification of management systems is referred to as
“certification” and third-party conformity assessment bodies are referred to as “certification
bodies”.
NOTE 3 A certification body can be non-governmental or governmental, with or without
regulatory authority.
NOTE 4 This part of ISO/IEC 17021 can be used as a criteria document for accreditation,
peer assessment or other audit processes.
2 Normative references
The following documents, in whole or in part, are
normatively referenced in this document and are
indispensable for its application. For dated references,
only the edition cited applies. For undated references, the
latest edition of the referenced document (including any
amendments) applies.
ISO 9000, Quality management systems — Fundamentals
and vocabulary
ISO/IEC 17000, Conformity assessment — Vocabulary
and general principles
3 Terms and definitions
For the purposes of this document, the terms and definitions given in
ISO 9000, ISO/IEC 17000 and the following apply.
3.1 certified client
organization whose management system has been certified
3.2 impartiality
presence of objectivity
Note 1 to entry: Objectivity means that conflicts of interest do not
exist, or are resolved so as not to adversely influence subsequent
activities of the certification body.
Note 2 to entry: Other terms that are useful in conveying the element
of impartiality include “independence”, “freedom from conflict of
interests”, “freedom from bias”, “lack of prejudice”, “neutrality”,
“fairness”, “open-mindedness”, “even-handedness”, “detachment”,
“balance”.
3.3 management system consultancy
participation in establishing, implementing or maintaining a management
system
EXAMPLE 1 Preparing or producing manuals or procedures.
EXAMPLE 2 Giving specific advice, instructions or solutions towards the
development and implementation of a management system.
Note 1 to entry: Arranging training and participating as a trainer is not
considered consultancy, provided that, where the course relates to
management systems or auditing, it is confined to the provision of generic
information; i.e. the trainer should not provide client-specific solutions.
Note 2 to entry: The provision of generic information, but not client specific
solutions for the improvement of processes or systems, is not considered to be
consultancy. Such information may include:
— explaining the meaning and intention of certification criteria;
— identifying improvement opportunities;
— explaining associated theories, methodologies, techniques or tools;
— sharing non-confidential information on related best practices;
— other management aspects that are not covered by the management system
being audited.
3.4 certification audit
audit carried out by an auditing organization independent of the client and the
parties that rely on certification, for the purpose of certifying the client’s
management system
Note 1 to entry: In the definitions which follow, the term “audit” has been used for
simplicity to refer to third-party certification audit.
Note 2 to entry: Certification audits include initial, surveillance, re-certification
audits, and can also include special audits.
Note 3 to entry: Certification audits are typically conducted by audit teams of
those bodies providing certification of conformity to the requirements of
management system standards.
Note 4 to entry: A joint audit is when two or more auditing organizations
cooperate to audit a single client.
Note 5 to entry: A combined audit is when a client is being audited against the
requirements of two or more management systems standards together.
Note 6 to entry: An integrated audit is when a client has integrated the
application of requirements of two or more management systems standards into
a single management system and is being audited against more than one
standard.
3.5 client
organization whose management system is being audited for
certification purposes
3.6 auditor
person who conducts an audit
3.7 competence
ability to apply knowledge and skills to achieve intended results
3.8 guide
person appointed by the client to assist the audit team
3.9 observer
person who accompanies the audit team but does not audit
3.10 technical area
area characterized by commonalities of processes relevant to a
specific type of management system and its intended results
Note 1 to entry: See Note to 7.1.2.
3.11 nonconformity
non-fulfilment of a requirement
3.12 major nonconformity
nonconformity (3.11) that affects the capability of the management
system to achieve the intended results
Note 1 to entry: Nonconformities could be classified as major in the
following circumstances:
— if there is a significant doubt that effective process control is in
place, or that products or services will meet specified requirements;
— a number of minor nonconformities associated with the same
requirement or issue could demonstrate a systemic failure and thus
constitute a major nonconformity.
3.13 minor nonconformity
nonconformity (3.11) that does not affect the capability of the
management system to achieve the intended results
3.14 technical expert
person who provides specific knowledge or expertise to
the audit team
Note 1 to entry: Specific knowledge or expertise is that
which relates to the organization, the process or activity
to be audited.
