Slides Iso 17021 Be Lac

Accreditation of certification bodies Accreditation of certification bodies in EMS/QMS: transition from in EMS/QMS: transition from

ISO guides 62 and 66 to ISO guides 62 and 66 to ISO/IEC 17021ISO/IEC 17021--1 1

Presented by PeterPresented by Peter Vermaercke 26 June 2007Vermaercke 26 June 2007Lead Assessor BELACLead Assessor BELAC

ISO/IEC 17021 Peter Vermaercke BELAC 26 June 2007 2

ISO 17021 ISO 17021 –– at first sight not new?at first sight not new?But, did you look close enough?But, did you look close enough?


ContentContent

ISO/IEC 17021:2006: ISO/IEC 17021:2006: ““Conformity assessmentConformity assessment——Requirements for bodies providing audit and certification Requirements for bodies providing audit and certification

of management systemsof management systems ““ Published 15 September 2006.Published 15 September 2006.History and the framework of ISO/IEC 17021History and the framework of ISO/IEC 17021Objectives and scope of the new standardObjectives and scope of the new standardContent of the new standardContent of the new standardFuture Future –– what with IAF guideline documents?what with IAF guideline documents?ConclusionConclusion A word of thanks to

• Randy Dougherty for using his ISO CASCO-slides• INAB for using partly their slides publicly available on INAB-website

These slides were based upon the EA training course on ISO 17021 held on 24/25 May 2007


Conformity AssessmentConformity AssessmentWhere is ISO 17021?Where is ISO 17021?

Accreditation ISO/IEC 17011

Accreditation ISO/IEC 17011

CERTIFICATIONCERTIFICATIONTESTING

CALIBRATIONISO/IEC 17025

CLINICAL ISO 15089

TESTINGCALIBRATIONISO/IEC 17025

CLINICAL ISO 15089

INSPECTION

ISO/IEC 17020

INSPECTION

ISO/IEC 17020

MANAGEMENT SYSTEMSISO/IEC 17021

MANAGEMENT SYSTEMSISO/IEC 17021

PRODUCTSISO GUIDE 65PRODUCTS

ISO GUIDE 65

PERSONSISO/IEC 17024PERSONS

ISO/IEC 17024

QUALITY SYSTEMSISO 9000, GMP, ..

QUALITY SYSTEMSISO 9000, GMP, ..

ENVIRONMENTAL SYSYEMSISO 14001

ENVIRONMENTAL SYSYEMSISO 14001

SAFETY & OTHERHACCP,

OHSAS 18001, …

SAFETY & OTHERHACCP,

OHSAS 18001, …

AUDITINGISO 19011


Phase 1: Upgrading most ISO Phase 1: Upgrading most ISO Guides to StandardsGuides to Standards

General requirements for the competence General requirements for the competence of testing and calibration laboratoriesof testing and calibration laboratories

ISO/IEC 17025ISO/IEC 17025: 2005: 2005Testing/Testing/calibrationcalibration

Conformity assessment Conformity assessment -- General General requirements for bodies operating requirements for bodies operating certification of personscertification of persons

ISO/IEC 17024ISO/IEC 17024: 2003: 2003Certification of Certification of personspersons

Conformity assessment Conformity assessment -- General General requirements for bodies requirements for bodies providing audit and certification providing audit and certification of management systemsof management systems

ISO/IEC ISO/IEC 17021:200617021:2006

((transition from transition from ISO guides 62 ISO guides 62 and 66)and 66)

SystemSystemCertificationCertification

General criteria for the operation of various General criteria for the operation of various types of bodies performing inspectiontypes of bodies performing inspection

ISO/IEC 17020ISO/IEC 17020: 1998: 1998Reconfirmed in 2002Reconfirmed in 2002

InspectionInspection

Conformity assessment Conformity assessment -- General General requirements for accreditation bodies requirements for accreditation bodies accrediting conformity assessment accrediting conformity assessment bodiesbodies

ISO/IEC 17011ISO/IEC 17011: 2004: 2004AccreditationAccreditation


Revision of the standards related Revision of the standards related to conformity assessmentto conformity assessment--phase 2phase 2

Phase 2 = Develop Phase 2 = Develop ““Common elementsCommon elements”” for for conformity conformity assessment that shall be used in all ISO documents once assessment that shall be used in all ISO documents once the principles and texts are confirmed. the principles and texts are confirmed. Common elements Common elements across the core standards are to be found in a group of across the core standards are to be found in a group of ISO/IEC PAS (ISO/IEC PAS (Publicly Available Specification which reflect Publicly Available Specification which reflect a good practice and which are a good practice and which are documents designed for documents designed for the internal use of ISO/CASCO working groups); the internal use of ISO/CASCO working groups); We are now in this phaseWe are now in this phaseAfter at least 5 years. Phase 3: develop a new series of After at least 5 years. Phase 3: develop a new series of 17000 standards, based on the 17000 standards, based on the ““common elementscommon elements”” and and the functional approachthe functional approach


List of CASCO guides and List of CASCO guides and standards by field of applicationstandards by field of application

Conformity assessment - Disclosure of information - Principles and requirements

ISO PAS 17004: 2005

Conformity assessment - Complaints and appeals - Principles and requirements

ISO PAS 17003: 2004

Conformity assessment -Confidentiality - Principles and requirements

ISO PAS 17002: 2004

Conformity assessment - Impartiality -Principles and requirements

ISO PAS 17001: 2005

Conformity assessment - Vocabulary and general principles

ISO/IEC 17000: 2004Vocabulary, principles and common elements of conformity assessment


List of CASCO guides and List of CASCO guides and standards by field of applicationstandards by field of application

Conformity assessment -Fundamentals of product certification

ISO/IEC Guide 67: 2004

General requirements for bodies operating product certification systems


Conformity assessment - Guidance on the use of an organization's quality management system in product certification


Conformity assessment - Guidance on a third-party certification system for products


Methods of indicating conformity with standards for third-party certification systems


Reconfirmed in 2003

Product certification


List of CASCO List of CASCO list of CASCO list of CASCO projects under wayprojects under way

Conformity assessment Conformity assessment –– General requirements for General requirements for bodies operating product certification systemsbodies operating product certification systems

ISO/IEC 17065ISO/IEC 17065[CASCO WG 29][CASCO WG 29]Revision of ISO/IEC Revision of ISO/IEC

Guide 65:1996Guide 65:1996

Product certification Product certification

Proficiency testing by interlaboratory comparisons Proficiency testing by interlaboratory comparisons ––Part 1: Development and operation of proficiency Part 1: Development and operation of proficiency testing schemes and Part 2: Selection and use of testing schemes and Part 2: Selection and use of proficiency testing schemes by laboratory proficiency testing schemes by laboratory accreditation bodiesaccreditation bodies

ISO/IEC 17043ISO/IEC 17043[CASCO WG 28][CASCO WG 28]

Proficiency testingProficiency testing

Conformity assessment Conformity assessment ––Requirements for third party Requirements for third party auditing of management auditing of management systemssystems

ISO/IEC 17021 ISO/IEC 17021 Part 2Part 2

[CASCO WG 21][CASCO WG 21]

Auditing Auditing competencecompetence

Conformity assessment Conformity assessment -- Guidelines for drafting Guidelines for drafting standards and specified requirements suitable for standards and specified requirements suitable for use for conformity assessmentuse for conformity assessment

ISO/IEC 17007ISO/IEC 17007[CASCO WG 27][CASCO WG 27]

Writing specifications for Writing specifications for use in conformity use in conformity assessmentassessment

Conformity assessment Conformity assessment -- Use of management Use of management systems in conformity assessment systems in conformity assessment -- Principles Principles and requirementsand requirements

ISO PAS 17005ISO PAS 17005[CASCO WG 23][CASCO WG 23]FDPAS in progress. FDPAS in progress.

