Within the assessment of CABs, is it a requirement to judge the risk-based approach of the CABs, or just to check that it was done and that the assessment identified no findings which would not have occurred if the risk-based approach had been done in a proper way?
Several standards, such as ISO/IEC 17021:2015 (article 4.8) and other standards within the ISO/IEC 17000 family, contain requirements concerning risk-based approaches. The CABs are requested to identify and analyse these risks and, if they are concerned about some of these risks, they have to initiate action to avoid or minimize them. But none of these standards gives any information on the necessary level of documentation, the necessary level of risk analysis, or a distinction between “critical” or “non-critical” risks, nor do they state that this approach or analysis is to be judged by the NABs with regard to the content.
March 2020
The full performance of a CAB, for which requirements exist in the accreditation standard, must be assessed for conformity and for efficiency. That is, this includes an evaluation of the reliability and appropriateness of the CAB’s risk approach, and a conclusion thereof.

