Accreditation of certification bodies
in EMS/QMS: transition from
ISO guides 62 and 66 to
ISO/IEC 17021-1
Presented by Peter Vermaercke 26 June 2007
Lead Assessor BELAC
ISO 17021 – at first sight not new?
But did you look closely enough?
ISO/IEC 17021 Peter Vermaercke BELAC 26 June 2007
Content
ISO/IEC 17021:2006: “Conformity assessment—
Requirements for bodies providing audit and certification
of management systems”. Published 15 September 2006.
History and the framework of ISO/IEC 17021
Objectives and scope of the new standard
Content of the new standard
Future – what with IAF guideline documents?
Conclusion
A word of thanks to
• Randy Dougherty for using his ISO CASCO-slides
• INAB for using partly their slides publicly available on INAB-website
These slides were based upon the EA training course on ISO 17021
held on 24/25 May 2007
Conformity Assessment
Where is ISO 17021?
[Diagram: standards by conformity assessment activity]
– Accreditation: ISO/IEC 17011
– Testing, calibration: ISO/IEC 17025
– Inspection: ISO/IEC 17020
– Clinical: ISO 15089
– Certification
– Quality systems: ISO 9000, GMP, ...
– Management systems: ISO/IEC 17021
– Auditing: ISO 19011
– Environmental systems: ISO 14001
– Products: ISO Guide 65
– Safety & other: HACCP, OHSAS 18001, …
– Persons: ISO/IEC 17024
Phase 1: Upgrading most ISO
Guides to Standards
– Accreditation: ISO/IEC 17011:2004, Conformity assessment - General requirements for accreditation bodies accrediting conformity assessment bodies
– Inspection: ISO/IEC 17020:1998 (reconfirmed in 2002), General criteria for the operation of various types of bodies performing inspection
– System certification: ISO/IEC 17021:2006 (transition from ISO guides 62 and 66), Conformity assessment - General requirements for bodies providing audit and certification of management systems
– Certification of persons: ISO/IEC 17024:2003, Conformity assessment - General requirements for bodies operating certification of persons
– Testing/calibration: ISO/IEC 17025:2005, General requirements for the competence of testing and calibration laboratories
Revision of the standards related
to conformity assessment-phase 2
Phase 2 = Develop “common elements” for conformity
assessment, to be used in all ISO documents once
the principles and texts are confirmed. The common elements
across the core standards are found in a group of
ISO/IEC PAS (Publicly Available Specifications, which reflect
good practice and are documents designed for
the internal use of ISO/CASCO working groups).
We are now in this phase.
After at least 5 years, Phase 3: develop a new series of
17000 standards, based on the “common elements” and
the functional approach.
List of CASCO guides and
standards by field of application
Vocabulary, principles and common elements of conformity assessment:
– ISO/IEC 17000:2004, Conformity assessment - Vocabulary and general principles
– ISO PAS 17001:2005, Conformity assessment - Impartiality - Principles and requirements
– ISO PAS 17002:2004, Conformity assessment - Confidentiality - Principles and requirements
– ISO PAS 17003:2004, Conformity assessment - Complaints and appeals - Principles and requirements
– ISO PAS 17004:2005, Conformity assessment - Disclosure of information - Principles and requirements
List of CASCO guides and
standards by field of application
Product certification:
– ISO/IEC Guide 23:1982 (reconfirmed in 2003), Methods of indicating conformity with standards for third-party certification systems
– ISO/IEC Guide 28:2004, Conformity assessment - Guidance on a third-party certification system for products
– ISO/IEC Guide 53:2005, Conformity assessment - Guidance on the use of an organization's quality management system in product certification
– ISO/IEC Guide 65:1996, General requirements for bodies operating product certification systems
– ISO/IEC Guide 67:2004, Conformity assessment - Fundamentals of product certification
List of CASCO
projects under way
– Common elements of conformity assessment: ISO PAS 17005 [CASCO WG 23], FDPAS in progress. Conformity assessment - Use of management systems in conformity assessment - Principles and requirements
– Writing specifications for use in conformity assessment: ISO/IEC 17007 [CASCO WG 27]. Conformity assessment - Guidelines for drafting standards and specified requirements suitable for use for conformity assessment
– Auditing competence: ISO/IEC 17021 Part 2 [CASCO WG 21]. Conformity assessment – Requirements for third party auditing of management systems
– Proficiency testing: ISO/IEC 17043 [CASCO WG 28]. Proficiency testing by interlaboratory comparisons – Part 1: Development and operation of proficiency testing schemes and Part 2: Selection and use of proficiency testing schemes by laboratory accreditation bodies
– Product certification: ISO/IEC 17065 [CASCO WG 29]. Conformity assessment – General requirements for bodies operating product certification systems. Revision of ISO/IEC Guide 65:1996
Product certifiers!