Common elements of Common elements of conformity conformity assessmentassessment


Product certifiers!Product certifiers!

It should be noted that the ISO 17021 is not intended for It should be noted that the ISO 17021 is not intended for product certification, and as ISO guide 65 will not change product certification, and as ISO guide 65 will not change in the next year it is reasonable to expect that in the in the next year it is reasonable to expect that in the future a revision of ISO 65 will take a similar path. So, future a revision of ISO 65 will take a similar path. So, product certifiers should make themselves familiar with product certifiers should make themselves familiar with this new standardthis new standard


ISO/IEC 17021ISO/IEC 17021--22

ISO 19011 is a ISO 19011 is a guidelineguideline that addresses that addresses –– only audits of QMS and EMSonly audits of QMS and EMS–– all types of audits, both internal and externalall types of audits, both internal and external–– guidelines and not requirementsguidelines and not requirements

So there is a need for a text addressing specifically 3rdParty So there is a need for a text addressing specifically 3rdParty Management System auditing Management System auditing requirements, so a standardrequirements, so a standardProposal for the development of ISO/IEC 17021Proposal for the development of ISO/IEC 17021--2 addressing:2 addressing:–– Generic aspects of 3rd party management system auditingGeneric aspects of 3rd party management system auditing–– Generic audit competence requirementsGeneric audit competence requirements–– A template for the future development of specific A template for the future development of specific

competence requirements for any management system competence requirements for any management system schemescheme


ISO/IEC 17021ISO/IEC 17021--22

Very little known about it, but it has three components:Very little known about it, but it has three components:–– 1. You need to have generically competent auditors.1. You need to have generically competent auditors.–– 2. You need to make competent use of those auditors, 2. You need to make competent use of those auditors,

so the right people for the right audit can be selected, so the right people for the right audit can be selected, working together as a competent audit team. working together as a competent audit team.

–– 3. Give that competent audit team the resources they 3. Give that competent audit team the resources they need to do a competent audit. The main resource in need to do a competent audit. The main resource in that respect is time that respect is time -- time to do a thorough audit, to time to do a thorough audit, to prepare adequately all the documents, to report prepare adequately all the documents, to report adequately, and to breathe in between audits ... adequately, and to breathe in between audits ...


ContentContent

History and the framework of ISO/IEC 17021History and the framework of ISO/IEC 17021Objectives and scope of the new standardObjectives and scope of the new standardContent of the new standardContent of the new standardFuture Future –– what with IAF guideline documents?what with IAF guideline documents?ConclusionConclusion


TrendsTrends

Over the last 5Over the last 5––10 years, the thinking concerning 10 years, the thinking concerning Management Systems has evolved towards Management Systems has evolved towards –– 1) Quality Management Systems built around an ISO 1) Quality Management Systems built around an ISO

9001 Core e.g. sector schemes such as 9001 Core e.g. sector schemes such as Telecommunications (TL9000), Aerospace (AS9100), Telecommunications (TL9000), Aerospace (AS9100), Automotive (ISO TS 16949), Automotive (ISO TS 16949), ……

–– 2) Compatibility between different management systems 2) Compatibility between different management systems e.g. ISO 9001 and 14001 e.g. ISO 9001 and 14001 -- Integrated management Integrated management systems, systems, ……..

–– 3) Future extension of the scope of management 3) Future extension of the scope of management systems e.g. Agrosystems e.g. Agro--food Safety Management (ISO food Safety Management (ISO 22000), Information security management 22000), Information security management information information security (ISO/IEC 27001:2005) and supply chain security security (ISO/IEC 27001:2005) and supply chain security (ISO/PAS 28000:2005)(ISO/PAS 28000:2005)


Requirements for the standardsRequirements for the standardsalso accreditation standardsalso accreditation standards

Maintaining a Common Core Maintaining a Common Core Obtaining CompatibilityObtaining CompatibilityEnhancing credibility of 3rd party certificationEnhancing credibility of 3rd party certificationSo, flexibility to meet marketplace (So, flexibility to meet marketplace (sectoralsectoral) needs) needs--avoiding unnecessary redundancy when addressing similar avoiding unnecessary redundancy when addressing similar themesthemes--compatibility and compatibility and alignment, whenever possible,alignment, whenever possible,ensuring stakeholder credibilityensuring stakeholder credibility


Objectives ISO/IEC 17021Objectives ISO/IEC 17021

To replace Guide 62 and 66 (or the BELAC documents To replace Guide 62 and 66 (or the BELAC documents based upon EN 45012)based upon EN 45012)To be applicable to any type of management system; a reTo be applicable to any type of management system; a re--active and proactive and pro--active approach to standardization active approach to standardization –– the the standard should also provide a platform for certification of standard should also provide a platform for certification of other management systems. other management systems. To incorporate current guidelines developed by the To incorporate current guidelines developed by the International Accreditation Forum (IAF GD2 en GD8) for International Accreditation Forum (IAF GD2 en GD8) for their members to follow when applying the last editions of their members to follow when applying the last editions of ISO/IEC Guides 62 and 66.ISO/IEC Guides 62 and 66.To incorporate latest technologyTo incorporate latest technologyTo be consistent with the common elementsTo be consistent with the common elements


Positive pointsPositive pointsReduces the proliferation of standards Reduces the proliferation of standards Is the first attempt for a core conformity assessment Is the first attempt for a core conformity assessment standard with the advantage of a range of recent changes to standard with the advantage of a range of recent changes to working practice and understanding in place (taken over working practice and understanding in place (taken over from IAF). from IAF). Adoption of a more Adoption of a more ““performance basedperformance based”” approach to the approach to the orientation of the requirements in the core standards as orientation of the requirements in the core standards as opposed to a opposed to a ““design baseddesign based”” approach, which is more approach, which is more prescriptive (what and how to do things). I counted 240 prescriptive (what and how to do things). I counted 240 ““shallshall”” clauses under ISO 17021, which is far less than the clauses under ISO 17021, which is far less than the 400+ requirements of the two current standards. 400+ requirements of the two current standards.


An example of the transfer of IAF An example of the transfer of IAF guides to the standardguides to the standard

IAF Guidance GD2: IAF Guidance GD2: ““CBCB’’s may participate in training s may participate in training courses, provided that where these courses relate to courses, provided that where these courses relate to quality assurance, management systems or auditing they quality assurance, management systems or auditing they should confine themselves to the provision of generic should confine themselves to the provision of generic information and advice which is freely available in the information and advice which is freely available in the public domain, i.e. they should not provide company public domain, i.e. they should not provide company specific advice which contravenes the requirements.specific advice which contravenes the requirements.””ISO 17021 Clause 3.3: ISO 17021 Clause 3.3: ““Arranging training and Arranging training and participating as a trainer is not considered consultancy, participating as a trainer is not considered consultancy, provided that where the course relates to management provided that where the course relates to management systems or auditing, the course is confined to the systems or auditing, the course is confined to the provision of generic information that is freely available in provision of generic information that is freely available in the public domain, i.e. the trainer should not provide the public domain, i.e. the trainer should not provide companycompany--specific solutions.specific solutions.””


ContentContent


RVA TRVA T--3232

IAF GD6IAF GD6Guide 66Guide 66IAF GD2IAF GD2Guide 62Guide 62ISO/IEC 17021 ClausesISO/IEC 17021 Clauses

5.1.2 Certification agreement.

G.4.1.8G.4.1.9

G.4.1.10

4.1.2dG.2.1.10G.2.1.11

2.1.2d5.1.1 Legal entity.

