Certification committee2019-02-15T16:31:18+00:00

The answers presented here represent the consensus view of the EA Certification Committee – they are intended for informational purposes and should not be used as official guidance for the implementation of the requirements of the standards concerned. 

When reading questions and answers take into consideration whether transition periods are on-going.

Search in EA FAQ

Table of contents

Questions relating to ISO/IEC 17021-1: 2015 – Management Systems Certification

Question 32.1 Road Traffic Safety MS Scoping

The ISO/IE TS 17021-7 does not refer to differences for scoping purposes. The differences are based on context as referred to in table A 1 in the annex of ISO 39001. Some ABs scope in accordance with NACE codes, others in accordance with Table A1. What would be the appropriate scoping for ISO 39001?

September 2016

Table A 1 would appear to be the most appropriate mans of scoping for ISO 39001

Question 32.2 GFSI

GFSI is requiring Scheme owners to comply with their requirements like additional new audit items, but also to ‘audit’ all elements during every audit. This appears in contradiction with the methodology of MS certification as determined for QMS and EMS through IAF MD5 or FSMS through ISO/TS 22003, which applies the audit time reduction for surveillance and recertification audits (of 2/3 and 1/3 of the initial time respectively). Yet AB’s are giving with their accreditation logo’s the impression that auditing all elements is equally effective as covering them during the whole cycle. The clearest example is comparison of ISO22000 versus FSSC22000.

The question is:

  1. How do we interpret that GFSI based schemes have to ‘audit’ all criteria whereas the methodology of MS certification applies the assessment of all criteria over the certification cycle which therefore allows to give a reduction for surveillance and recertification audits.
  2. To enable the same amount of confidence to these different types of certification audits, should we require that these schemes apply a different time allocation scheme as well (i.e. above ISO/TS 22003)?

September 2016

GFSI Guidance Document – Version 6.4 / November 2015 – Part II § 3.5.1 states :
“The scheme owner shall have a clearly defined and documented audit frequency programme, which
shall ensure a minimum audit frequency of one audit per year of an organisation’s facility and has the scope
to assess all elements of the scheme’s standard.”
General understanding of the clause and the sentence is that the requirements of assessing all elements lies with the audit programme and not with the annual audit (which is in the sentence the first requirement put on the audit programme). There are no contradiction between GFSI requirements and ISO/IEC 17021-1 ISO/TS 22003 and related IAF MD documents.

Question 32.3 Duration

Background: ISO/IEC 17021-1:2015 does not specify requirements for audit time and audit duration. IAF-MD5 and e.g. ISO/TS22003 describe this in more detail. MD5 describes in §4.1 that audit duration (on-site) should not be less than 80% of the audit time indicating that planning and reporting should typically be <20% of the audit time. ISO/TS22003 is a bit clearer by mentioning that preparation (and reporting) are not included in audit time.
In practice it is noted that CAB’s consider to allocate time for reporting (else no report would be made), but time for planning and more importantly preparation of the audit team is not included (nor mentioned) and thus depends on the personal time of the team members.

Question: Could it be considered to suggest an amendment to IAF-MD5 to identify whether preparation time is required, that this be justified and recorded, and potentially indicate a ‘minimum’?

September 2016

Clause 9.1.4 of ISO/IEC 17021-1:2015 specifies the overriding requirements for audit time and requires that ‘for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system.’ This is confirmed by clause 0.6 of IAF MD 5 which states that ‘notwithstanding the guidance provided by this document (MD 5) the time allocated for a specific audit should be sufficient to plan and accomplish a complete and effective audit of the client’s management system.’

It is, therefore, clear that preparation time to plan an audit is required by both ISO/IEC 17021-1:2015 and IAF MD 5.

There will be evidence from witnessed audits and reports to determine whether or not the certification body has an effective process for planning audits. Providing the certification body has demonstrated an effective process for planning audits and is allocating sufficient on site time to accomplish a complete and effective audit, there is no need for it to separately justify and record planning time.

Question 32.4 2-Stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) cause some interpretation problems.
It is stated in a NOTE under 9.3.1.2.1 that “Stage 1 does not require a formal audit plan (see 9.2.3).”
Secondly, 9.2.3.1 states that “The certification body shall ensure that an audit plan is established prior to each audit identified in the audit programme…”.

Related questions are the following:

  1. What is required as the audit plan for a stage I? Is a telephone conversation acceptable?
  2. Since the stage II audit is not a separate audit, a formal audit plan is not required either?
  3. Or does this mean that the stage II audit (or the overall «initial audit») plan has to be prepared prior to stage I (i.e. prior to «the initial audit»), maybe in a more generic way, but with the objective that the stage I provides further focus/adaptation to this plan (ref. 9.3.1.2.2.f)?
  4. Do the requirements for 9.2.3 (and more specifically 9.2.3.2) apply to the audit plan for a stage II (even though that is not a separate audit)? Particular attention is requested to the requirement in 9.2.3.2.a (objectives) which are quite different for a stage I (9.3.1.2.2) from a stage II ‘audit’ (9.3.1.3).
  5. Can it be required that the CAB prior to the stage I at least will have to inform the client that prior to stage II an audit plan is prepared in line with the requirements of 9.2.3?
  6. A note normally does not contain requirements; how then can a note make requirements not applicable (as is the case here)?

September 2016

The sequence of clauses in ISO/IEC 17021-1 is as follows :

  • § 9.1.3.2 and 9.3.3.1 : the initial audit (part of the audit programme)is a two-stage audit
  • § 9.2.3.1: … an audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.
  • § 9.2.3.2: “The audit plan shall be appropriate to the objectives and the scope of the audit.”
  • § 9.2.3.2 and 9.2.3.3: give the elements to be found in each formal audit plan for each audit; It may come that some elements are not applicable/ necessary for stage 1.

Then an audit plan is required before the initial audit (then before stage I) so that the organisation to be audited is aware of what is to be audited and when (“agreement regarding the conduct and scheduling of the audit activities”). The CB may choose to draft one unique plan for stage I and II, in the form required per § 9.2.3.2 and 9.2.3.3, the plan addressing all elements of 9.3.1.2.2 and 9.3.1.3. If there is only one plan, it has to be reminded to the client that the plan may be adjusted after stage 1, following the conclusions of stage I.
If the CB chooses to have a plan in 2 parts, one for stage I, and then, after stage I, one specific for stage II it may accommodate the form of the stage I plan, as all points of § 9.2.3.2 and 9.2.3.3 may not apply. What is captured in the NOTE, is not to say that a plan is not required but is only waiving the formal aspects of the plan.

From there answers to questions :

  1. A plan (whether separate or not) is required but does not have to be formal, focusing on the objectives stated in § 9.3.1.2.2. If the plan is specific to stage 1 (where not the full team is present and not all elements are audited) it may waive some points of § 9.2.3.2 (c-d-e-f) as not yet identified at this stage, and of 9.2.3.3 (b-c). As does not have to be formal maybe an email or a phone call is acceptable. Records on what has been agreed with the client needed to demonstrate implementation of requirements (e.g. 9.2.3.1)
  2. See above: stage II plan is required, whether specific or integrated in the global “initial audit” plan
  3. An overall plan may be prepared before stage I (in other words the audit plan communicated before stage 1 may include the elements of stage 2), with the information known by the CB at this stage , to be reviewed after stage I conclusions
  4. All apply
  5. Yes, it has to be required in the case that the plan is not drafted in once
  6. According to ISO, Information marked as “NOTE” is intended to assist the understanding or use of the document. The NOTE intends to waive the “formal aspects” of the plan and not the full requirement

Question 32.5 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) cause some interpretation problems.

In 9.3.1.2.3, it is stated in a NOTE that “The stage I output does not need to meet the full requirements of a report (see 9.4.8). “

We do consider that the report of the “initial audit” in its totality (i.e. the full report prepared after conclusion of stage II), does need to comply with the requirements of 9.4.8. This means that it shall also include or refer to the “k) audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit” (i.e. findings, evidence and conclusions consistent with the requirements of stage I and stage II). So although the stage I findings don’t have to be reported immediately after the stage I in a report complying with all requirements of 9.4.8 (since then only “Documented conclusions with regard to fulfilment of the stage I objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.” have to be reported), the stage I findings (positive and negative) should find their way into the overall “initial audit” report after stage II.

Please confirm that the above position, i.e. the report (whether consisting from several documents or not) in its totality shall comply with all requirements of 9.4.8 for both stage I and stage II audits.

September 2016

In 9.3.1.2.3, it is stated that “Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage II.”

Actually “Documented conclusions” refers to “Stage I Audit Report” that does not need to meet the full requirements of a report as given in 9.4.8. That means not all items of audit report given in 9.4.8 are covered.