It should be noted that ISO 17021 is not intended for
product certification. As ISO Guide 65 will not change
in the next year, it is reasonable to expect that a
future revision of ISO Guide 65 will take a similar path. So
product certifiers should make themselves familiar with
this new standard.
ISO/IEC 17021-2
ISO 19011 is a guideline that addresses
– only audits of QMS and EMS
– all types of audits, both internal and external
– guidelines and not requirements
So there is a need for a text specifically addressing 3rd party
management system auditing requirements, so a standard
Proposal for the development of ISO/IEC 17021-2 addressing:
– Generic aspects of 3rd party management system auditing
– Generic audit competence requirements
– A template for the future development of specific
competence requirements for any management system
scheme
ISO/IEC 17021-2
Very little known about it, but it has three components:
– 1. You need to have generically competent auditors.
– 2. You need to make competent use of those auditors,
so the right people for the right audit can be selected,
working together as a competent audit team.
– 3. Give that competent audit team the resources they
need to do a competent audit. The main resource in
that respect is time - time to do a thorough audit, to
prepare adequately all the documents, to report
adequately, and to breathe in between audits ...
Content
History and the framework of ISO/IEC 17021
Objectives and scope of the new standard
Content of the new standard
Future – what with IAF guideline documents?
Conclusion
Trends
Over the last 5–10 years, the thinking concerning
Management Systems has evolved towards
– 1) Quality Management Systems built around an ISO
9001 Core e.g. sector schemes such as
Telecommunications (TL9000), Aerospace (AS9100),
Automotive (ISO TS 16949), …
– 2) Compatibility between different management systems
e.g. ISO 9001 and 14001 - Integrated management
systems, ….
– 3) Future extension of the scope of management
systems e.g. Agro-food Safety Management (ISO
22000), Information security management
(ISO/IEC 27001:2005) and supply chain security
(ISO/PAS 28000:2005)
Requirements for the standards
also accreditation standards
Maintaining a Common Core
Obtaining Compatibility
Enhancing credibility of 3rd party certification
So: flexibility to meet marketplace (sectoral) needs;
avoiding unnecessary redundancy when addressing similar
themes; compatibility and alignment, whenever possible;
ensuring stakeholder credibility
Objectives ISO/IEC 17021
To replace Guide 62 and 66 (or the BELAC documents
based upon EN 45012)
To be applicable to any type of management system; a
re-active and pro-active approach to standardization – the
standard should also provide a platform for certification of
other management systems.
To incorporate current guidelines developed by the
International Accreditation Forum (IAF GD2 and GD8) for
their members to follow when applying the last editions of
ISO/IEC Guides 62 and 66.
To incorporate latest technology
To be consistent with the common elements
Positive points
Reduces the proliferation of standards
Is the first attempt for a core conformity assessment
standard with the advantage of a range of recent changes to
working practice and understanding in place (taken over
from IAF).
Adoption of a more “performance based” approach to the
orientation of the requirements in the core standards as
opposed to a “design based” approach, which is more
prescriptive (what and how to do things). I counted 240
“shall” clauses under ISO 17021, which is far less than the
400+ requirements of the two current standards.
An example of the transfer of IAF
guides to the standard
IAF Guidance GD2: “CB’s may participate in training
courses, provided that where these courses relate to
quality assurance, management systems or auditing they
should confine themselves to the provision of generic
information and advice which is freely available in the
public domain, i.e. they should not provide company
specific advice which contravenes the requirements.”
ISO 17021 Clause 3.3: “Arranging training and
participating as a trainer is not considered consultancy,
provided that where the course relates to management
systems or auditing, the course is confined to the
provision of generic information that is freely available in
the public domain, i.e. the trainer should not provide
company-specific solutions.”
Content
History and the framework of ISO/IEC 17021
Objectives and scope of the new standard
Content of the new standard
Future – what with IAF guideline documents?
Conclusion
RVA T-32
Columns: ISO/IEC 17021 clause; Guide 62; IAF GD2; Guide 66; IAF GD6
– 3.3 management systems consultancy: IAF GD2 G.1.1.23; IAF GD6 G.4.1.21
– 5.1.1 Legal entity: Guide 62 2.1.2d; IAF GD2 G.2.1.10, G.2.1.11; Guide 66 4.1.2d; IAF GD6 G.4.1.8, G.4.1.9, G.4.1.10
– 5.1.2 Certification agreement.