G.4.1.21G.1.1.233.3 management systems consultancy


ISO/IEC 17021:2006ISO/IEC 17021:2006ContentsContents

–– 1 Scope1 Scope–– 2 Normative references2 Normative references–– 3 Terms and definitions3 Terms and definitions–– 4 Principles4 Principles–– 5 General requirements5 General requirements–– 6 Structural requirements6 Structural requirements–– 7 Resource requirements7 Resource requirements–– 8 Information requirements8 Information requirements–– 9 Process requirements9 Process requirements–– 10 Management system requirements for CBs10 Management system requirements for CBs


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 4 PrinciplesSection 4 Principles

What is new?What is new?–– regarding the standard?regarding the standard?

Section 4 PrinciplesSection 4 Principles [for third party certification][for third party certification]–– Subsequent requirements are based on the principlesSubsequent requirements are based on the principles–– The principles are not auditableThe principles are not auditable

The principles are statements of what should be achieved. The principles are statements of what should be achieved. Knowing what is to be achieved helps in drafting the Knowing what is to be achieved helps in drafting the subsequentsubsequent



4.1.3 Principles for inspiring Confidence4.1.3 Principles for inspiring Confidence..–– impartialityimpartiality–– competencecompetence–– responsibilityresponsibility–– opennessopenness–– confidentialityconfidentiality–– responsiveness to complaintsresponsiveness to complaints



4.2 Impartiality threats.4.2 Impartiality threats.Self interestSelf interestSelf reviewSelf reviewFamiliarityFamiliarityIntimidationIntimidation



4.3 Competence.4.3 Competence.

Competence of personnel supported by management Competence of personnel supported by management system.system.

Competence is the demonstrated ability to apply Competence is the demonstrated ability to apply knowledge and skills.knowledge and skills.

Certification must provide confidenceCertification must provide confidence



4.4 Responsibility4.4 ResponsibilityCertification body has responsibility to assess sufficient Certification body has responsibility to assess sufficient

objective evidence upon which to base a decision.objective evidence upon which to base a decision.Grant certificate if sufficient evidence of conformity.Grant certificate if sufficient evidence of conformity.

Links to confidence. Integrity and credibility of certification.Links to confidence. Integrity and credibility of certification.needs competence needs competence



4.5 Openness4.5 Openness..Provision and access to information.Provision and access to information.

4.6 Confidentiality4.6 Confidentiality..Integrity and confidenceIntegrity and confidence

4.7 Responsiveness to complaints4.7 Responsiveness to complaints..Confidence, trust, integrity, credibility.Confidence, trust, integrity, credibility.Cannot hide behind confidentiality.Cannot hide behind confidentiality.


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 5 General requirementsSection 5 General requirements

5.1 Legal and contractual matters5.1 Legal and contractual matters5.1.1 legal responsibility5.1.1 legal responsibility

–– CB shall be such that it can be held legally responsible CB shall be such that it can be held legally responsible for its certification activitiesfor its certification activities

shall be a legal entity or a defined part of a legal shall be a legal entity or a defined part of a legal entityentitya governmental CB is deemed to be a legal entitya governmental CB is deemed to be a legal entity



5.1 Legal and contractual matters5.1 Legal and contractual matters5.1.2 certification agreement5.1.2 certification agreement

–– a CB shall have a legally a CB shall have a legally enforceableenforceable (that demonstrate (that demonstrate the capability to take legal action, if needed, to enforce the capability to take legal action, if needed, to enforce conformance by its clients) agreement with certification conformance by its clients) agreement with certification clients (international contracts involves knowledge of clients (international contracts involves knowledge of legislation?, language?)legislation?, language?)

–– for multiple offices of a CB or client, a CB shall ensure for multiple offices of a CB or client, a CB shall ensure the agreement explicitly covers all site covered by the the agreement explicitly covers all site covered by the scope of certificationscope of certification

5.1.3 responsibility for certification decisions5.1.3 responsibility for certification decisions–– a CB shall be responsible and shall retain authority for its a CB shall be responsible and shall retain authority for its

decisions relating to certificationdecisions relating to certification



What is new?What is new?–– regarding impartiality?regarding impartiality?

Eliminated the definition for, and use of the term, Eliminated the definition for, and use of the term, ““related related bodybody””, and instead describe activities/relationships that , and instead describe activities/relationships that are a threat to impartiality (this can be based on are a threat to impartiality (this can be based on ownership, governance, management, personnel, shared ownership, governance, management, personnel, shared resources, finances, contracts, marketing and payment of resources, finances, contracts, marketing and payment of a sales commission or other inducement for the referral of a sales commission or other inducement for the referral of new clients, etc.)new clients, etc.)So, the emphasis of demonstrating impartiality shifts from So, the emphasis of demonstrating impartiality shifts from AB that made a complete evaluation of the AB that made a complete evaluation of the ““related related bodiesbodies”” to the CB that now has to make a document to the CB that now has to make a document describing all describing all ““badbad”” activities/relationships that needs to activities/relationships that needs to be approved by the impartiality committeebe approved by the impartiality committee



5.2 Management of impartiality5.2 Management of impartiality5.2.1 top management commitment5.2.1 top management commitment

–– publicly accessiblepublicly accessible statement by top management of statement by top management of the CBthe CB

understands importance of impartialityunderstands importance of impartialitymanages conflict of interestmanages conflict of interestensures objectivityensures objectivity



5.2 Management of impartiality5.2 Management of impartiality5.2.2 5.2.2 impartiality threat analysisimpartiality threat analysis

–– identify, analyze and document COI or threats to identify, analyze and document COI or threats to impartialityimpartiality

–– relationshipsrelationships–– document elimination or reduction of threatsdocument elimination or reduction of threats–– demonstrate to impartiality committee (IC)demonstrate to impartiality committee (IC)



5.2 Management of impartiality5.2 Management of impartiality5.2.3 5.2.3 relationships that threaten impartialityrelationships that threaten impartiality

–– when a relationship that threatens impartiality cannot when a relationship that threatens impartiality cannot be eliminated or minimized, then certification shall not be eliminated or minimized, then certification shall not be providedbe provided

5.2.4 5.2.4 a CB shall not certify another CBa CB shall not certify another CB

5.2.5 a 5.2.5 a CB, and any part of the same legal entity, shall not CB, and any part of the same legal entity, shall not provide management systems consultancyprovide management systems consultancy–– applies also to a governmental CBapplies also to a governmental CB



5.2 Management of impartiality5.2 Management of impartiality5.2.6 5.2.6 a CB, and any part of the same legal entity, shall not a CB, and any part of the same legal entity, shall not

provide internal audits to its certified clientsprovide internal audits to its certified clients–– Note: if a CB provided internal audits for an Note: if a CB provided internal audits for an

organization, it shall not provide certification for at least organization, it shall not provide certification for at least two yearstwo years



5.2 Management of impartiality5.2 Management of impartiality5.2.7 CB and consultancy relationships5.2.7 CB and consultancy relationships

–– a CB shall not certify a client that received a CB shall not certify a client that received management system consultancy or internal audits management system consultancy or internal audits where the relationship between the management where the relationship between the management system consultancy organization and the CB poses an system consultancy organization and the CB poses an unacceptable threat to impartiality of the CBunacceptable threat to impartiality of the CB

–– allowing a minimum period of two years following the allowing a minimum period of two years following the end of the consultancy or internal audits is one means end of the consultancy or internal audits is one means of reducing the threat to impartiality to an acceptable of reducing the threat to impartiality to an acceptable levellevel



5.2 Management of impartiality5.2 Management of impartiality5.2.7 CB and consultancy relationships5.2.7 CB and consultancy relationships

–– Basis of relationships that threaten impartialityBasis of relationships that threaten impartialitycommon ownership, governance, or managementcommon ownership, governance, or managementshared resources or financesshared resources or financescontractscontractsmarketingmarketingpayment of a sales commission or other inducement payment of a sales commission or other inducement for referral of new clientsfor referral of new clients