3.15 certification scheme
conformity assessment system related to management
systems to which the same specified requirements,
specific rules and procedures apply
3.16 audit time
time needed to plan and accomplish a complete and effective audit of the
client organization’s management system
3.17 duration of management system certification audits
part of audit time (3.16) spent conducting audit activities from the opening
meeting to the closing meeting, inclusive
Note 1 to entry: Audit activities normally include:
— conducting the opening meeting;
— performing document review while conducting the audit;
— communicating during the audit;
— assigning roles and responsibilities of guides and observers;
— collecting and verifying information;
— generating audit findings;
— preparing audit conclusions;
— conducting the closing meeting.
Varied uses
“duration of the management system audit” (9.1.4.2; 9.1.4.3; 9.1.4.4)
“duration of on-site audit activities” (9.2.3.2)
4 Principles
4.1 General
4.1.1 The principles described in this clause provide the basis for the
subsequent specific performance and descriptive requirements in this part of
ISO/IEC 17021. This part of ISO/IEC 17021 does not give specific requirements
for all situations that can occur. These principles should be applied as guidance
for the decisions that may need to be made for unanticipated situations.
Principles are not requirements.
4.1.2 The overall aim of certification is to give confidence to all parties that a
management system fulfils specified requirements. The value of certification is
the degree of public confidence and trust that is established by an impartial and
competent assessment by a third-party. Parties that have an interest in
certification include, but are not limited to
a) the clients of the certification bodies;
b) the customers of the organizations whose management systems are certified;
c) governmental authorities;
d) non-governmental organizations;
e) consumers and other members of the public.
4.1.3 Principles for inspiring confidence include:
— impartiality;
— competence;
— responsibility;
— openness;
— confidentiality;
— responsiveness to complaints;
— risk-based approach.
NOTE This part of ISO/IEC 17021 sets out the principles of certification in
Clause 4; the corresponding principles related to auditing can be found in ISO
19011:2011, Clause 4.
5.2.3 The risk assessment process shall include identification of and
consultation with appropriate interested parties to advise on
matters affecting impartiality including openness and public
perception. The consultation with appropriate interested parties
shall be balanced with no single interest predominating.
5.2.4 A certification body shall not certify another certification body for its
quality management system.
5.2.5 The certification body and any part of the same legal entity and any
entity under the organizational control of the certification body [see 9.5.1.2,
bullet b)] shall not offer or provide management system consultancy. This
also applies to that part of government identified as the certification body.
NOTE This does not preclude the possibility of exchange of information (e.g.
explanation of findings or clarification of requirements) between the certification
body and its clients.
5.2.6 The carrying out of internal audits by the certification body and any part
of the same legal entity to its certified clients is a significant threat to
impartiality. Therefore, the certification body and any part of the same legal
entity and any entity under the organizational control of the certification body
[see 9.5.1.2, bullet b)] shall not offer or provide internal audits to its certified
clients. A recognized mitigation of this threat is that the certification body
shall not certify a management system on which it provided internal audits for
a minimum of two years following the completion of the internal audits.
NOTE See Note 1 to 5.2.3.
5.2 Management of impartiality
5.2.7 Where a client has received management systems consultancy from a body
that has a relationship with a certification body, this is a significant threat to
impartiality. A recognized mitigation of this threat is that the certification body shall
not certify the management system for a minimum of two years following the end
of the consultancy.
NOTE See Note 1 to 5.2.3.
5.2.8 The certification body shall not outsource audits to a management system
consultancy organization, as this poses an unacceptable threat to the impartiality
of the certification body (see 7.5). This does not apply to individuals contracted as
auditors covered in 7.3.
5.2.9 The certification body’s activities shall not be marketed or offered as linked
with the activities of an organization that provides management system
consultancy. The certification body shall take action to correct inappropriate links
or statements by any consultancy organization stating or implying that
certification would be simpler, easier, faster or less expensive if the certification
body were used. A certification body shall not state or imply that certification
would be simpler, easier, faster or less expensive if a specified consultancy
organization were used.