This report or “documented conclusions” shall be communicated before stage II. Since the standard is not saying “immediately communicated”, it can be communicated immediately or later stage I. However, it shall be communicated before stage II.

According to related requirements of the standard, the CB can prepare one “Initial Audit Report” consisting of two separate parts (e.g. Stage I and Stage II) or prepare two seperate audit reports; “Stage I report” and “Stage II report”. In the second case, most of requirements of 9.4.8 should be covered including sub-item “k)” “audit findings” since there is no need to report the conclusions of Stage I as “nonconformity”, just “identification of any areas of concern that could be classified as a nonconformity during Stage II” is enough.

Since the stage I “documented conclusions” shall be communicated in any format with the client of CB and these have to be based on findings (positive and negative), these (stage I findings) should find their way into the overall “initial audit” report after stage II provided that the conclusions are communicated with the client after or at the end of Stage I, and before Stage II.

Question 32.6 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) cause some interpretation problems.

Clause 9.4.1 states that “The certification body shall have a process for conducting on-site audits. This process shall include an opening meeting at the start of the audit and a closing meeting at the conclusion of the audit.”

Does this mean that the initial audit require only an Opening Meeting (meeting the requirements of 9.4.2) at the start of the stage I audit and a Closing Meeting (meeting the requirements of 9.4.7) at the end of the stage II audit (i.e. no Closing Meeting at end of stage I or Opening Meeting at the start of stage II)?
These would seem like a silly consequence as these audits have clear and distinct objectives, i.e. both need full Opening and Closing Meetings.

September 2016

Clause 9.4.2 of ISO/IEC 17021-1:2015 states that the purpose of the opening meeting is to ‘…..provide a short explanation of how the audit activities will be undertaken.’ Since the audit objectives and activities for stage one and stage two are different, the requirement of clause 9.4.2 can only be met if there is an opening meeting for each stage.
The requirement of clause 9.4.7 relate to a formal closing meeting which includes the recommendation regarding certification. A formal meeting complying with clause 9.4.7 is, therefore, not required at the end of stage one. However, clause 9.4.3.1 requires the audit team leader to ‘….periodically communicate the progress of the audit and any concerns to the client.’ Clause 9.3.1.2.2 requires that an objective of stage one is to ‘….undertake discussions with the client’s personnel to determine the preparedness for stage two.’ Whilst a formal closing meeting, in accordance with clause 9.4.7 is not required at the end of stage one, there is clearly a need for a meeting with the client, at the conclusion of stage one, in order that the certification body can meet the requirement for communication with the client and the objectives of stage one.

Question 32.8 logos

ISO/IEC 17021:2015, 8.3.1 denies any possibility of a labelling of products by an enterprise which is certified (only) with its management system.

In contrast, the PEFC rules allow the use of the logo “on product” for forest owners (see PEFC ST 2001:2008 , 7.2.1 : „The PEFC Logo can be used on-product by a PEFC Logo user with valid PEFC Logo usage license for group B (forest owners and managers) and group C (forest related industries).“ This is also possible for the group members respectively members of the Regional Working Groups in Germany.

In practice, the mark of conformity is not placed on the wood coming from forests under PEFC management, but there is one possible exemption to be discussed: a sign marking the entrance of the forest under PEFC management as “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”. This statement is connected with the PEFC logo and the certification number.
This can be interpreted as incorrect logo use.

September 2016

As far as the question is about the use of the phrase “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”, connected with the PEFC logo and the certification number (but no CB marks) as far as the mark of the CB is not used This statement is OK. There are no rules for the use of the Scheme owner marks (PEFC).
The PEFC document was prepared in 2008 and revised in 2010 and “PEFC ST 2001:2008”, date of entry into force is 2010-11-26. As a scheme owner, PEFC marks are different to CBs Marks.

PEFC selected ISO/IEC 17021-1:2015 as accreditation standard for “Sustainable Forest Manegement System” certification bodies. According to EA-1/22 requirements 3.5 and 3.6, the scheme owner shall not contradict or exclude any of requirements of ISO/IEC 17021-1:2015 as EA MLA Level 3 standard.

EA-1/22: 

“3.5 The conformity assessment process described or chosen by the SO shall fall within the scope of one of the EA MLA Level 3 standards (see EA-1/06).

3.6 Scheme specific requirements placed on CABs by the SO shall not contradict, or exclude, any of the requirements included in the standard referred t: o in 3.5.”

All the above mentioned considers that the PEFC logo is not a third party mark of conformity, cl. 3.1, in ISO 17030 (“Conformity assessment. General requirements for third-party marks of conformity applies”).

Question 33.1 Impartiality

This relates to clause 5.2.7 of ISO 17021-1:
5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Several CBs accredited by a particular NAB use contracted auditors (not ‘subcontractors,’ but individuals contracted to work for the CB, under the CB’s management system). Most of these auditors also provide consultancy. The NAB has, in the past, accepted that CBs could certify the management systems of clients who received consultancy from one of these contractors, as long as it was demonstrated that satisfactory controls were in place – transparency, different auditors, informing the impartiality committee, etc.

Clause 5.2.7 could be understood to mean that this practice can no longer continue.
However, it is proposed that this clause does not apply in the scenarios described above, because
a) Clause 5.2.7 refers to ‘a body,’ and the consultancy here is provided by individuals; and
b) Furthermore, clause 5.2.7 states that “A recognized mitigation of this threat is…” Because the word recognized is used, it means that there may be other ways of mitigating the threat; it is not mandated that the CB shall not certify the management system for two years.
Does the CC agree with the NAB’s position?

March 2017

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.7 should be invoked and the “2 year” rule should be invoked, or a similar mitigation.

Question 33.2 OH@SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance.

Temporary sites, for example construction sites, shall be covered by the OH&SMS of the organization that has control of these sites, irrespective of where they are located. The need to visit such sites and the extent of sampling shall be based on an evaluation of the risks of failure of the management system to control the OH&S risks associated with the client’s operations (see clause B.9 of Appendix B)”.

Question: Considering the same importance and dignity of all the workers of an organization, that can affect the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the sites of the organization? In other words, can an organization decide to certify only a part of the organization, excluding some sites?

Example: An organization has 1 headquarter and a network of 10 sites. The organization applies the OH&SMS only in the headquarters and in 5 sites. Is it acceptable, or the company has to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all sites.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope not scope of certification. EA-3/13 does not make any reference to whether or not all sites shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1 which states that that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all sites are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 1702-11, therefore, it is acceptable that some sites could be excluded from the scope of certification.
The CB should report on the rationale/justification for not including all sites.

Question 33.3 OH@SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance”.

Question: Considering that all the activities, products and services within the organization’s control or influence can impact the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the activities, products and services of the organization?
In other words, can an organization decide to certify only a part of its activities, excluding some activities, products and services?

Example: An organization produce cars and trains. The organization applies the OH&SMS only in the cars production. Is it acceptable, or the company has to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all production activities, products and services.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope not scope of certification. EA-3/13 does not make any reference to whether or not all activities, products and services shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1 which states that that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all activities, products and services are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 17021, therefore, it is acceptable that some activities, products and services could be excluded from the scope of certification

However the OH&SMS should reflect the core activities of the organisation i.e. a manufacturing company should have the manufacturing activity as part of the OH&SMS, not just for example the office activities.

The CB should report on the rationale/justification for not including all activities.

Question 33.6 Operational Control

If a certification body does not have any agency, representative or branch office, is the Clause 6.2.2 still applicable to check their own operational controls? I mean, is 6.2.2 independent from Clause 6.2.1 or a subclause linked with it?

March 2017

Clause 6.2.2 is independent and that it apples to the certification body’s own operational controls as well as control of activities delivered by branch offices, partnerships, agents, franchisees, etc.,

Question 33.7 Organisational Control

What does the following mean?

“The person(s) [excluding members of committees (see 6.1.4)] assigned by the certification body
to make a certification decision shall be employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body.”
Who are these persons?
Are these persons from the entities where explained in bullets a, b and c in the same clause? Or these persons can be different?

March 2017

*These persons can be from the entities explained in the bullets a,b,c and also persons employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body.
IAF Technical Committee Decision 15/10/02 is relevant to this question.
It is acceptable for CB decision taking group to be composed of people who are hired as external personnel; provided the personnel meet the competence requirements outlined in ISO/IEC 17021 and ISO/IEC 17021-1 (e.g. section 7.2.8) and the CB has organizational and operational control outlined ISO/IEC 17021-1, section 6.2 as it relates to the decision making person/s.
There are many examples today of this type of situation and ABs have found it acceptable in accordance with ISO/IEC 17021.
Note: ISO/IEC 17021 (nor ISO/IEC 17021-1) does not differentiate between permanent and non-permanent staff.
This means that the persons do not have to be from the entities listed in bullets a), b) and c), but that they shall be under a legally enforceable arrangement with the certification body or one of the entities listed in bullets a), b) and c) and must be under the certification body’s operational control.