5.2 Management of impartiality5.2 Management of impartiality5.2.8 5.2.8 a CB shall not outsource audits to a management a CB shall not outsource audits to a management

system consultancy organization.system consultancy organization. Note: does not apply to Note: does not apply to individuals contracted as auditors in 7.3individuals contracted as auditors in 7.3

CB COAuditors under

control of CB’s QMS

“Hired in”

“Outsource”

Auditors under control

of CO’s QMS



5.2 Management of impartiality5.2 Management of impartiality5.2.9 a CB5.2.9 a CB’’s activities shall not be marketed as linked to the s activities shall not be marketed as linked to the

activities of an organization that provides management activities of an organization that provides management system consultancysystem consultancy–– no no ‘‘linkedlinked’’ claims that certification would be faster, claims that certification would be faster,

easier, or less expensive easier, or less expensive –– CB shall take action to correct inappropriate claims by a CB shall take action to correct inappropriate claims by a

consultancy organizationconsultancy organization



5.2 Management of impartiality5.2 Management of impartiality5.2.10 any personnel involved in management system 5.2.10 any personnel involved in management system

consultancy for a client shall not be involved in consultancy for a client shall not be involved in certification of the client for at least two years following certification of the client for at least two years following the end of the consultancythe end of the consultancy

5.2.11 CB shall respond to threats to its impartiality arising 5.2.11 CB shall respond to threats to its impartiality arising from the actions of othersfrom the actions of others

5.2.12 CB personnel shall act impartially and not allow 5.2.12 CB personnel shall act impartially and not allow commercial, financial or other pressures to compromise commercial, financial or other pressures to compromise impartialityimpartiality–– internalinternal–– externalexternal–– CommitteesCommittees

5.2.13 CBs shall require personnel to disclose any situation 5.2.13 CBs shall require personnel to disclose any situation that may present them or the CB with a conflict of that may present them or the CB with a conflict of interestinterest



5.3 Liability and financing5.3 Liability and financing5.3.2 5.3.2 CB shall evaluate its finances and sources of income CB shall evaluate its finances and sources of income

and demonstrate to the impartiality committee that and demonstrate to the impartiality committee that commercial, financial and other pressures do not commercial, financial and other pressures do not compromise its impartialitycompromise its impartiality


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 6 Structural requirementsSection 6 Structural requirements

6.1 Organizational structure and top management 6.1 Organizational structure and top management 6.1.1 CB shall document6.1.1 CB shall document

–– organizational structure organizational structure –– responsibilities of personnel and committeesresponsibilities of personnel and committees–– relationships to other parts of same legal entityrelationships to other parts of same legal entity



Supplier - Producer

Board of Governors

Operational Management

TechnicalManagement (per scheme)

AppealCommittee

Advisory board

Certification-Committee

Technical Committee's)



6.1.2 CB shall identify top management having 6.1.2 CB shall identify top management having responsibility forresponsibility for–– policies and financespolicies and finances–– development and performance of certification schemesdevelopment and performance of certification schemes–– decisions on certificationdecisions on certification–– delegation to committees/personsdelegation to committees/persons–– contractual arrangementscontractual arrangements–– providing adequate resourcesproviding adequate resources

6.1.3 CB shall have formal rules for appointment, 6.1.3 CB shall have formal rules for appointment, terms of terms of reference and operations of committeesreference and operations of committees involved with involved with certificationcertification



6.2 Committee for safeguarding impartiality6.2 Committee for safeguarding impartiality6.2.1 structure of the CB shall include a committee6.2.1 structure of the CB shall include a committee

–– assist in development of policies relating to impartiality assist in development of policies relating to impartiality of certificationof certification

–– counteract any tendency by CB to allow commercial or counteract any tendency by CB to allow commercial or other considerations to prevent objective certificationother considerations to prevent objective certification

–– advise on matters affecting confidence of certification, advise on matters affecting confidence of certification, such as openness and public perceptionsuch as openness and public perception

–– review, at least once annually, impartiality of the audit, review, at least once annually, impartiality of the audit, certification and decision making processescertification and decision making processes



6.2 Committee for safeguarding impartiality6.2 Committee for safeguarding impartiality6.2.2 composition, TOR, competence, responsibilities to be 6.2.2 composition, TOR, competence, responsibilities to be

documented and authorized by top management to ensuredocumented and authorized by top management to ensure–– balanced representationbalanced representation--no single interest no single interest

predominating (personnel of the certification body are predominating (personnel of the certification body are considered to be a single interest)considered to be a single interest)

–– Access to all the information necessary to enable it to Access to all the information necessary to enable it to fulfill its functionsfulfill its functions

5.2.2 impartiality analysis5.2.2 impartiality analysis5.3.2 financial analysis5.3.2 financial analysis

–– right of committee to independent action if top right of committee to independent action if top management does not respects its advice (e.g. management does not respects its advice (e.g. informing authorities or informing authorities or ABsABs))


Committee for Committee for safeguarding impartialitysafeguarding impartiality

:If relevant

Consumers/Public

CB

Tradeassociations

Clients/Producers

Government Experts

Customers of clients


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 7 Resource requirementsSection 7 Resource requirements

What is new?What is new?–– regarding CB and audit team competence?regarding CB and audit team competence?

Requirements that result in a process for ensuring the Requirements that result in a process for ensuring the assignment of competent audit teamassignment of competent audit team

–– competence analysis (7.1 & 7.2)competence analysis (7.1 & 7.2)–– application reviewapplication review——competence needed (9.2.2.2)competence needed (9.2.2.2)–– audit team selectionaudit team selection——competence provided (9.2.2.3)competence provided (9.2.2.3)–– competence to make certification decision (9.2.2.4)competence to make certification decision (9.2.2.4)



ISO/IEC 17021:2006: 4.3 ISO/IEC 17021:2006: 4.3 –– Competence = the ability to Competence = the ability to applyapply knowledge and skills (eknowledge and skills (eg like a lab technician or an g like a lab technician or an inspector) inspector) –– attending a training course, having a attending a training course, having a diploma, .. are examples of qualifications, not diploma, .. are examples of qualifications, not examples of demonstration of competenceexamples of demonstration of competence7.2.7. The certification body shall use auditors and 7.2.7. The certification body shall use auditors and technical experts only for those certification activities technical experts only for those certification activities where they have where they have demonstrateddemonstrated competence (monitoring of competence (monitoring of previous activities, feedback from the client, witnessing on previous activities, feedback from the client, witnessing on site, interviews, passed a formal examination, a formal site, interviews, passed a formal examination, a formal test, holds a certificate, test, holds a certificate, …….).)The initial competence evaluation of an auditor shall The initial competence evaluation of an auditor shall include a observation by a competent evaluator observing include a observation by a competent evaluator observing the auditor conducting an audit.the auditor conducting an audit.



CB shall ensure :– Personnel has relevant knowledge in the fields of activity

and geographic regions in which it operates– For each sector, it determines competence requirements

to be demonstrated prior to performance– It has competent management and administrative

personnel, in addition to auditors and experts– It has access to the necessary technical expertise for

advice on matters directly relating to certification for technical areas, types of management system and geographic areas in which the certification body operates. Such advice may be provided externally or by certification body personnel.