ISO/IEC 17021:2006
Contents
– 1 Scope
– 2 Normative references
– 3 Terms and definitions
– 4 Principles
– 5 General requirements
– 6 Structural requirements
– 7 Resource requirements
– 8 Information requirements
– 9 Process requirements
– 10 Management system requirements for CBs
ISO/IEC 17021:2006
Section 4 Principles
What is new?
– regarding the standard?
Section 4 Principles [for third party certification]
– Subsequent requirements are based on the principles
– The principles are not auditable
The principles are statements of what should be achieved.
Knowing what is to be achieved helps in drafting the
subsequent
ISO/IEC 17021:2006
Section 4 Principles
4.1.3 Principles for inspiring Confidence.
– impartiality
– competence
– responsibility
– openness
– confidentiality
– responsiveness to complaints
ISO/IEC 17021:2006
Section 4 Principles
4.2 Impartiality threats.
Self interest
Self review
Familiarity
Intimidation
ISO/IEC 17021:2006
Section 4 Principles
4.3 Competence.
Competence of personnel supported by management
system.
Competence is the demonstrated ability to apply
knowledge and skills.
Certification must provide confidence
ISO/IEC 17021:2006
Section 4 Principles
4.4 Responsibility
Certification body has responsibility to assess sufficient
objective evidence upon which to base a decision.
Grant certificate if sufficient evidence of conformity.
Links to confidence. Integrity and credibility of certification.
needs competence
ISO/IEC 17021:2006
Section 4 Principles
4.5 Openness.
Provision and access to information.
4.6 Confidentiality.
Integrity and confidence
4.7 Responsiveness to complaints.
Confidence, trust, integrity, credibility.
Cannot hide behind confidentiality.
ISO/IEC 17021:2006
Section 5 General requirements
5.1 Legal and contractual matters
5.1.1 legal responsibility
– CB shall be such that it can be held legally responsible
for its certification activities
shall be a legal entity or a defined part of a legal
entity
a governmental CB is deemed to be a legal entity
ISO/IEC 17021:2006
Section 5 General requirements
5.1 Legal and contractual matters
5.1.2 certification agreement
– a CB shall have a legally enforceable agreement (one that
demonstrates the capability to take legal action, if needed, to
enforce conformance by its clients) with certification
clients (international contracts involve knowledge of
legislation? language?)
– for multiple offices of a CB or client, a CB shall ensure
the agreement explicitly covers all sites covered by the
scope of certification
5.1.3 responsibility for certification decisions
– a CB shall be responsible and shall retain authority for its
decisions relating to certification
ISO/IEC 17021:2006
Section 5 General requirements
What is new?
– regarding impartiality?
Eliminated the definition for, and use of the term, “related
body”, and instead describe activities/relationships that
are a threat to impartiality (this can be based on
ownership, governance, management, personnel, shared
resources, finances, contracts, marketing and payment of
a sales commission or other inducement for the referral of
new clients, etc.)
So, the emphasis in demonstrating impartiality shifts from
the AB, which made a complete evaluation of the “related
bodies”, to the CB, which now has to make a document
describing all “bad” activities/relationships that needs to
be approved by the impartiality committee
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.1 top management commitment
– publicly accessible statement by top management of
the CB
understands importance of impartiality
manages conflict of interest
ensures objectivity
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.2 impartiality threat analysis
– identify, analyze and document COI or threats to
impartiality
– relationships
– document elimination or reduction of threats
– demonstrate to impartiality committee (IC)
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.3 relationships that threaten impartiality
– when a relationship that threatens impartiality cannot
be eliminated or minimized, then certification shall not
be provided
5.2.4 a CB shall not certify another CB
5.2.5 a CB, and any part of the same legal entity, shall not
provide management systems consultancy
– applies also to a governmental CB
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.6 a CB, and any part of the same legal entity, shall not
provide internal audits to its certified clients
– Note: if a CB provided internal audits for an
organization, it shall not provide certification for at least
two years
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.7 CB and consultancy relationships
– a CB shall not certify a client that received
management system consultancy or internal audits
where the relationship between the management
system consultancy organization and the CB poses an
unacceptable threat to impartiality of the CB
– allowing a minimum period of two years following the
end of the consultancy or internal audits is one means
of reducing the threat to impartiality to an acceptable
level
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.7 CB and consultancy relationships
– Basis of relationships that threaten impartiality
common ownership, governance, or management
shared resources or finances
contracts
marketing
payment of a sales commission or other inducement
for referral of new clients
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.8 a CB shall not outsource audits to a management
system consultancy organization. Note: does not apply to
individuals contracted as auditors in 7.3