Question 33.8 Operational Control

What is the interaction between clause 6.2 and 7.5?
Does status of an organisation having a relationship with the CB for performing any part of the certification activities of the CB fall in clauses 6.2.1 and 7.5.1?
Under which circumstances such an organization does not fall in the clause 7.5?

March 2017

Clause 6.2 is concerned with the certification body having operational control over its certification activities performed by its branch offices, joint ventures, agents and franchises etc.

Clause 7.5 covers the certification body’s process for outsourcing (subcontracting) of any part of the certification activities to another organisation. Organisations listed in Clause 6.2 which are part of the certification body, for example branch office, joint ventures are not subject to the requirements of Clause 7.5. Organisations listed in Clause 6.2 which are not part of the certification body, for example some particular agents and franchises are subject to the requirements of Clause 7.5.

Question 33.10 Product References Primary Packaging

Is it possible to use the statement (ref requirement 8.3 of ISO/IEC 17021-1:2015) on the primary packaging, the one that is in direct contact with the product like the tomatoes’ can, or the milk bottle?

The standard clearly stat that is not possible to add the certification mark on the packaging but is not so clear about the statement use.
“A certification body shall have rules governing the use of any statement on product packaging or in accompanying information that the certified client has a certified management system. Product packaging is considered as that which can be removed without the product disintegrating or being damaged. Accompanying information is considered as separately available or easily detachable. Type labels or identification plates are considered as part of the product.”

March 2017

It was agreed that according to the standard it is not possible to add the certification mark on the primary product packaging.

Bottles are packaging material, so the statement can appear on the bottle. The statement must refer to the management system not to the product.

Question 33.11 Quoting of 17021 parts

Relating to ISO/IEC17011: 2004 Clause 7.9.4
The accreditation body shall provide an accreditation certificate to the accredited CAB. This accreditation certificate shall identify (on the front page, if possible) the following:
……..
g) a statement of conformity and a reference to the standard(s) or other normative document(s), including
issue or revision used for assessment of the CAB.

The Question: With the recent issuance of requirements document ISO/IEC17021-3: 2016 to support accreditation to ISO/IEC17021-1: 2015 EMS, do AB’s have to make reference to this normative document on EMS accreditation scoping documentation in the same manner as Level 4 documents such as ISO27006.

March 2017

This was discussed at the IAF Technical Committee meeting in Frankfurt in April 2017; the question has been raised before in 2014.

IAF Decision log states

Some ABs reference ISO/IEC 17021 on the certificate with the assumption that it includes the dash standards (e.g. ISO/IEC 17021-2) as it is applicable to the scope of accreditation, and they do not reference all the parts. The ABs feel this is appropriate because the foreword of ISO/IEC 17021 standard states, ISO/IEC 17021 consists of the following parts…

Some ABs include all normative documents used in the assessment of the CB (per ISO/IEC 17011), including all individual parts of ISO/IEC 17021 (e.g. ISO/IEC 17021-2) and IAF MDs. One word of warning with including everything (including versions) is that it can become an issue of maintenance; however, it is the ABs decision on the level of detail included.

The TC reached consensus that the ABs can decide how to manage the accreditation certificate on their own, recognizing accreditation certificates can vary in level of detail. “

Question 33.14 medical Devices Scoping

According to ISO 13485 standard it can be used by organizations involved in one or more stages of the life-cycle of a medical device, including design and development… Furthermore, it can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies…) to such organizations. The supplier or external party can voluntarily choose to conform to the requirements of ISO 13485 or can be required by contract to confirm.

In case the product cannot be unambiguously defined to be a medical device or any of the related products identified in the ISO 13485 but the manufacturer still wants to certified against ISO 13485 – is this acceptable or not?

And more generally can ISO 13485 be used for certification purposes in the voluntary field outside the proper scope of the standard?

March 2017

Supplier or external party shall demonstrate the intention of its “product” (item such a device, part incorporated in a device, raw material etc.) or service in the context of an application or use of a medical device.

  • CAB (certification body) has to perform a contract review considering the elements stated in this answer (see below) including the national interpretation of medical devices performed by the national regulatory authorities (apply list of medical devices or family of medical devices). .
  • Activity or product shall fall into the definition of (ISO 13485:2016 – 3 Terms and definitions – 3.11 medical device (see also source GHTF/SG1/N071:2012, 5.1 and 5.2 ( note GHTF/SG1/N071:2012 5.2 is not mentioned in ISO 13485:2016. Therefore, ISO 13485:2016 is not fully clear in the non-regulated field of IVD.

The supplier or external party seeking certification according to ISO 13485:2016 shall justify all not applicable clauses of ISO 13485:2016. The CAB shall critically audit the reason for not applying the requirements. Certification bodies shall always avoid certifying when it has some indication that a standard is applied in a way to only pretend compliance in the medical device field and in reality, it does not fit the encountered activity. The contract review of the supplier or external party shall always include an investigation of the purpose of the use of the ordered “product” or service.
Conclusion: If no clarity is reached the supplier or external party should better be certified against ISO 9001:2015 only. Therefore, there shall be no certification outside the proper scope of the standard ISO 13485:2016. The only difficulty lies in the evaluation of the boundary of the scope of the standard ISO 13485:2016 as it will contain some arbitrary components and perhaps some national particularities.

Question 33.15 Consultancy

5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Many CB’s external auditors are owners of one man consultancy enterprises and the contracts with the CB are signed by the enterprise.
We have understood the changes in wording of the standard in a way that in such cases the relationship constitutes a significant threat to impartiality as the contractor is the enterprise/body – not an individual and thus 5.2.8 does not apply.

In addition, we recently faced a case where at the same time the CB made an annual surveillance of ISO 9001:2008 certification by auditor X an external auditor Y of the same CB was giving consultancy to the same company for ISO 9001:2015.

What would be your reaction in such cases?

March 2017

Clause 5.2.8 refers to outsourcing (sub-contracting) and this is different to contracting-in external resources.

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.8 should be invoked and the CB should not outsource audits to them

An individual used as a contracted-in external resource does not come under 5.2.8 however impartiality rules still apply in terms of ensuring previous relationships do not compromise the impartiality of the audit process.

Question 33.16 Annual Indicators

IAF MD 15 defines the data an AB shall collect on an annual basis as indicators of CBs activities.

The NAB has included the indicators in the request for information we regularly ask the CBs to provide before the assessment. However we have not received relevant information concerning “overdue audits”. According to the NAB’s experiences the CBs have not even defined when an audit is ”overdue” or any consequences of delayed/overdue audits.

The NAB has raised a NC of this type of findings in several assessments.

To be discussed: Have other NABs similar experiences or findings? What actions have been taken? An NC raised against MD15 documents?

March 2017

IAF TC Dec log April 2016 (see below) shows some explanation about what is an “overdue audit” helping to the definition of overdue audits.

The information is collected is for exploitation of the AB during assessments. There are no requirements at the IAF MD 15 about the need to define consequences of delayed/overdue audits. The indicators could provide an insight into the effectiveness of the Certification Body’s processes. The requirements about due date of audits are at the ISO 17021-1 : first surveillance (only for ISO 17021:2006 and 2011) second surveillance and recertification audit (each calendar year and before the expiry date of the certificate)

Question 33.19

The CB shall periodically evaluate the performance of each auditor on-site. The frequency of on-site evaluations shall be based on need determined from all monitoring information available

Is there any upper limit of frequency (in years) recommended? (some CB perform yearly monitoring of personnel audit, other CB extend the frequency to many years.)

March 2017

There is not any specified upper limit for on-site monitoring in ISO/IEC 17021-1:2015, IAF MD-10 and any other relevant normative documents. But, in practice the most of CBs perform at least one on-site monitoring every three years. According to ISO/IEC 17021-1:2015 clause 7.2.9 “There shall be a documented process for monitoring competence and performance of all persons involved, based on the frequency of their usage and the level of risk linked to their activities.”. This frequency should be based on assignment frequency and the level of risk.

Another factor, linked to risk, which should be considered is the results of previous monitoring. It is reasonable to expect that auditors where issues have been identified are monitored more frequently than those where no issues have been raised.

In ILAC P15:07/2016 clause 6.1.9b, for inspection body’ inspectors there is a limit saying that “at least once during the accreditation re-assessment cycle”.
For ABs, ISO/IEC 17011:2004 clause 6.3.2 says that “Each assessor shall be observed on-site regularly, normally every three years.”

Question

Is the performance of energy audits, in accordance with ISO 50002 or BSEN 16247, as well as environmental and/or energy management system certification for the same client considered to be an unacceptable threat to impartiality?