What is new?What is new?–– regarding impartiality?regarding impartiality?

personnel records shall include any relevant consultancy personnel records shall include any relevant consultancy services that may have been provided (7.4)services that may have been provided (7.4)

Not a note from an auditor saying that he/she is impartial, Not a note from an auditor saying that he/she is impartial, but a note describing what are the conflicts but a note describing what are the conflicts ……


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 8 Information Section 8 Information

What is new?What is new?–– regarding publicly accessible information?regarding publicly accessible information?

certifications granted, suspended or withdrawn (8.1.3)certifications granted, suspended or withdrawn (8.1.3)EgEg. Website, allow visit to the office, send by e. Website, allow visit to the office, send by e--mail or mail or fax on request, give information by phone, fax on request, give information by phone, ……


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 8 InformationSection 8 Information

What is new?What is new?–– regarding the certification documents?regarding the certification documents?

an an expiry expiry date consistent with the redate consistent with the re--certification cycle certification cycle (8.2.3.c)(8.2.3.c)


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 8 InformationSection 8 Information

8.4.2 A certification body shall not permit its marks to be applied to laboratory test, calibration or inspection reports, as such reports are deemed to be products in this context.

8.5.2 The certification body shall inform the client, in advance, of the information it intends to place in the public domain. All other information, except for information that is made publicly accessible by the client, shall be considered confidential.


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 9 Process requirementsSection 9 Process requirements

Somewhat the process approach to CBSomewhat the process approach to CB’’ss



9.1 general requirements9.1 general requirements9.2 initial audit and certification9.2 initial audit and certification9.3 surveillance activities9.3 surveillance activities9.4 recertification9.4 recertification9.5 special audits9.5 special audits9.6 suspending, withdrawing, reducing scope of certification9.6 suspending, withdrawing, reducing scope of certification9.7 appeals9.7 appeals9.8 complaints9.8 complaints9.9 records of applicants and clients9.9 records of applicants and clients



Process requirementsProcess requirements–– used used ““functional approachfunctional approach”” for all three kinds of audits for all three kinds of audits

in the certification cyclein the certification cycle–– Initial, Surveillance, RecertificationInitial, Surveillance, Recertification

““selection processselection process””——planning planning ““determination processdetermination process””——auditaudit““attestation processattestation process””——audit reportaudit report““attestation review processattestation review process””——certification decisioncertification decision



What is new?What is new?–– regarding the certification process?regarding the certification process?

flexibility to adjust the audit program based on flexibility to adjust the audit program based on demonstrated effectiveness of the clientdemonstrated effectiveness of the client’’s management s management system (9.1.1system (9.1.1))



9.1 General requirements9.1 General requirements9.1.1 Certification and audit program (9.1.1)9.1.1 Certification and audit program (9.1.1)

twotwo--stage audit for initial certificationstage audit for initial certificationthree year certification cycle begins with certification or rethree year certification cycle begins with certification or re--certification decisioncertification decisionsurveillance audits in first and second years (the date of surveillance audits in first and second years (the date of the first surveillance audit following initial certification shathe first surveillance audit following initial certification shall ll not be more than 12 months from the last day of the not be more than 12 months from the last day of the stage 2 audit)stage 2 audit)rere--certification audit in the third year prior to expirationcertification audit in the third year prior to expiration



9.1 General requirements9.1 General requirements

9.1.1 9.1.1 subsequent adjustments to the audit program shall subsequent adjustments to the audit program shall consider demonstrated level of management system consider demonstrated level of management system effectiveness and results of previous auditseffectiveness and results of previous audits–– The The ‘‘hookhook’’ for new IAF guidance for advanced for new IAF guidance for advanced

surveillance and reassessment procedures (ASRP)surveillance and reassessment procedures (ASRP)




9.1.1 where a CB is taking account of certification 9.1.1 where a CB is taking account of certification or other audits already granted the client, it or other audits already granted the client, it shall collect sufficient, verifiable information shall collect sufficient, verifiable information to to justify and record adjustments to the audit justify and record adjustments to the audit programprogram




9.1.2 audit plan for each audit 9.1.2 audit plan for each audit –– documented requirementsdocumented requirements……in accordance with the in accordance with the

relevant guidance provided in relevant guidance provided in ISO 19011ISO 19011

9.1.3 CB shall have a process for appointing audit team 9.1.3 CB shall have a process for appointing audit team based on competence neededbased on competence needed–– documented requirementsdocumented requirements……in accordance with the in accordance with the

relevant guidance provided in relevant guidance provided in ISO 19011ISO 19011




9.1.4 auditor time for an effective audit9.1.4 auditor time for an effective audit–– documented process for determinationdocumented process for determination–– auditor time, as determined by the CB, and auditor time, as determined by the CB, and

justification, to be recordedjustification, to be recorded

9.1.5 multi9.1.5 multi--site samplingsite sampling–– documented rationale for the sampling plandocumented rationale for the sampling plan




9.1.6 audit team and client knowledge of tasks given to the 9.1.6 audit team and client knowledge of tasks given to the audit teamaudit team–– examine and verify the structure, policies, processes, examine and verify the structure, policies, processes,

procedures, records and related documents of the procedures, records and related documents of the client relevant to the management systemclient relevant to the management system

–– meet requirements relevant to the scope of certificationmeet requirements relevant to the scope of certification–– determine processes are established, implemented and determine processes are established, implemented and

maintained effectively to provide a basis for confidence maintained effectively to provide a basis for confidence in the clientin the client’’s management systems management system

–– communicate to the client any inconsistencies between communicate to the client any inconsistencies between clientclient’’s policies, objectives and targets and the resultss policies, objectives and targets and the results




9.1.7 CB shall provide to the client the name and, when 9.1.7 CB shall provide to the client the name and, when requested, background information on each audit team requested, background information on each audit team membermember–– time for the client to objecttime for the client to object–– time to reconstitute the teamtime to reconstitute the team

9.1.8 audit plan to be communicated, and dates to be 9.1.8 audit plan to be communicated, and dates to be agreed, in advanceagreed, in advance




9.1.9 CB shall have a process for conducting on9.1.9 CB shall have a process for conducting on--site audits site audits –– documented requirementsdocumented requirements……in accordance with the in accordance with the

relevant guidance provided in ISO 19011relevant guidance provided in ISO 19011

Note: Note: ‘‘onon--sitesite’’ can include remote access to electronic can include remote access to electronic site(s)site(s)–– provides the provides the ‘‘hookhook’’ for IAF guidance on computer for IAF guidance on computer

assisted auditsassisted audits




9.1.10 CB shall provide a written report for each audit9.1.10 CB shall provide a written report for each audit–– based on relevant guidancebased on relevant guidance……in ISO 19011in ISO 19011–– may identify may identify OFIOFI’’ss but not recommend solutionsbut not recommend solutions–– ownership of the report by the CBownership of the report by the CB




9.1.11 CB 9.1.11 CB shallshall require the client to analyze the cause and require the client to analyze the cause and take correction and corrective action to eliminate identified take correction and corrective action to eliminate identified nonconformities, within a defined timenonconformities, within a defined time

9.1.12 CB 9.1.12 CB shallshall review the corrections and corrective actions review the corrections and corrective actions to determine if these are acceptableto determine if these are acceptable




9.1.13 CB shall inform the client what is needed to verify 9.1.13 CB shall inform the client what is needed to verify effective correction and corrective actioneffective correction and corrective action

additional full audit?additional full audit?additional limited audit?additional limited audit?documented evidence that will be confirmed on documented evidence that will be confirmed on future surveillance audits?future surveillance audits?