5.2.10 In order to ensure that there is no conflict of interests, personnel who have
provided management system consultancy, including those acting in a managerial
capacity, shall not be used by the certification body to take part in an audit or
other certification activities if they have been involved in management system
consultancy towards the client. A recognized mitigation of this threat is that
personnel shall not be used for a minimum of two years following the end of the
consultancy.
5.2.11 The certification body shall take action to respond to any threats to its
impartiality arising from the actions of other persons, bodies or organizations.
5.2.12 All certification body personnel, either internal or external, or committees,
who could influence the certification activities, shall act impartially and shall not
allow commercial, financial or other pressures to compromise impartiality.
5.2.13 Certification bodies shall require personnel, internal and external, to reveal
any situation known to them that can present them or the certification body with a
conflict of interests. Certification bodies shall record and use this information as
input to identifying threats to impartiality raised by the activities of such personnel
or by the organizations that employ them, and shall not use such personnel,
internal or external, unless they can demonstrate that there is no conflict of
interest.
5.3 Liability and financing
6 Structural requirements
6.1 Organizational structure and top management
6.1.1 The certification body shall document its organizational
structure, duties, responsibilities and authorities of
management and other personnel involved in certification
and any committees. When the certification body is a
defined part of a legal entity, the structure shall include the
line of authority and the relationship to other parts within the
same legal entity.
6.1.2 Certification activities shall be structured and managed
so as to safeguard impartiality.
6.1.3 The certification body shall identify the top management (board, group of
persons, or person) having overall authority and responsibility for each of the
following:
a) development of policies and establishment of processes and procedures
relating to its operations;
b) supervision of the implementation of the policies, processes and procedures;
c) ensuring impartiality;
d) supervision of its finances;
e) development of management system certification services and schemes;
f) performance of audits and certification, and responsiveness to complaints;
g) decisions on certification;
h) delegation of authority to committees or individuals, as required, to undertake
defined activities on its behalf;
i) contractual arrangements;
j) provision of adequate resources for certification activities.
6.1.4 The certification body shall have formal rules for the appointment, terms of
reference and operation of any committees that are involved in the certification
activities.
6.2.1 The certification body shall have a process for the effective
control of certification activities delivered by branch offices,
partnerships, agents, franchisees, etc., irrespective of their legal status,
relationship or geographical location. The certification body shall
consider the risk that these activities pose to the competence,
consistency and impartiality of the certification body.
IAF is drafting a mandatory document “Control of Entities Operating on
behalf of Accredited Certification Bodies”
6.2.2 The certification body shall consider the appropriate level and
method of control of activities undertaken including its processes,
technical areas of certification bodies’ operations, competence of
personnel, lines of management control, reporting and remote access
to operations including records.
7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
The certification body shall have processes to ensure that
personnel have appropriate knowledge and skills relevant
to the types of management systems (e.g. environmental
management systems, quality management systems,
information security management systems) and geographic
areas in which it operates.
A.2.7 Language skills appropriate to all levels within the client organization
Capable of communicating effectively to persons at any level of an organization using
appropriate terms, expressions and speech.
A.2.8 Note-taking and report-writing skills
Capable of reading and writing with sufficient speed, accuracy and comprehension to
record, take notes, and effectively communicate audit findings and conclusions
A.2.9 Presentation skills
Capable of presenting audit findings and conclusions to be easily understood. For the
team leader, presenting in a public forum (e.g., closing meeting) audit findings,
conclusions, and recommendations appropriate to the audience.
A.2.10 Interviewing skills
Capable of interviewing to obtain relevant information by asking, open-ended, well
formulated questions and listening to understand and evaluate the answers.
A.2.11 Audit-management skills
Capable of conducting and managing an audit to achieve the audit objectives within
the agreed timeframe. For the team leader, capable of facilitating meetings for the
effective exchange of information and capable of making assignments or re-assignments
where necessary.
IAF MD 10:2013
IAF Mandatory Document for Assessment of CB
Management of Competence in accordance with ISO/IEC
17021:2011
Intended results for the following functions
• Application review
• Establishing audit program
• Scheduling of audits
• Allocation of audit teams
• Audit planning
• Auditing and reporting
• Report reviews & certification decisions
• Maintenance of certification
Figure: competence evaluation methods (examination, interview) applied to the required knowledge and skills.