March 2017

Consensus Position
An energy audit may be used to support the “Energy review”, which is a key process and forms the basis for an energy management system according to ISO 50001. An energy audit according to ISO 50002 (or BS EN 16247) is defined as a “systematic analysis of energy use and energy consumption within a defined energy audit scope, in order to identify, quantify and report on the opportunities for improved energy performance”. Performing a full energy audit according to ISO 50002 or BS EN 16247 contains elements of management system consultancy, including the following examples:

  • “establish and evaluate the current energy performance”;
  • “The energy auditor shall identify energy performance improvement opportunities based on analysis and the following: a) their own competency and expertise …
  • “When reporting the energy audit results, the energy auditor shall: … f) provide a prioritized list of energy performance improvement opportunities; … g) suggest recommendations for the implementation of the opportunities.”
  • “The energy audit report shall include the following topics: d) opportunities for improving energy performance: 1) recommendations and the suggested implementation programme; 2) assumptions and methods used in calculating energy savings, and the resulting accuracy of
    calculated energy savings and benefits; 3) assumptions used in calculating costs of implementation, and the resulting accuracy; 4) appropriate economic analysis, including known financial incentives and any non-energy gains; 5) potential interactions with other proposed recommendations; 6) measurement and verification methods recommended for use in post-implementation assessment of the recommended opportunities;”.

Therefore, the performance of energy audits, in accordance with ISO 50002 or BSEN 16247, as well as environmental and/or energy management system certification for the same client is considered to be an unacceptable threat to impartiality. It is noted that providing EMS or EnMS certification to entities, related to the client where the Certification Body has provided an energy audit, who could use those energy audit results (i.e. through having a similar energy profile) shall also be considered to be an unacceptable threat to impartiality.

When EnMS and EMS Certification Bodies demonstrate through their regular mechanisms awareness and mitigation of the risks to impartiality arising from the consultancy elements as listed above, the performance of energy audits at other clients is not considered to be an unacceptable threat to impartiality.

Question 34.2 Incorrect References to certification

Due to a delay in the re-certification process (application of clause 9.6.3.2.5) an organization is temporally without a certificate. (delay of audit + closure of non-conformities) but it seems that the certification status could be reinstalled within 6 months from expiry date.

How is ISO/IEC 17021-1:2015, 8.3.5: “The CB shall … take action to deal with incorrect references to certification status” to apply? The organization makes promotion with the certification status on their website and on their business documents (stationery). They state that they need the certification to get business.

Shall the CB enforce clause 8.3.5 for this short period (up to 6 months) that the organization deletes the publicity as “certified company” from the website and shall the CB request stopping the use of the business documentation (stationery) with the certification status as “certified”?

September 2017

During the period between the certificate expiring and the successful completion of the re-certification process, the organization is not certified, according to § 9.6.3.2.4 “then recertification shall not be recommended and the validity of the certification shall not be extended. Τhe client shall be informed and the consequences shall be explained”.

During the suspension period, the status “certified company” as mentioned in its communication, business documentation, but also in the contracts with its own customers (this should not be forgotten), is incorrect, and the CB has to take action in case of incorrect reference to certification status as per § 8.3.5

Question 34.3 Appeals

A CB has a rule for handling complaints and appeals:
“Cost of complaints and appeals will be charged to the complainant/appellant in the case of a negative decision against the complaint or appeal.”
Is this a discriminatory action against the appellant if the CB charges the appellant only in a negative case or decision?

September 2017

This question was subsequently discussed at IAF and an IAF Decision was recorded:

Consensus of the IAF TC: Decision Log: 17/10/05

Charging of Fees for the handling of unsuccessful Appeals

If the entity considers the risk to impartiality and have mitigated any identified risks and the process is considered effective; then it is up to the entity if they are going to charge a fee or not.

Question 34.4 Conflicts of Interest

See

9.5.1.1 The certification body shall ensure that the persons or committees that make the decisions for
granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits.

5.2.12 All certification body personnel, either internal or external, or committees, who could influence
the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.

Therefore, there is no requirements that states that the sales person (internal or external sale agent) has to be are different from those who carry out the audits or take decision.
However if the sales person takes a fee from the CB for selling the certification service, there is a high risk of impartiality if the same sales agent is involved also in auditing or decision.

So, is it an acceptable risk the fact that a sales person could act, for the same client, also as an auditor or a decision maker?

Example:

  • Mr. Smith (sales agent) takes the fee of 100 € from the CB for each contract signed by a new client, and other 500 € if the Client maintains the certification for the first certification cycle.
  • After the signature of the contract, the CB assigns to Mr. Smith also the responsibility to perform the audits or the decision
  • if the audit goes well Mr. Smith earn extra 500 €.. a good incentive to grant a certificate!

September 2017

There is no requirement of ISO/IEC 17021 which specifically prevents a sales person being involved in audits or decisions of clients he/she has introduced to a certification body. Clause 5.2.1 of ISO/IEC 17021 requires that certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality. In the example quoted, there will clearly be a potential conflict of interest which could compromise the impartiality of the certification process and Clause 5.2.3 of ISO/IEC 17021 requires the certification body to:

  • have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification;
  • document and demonstrate how it eliminates or minimizes such threats and document any residual risk
  • (top management) shall review any residual risk to determine if it is within the level of acceptable risk
    This is reinforced by Clause 5.2.13 of ISO/IEC 17021 which requires the certification body to
  • require personnel, internal and external, to reveal any situation known to them that can present them or the certification body with a conflict of interests;
  • record and use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them;
  • not use such personnel, internal or external, unless they can demonstrate that there is no conflict of interest.

It may be possible that a sales person could be involved in the certification process, provided the certification body can demonstrate that its process for managing impartiality has evaluated that there is no conflict of interest. The fact that for clients the sales person has introduced to the certification body, he/she will receive payment depending on a positive audit/decision, means there is a conflict of interest and he/she cannot be used in the certification process (ref. ISO/IEC 17021 Clause 5.2.13). This would not, necessarily, prevent the sales person being used for clients he/she did not introduce to the certification body.

Clause 5.2 note 1 should also be noted: Source of threats to impartiality of the certification body can be based on :payment of a sales commission or other inducement for the referral of a new clients etc.

Question 34.5 Certification Marks

The CB would like use a mark accompanied with the picture where only the name of the corporate appears together with letters indicating the country. Of course the certification requirement is referenced too e.g. ISO 9001 or ISO 14001.

The problem is that XXXXXX has a lot of other activities outside certification (training, advisory services etc.) and the certification activities are performed by the daughter company of XXXXXX, the legal entity XXXXXX Certification Ltd which is the CAB (legal entity) accredited.

We would appreciate view of other NABs on implementation of clause 8.3.1 of ISO/IEC 17021-1 which the proposal maybe doesn’t comply with.

I think the traceability to the certification body is becoming more and more important once the references to certification can appear also in product packages.

Unfortunately send the model cannot be attached for confidentiality reasons.

September 2017

The important factor to take into account here is the traceability of the certificate to the accredited Certification Body

Quesiton 34.6 IAF MD5

IAF MD 5:2015 clause 4.4:”The CAB shall provide the audit time determination and the justification to the client organization as a part of the contract and make it available to its Accreditation Body upon request”.

To what extent does the information supplied to the client need to be client specific? See below examples:

Question part 1; Which of below listed alternatives can be accepted as audit time determination and justification to be provided to the client organization as part of the contract-

  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document? Example “Audit time has been calculated in accordance with requirements in the document IAF MD5:2015, available at iaf.nu”
  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document, complemented with information that a more detailed explanation will be included in the audit report of Stage 1?
  • To state the total days offered and include a general explanation on the calculation method with examples of factors that may potentially be used as a basis of addition/reduction for audit time calculation?
  • To state the total days offered and include information on the number of personnel used, the complexity level used and a specification of the actual factors that has affected the audit time calculation of the client?
  • The full man-day calculation shall be included, fully traceable with adjustments in percentages etc. (This “determination and justification” would in this case have the same level of detail as the one available to the Accreditation Body at assessment)

Question part 2; Is it acceptable to state in the contract that, due to confidentiality reasons, the information will be made available for the client upon request?

September 2017

This question was subsequently discussed at the IAF Technical Committee in Vancouver October 2017, the recorded decision was: –

Consensus of the IAF TC: Decision Log: 17/10/02

MD5 clauses 2.3.2 and 4.4

The justification included in the written contract must be enough for the client to understand the calculation and may not include all of the calculations the CAB used to determine the audit time (which can be reviewed by the AB within the CAB records).
The detail in the contract may include; determination and number of effective personnel, the number of audit days, and the factors without the percentage that were applied based on the information supplied by the organization seeking certification, for all of the requirement documents (e.g. IAF MD 11).
It is not acceptable for the contract to just refer to IAF MD 5 to understand the audit time determination.
Note; the contract may include annexes that include this level of detail. As long as the annex is part of the contract this would be acceptable in meeting IAF MD 5.

