Is it allowed for an ISO 9001 scheme that the first surveillance audit in a certification cycle generally does not cover operations (section 8) but focus on the management system?
This is especially seen for schemes that consists of the requirements in ISO 9001 in combination with some extra requirements in e.g., national executive orders. E.g. a national statutory order on control, maintenance, and repair of lifts with specific requirements on certification in combination with requirements in ISO 9001. Operations of the certified company are stated in procedures of CB’s not to be assessed at the first surveillance. This means that the first surveillance in a certification cycle only covers documents and records of the managements system.
March 2022
ISO/IEC 17021-1 says “§9.6.2.2 Each surveillance for the relevant management system standard shall include: … f) continuing operational control;”
So, this is not allowed, as per ISO/IEC 17021-1, no matter whether the management system is full ISO 9001 or derived from it.
This is fully logical and consistent with a risk-based thinking approach: after the initial certification (i.e., the first surveillance), the operations should be subject to being audited in priority to demonstrate that what has been delivered (management system certification) is effective.
Such a scheme is not fit for ISO/IEC 17021-1 accreditation.