9.1.14 CB shall ensure the decision for certification or 9.1.14 CB shall ensure the decision for certification or recertification is made by persons or committees different recertification is made by persons or committees different from those who carried from those who carried out the auditsout the audits




9.1.15 CB shall confirm, prior to making a decision9.1.15 CB shall confirm, prior to making a decisiona) information from the audit team is sufficient with a) information from the audit team is sufficient with respect to requirements and scoperespect to requirements and scope




9.1.15 CB shall confirm, prior to making a decision9.1.15 CB shall confirm, prior to making a decisionb) it has reviewed, accepted and verified the b) it has reviewed, accepted and verified the effectiveness of correction and corrective action for effectiveness of correction and corrective action for any nonconformities that representany nonconformities that represent

failure to fulfill requirements of the standard; orfailure to fulfill requirements of the standard; orsignificant doubt the clientsignificant doubt the client’’s system can achieve s system can achieve intended outputsintended outputs




9.1.15. CB shall confirm, prior to making a decision9.1.15. CB shall confirm, prior to making a decisionc) for any other nonconformities, it has reviewed and c) for any other nonconformities, it has reviewed and accepted the clientaccepted the client’’s planned correction and s planned correction and corrective actioncorrective action



9.2 Initial audit and certification9.2 Initial audit and certification9.2.1 application9.2.1 application9.2.2 application review9.2.2 application review9.2.3 initial certification audit9.2.3 initial certification audit9.2.4 initial certification audit conclusions9.2.4 initial certification audit conclusions9.2.5 information for granting initial certification9.2.5 information for granting initial certification



9.2 Initial audit and certification9.2 Initial audit and certification9.2.1 application9.2.1 application

–– CB shall require applicant to provide information to CB shall require applicant to provide information to enable it to establish the following:enable it to establish the following:

desired scope of certificationdesired scope of certificationname, address, sites, significant aspects, name, address, sites, significant aspects, legal legal obligationsobligationsinformation relevant for field of certification, information relevant for field of certification, resources, relationship in a corporationresources, relationship in a corporationinformation concerning information concerning outsourced processesoutsourced processesstandards or requirements for certificationstandards or requirements for certificationapplicants to provide information concerning any applicants to provide information concerning any management system consultancy receivedmanagement system consultancy received



9.2 Initial audit and certification9.2 Initial audit and certification9.2.2 application review9.2.2 application review9.2.2.1 CB to review application to ensure9.2.2.1 CB to review application to ensure

information sufficient for an auditinformation sufficient for an auditrequirements provided to applicantrequirements provided to applicantany known differences are resolvedany known differences are resolvedCB has competence and ability to provide CB has competence and ability to provide certificationcertificationscope, locations, audit time, language, threats to scope, locations, audit time, language, threats to safety or impartiality has been taken into accountsafety or impartiality has been taken into accountrecords of justification to accept client are records of justification to accept client are maintainedmaintained



9.2 Initial audit and certification9.2 Initial audit and certification

9.2.2 application review9.2.2 application review9.2.2.2 based on application review, CB to determine 9.2.2.2 based on application review, CB to determine competences needed for audit team and for the competences needed for audit team and for the certification decisioncertification decision

9.2.2.3 appointment of an audit team having the totality 9.2.2.3 appointment of an audit team having the totality of competences neededof competences needed

9.2.2.4 appointment of persons for making the 9.2.2.4 appointment of persons for making the certification decision that have the competence neededcertification decision that have the competence needed




9.2.3 initial certification audit shall be 9.2.3 initial certification audit shall be conducted in two stagesconducted in two stages

stage 1 and stage 2stage 1 and stage 2



9.2 Initial audit and certification9.2 Initial audit and certification9.2.3.1 stage 1 audits9.2.3.1 stage 1 audits

9.2.3.1.1 stage 1 audit shall be performed to:9.2.3.1.1 stage 1 audit shall be performed to:–– audit the management system documentationaudit the management system documentation–– evaluate site(s) and personnel to determine evaluate site(s) and personnel to determine

preparedness for the stage 2 auditpreparedness for the stage 2 audit–– review clientreview client’’s understanding and identification of key s understanding and identification of key

performance or significant aspects regarding the scope performance or significant aspects regarding the scope and operation of the management systemand operation of the management system




9.2.3.1.1 stage 1 audit shall be performed to:9.2.3.1.1 stage 1 audit shall be performed to:–– collect necessary information regarding the scope and collect necessary information regarding the scope and

related statutory and regulatory requirements of the related statutory and regulatory requirements of the clientclient’’s operations operation

–– review allocation of resources and agree with the client review allocation of resources and agree with the client upon details for the stage 2 auditupon details for the stage 2 audit




9.2.3.1.1 stage 1 audit shall be performed to:9.2.3.1.1 stage 1 audit shall be performed to:–– provide a focus for planning the stage 2 audit by provide a focus for planning the stage 2 audit by

gaining understanding of the clientgaining understanding of the client’’s management s management system, site operations and significant aspectssystem, site operations and significant aspects

–– evaluate if internal audits and management review are evaluate if internal audits and management review are being performed and that the level of implementation being performed and that the level of implementation substantiates the client is ready for the stage 2 auditsubstantiates the client is ready for the stage 2 audit




9.2.3.1.2 9.2.3.1.2 stage 1 audit findings shall be documented and stage 1 audit findings shall be documented and communicated to the client, including identification of any communicated to the client, including identification of any areas of concernareas of concern

BackBack--toto--back stage 1 and 2 are back stage 1 and 2 are theoretically theoretically …… possible, possible, A stage 1 audit not on site is A stage 1 audit not on site is theoretically theoretically …… possiblepossibleThe number of man days is only fit for auditing activities, The number of man days is only fit for auditing activities,

which is only a small part of stage 1 which is only a small part of stage 1 ……




9.2.3.1.3 in determining the arrangements for the stage 2 9.2.3.1.3 in determining the arrangements for the stage 2 audit, consideration shall be given to the time needed to audit, consideration shall be given to the time needed to resolve areas of concern identified in the stage 1 auditresolve areas of concern identified in the stage 1 audit



9.2 Initial audit and certification9.2 Initial audit and certification9.2.3 initial certification audit9.2.3 initial certification audit

9.2.3.2 stage 2 audit9.2.3.2 stage 2 audit——the purpose is to evaluate the the purpose is to evaluate the implementation, including effectiveness of the clients implementation, including effectiveness of the clients management system. The stage 2 audit shall take place management system. The stage 2 audit shall take place at the sites of the client.at the sites of the client.




9.2.3.2 the stage 2 audit shall include, at least:9.2.3.2 the stage 2 audit shall include, at least:–– evidence of conformity to all requirementsevidence of conformity to all requirements–– performance against key objectives and targetsperformance against key objectives and targets–– performance as regards legal complianceperformance as regards legal compliance–– operational control of processesoperational control of processes–– internal auditing and management reviewinternal auditing and management review–– management responsibility for clientmanagement responsibility for client’’s policiess policies–– links between requirements, policy, performance links between requirements, policy, performance

objectives and targets consistent with expectations of objectives and targets consistent with expectations of the standard, legal requirements, responsibilities, the standard, legal requirements, responsibilities, competence of personnel, operations, performance competence of personnel, operations, performance data and internal audit conclusionsdata and internal audit conclusions




9.2.4 initial certification audit conclusions9.2.4 initial certification audit conclusionsthe audit team shall analyze all information and the audit team shall analyze all information and audit evidence from the stage 1 and stage 2 audits audit evidence from the stage 1 and stage 2 audits and agree upon conclusionsand agree upon conclusions




9.2.5 information for granting initial certification9.2.5 information for granting initial certification

9.2.5.1 information provided by audit team for the 9.2.5.1 information provided by audit team for the certification decision shall includecertification decision shall include–– audit reports (stage 1 and stage 2)audit reports (stage 1 and stage 2)–– comments on nonconformities and correction and comments on nonconformities and correction and

corrective actionscorrective actions–– confirmation of information used in application reviewconfirmation of information used in application review

number of employees for determining audit durationnumber of employees for determining audit durationuse of consultancyuse of consultancy

–– audit team recommendation for or against certificationaudit team recommendation for or against certification




9.2.5 information for granting initial certification9.2.5 information for granting initial certification

9.2.5.2 CB shall make the certification decision on 9.2.5.2 CB shall make the certification decision on the basis of the audit findings and the basis of the audit findings and conclusions and other relevant informationconclusions and other relevant information