7.2.9 The certification body shall ensure the satisfactory performance of all
personnel involved in the audit and other certification activities. There shall be
a documented process for monitoring competence and performance of all
persons involved, based on the frequency of their usage and the level of risk
linked to their activities. In particular, the certification body shall review and
record the competence of its personnel in the light of their performance in order
to identify training needs.
7.2.10 The certification body shall monitor each auditor considering each type
of management system to which the auditor is deemed competent. The
documented monitoring process for auditors shall include a combination of on-site
evaluation, review of audit reports and feedback from clients or from the
market. This monitoring shall be designed in such a way as to minimize
disturbance to the normal processes of certification, especially from the client’s
viewpoint.
7.2.11 The certification body shall periodically evaluate the performance of
each auditor on-site. The frequency of on-site evaluations shall be based on
need determined from all monitoring information available.
7.5 Outsourcing
7.5.1 The certification body shall have a process in which it
describes the conditions under which outsourcing (which is
subcontracting to another organization to provide part of the
certification activities on behalf of the certification body) may
take place. The certification body shall have a legally
enforceable agreement covering the arrangements, including
confidentiality and conflicts of interests, with each body that
provides outsourced services.
7.5.2 Decisions for granting, refusing, maintaining of certification,
expanding or reducing the scope of certification, renewing,
suspending or restoring, or withdrawing of certification shall not
be outsourced.
8 Information requirements
8.1 Public information
8.1.1 The certification body shall maintain (through publications, electronic media or other means),
and make public, without request, in all the geographical areas in which it operates, information
about
a) audit processes;
b) processes for granting, refusing, maintaining, renewing, suspending, restoring or withdrawing
certification or expanding or reducing the scope of certification;
c) types of management systems and certification schemes in which it operates;
d) the use of the certification body’s name and certification mark or logo;
e) processes for handling requests for information, complaints and appeals;
f) policy on impartiality.
8.1.2 The certification body shall provide upon request information about:
a) geographical areas in which it operates;
b) the status of a given certification;
c) the name, related normative document, scope and geographical location (city and country) for
a specific certified client.
NOTE 1 In exceptional cases, access to certain information can be limited on the request of the client
(e.g. for security reasons).
NOTE 2 The certification body can also make the information in 8.1.2 public by any means it chooses
without request, e.g. on its internet website.
8.1.3 Information provided by the certification body to any client or to the marketplace, including
advertising, shall be accurate and not misleading.
AB assessors should seek to verify the effectiveness of the CAB’s rules by:
1. Evaluating the CAB’s rules to assure that the statements contain and/or reference:
‒ identification (e.g. brand or name) of the certified client
‒ the type of management system (e.g. quality, environment) and the applicable standard;
‒ the certification body issuing the certificate
It is not allowed to use the management system certification mark on a product or product
packaging.
2. Verifying that the CAB has a legally enforceable agreement to govern the content and use of
the statements as required by ISO/IEC 17021-1. It is advisable for CABs to approve the contents
and the use of such statements by their clients prior to their application to the product packaging
or in accompanying information.
3. Reviewing the use of the statements by:
‒ verifying the statement on product packaging or in accompanying information prior to distribution;
‒ verifying records regarding initial generation (if applicable) or changes of product packaging
and accompanying information, and complaints about misuse of statements in relation to
certification.
An example of a statement conforming to the requirements of ISO/IEC 17021-1 is as follows:
This product was manufactured (or packaged, etc.) by ABC Ltd. whose quality management
system (or EMS, or FSMS) is certified by Certification Body XYZ to ISO 9001:2015 (or ISO
14001:2015, or ISO 22000:2005)
Some examples of improper statements regarding Management System certification are shown
below:
(X) No certified client’s name
Example: This product was manufactured under a quality management system (or EMS, or FSMS)
certified by Certification Body XYZ to ISO 9001:2015 (or ISO 14001:2015, or ISO 22000:2005)
(X) No applicable Management System standard (e.g. ISO 9001:2015)
Example: This product was manufactured (or packaged, etc.) by ABC Ltd. whose quality
management system (or EMS, or FSMS) is certified by Certification Body XYZ
(X) No CAB name
Example: This product was manufactured (or packaged, etc.) by ABC Ltd. whose quality
management system (or EMS, or FSMS) is certified to ISO 9001:2015 (or ISO 14001:2015, or ISO
22000:2005)
(X) Misleading Information
Example: This product was certified by Certification Body XYZ to ISO 9001:2015 (or ISO
14001:2015, or ISO 22000:2005) – This statement implies the product is certified to the mentioned
standard.