Additional Discussion
The reason for the new requirements in IAF MD 5 was to make sure the CAB was open and transparent with the clients, as well as the ABs (upon request). And to prevent unfair competition by withholding information from the client.
If we focus too much on the numbers, we have lost the intent as it relates to the value of the audit and it will be lost on the client. We question getting too prescriptive.
There is a need to build awareness with the clients to understand the outliers and the jeopardy that has on the certification. The information should be enough to understand the outliers.

Question 34.7 Assessment for Notification Purposes

Are the IAF Mandatory Documents obliged to use as the criteria of the conformity assessment (IAF MD 1, IAF MD 2, IAF MD 5) when accreditation for notification purposes is according to ISO/IEC 17021-1?

September 2017

A new revision of EA 2/17 will begin soon, managed by the HHC, this point will be clarified as part of that revision process.

The consensus of the CC was that the Mandatory documents apply for Accreditation for Notification wherever that standard is used as the preferred standard. But care should be taken because, for example, for Module D and E ISO/IEC 17065 has been identified as the preferred standard and so the MDs in question would not apply. The only Module with ISO/IEC 17021-1 as the preferred standard is Module H.

Question 34.9 Identification of revised certification documents

ISO 17021-1, clause 8.2.2 The certification body shall provide by any means it chooses certification documents to the certified client
i) in the event of issuing any revised certification documents, a means to distinguish the revised documents from any prior obsolete documents.
Can this requirement be considered as fulfilled if the revised certification document has a unique serial number/date different from the obsolete document or shall the revised document have a reference to the obsolete document

September 2017

Both cases can be acceptable.
The CB can use any means to distinguish or differentiate these two versions of the obsolete document.

Question 35.1 Decision Making Competence

The expected knowledge of the decision-making committee or person includes all the criteria and procedures for certification, shall this also include the knowledge of the various industrial scopes.

Shall the person(s) or committee(s) who will take the decision have the competence:

  • in accreditation scheme requirement (ISO/IEC 17021-1 & ISO/IEC 17021-3)
  • the conformity assessment scheme requirements (ISO 9001)
  • as well as in the industrial scope (39 fields)?

If yes what is the difference between an assessor and the decision-making person.

March 2018

According to: ISO/IEC 17011 clause 6.2.1 “6.1.2.1 The accreditation body shall have a documented process for determining and documenting the competence criteria for personnel involved in the management and performance of assessments and other accreditation activities. Competence criteria shall be determined with regard to the requirements”

Therefore, with regard to the items in the question:

–           Yes, they should have competence in the conformity assessment standard

–           Yes, they should have knowledge of the scheme requirements

–           No, generally there would be no requirements for the m to have detailed knowledge of the industrial scope

It is not expected that the decision makers should have the same level of knowledge as an assessor, but they need to now sufficient to ensure that everything relevant has been covered by the assessment. Decision makers can call on expertise as part of their review.

Question 35.2 ISO 27001 ISMS Scoping

We have a certification body with an client for ISO 27001 that has within its (client of the CB) scope ‘cloud storage’ but this is hosted by a third party company. We have required evidence of how this can be included in the scope and how it can be incorporated into the client’s ISMS. We have accepted this situation if the third-party company carrying out the ‘cloud storage’ has an accredited ISO 27001 certificate for this activity and the CB’s client has to ensure that this is current and maintained.

Does the committee consider this acceptable?

March 2018

It is the responsibility of the certified client to ensure the cloud storage provider meets requirements:

ISO 27001 requires in #8.1 Operational planning and control

“The organization shall ensure that outsourced processes are determined and controlled.”

Although ensuring the cloud storage provider holds an accredited ISO 27001 certificates is, of course, one means to control that process (“cloud storage”) is not the only one possibility.

Question 35.3 ISO 27001 ISMS calculation of audit time

This question concerns how the calculation of auditor time for ISMS audits should be carried out. One CB we have is applying a formula to calculate ‘effective personnel’ and then applying the tables in Annex B and Annex C of ISO 27006. There is a concept of ‘effective personnel’ contained in ISO 50003 but there is no such term used in ISO 27006. IAF MD 5 also includes the concept of ‘effective personnel’ for QMS and EMS audits.

Does the committee consider this acceptable?

March 2018

Annex B of ISO 27006 states:

“The total number of persons doing work under the organization’s control for all shifts is the starting

point for determination of audit time.”

The concept in the 2 documents is the same: the effective personnel is the personnel falling into the scope of the QMS or ISMS, which means potentially each and every person who is utilizing the ISMS or the QMS.

The concept in ISO 50003(Annex A) is different as the effective personnel is defined as personnel “who materially impact the EnMS”.

The criteria of IAF MD5, i.e. the effective number of personnel, should be the one taken into account for implementing ISO 27006.

Question 35.6 Accreditation to Draft Standards

When we had the transition from ISO 9001:2008 and ISO 14001:2008 to the new revision, we had some accreditation bodies that accredited CABs already on the draft of the 2015 revision.

So, we had CABs accredited on the F-DIS before the publication of the standard.

Soon we will have the publication of ISO 45001:2018, and we are facing the same situation.

Questions:

  1. Can an AB accredit against a draft of the standard already circulated for public consultation (but not yet published)?
  2. Can an AB accredit against a draft of the standard not yet circulated for public consultation but available as a draft within the working group?

March 2018

The consensus of the Certification Committee is that accreditation can only be delivered against a formal, published, standard, not against a DIS or FDIA.

  1. According to 765 Reg:
    • Accreditation shall mean an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity;
  1. EA MLA Coverage
    • Conformity Assessment Schemes (CAS) covered by the EA-MLA (according to EA MLA Coverage) are:
      • Accreditation according to ISO/IEC 17025
      • Accreditation according to ISO/IEC 15189
      • Accreditation according to ISO/IEC 17020
      • Accreditation according to ISO/IEC 17024, etc.

Question 35.8 Exclusion of “design and development”

With the requirements of ISO 9001:2015, is it still possible to exclude “design and development” in the application phase and to give an a-priori reduction on the time allocation?

In the opinion of RvA, the new standard requires that “The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.” Though it is accepted that for some organisations, an appropriate process may be a simple process to audit, however, all organisations will perform some form of design and development (if only to enable changes to the internal processes and services). The appropriateness of the process will have to be audited (especially in initial audits).

It is our opinion that a statement like “the scope of certification does not specify ‘design and development’ and therefore we reduce 10 – 30 % of audit time” is not in line with the current requirements and intent of ISO 9001:2015 and of ISO 17021-1, cl. 9.1.4. 2.a.

March 2018

The consensus view of the CC is that YES, it is possible to exclude design and development but that such an exclusion must be justified.

It is agreed that most organisations carry out some type of design and development although it may not always be Recognised as such.

Design and development could be excluded of the scope of the QMS of an organization provided the organization has demonstrated (§ 4.3 and annex A5 of ISO 9001) that it has not to fulfill the requirement of § 8.3 of ISO 9001.

But the CB shall evaluate this demonstration and the real scope of the organization before deciding it can or not reduce audit time; This could be an output of stage I.

Question 35.9 Accreditation Cycle for MD17

Would it be possible to harmonise the concept of accreditation cycle for the purpose of equivalent application of the requirements for NAB’s in IAF MD17 (and others such as MD16, etc.).

MD17 requires NAB’s to determine the number of witness audits per accreditation cycle. For the purposes of harmonization, could we state that this should be read as the number of witness audits per 4 years and that if NAB’s have an accreditation cycle of 5 years, that the number of witness audits in the cycle should be 20% higher. The discrepancy between the cycle lengths would negate part of the harmonization efforts that are intended by this IAF MD.

March 2018

This question was put to the IAF Technical Committee in Frankfurt in March 2018, IAF MD17 was subsequently updated and is in draft form.

The draft introduced a standard first period of 5 years of accreditation for witnessing irrespective of the accreditation cycle, this was subsequently agreed at the IAF TC.

But the CB shall evaluate this demonstration and the real scope of the organization before deciding it can or not reduce audit time; This could be an output of stage I.

Question 35.10 Definition of nonconformity

During the assessment of a certification dossier (initial certification), RvA noted the following: though generally the nonconformities are rated and resolved appropriately, for one of the nonconformities the following is noted. Minor nonconformity X reads “The Management Review does not demonstrably include inputs “the effectiveness of actions taken to address risks and opportunities” and “opportunities for improvement” (ref. 9.3.2 e and f). The nonconformity was classified as minor, because the topics related to these sub elements could be shown to have been managed within the QA dept.