9.3 Surveillance activities9.3 Surveillance activities9.3.1 general9.3.1 general9.3.2 surveillance audit9.3.2 surveillance audit9.3.3 maintaining certification9.3.3 maintaining certification



9.3 Surveillance activities9.3 Surveillance activities9.3.1 general9.3.1 general

9.3.1.1 9.3.1.1 CB shall develop its surveillance activities so CB shall develop its surveillance activities so representative areas and functions are monitored on a representative areas and functions are monitored on a regular basis and take into account changesregular basis and take into account changes



9.3 Surveillance activities9.3 Surveillance activities9.3.1 general9.3.1 general

9.3.1.2 9.3.1.2 surveillance shall include onsurveillance shall include on--site site audits and audits and may include:may include:

enquiries to the client on aspects of certificationenquiries to the client on aspects of certificationreviewing clientreviewing client’’s website and promotionss website and promotionsrequests to the client for documents and recordsrequests to the client for documents and recordsother means of monitoring performanceother means of monitoring performance



9.3 Surveillance activities9.3 Surveillance activities

9.3.2 surveillance audit9.3.2 surveillance audit9.3.2.1 surveillance audits are on9.3.2.1 surveillance audits are on--site audits, but not site audits, but not

necessarily full system audits and shall be planned with necessarily full system audits and shall be planned with other surveillance activities so the CB can maintain other surveillance activities so the CB can maintain confidence that the management system continues to confidence that the management system continues to fulfill requirements between recertification auditsfulfill requirements between recertification audits




9.3.2 surveillance audit9.3.2 surveillance audit9.3.2.1 surveillance audit program shall include, at least:9.3.2.1 surveillance audit program shall include, at least:–– internal audits and management reviewinternal audits and management review–– actions on actions on NCRsNCRs from previous auditfrom previous audit–– ComplaintsComplaints–– Effectiveness achieving clientEffectiveness achieving client’’s objectivess objectives–– Progress at continual improvementProgress at continual improvement–– Continuing operational controlContinuing operational control–– Changes Changes –– Use of marks and reference to certificationUse of marks and reference to certification




9.3.2 surveillance audit9.3.2 surveillance audit9.3.2.2 surveillance audits shall be conducted at least 9.3.2.2 surveillance audits shall be conducted at least

once a year.once a year.

–– date of the first surveillance audit following certification date of the first surveillance audit following certification shall be not more than 12 months from the last day of shall be not more than 12 months from the last day of the stage 2 audit the stage 2 audit (=date of closing meeting(=date of closing meeting))




9.3.3 maintaining certification9.3.3 maintaining certification–– CB shall maintain certification based on demonstration CB shall maintain certification based on demonstration

that the client continues to satisfy requirements. that the client continues to satisfy requirements. –– CB may maintain certification based on a positive CB may maintain certification based on a positive

conclusion by the audit team leader w/o further conclusion by the audit team leader w/o further independent review, providedindependent review, provided::

for any issue that may lead to suspension or for any issue that may lead to suspension or withdrawal, the audit team leader initiates review by withdrawal, the audit team leader initiates review by competent personnel different from those carrying competent personnel different from those carrying out the audit out the audit Competent CB personnel monitoring the Competent CB personnel monitoring the effectiveness of the CBeffectiveness of the CB’’s surveillance programs surveillance program



9.4 Recertification9.4 Recertification9.4.1 recertification audit planning9.4.1 recertification audit planning9.4.2 recertification audit9.4.2 recertification audit9.4.3 information for granting recertification9.4.3 information for granting recertification



9.4 Recertification9.4 Recertification

9.4.1 recertification audit planning9.4.1 recertification audit planning9.4.1.1 a recertification audit shall be planned and 9.4.1.1 a recertification audit shall be planned and

conducted to evaluate continued fulfillment of all conducted to evaluate continued fulfillment of all requirements, to confirm continued conformity and requirements, to confirm continued conformity and effectiveness of effectiveness of the management system as a whole, the management system as a whole, and continued relevance for the scopeand continued relevance for the scope




9.4.1 recertification audit planning9.4.1 recertification audit planning9.4.1.2 the recertification audit shall consider 9.4.1.2 the recertification audit shall consider

performance over the period of certification and include performance over the period of certification and include review of previous surveillance audit reportsreview of previous surveillance audit reports



9.4 Recertification9.4 Recertification9.4.1 recertification audit planning9.4.1 recertification audit planning

9.4.1.3 may need a stage 1 audit if there have been 9.4.1.3 may need a stage 1 audit if there have been significant changessignificant changes

9.4.1.4 audit planning shall include consideration of 9.4.1.4 audit planning shall include consideration of multiple sites or multiple standards to ensure adequate multiple sites or multiple standards to ensure adequate onon--site coveragesite coverage



9.4 Recertification9.4 Recertification9.4.2 recertification audit 9.4.2 recertification audit

9.4.2.1 shall include an on9.4.2.1 shall include an on--site audit that addressessite audit that addresses–– effectiveness of the system in its entirety and continued effectiveness of the system in its entirety and continued

relevance to the scope of certificationrelevance to the scope of certification–– demonstrated commitment to maintain effectiveness demonstrated commitment to maintain effectiveness

and improvement to enhance overall performanceand improvement to enhance overall performance–– system contributes to achievement of policies and system contributes to achievement of policies and

objectivesobjectives



9.4 Recertification9.4 Recertification9.4.2 recertification audit 9.4.2 recertification audit

9.4.2.2 for nonconformities, the CB shall define time limits 9.4.2.2 for nonconformities, the CB shall define time limits for correction and corrective actions to be implemented for correction and corrective actions to be implemented prior to expiration of certificationprior to expiration of certification




9.4.3 information for granting recertification9.4.3 information for granting recertification–– Decisions on renewing certification shall be based on Decisions on renewing certification shall be based on

results of the recertification audits as well as review of results of the recertification audits as well as review of the system over the period of certification and the system over the period of certification and complaints from users of certificationcomplaints from users of certification



9.9 Records9.9 Records

9.9.1 CB shall maintain records on all clients, including 9.9.1 CB shall maintain records on all clients, including applicants and for withdrawalsapplicants and for withdrawals




9.9.2 records shall include9.9.2 records shall include–– applications and audit reportsapplications and audit reports–– certification agreementcertification agreement–– justifications for samplingjustifications for sampling–– justifications for auditor time determinationjustifications for auditor time determination–– verification of correction and corrective actionsverification of correction and corrective actions–– records of complaints and appealsrecords of complaints and appeals–– committee deliberations and decisionscommittee deliberations and decisions–– documentation of certification decisionsdocumentation of certification decisions–– certification documentscertification documents–– related records to establish credibility of certification, related records to establish credibility of certification,

such as evidence of competence of auditors and such as evidence of competence of auditors and expertsexperts




9.9.3 CB shall keep records secure and confidential9.9.3 CB shall keep records secure and confidential

9.9.4 CB shall have a documented policy and 9.9.4 CB shall have a documented policy and procedures on retention of records. Records procedures on retention of records. Records shall be retained for the duration of the current shall be retained for the duration of the current cycle plus one full certification cyclecycle plus one full certification cycle


ISO/IEC 17021:2006ISO/IEC 17021:2006Section 10 Management systemSection 10 Management system

10 Management system requirements for CBs10 Management system requirements for CBs10.1 Options10.1 Options10.2 10.2 Option 1Option 1——Management system requirements in Management system requirements in

accordance with ISO 9001accordance with ISO 900110.3 Option 210.3 Option 2——General management system requirementsGeneral management system requirements