(X) Use of CAB’s management system certification mark on product packaging or in
accompanying information
Example: a certification mark reading “XYZ Endorsed ISO 9001 Management System” printed
beside the statement “This product was manufactured (or packaged, etc.) by ABC Ltd. whose
quality management system is certified by Certification Body XYZ to ISO 9001:2015”.
This product was tested by ABC Ltd. whose quality
management system (or EMS, or FSMS) is certified by
Certification Body XYZ to ISO 9001:2015 (or ISO
14001:2015, or ISO 22000:2005)
8.4 Confidentiality
8.4.1 The certification body shall be responsible, through legally enforceable agreements, for
the management of all information obtained or created during the performance of certification
activities at all levels of its structure, including committees and external bodies or individuals
acting on its behalf.
8.4.2 The certification body shall inform the client, in advance, of the information it intends to
place in the public domain. All other information, except for information that is made publicly
accessible by the client, shall be considered confidential.
8.4.3 Except as required in this part of ISO/IEC 17021, information about a particular certified
client or individual shall not be disclosed to a third party without the written consent of the
certified client or individual concerned.
8.4.4 When the certification body is required by law or authorized by contractual arrangements
(such as with the accreditation body) to release confidential information, the client or individual
concerned shall, unless prohibited by law, be notified of the information provided.
8.4.5 Information about the client from sources other than the client (e.g. complainant,
regulators) shall be treated as confidential, consistent with the certification body’s policy.
8.4.6 Personnel, including any committee members, contractors, personnel of external bodies
or individuals acting on the certification body’s behalf, shall keep confidential all information
obtained or created during the performance of the certification body’s activities except as
required by law.
8.4.7 The certification body shall have processes and where applicable equipment and facilities
that ensure the secure handling of confidential information.
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
The certification body shall require an authorized representative of the
applicant organization to provide the necessary information to enable it to
establish the following:
a) the desired scope of the certification;
b) relevant details of the applicant organization as required by the specific
certification scheme, including its name and the address(es) of its site(s),
its processes and operations, human and technical resources, functions,
relationships and any relevant legal obligations;
c) identification of outsourced processes used by the organization that will
affect conformity to requirements;
d) the standards or other requirements for which the applicant organization
is seeking certification;
e) whether consultancy relating to the management system to be certified
has been provided and, if so, by whom.
9.1.3.2
NOTE 1 Annex E provides a flowchart of a typical audit and certification
process.
NOTE 2 The following list contains additional items that can be considered
when developing or revising an audit programme, they might also need to
be addressed when determining the audit scope and developing the audit
plan:
— complaints received by the certification body about the client;
— combined, integrated or joint audit;
— changes to the certification requirements;
— changes to legal requirements;
— changes to accreditation requirements;
— organizational performance data (e.g. defect levels, key performance
indicators data);
— relevant interested parties’ concerns.
NOTE 3 If specified by the industry specific certification scheme, the
certification cycle can be different from three years.
9.1.4.1 The certification body shall have documented procedures for determining audit time. For
each client the certification body shall determine the time needed to plan and accomplish a
complete and effective audit of the client’s management system.
9.1.4.2 In determining the audit time, the certification body shall consider, among other things,
the following aspects:
a) the requirements of the relevant management system standard;
b) complexity of the client and its management system;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the management system;
e) the results of any prior audits;
f) size and number of sites, their geographical locations and multi-site considerations;
g) the risks associated with the products, processes or activities of the organization;
h) whether audits are combined, joint or integrated.
NOTE 1 Time spent travelling to and from audited sites is not included in the calculation of the
duration of the management system audit days.