The client had taken the following (paraphrased) corrective action: The management review template was changed to include these topics (demonstrated); and new method will be implemented next year. This had resulted in closing the minor nonconformity and issuing the ISO 9001 certificate (effective implementation to be verified at the first surveillance).

The CAB had used the definitions in line with ISO/IEC 17021-1 (3.12 and) 3.13 to the letter. However, this means that the CAB has certified a client, while they have demonstrated that a nonconforming situation had not yet been demonstrably closed, i.e. it had demonstrated that the client does not comply with all requirements.

In our opinion, this is a clear and straightforward example of where the current definition of nonconformity does not function properly. Under the requirements of ISO/IEC 17021:2011, the CAB should have raised a major nonconformity, because, in line with cl. 9.1.15 b1, the “nonconformity represented 1) failure to fulfil one or more requirements of the management system standard” and the CAB was required to verify effective implementation of corrective actions prior to closure.

It is our opinion that in this type of cases “non-fulfillment of the requirement of the standard”, even though it is not demonstrable (or even if it is just not clear whether) this nonconformity affects the capability of the management system to achieve the intended results, should be raised as major nonconformities.

This topic may be as applicable to many other nonconformities, e.g.

“The organization did not define the audit criteria and scope for each internal audit” (9.2.2.b);

“The organization did not retain documented information that identifies the authority deciding the action in respect of the nonconformity”(8.7.2.d);

“It is not demonstrable that, in determining the extent of post-delivery activities that are required, the organization has considered customer feedback or customer requirements (cl. 8.5.5 d and e).

“It is not demonstrable that the organization has taken into consideration, the effectiveness of the controls applied by the external provider” (8.4.2.c.2);

Etc.

We ask if this item can be raised as a broader concern with the aim of ensuring that if a nonconformity is raised which represents “a failure to fulfill one or more requirements of the standard”, then the consequence is that such a nonconformity shall be closed only after effective implementation of corrective action has been demonstrated. This is to ensure that the CAB’s statement of conformity is not supported with an audit that has demonstrated a failure to fulfill a requirement of the standard.

March 2018

In the soul of the standard, writers concern two type nonconformities (see 3.11, 3.12 and 3.13 of ISO/IEC 17021-1:2015). One can be closed conditionally (without reviewing corrective action evidences for effective implementation), the other one can not (reviewing corrective action evidences for effective implementation is MUST).

Actually, it depends on the nature or context or content of the NC. According to new High Level Structure approach, the intended results can be changed from one organization to other one. Even the organisations are almost at the same size and in the same business sector. Their intended results may vary depending on what they want or expect from the implementation of ISO 9001 or any MS standard.

To support this comment, we should take into consideration Clause 9.5.2 b) and c) of ISO/IEC 17021-1:2015 given below.

3.11

nonconformity

non-fulfilment of a requirement

 

3.12

major nonconformity

nonconformity (3.11) that affects the capability of the management system to achieve the intended results

Note 1 to entry: Nonconformities could be classified as major in the following circumstances:

  •  if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  •  a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

 

3.13

minor nonconformity

nonconformity (3.11) that does not affect the capability of the management system to achieve the intended results

 

9.5.2 Actions prior to making a decision

The certification body shall have a process to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that:

  1. b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions; (actually the decision is not conditional)
  1. c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action. (actually the decision is conditional, effective implementation of correction or corrective action will be verified during the next audit e.g. first surveillance)

Question CW2017 1

This question is the result of a workshop held at the EACC meeting in March 2017

Can a Certification Body offer management systems related training?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1 and 5.2.3

The consensus position of the EACC is that training can be offered as long as it is generic and not tailored to a particular customer and as long as it does not offer direct solutions to the customer’s management system implementation.

Attendance at training courses must not be compulsory and customers sending delegates must not be given any preferential treatment.

The provision of training should be covered within the CB’s risk management system.

Question CW2017 2

This question is the result of a workshop held at the EACC meeting in March 2017

How much should the organisation’s consultant be involved in the CB audit process.

March 2018

ISO/IEC 17021-1: 2015 – clause 9.1.1; 9.2.2.3; and 9.3.1.3

The consensus position of the EACC is that there is no restriction on the presence of the consultant in the audit process.

The role of the consultant (e.g. ranging from being observer/guide to acting Quality Representative) shall be clearly established and the participation should be accordingly (e.g. no interference vs answering/contributing as QR).

Notwithstanding the above, the following points should be noted by the CBs auditor:

  • The management system should be owned by the organization with the consultant’s assistance, the organization must be able to demonstrate that there is effective leadership in terms of the implementation of the management system
  • If the consultant is present during the audit, it is important that the CB is able to see that the system is effectively implemented by the organization and is not just “owned” by the consultant.

Question CW2017 3

This question is the result of a workshop held at the EACC meeting in March 2017

Can the CB offer internal auditing to its clients

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.6

The consensus position of the EACC is that this is not possible for existing clients of the CB, internal auditing can be offered to other organisations not certified by the CB. There should be a suitable gap (2 years) between the CB offering internal audit and the customer becoming certified by that CB.

Question CW2017 4

This question is the result of a workshop held at the EACC meeting in March 2017

Can a CB provide finders fees to consultants

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1; 5.2.3; Attention is drawn to the IAF Technical Committee decision 10/10/01 which his reproduced here: –

It should be noted that this decision was made in 2010 and there have been some changes since then, for example the bullet point referring to Impartiality Committee, which is no longer a requirement; reference should be made to the risk processes of the certification body.

“Consensus of the IAF TC is that there are alternative methods to the 2-year option to manage impartiality in the case of payment of commission/finder’s fee to consultants.  A CAB has to demonstrate the following:

  • Transparency – all documentation relevant to this relationship are recorded and available on request to AB. The client and relevant CAB personnel are aware of this relationship and/or payment of commission/finder’s fee and that the CAB does not provide special treatment.
  • Management of the CAB has signed the relevant declaration of impartiality that includes reference to such relationships and their management.
  • Risk assessment conducted for the specific relationship between the involved parties. Special attention given to the threats arising from relationships of the parties/individuals involved.
  • Impartiality committee reviews the effectiveness of management of risk due to such relationships.
  • A process is established to ensure there is no special treatment of clients during the certification process.
  • Instances of pressure or influence from management, consultant or client are reported and mitigated.
  • Additional witnessing of the audits may need to be conducted by the CAB.
  • Closer scrutiny of audit output and certification / recertification decisions.
  • Monitoring of such relationships through internal audit.
  • An AB may need additional time to assess the management of such relationships and may also need to conduct additional witness audits.”

Questions relating to ISO/IEC 17065 – Product Certification

Question 32,7 Other standards

The question concerns certification schemes where inspection is (part of) the evaluation activities. Which independence criteria would apply to inspection bodies or individually hired inspectors?

As certification and the inclusive components like inspection are a third party activity, we would assume that the requirements of ISO/IEC 17020: 2012 Clause 4.1.6.a / Clause A.1. apply in full.

September 2016

It is for the certification scheme (and accordingly for the scheme owner) to specify the independence requirements applicable to the nature of the evaluation activity. So in general, inspection bodies type A, B or C might be specified to be used where inspection is (part) of the evaluation activities. In the other hand it is for the CB to demonstrate that both internal and external resources meet the independence requirements stipulated in the relevant standard.

A) Individually hired inspectors (ISO 17065 6.2.1 internal resources )
The requirements for personnel including the inspectors are described in the Standard.(ISO/IEC 17020:2012) regardless of the type (A, B or C ) of inspection body from which they derive.

B) Outsourced Inspection body (ISO 17065 6.2.2 external resources )
ISO 17065 6.2.2.2 allows the CB to outsource activities to “non independent” bodies like the testing lab. of the client of the certification body. Certification is a third-party activity, but Inspection as a part of the certification scheme may include “different parties´” activities: from Type A inspection Bodies (third-party inspection), Type B and/or Type C inspection bodies (first party inspection for its parent organization ).

Type A inspection bodies may always be used for evaluation activities complying with the rest of requirements of the ISO 17065.

The use of type B and C implies that the CB analyzes the potential conflicts of interest and adopts measures to eliminate or reduce it. Type B inspection bodies all should not be involved in the certification of its parent company but may be used for evaluation activities complying with the rest of requirements of the ISO 17065.The use of Type C inspection bodies as part of the evaluation may be used for evaluation activities complying with the rest of requirements of the ISO 17065 but this fact should be communicated in advance to the client of certification.

Probably it is going to be easier for a CB to demonstrate independence when using Type A inspection bodies while it will require more work when using Type C inspection bodies.