10 Management system requirements for CBs10 Management system requirements for CBs

10.1 Options10.1 OptionsCB shall have a management system for demonstrating CB shall have a management system for demonstrating consistent achievement of the requirements of [17021]. consistent achievement of the requirements of [17021]. In addition to meeting the requirements in 5In addition to meeting the requirements in 5--9 of [17021], 9 of [17021], a CB shall have a management system in accordance with a CB shall have a management system in accordance with 10.2 or 10.310.2 or 10.3




10.2 10.2 Option 1Option 1——Management system requirements in Management system requirements in accordance with ISO 9001accordance with ISO 9001–– CB shall have a MS conforming to ISO 9001CB shall have a MS conforming to ISO 9001

Scope shall include design and developmentScope shall include design and developmentCustomer focus shall consider the needs of all Customer focus shall consider the needs of all parties, not just its clientsparties, not just its clientsInput for management review shall include Input for management review shall include complaints and appeals from userscomplaints and appeals from usersDesign and development of new scheme, CB shall Design and development of new scheme, CB shall ensure guidance in ISO 19011 is an inputensure guidance in ISO 19011 is an input




10.3 Option 210.3 Option 2——General management system requirementsGeneral management system requirements

10.3.1 general10.3.1 generalCBCB’’s top management shall establish policies and s top management shall establish policies and objectivesobjectivesCBCB’’s top management shall appoint a management s top management shall appoint a management reprep

10.3.2 management system manual10.3.2 management system manual




10.3 Option 210.3 Option 2——General management system requirementsGeneral management system requirements

10.3.3 control of documents10.3.3 control of documents10.3.4 control of records 10.3.4 control of records (records shall be retained for the (records shall be retained for the duration of the current cycle plus one full certification duration of the current cycle plus one full certification cycle)cycle)10.3.5 10.3.5 management review (content more detailed)management review (content more detailed)10.3.6 internal audits10.3.6 internal audits10.3.7 corrective actions10.3.7 corrective actions10.3.8 preventive actions10.3.8 preventive actions


ContentContent

ISO/IEC 17021:2006: ISO/IEC 17021:2006: ““Conformity assessmentConformity assessment——Requirements for bodies providing audit and Requirements for bodies providing audit and

certification of management systemscertification of management systems ““Published 15 September 2006. Published 15 September 2006.



IAF guidancesIAF guidances

In November 2006, IAF resolved that the transition to ISO/IEC In November 2006, IAF resolved that the transition to ISO/IEC 17021:2006 be effective 24 months after publication17021:2006 be effective 24 months after publication–– based on the publication date of 15 September 2006, the based on the publication date of 15 September 2006, the

deadline will be 15 September 2008. deadline will be 15 September 2008. migrating to the new requirements may require migrating to the new requirements may require translations, changes to procedures, contracts, translations, changes to procedures, contracts, committees and other arrangements, all of which take committees and other arrangements, all of which take time.time.certification bodies will also need time to identify certification bodies will also need time to identify changes needed to their own quality management changes needed to their own quality management systems to conform to the new requirements and to systems to conform to the new requirements and to prepare and implement transition plans.prepare and implement transition plans.

–– the annexes to IAF GD2 and IAF GD6 should continue to be the annexes to IAF GD2 and IAF GD6 should continue to be applied until supersededapplied until superseded


IAF guidancesIAF guidances

In March 2006 and reaffirmed in November 2006, the IAF In March 2006 and reaffirmed in November 2006, the IAF Technical Committee decided to deTechnical Committee decided to de--link the annexes (to link the annexes (to current IAF guidance on ISO/IEC Guides 62 and 66) and current IAF guidance on ISO/IEC Guides 62 and 66) and publish these as standpublish these as stand--alone IAF application guidance or alone IAF application guidance or requirementsrequirements

Scopes of Accreditation for QMSScopes of Accreditation for QMSDuration of Audits to ISO 9001:2000Duration of Audits to ISO 9001:2000Duration of Audits to ISO 14001:2004Duration of Audits to ISO 14001:2004Certification of Multiple Sites based on SamplingCertification of Multiple Sites based on SamplingTransfer of CertificationTransfer of CertificationAdvanced Surveillance and Recertification Advanced Surveillance and Recertification Procedures (ASRP)Procedures (ASRP)


ContentContent

ISO/IEC 17021:2006: ISO/IEC 17021:2006: ““Conformity assessmentConformity assessment——Requirements for bodies providing audit and Requirements for bodies providing audit and

certification of management systemscertification of management systems ““Published 15 September 2006. Published 15 September 2006.



ConclusionConclusion

Very important standard, since now over 1.000.000 Very important standard, since now over 1.000.000 companies are certified in about 200 countries. It will be companies are certified in about 200 countries. It will be the the uniqueunique requirements document for accrediting bodies requirements document for accrediting bodies that certify any management system. This will help to that certify any management system. This will help to ensure consistent good practice both by ensure consistent good practice both by accreditorsaccreditors and and certifiers. certifiers. Not many guidelines for integrated audits: planning, audit Not many guidelines for integrated audits: planning, audit time, competence of time, competence of ““integrated auditorsintegrated auditors””, , …… still IAF will still IAF will have to help. have to help. So, integrated audits for QMS and EMS are So, integrated audits for QMS and EMS are logical, but the trend will go even more in this direction, logical, but the trend will go even more in this direction, with an auditor auditing with an auditor auditing ““core elementscore elements”” and and sectoralsectoralauditors/experts auditing the auditors/experts auditing the sectoralsectoral aspectsaspects


Things to do Things to do …… start as quickly as start as quickly as possiblepossible

Involvement of interest parties in analysis and impact on Involvement of interest parties in analysis and impact on the systemthe systemInternal audits of changesInternal audits of changesIf you have multiple sites, implementation in all these sitesIf you have multiple sites, implementation in all these sitesPersonal records reflecting Personal records reflecting ““competencecompetence”” instead of only instead of only meeting qualification requirementsmeeting qualification requirementsPractical changes: twoPractical changes: two--stages audits, report reviewing, stages audits, report reviewing,



newnew”” ISO 17021 document is NOT a simple cutISO 17021 document is NOT a simple cut--andand--paste paste merging of the two current ISO guides, combined with merging of the two current ISO guides, combined with the current IAF requirements since it involves now also the current IAF requirements since it involves now also some current trends in management systems and some current trends in management systems and accreditation which will create added valueaccreditation which will create added valueEvidences need to be readily available by the CB on Evidences need to be readily available by the CB on impartiality, competence, man days, certification decision, impartiality, competence, man days, certification decision, …… less need for AB auditors to review links, less need for AB auditors to review links, cvcv’’ss, man day , man day calculations, certification decisions, calculations, certification decisions, …… AB auditors can AB auditors can simply always ask: simply always ask: ““I have the perception that something I have the perception that something is wrong, show me that it is not?is wrong, show me that it is not?””



Any CB opposing to this standard, would mean that the Any CB opposing to this standard, would mean that the corresponding AB was doing its work badly corresponding AB was doing its work badly –– the view of the view of Belgian CBBelgian CB’’s that BELAC during the last 5s that BELAC during the last 5--7 was tough is 7 was tough is completely in line with the new standard completely in line with the new standard ISO/IEC 17020 and ISO guide 65 will be aligned with this ISO/IEC 17020 and ISO guide 65 will be aligned with this standard standard –– so CBso CB’’s start preparing s start preparing It doesnIt doesn’’t make of auditors more easily t make of auditors more easily –– the the ““old old fashioned ISO 9002fashioned ISO 9002”” auditor will disappearauditor will disappear


From From ““this onethis one”” to to ““This oneThis one””

This oneThis one

Thank you BELAC for making sure that most Thank you BELAC for making sure that most Belgian CBBelgian CB’’s probably already have a lot of work s probably already have a lot of work done done …… it makes our life as AB auditor easier it makes our life as AB auditor easier ……

Slides Iso 17021 Be Lac

Documents

Transcript of Slides Iso 17021 Be Lac