The main federal regulator in the medical field has set up a complex certification scheme under ISO/IEC 17021-1 (management systems) for data protection in patient health care. Accreditation of CBs is the basis for the acceptance of certification bodies by the regulator to work in this field.
The requirements in the legislation are already set up, but in practice the scheme is still under development (the legislation text has several requirements that shall be tested by special software).
Unfortunately, due to some problems, a considerable delay occurred, and the software, as a key element in this data protection scheme, is not available yet.
Nevertheless, the federal regulator urged the NAB to start the assessment process of the potential applicant certification bodies, and the certification bodies shall start with the first step of the scheme (certification according to ISO 27001). The reasons why this happened are not clear.
Question:
Is it possible to refuse in general the assessment task when a "scheme is not fully developed and available"? In addition, at this moment the NAB has no proof that the scheme will be based on rugged procedures, even when it is based on a federal ordinance.
A1) What can be used as arguments (backed up by EA, IAF or normative criteria) to still perform the work as requested? What provisos shall be made?
A2) What arguments (backed up by EA, IAF or normative criteria) can be used to refuse such (unfinished) work?
September 2018
This question is not specific to certification and could also be submitted to the HHC.
The consensus is that the situation is as described in A2, with the argument that accreditation to a specific accreditation scheme cannot be delivered if the requirements of ISO/IEC 17011 § 4.6 are not fulfilled.
In the present case, it looks as though these requirements cannot yet be fulfilled.
And an AB shall fulfil the whole of ISO/IEC 17011, as per Regulation (EC) 765/2008 and the IAF and EA MLAs.
Another way would be to allow each CB to develop its own scheme based on the already published requirements, with the NAB evaluating each certification scheme by implementing ISO/IEC 17011 § 4.6. But this would be very difficult for the NAB and would lead to potentially different certification schemes, and therefore different certification results, which would be very risky and does not seem to be what the regulator needs in such a complex and regulated area.