Question 33.4 Discrimination

Clause 4.4 of ISO/IEC 17065 reads:

4.4.1 The policies and procedures under which the certification body operates, and the administration of them, shall be non-discriminatory. Procedures shall not be used to impede or inhibit access by applicants, other than as provided for in this International Standard.[…] 4.4.3 Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued. There shall not be undue financial or other conditions.
During a recent assessment an assessor raised following NC against 4.4:
Within „certification case XYZ“, the fee was reduced without reason (compared to the fee schedule). The rules and procedures of the CB foresee such reductions but without reasoning. (The CB is internationally active and subject to assessments of several AB. Furthermore, the reduction of the fee was decided on by a “non CL” office, not the accredited office itself.)

1) Does the EA CC support the interpretation that individual, “freeform” discounts of certification fees without reasoning and general applicability are not in line with the requirements of ISO/IEC 17065 and constitute a discrimination especially looking at equal treatment of clients?

2) More generally, what is the stance of the EA CC toward discounts and application of fee schedules? Are discounts acceptable? Under which circumstances?

3) Does the EA CC support a submission of this query to the ISO/CASCO?

March 2017

A certification body does not have to charge all clients that are in the same condition the same fee. Offering discounts does not ‘impede or inhibit’ access by applicants, neither does it impose ‘undue financial or other conditions’.

The fees charged by a certification body are a purely commercial decision for the certification body and it is perfectly acceptable for a CB to charge different clients different fees, providing the certification process is applied equally to all clients. Certification bodies operate in a competitive environment. Most clients obtain multiple quotations for certification and cost will be one of the factors taken into account. Certification bodies need the flexibility to vary their fees in order to attract clients. There is no requirement in ISO/IEC 17065 for the CB to justify the reasons for the fees it charges or for applying a discount.

Question 33.5 Group Certification

EA 6/04 stresses that groups under an umbrella organization, where only this umbrella organization is certified, may NOT sell their products individually as certified.

How is this issue dealt with in face of the fact, that at least GLOBALG.A.P. as a major scheme owner does allow group members to sell their products individually, due to market pressure in the US?

What is the opinion of the EA CC in general in relation to group certificates, especially within product/process/service certification and their use by individual members?

The reply will be the more important since a solid stance on this will be part of the revised EA 6/04.

March 2017

In a group, certification is granted based on the sampling performed and based on the assessment that the group has done on all the operators that comprise it. An operator belonging to a certified group cannot receive an individual certificate (sub certificate) as far as it has not been evaluated.

Question 33.9 certification of Feeds

Regulation (EC) No. 834/2007 in the second paragraph of the first article provides products originating from agriculture, to which the latter regulation applies as follows:

(A) live or unprocessed agricultural products;
(B) processed agricultural products for use as food;
(C) feed and
(D) vegetative propagating material and seeds for cultivation.

Our assessment procedures take into account those four areas when assessing the qualifications of persons to carry out certification procedures. If all conditions for accreditation in these areas are fulfilled, they are also listed in the annex to the accreditation certificate.

Certification bodies accredited for certification of organic production and processing under Regulation (EC) No. 834/2007, in section “C” – feed include only customers – companies which produce feeds in the production process (eg. mixing concentrated feed). Customers which produce feed on their own farms (eg. grass, hay, corn, other cereals, etc.) are included in the area “A” or “B”.

We are kindly asking for your opinion if the current classification of the customers in the area “C” – feed is appropriate or whether it is necessary to include in this area all farms producing mainly unprocessed agricultural products (usually only for animal feed) kept on their own farms.

March 2017

3 different situations can be considered :

If an operator produces feed for his livestock on his own farm (eg grass, corn, cereals …), he must be included in unprocessed plant products, provided that the feed is intended exclusively for his own livestock. The operator may add to the agricultural products, substances complying with Annex V or additives listed in Annex VI to R (EC) 889. Category A

If the operator produces raw materials for animal feed, he can market them to third parties with the scope of unprocessed plant products. Category A

If the operator mixes the raw materials from his own holding and adds them to the substances listed in Annex V or additives of Annex VI and wishes to market the feed to third parties, he must be included in processed agricultural products for animal feed.

(It was agreed that this question would be forwarded to DG AGRI for further consideration)

Question 33.12 Notified Body Stating of Product Standards

Is it possible for an accredited CB, when acting also as a Notify Body, to issue a certificate of conformity to the producer for a given type of product, without mentioning the product standards or specifications against which conformity has been demonstrated?

Note for example the Lifts Directive: The Commission Communication 2016/C 138/03 published the list of harmonized standards to be used for the conformity assessment. So, the list of applicable standards is defined in the law, and anyone can access it.

If the conformity certificate is a positive one (approval without exclusions) the absence of identification of the standards becomes administrative and may be omitted as long as the assessment report contains the details of the conformity assessment, including the standards used?

March 2017

ISO/IEC 17065:2012 says that in 7.1.2 “The requirements against which the products of a client are evaluated shall be those contained in specified standards and other normative documents.” and in 3.10 “scope of certification identification of

  • the product(s), process(es) or service(s) for which the certification is granted,
  • the applicable certification scheme, and
  • the standard(s) and other normative document(s), including their date of publication, to which it is judged that the product(s), process(es) or service(s) comply”

If manufacturer choses non-harmonised product conformity standard, in this case they should conduct risk analysis and show its (non-harmonised standard) applicability and validity.

On the other hand, in some EU directives, there is no defined harmonised standard for specific products and in this case, it is left to manufacturer’s decision to choose the most relevant product conformity standard or criteria.

In both cases, the product conformity certificate should give reference to relevant standard or criteria (normative document). For other cases (when EU Directive mandates to use any harmonized product conformity standard), there is no need to give additional reference in the product conformity certificate

ΝΟΤΕ
All the technical specifications and standards (harmonized or not) of these products normally is a part of their technical files.

Question 33.17 Response to nonconformities

Situation: The certification process in the CB is as follows :

  • The CB auditor performs the audit and writes non conformities in case there are. His/her action stops after that.
  • The reviewer (technical officer inside the CB) is in charge of the follow up of the audit which includes analysis of the answers from the client to the nonconformities and recommendation on closing or not the nonconformity
  • The reviewer is in charge of reviewing other results from the evaluation process (e.g. test results)
  • This reviewer makes a recommendation for the certification
  • The certification decision is taken by the CB’s Director

Question: Is the analysis of the answers from the client to the nonconformities (and opinion on closing or not the nonconformity) part of the audit or can it be considered as part of the review?,

  • In other words is the analysis of the answers from the client to the non conformities is an evaluation task and shall be considered as an evaluation activity or is this analysis of client answers part of the evaluation process without being considered as an evaluation task belonging to evaluation activities?

Depending on the answer, is it fulfilling (or not) 7.5 requirements that the reviewer performs the analysis of the answers from the client to the non conformities raised in audit?

Mars 2017

Clause 7.5.1 of ISO/IEC 17065 states “7.5.1

  • The certification body shall assign at least one person to review all information and results related to the evaluation. The review shall be carried out by person(s) who have not been involved in the evaluation process.”

Therefore in, an independent review is required. The review, acceptance and verification of answers to nonconformities is an evaluation activity and the individual performing these tasks cannot, therefore, perform the review required by clause 7.5.1 of ISO/IEC 17065.

If the product certification scheme requires that the certification body performs management system auditing as part of product certification, it shall meet the applicable requirements of ISO/IEC 17021-1. The applicable requirements concerning handling the client’s response to non-conformities are specified in Clause 9.5.2 of ISO/IEC17021-1 which states that prior to making a certification decision:

  • that for any major non-conformities, the certification body has reviewed, accepted and verified the correction and corrective actions and
  • that for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action.

In this case, the review and acceptance of the client’s plan for correction and corrective action, in respect of minor non-conformities, is not part of the evaluation as there is no verification of the correction and corrective action, and the individual performing these tasks can perform the review required by clause 7.5.1 of ISO/IEC 17065

Question 33.20 witnessing for CPR

In the area of Product Certification, the NAB performs demo witness assessments in the initial accreditation or scope extension assessments for the CABs that are not designated as NB yet by notifying authority and applied first time in the field of CPR (Reg.No. 305/2011) for a certain scope and makes decision about CAB’s competence according to this demo witness assessment.

The question is whether CABs can use the reports and outcomes of this demo witness assessment as a basis for certification decision and issuing real certificate under CPR for relevant producer, after being accredited by NAB and being designated as Notified Body by authorities without performing a new audit to relevant producer?

Does any other NAB faced a similar case in their country and what is the general implementation about this issue in other EA member countries?

Note: The national authority requests the NAB’s opinion about this issue and expects the NAB to determine some rules in accreditation procedures for preventing this issue.

March 2017

When CPR came into force there was two options for the initial accreditation:
One possibility with DEMO witness assessment and the other possibility with conditional accreditation.