NOTE 2 The certification body can use the guidelines established in ISO/IEC TS 17023 for
determining the duration of management system audit when documenting these procedures.
Where specific criteria have been established for a specific certification scheme, e.g. ISO/TS
22003 or ISO/IEC 27006, these shall be applied.
9.2.1.3 The audit scope shall describe the extent and boundaries of
the audit, such as sites, organizational units, activities and processes
to be audited. Where the initial or re-certification process consists of
more than one audit (e.g. covering different sites), the scope of an
individual audit may not cover the full certification scope, but the
totality of audits shall be consistent with the scope in the certification
document.
9.2.1.4 The audit criteria shall be used as a reference against which
conformity is determined, and shall include:
— the requirements of a defined normative document on management
systems;
— the defined processes and documentation of the management
system developed by the client.
9.2.2.1.3 The necessary knowledge and skills of the audit team leader and
auditors may be supplemented by technical experts, translators and interpreters
who shall operate under the direction of an auditor. Where translators or
interpreters are used, they shall be selected such that they do not unduly
influence the audit.
NOTE The criteria for the selection of technical experts are determined on a case-by-case
basis by the needs of the audit team and the scope of the audit.
9.3.1.3 Stage 2
The purpose of stage 2 is to evaluate the implementation, including effectiveness,
of the client’s management system. The stage 2 shall take place at the site(s) of
the client. It shall include the auditing of at least the following:
a) information and evidence about conformity to all requirements of the
applicable management system standard or other normative documents;
b) performance monitoring, measuring, reporting and reviewing against key
performance objectives and targets (consistent with the expectations in the
applicable management system standard or other normative document);
c) the client’s management system ability and its performance regarding meeting
of applicable statutory, regulatory and contractual requirements;
d) operational control of the client’s processes;
e) internal auditing and management review;
f) management responsibility for the client’s policies.
9.3.1.4 Initial certification audit conclusions
The audit team shall analyse all information and audit evidence gathered during
stage 1 and stage 2 to review the audit findings and agree on the audit
conclusions.
9.6.3 Recertification
9.6.3.1 Recertification audit planning
9.6.3.1.1 The purpose of the recertification audit is to confirm the continued
conformity and effectiveness of the management system as a whole, and its
continued relevance and applicability for the scope of certification. A recertification
audit shall be planned and conducted to evaluate the continued fulfilment of all of the
requirements of the relevant management system standard or other normative
document. This shall be planned and conducted in due time to enable for timely
renewal before the certificate expiry date.
9.6.3.1.2 The recertification activity shall include the review of previous surveillance
audit reports and consider the performance of the management system over the most
recent certification cycle.
9.6.3.1.3 Recertification audit activities may need to have a stage 1 in situations
where there have been significant changes to the management system, the
organization, or the context in which the management system is operating (e.g.
changes to legislation).
NOTE Such changes can occur at any time during the certification cycle and the
certification body might need to perform a special audit (see 9.6.4), which might or might
not be a two-stage audit.
Figure: recertification timeline. Points A, B (expiry), C, D and E lie on a time axis; the interval up to B is the validity of the current certificate, B to D is the first 6 months after expiry, and beyond D is more than 6 months after expiry.
Scenario 1: Normal
• Recertification activities (audit, closure & review) completed before B (expiry)
• Decision taken on A, before B (expiry)
• New certificate starts from B, valid until B+3 years. Certificate with history, no gap
Scenario 2a: Certification restored
• Recertification activities initiated, NOT completed before B
Scenario 2b: Certification restored
• Recertification activities completed before B
Scenarios 2a and 2b:
• Decision taken on C, but before D. New certificate starts from C, valid till B+3 years
• Certificate with history indicating the gap between B and C (8.2.2 b Note)
Correct, it makes no difference whether recertification is initiated before or after expiry
Scenario 4 (same timeline: A, B (expiry), C, D, E):
• Recertification activities NOT initiated before B (even if completed before D)
• A full initial audit is necessary
• New certificate starts from the decision taken and is valid till decision date + 3 years
• Certificate without history
• There is a gap in the certification, which is between B and the decision date
It is correct only if the CB decides to handle the client as a new client and a full stage 1 and stage 2 audit is conducted. The CB and client could still agree this will still be done as a recertification, in which case the new certificate will start from the decision date and will be valid till B + 3 years, and the certificate will show the gap between B and the decision date.
9.7 Appeals
9.7.1 The certification body shall have a documented process to receive, evaluate and make
decisions on appeals.
9.7.2 The certification body shall be responsible for all decisions at all levels of the appeals-handling process. The certification body shall ensure that the persons engaged in the appeals-handling process are different from those who carried out the audits and made the certification decisions.
9.7.3 Submission, investigation and decision on appeals shall not result in any discriminatory
actions against the appellant.
9.7.4 The appeals-handling process shall include at least the following elements and methods:
a) an outline of the process for receiving, validating and investigating the appeal, and for deciding
what actions need to be taken in response to it, taking into account the results of previous similar
appeals;
b) tracking and recording appeals, including actions undertaken to resolve them;
c) ensuring that any appropriate correction and corrective action are taken.
9.7.5 The certification body receiving the appeal shall be responsible for gathering and verifying
all necessary information to validate the appeal.
9.7.6 The certification body shall acknowledge receipt of the appeal and shall provide the
appellant with progress reports and the result of the appeal.
9.7.7 The decision to be communicated to the appellant shall be made by, or reviewed and
approved by, individual(s) not previously involved in the subject of the appeal.
9.7.8 The certification body shall give formal notice to the appellant of the end of the appeals
handling process.
9.8 Complaints
9.8.1 The certification body shall be responsible for all decisions at all levels of the complaints-handling process.
9.8.2 Submission, investigation and decision on complaints shall not result in any
discriminatory actions against the complainant.
9.8.3 Upon receipt of a complaint, the certification body shall confirm whether the
complaint relates to certification activities that it is responsible for and, if so, shall
deal with it. If the complaint relates to a certified client, then examination of the
complaint shall consider the effectiveness of the certified management system.
9.8.4 Any valid complaint about a certified client shall also be referred by the
certification body to the certified client in question at an appropriate time.
9.8.5 The certification body shall have a documented process to receive,
evaluate and make decisions on complaints. This process shall be subject to
requirements for confidentiality, as it relates to the complainant and to the subject
of the complaint.
9.8.6 The complaints-handling process shall include at least the following elements and
methods:
a) an outline of the process for receiving, validating, investigating the complaint, and for
deciding what actions need to be taken in response to it;
b) tracking and recording complaints, including actions undertaken in response to them;
c) ensuring that any appropriate correction and corrective action are taken.
NOTE ISO 10002 provides guidance for complaints handling.
9.8.7 The certification body receiving the complaint shall be responsible for gathering and
verifying all necessary information to validate the complaint.
9.8.8 Whenever possible, the certification body shall acknowledge receipt of the complaint,
and shall provide the complainant with progress reports and the result of the complaint.
9.8.9 The decision to be communicated to the complainant shall be made by, or reviewed
and approved by, individual(s) not previously involved in the subject of the complaint.
9.8.10 Whenever possible, the certification body shall give formal notice of the end of the
complaints-handling process to the complainant.
9.8.11 The certification body shall determine, together with the certified client and the
complainant, whether and, if so to what extent, the subject of the complaint and its
resolution shall be made public.
10.2.6.2 An audit programme shall be planned, taking into consideration the importance
of the processes and areas to be audited, as well as the results of previous audits.
10.2.6.3 Internal audits shall be performed at least once every 12 months. The frequency
of internal audits may be reduced if the certification body can demonstrate that its
management system continues to be effectively implemented according to this part of
ISO/IEC 17021 and has proven stability.
10.2.6.4 The certification body shall ensure that:
a) internal audits are conducted by competent personnel knowledgeable in certification,
auditing and the requirements of this part of ISO/IEC 17021;
b) auditors do not audit their own work;
c) personnel responsible for the area audited are informed of the outcome of the audit;
d) any actions resulting from internal audits are taken in a timely and appropriate manner;
e) any opportunities for improvement are identified.
Module 3 – Management System & Org. Structure