The first possibility takes place in the initial accreditation for the CABs which are not notified. If the AB follow all the procedures regarding accreditation then it is not needed new audit to the relevant producer after the Notification.( DEMO witnessing assessment) – however the NB would need to carry out a review to ensure that the processes used in the DEMO witnessed are still valid in terms of the processes under which the CAB achieved Notification.

The second possibility was a practice suggested by the European Union. This means accreditation shall be gained without witness assessment and under the condition that the first witness assessment will take place with the AB. (conditioning accreditation)

Question 34.1 Interrpetation of Organizational Control

One applicant certification body has two owners (persons) . These two owners are also the owners of another company. The second company is a provider of the certified services. This two people owns all the shares of both companies.

Do you consider that the second company (the provider of certified services) is under the “organizational control” of the certification body?

4.2.6 The certification body and any part of the same legal entity and entities under its organizational control (see 7.6.4) shall not:

  • be the designer, manufacturer, installer, distributer or maintainer of the certified product;
  • be the designer, implementer, operator or maintainer of the certified process;
  • be the designer, implementer, provider or maintainer of the certified service;

7.6.4 A certification body’s organizational control shall be one of the following:

  •  whole or majority ownership of another entity by the certification body;
  • majority participation by the certification body on the board of directors of another entity;
  • a documented authority by the certification body over another entity in a network of legal entities (in which the certification body resides), linked by ownership or board of director control.

The standard states “whole or majority ownership of another entity” by the certification body, as a mean to exercise organizational control but nothing is said about the same situation for the owners of the certification body.

September 2017

The two persons own all the shares of the CB, then they are legally responsible for the CB and they have full authority on the CB. They shall be then considered as being the CB.

Therefore, the answer is yes: the second company (providing the certified services) is under the organizational control of the CB

Clause 4.2.3 should also be noted, this requires the CB to identify risks to its impartiality on an ongoing basis, including risks that arise from its relationships, or from the relationships of its personnel. The Note to this clause states that a relationship that threatens the impartiality of the certification body can be based on ownership, governance, management, personnel. Such common ownership should be identified as a risk to impartiality.

Question 34.5 Competence criteria

Relating to ISO/IEC 17065 Clause 6.1.2.1 the certification body shall determine the criteria for the competence of personnel for each function in the certification process (see Clause 7).

Does the above requirement include the determination of competence criteria for each function identified in Clause 7, for example for personnel:

  • handling complaints and appeals (Clause 7.13)
  • implementing changes affecting certification (Clause 7.10) ?

March 2018

Yes, the highlighted roles are considered to be a function of the certification process and therefore competence needs to be determined.

Questions relating to ISO/IEC 17024 – Certification of Persons

Question 32.0 restriction

The situation concerns invoicing of an initial certification which can in the same CB follow 2 different routes :

  • Registration directly to the CAB: payment of fees for initial and 1st surveillance in one go
  • Registration via a training body (with which the CBs has an agreement): payment of fees in 2 steps part before the initial examination, the other part before the 1st surveillance
  • The total amount of fees is the same in both cases

One possible interpretation of the case is that these provisions are not acceptable regarding § 4.3.3 and 4.3.4 as they lead to 2 different treatments of the certified person :

  • In the first case, the applicant has to pay for the whole process no matter he/she succeeds in the certification or continue to work after the certification
  • in the second case, under the same circumstances, the applicant will have paid only a part.

The CBs argues that :

  • conformity to § 4.3.3 from the definition of fairness (3.16 fairness : equal opportunity for success provided to each candidate (3.14) in the certification process (3.1)) the CB argues that the difference of invoicing does not affect the opportunity of success
  • Conformity to §4.3.4 : the CBs argues that
  • The price is the same for all applicants
  • The fact that there are 2 steps of invoicing is due to the fact as part of the initial exam can be included in some training financial support (which exist in some cases for helping working persons to go on professional training)
  • Each applicant is informed of this possibility and can apply through a training body

Then the question is what interpretation of the 2 above is acceptable regarding (§4.3.3 and § 4.3.4 of the standard).

September 2016

ISO/IEC 17024 states :

4.3.3 : Policies and procedures for certification of persons shall be fair among all applicants, candidates and certified persons.

4.3.4 : Certification shall not be restricted on the grounds of undue financial or other limiting conditions, such as membership of an association or group. The certification body shall not use procedures to unfairly impede or inhibit access by applicants and candidates.

There is no apparent breach of clauses 4.3.3 (the opportunities to be certified are the same by either of the two ways) or 4.3.4 (access is not restricted or limited arbitrarily (unfairly) to a candidate to the detriment of another), as long as both options are available to all and the relationship between the CB and the training organisations meets all other requirements of the standard.

Question 33.18 publicly available information

According to ISO 17024 cl 7.2.2, and 7.2.3, the only information that shall be publicly available without request, is that regarding the “scope” of the scheme (cl 8.2. a)) a general description of the certification process and the prerequisites (cl 8.2. e)).
Please give us your opinion (agreement or not with and if not, details for justification) on the following:

a) the previous paragraph,

b) that the standard clearly excludes the required “competencies” of the person (cl 8.2 c) be publicly available without request, and

c) Upon request, both the “competencies” (cl 8.2 c) and the “job description” (cl 8.2 b) shall be provided (this does not exclude the right of the scheme owner to be paid for that information (please note that this is the case of the Standardization Bodies)

March 2017

As a preliminary, the standard has 3 different levels of diffusion regarding information :

  • The one without request (4.3.1, 7.2.2 ,7.2.3, 9.2.2, 9.8.3, 9.9.2) to any one
  • The one upon request i.e. to anyone requesting
  • The one for applicants (9.1.1) : this is also upon request (through the application)

a. Not in agreement: we do not interpret the clauses like this: the minimum mandatory publicly available information are 8.2.a and 8.2.e). This doesn’t prevent CBs to have other publicly available information if they wish to do.

b. Not in agreement (from answer to a))

c. Partial agreement: as per §9.1.1, the CB shall make available “the requirements for certification and its scope”. The “requirements for certification” of 9.1.1 are considered to be equal to the “c) required competence; » of 8.2.c. It is not nevertheless mandatory to give the 8.2.b, even upon request

Question 35.4 Welder Qualification EN ISO 9606

Criterion 6.3 (EN ISO 9606-1: 2014) Welding conditions states “The welding qualifier tests must be performed using pWPS or WPS prepared according to EN ISO 15609-1 or EN ISO 15609-2.

Criterion 10 (EN ISO 9606-1: 2014) The welder certificate contains the text “… The recommended format is in Annex A. It shall contain all the particulars listed in Annex A.” And annex A requires “WPS – Reference:” without any note or explanation.

1) Is it necessary to always state the WPS reference on the personal certificate?

I.e. : WPS has to be used for welder test or where pWPS was used for the test: at the time of certificate issuing, there must exist WPS which was verified with WPQR and which was identical to pWPS used for the test.

2) Is the personal certificate, where only pWPS is stated, acceptable?

3)  In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate declaring that test was performed using WPS?

4) Is it acceptable on the certificate to be written the only number e.g. “192” in the part “WPS reference” without informing it is pWPS and is not WPS?

5) In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate where in the part “WPS reference”  is replaced with “pWPS/WPS reference” and it is not clarified which document version was used for the test?

6) Is a such a situation at a factory in line with special technical standards in the field of welding? A welding supervisor (in a company which has certified management system according to ISO 9001 and ISO 3834-x) accepts a personal certificate based on pWPS /WPS from a different location (e.g. issued by accredited certification body for personnel, where test/conditions are not the same as in the company) without any additional activity/measures?

March 2018

EWF (European Welding Federation) was consulted on this question and replied as follows:

  1. As stated in clause 6.3,  a WPS or a pWPS can be used. A certificate can be issued solely based on a pWPS or on a WPS.
  2. Yes.
  3. No. If a pWPS was used, that pWPS has to be referenced not a WPS.
  4. If the WPS or pWPS is referenced in the certificate, the correct reference has to be written to guarantee the traceability. Annex A is informative, but all information within the annex is mandatory to present. How to present it is not mandatory but our opinion is that in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable).
  5. If the test was done according to a specific pWPS, that pWPS has to be traceable to the test. If the pWPS is referenced in the certificate, the reference might not contain details of which type it is, but in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable). The identification code of an WPS or pWPS used on the welder certificate must be traceable to the test records.
  6. If the certificate is valid, yes. ISO 9606-1 states all the conditions to perform the tests (minimum dimensions, tests to perform, etc.), and also allows to use a pWPS or WPS. So there could be differences on the dimensions of the test pieces used, different tests used, etc. But all these are permitted by the standard since all minimum test conditions are guaranteed, and for that reason the certificate remains valid. It is up to the company to accept it, or ask for further tests.