[Diagram: CB (auditors under control of CB’s QMS) and CO (auditors under control of CO’s QMS), with the labels “Outsource” and “Hired in”]
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.9 a CB’s activities shall not be marketed as linked to the
activities of an organization that provides management
system consultancy
– no ‘linked’ claims that certification would be faster,
easier, or less expensive
– CB shall take action to correct inappropriate claims by a
consultancy organization
ISO/IEC 17021:2006
Section 5 General requirements
5.2 Management of impartiality
5.2.10 any personnel involved in management system
consultancy for a client shall not be involved in
certification of the client for at least two years following
the end of the consultancy
5.2.11 CB shall respond to threats to its impartiality arising
from the actions of others
5.2.12 CB personnel shall act impartially and not allow
commercial, financial or other pressures to compromise
impartiality
– internal
– external
– Committees
5.2.13 CBs shall require personnel to disclose any situation
that may present them or the CB with a conflict of
interest
ISO/IEC 17021:2006
Section 5 General requirements
5.3 Liability and financing
5.3.2 CB shall evaluate its finances and sources of income
and demonstrate to the impartiality committee that
commercial, financial and other pressures do not
compromise its impartiality
ISO/IEC 17021:2006
Section 6 Structural requirements
6.1 Organizational structure and top management
6.1.1 CB shall document
– organizational structure
– responsibilities of personnel and committees
– relationships to other parts of same legal entity
ISO/IEC 17021:2006
Section 6 Structural requirements
[Organization chart: Advisory board; Board of Governors; Appeal Committee; Technical Committee(s); Operational Management; Technical Management; Certification Committee (per scheme); Supplier - Producer]
ISO/IEC 17021:2006
Section 6 Structural requirements
6.1.2 CB shall identify top management having
responsibility for
– policies and finances
– development and performance of certification schemes
– decisions on certification
– delegation to committees/persons
– contractual arrangements
– providing adequate resources
6.1.3 CB shall have formal rules for appointment, terms of
reference and operations of committees involved with
certification
ISO/IEC 17021:2006
Section 6 Structural requirements
6.2 Committee for safeguarding impartiality
6.2.1 structure of the CB shall include a committee
– assist in development of policies relating to impartiality
of certification
– counteract any tendency by CB to allow commercial or
other considerations to prevent objective certification
– advise on matters affecting confidence of certification,
such as openness and public perception
– review, at least once annually, impartiality of the audit,
certification and decision making processes
ISO/IEC 17021:2006
Section 6 Structural requirements
6.2 Committee for safeguarding impartiality
6.2.2 composition, TOR, competence, responsibilities to be
documented and authorized by top management to ensure
– balanced representation-no single interest
predominating (personnel of the certification body are
considered to be a single interest)
– Access to all the information necessary to enable it to
fulfill its functions
5.2.2 impartiality analysis
5.3.2 financial analysis
– right of committee to independent action if top
management does not respect its advice (e.g.
informing authorities or ABs)
Committee for
safeguarding impartiality
[Diagram: CB; Government; Experts; Consumers/Public; Clients/Producers; Customers of clients; Trade associations; label: “If relevant”]
ISO/IEC 17021:2006
Section 7 Resource requirements
What is new?
– regarding CB and audit team competence?
Requirements that result in a process for ensuring the
assignment of competent audit team
– competence analysis (7.1 & 7.2)
– application review—competence needed (9.2.2.2)
– audit team selection—competence provided (9.2.2.3)
– competence to make certification decision (9.2.2.4)
ISO/IEC 17021:2006
Section 7 Resource requirements
ISO/IEC 17021:2006: 4.3 – Competence = the ability to
apply knowledge and skills (e.g. like a lab technician or an
inspector) – attending a training course, having a
diploma, … are examples of qualifications, not
examples of demonstration of competence
7.2.7. The certification body shall use auditors and
technical experts only for those certification activities
where they have demonstrated competence (monitoring of
previous activities, feedback from the client, witnessing on
site, interviews, passed a formal examination, a formal
test, holds a certificate, ….)
The initial competence evaluation of an auditor shall
include an observation by a competent evaluator observing
the auditor conducting an audit.
ISO/IEC 17021:2006
Section 7 Resource requirements
CB shall ensure:
– Personnel has relevant knowledge in the fields of activity
and geographic regions in which it operates
– For each sector, it determines competence requirements
to be demonstrated prior to performance
– It has competent management and administrative
personnel, in addition to auditors and experts
– It has access to the necessary technical expertise for
advice on matters directly relating to certification for
technical areas, types of management system and
geographic areas in which the certification body operates.
Such advice may be provided externally or by certification
body personnel.
ISO/IEC 17021:2006
Section 7 Resource requirements
What is new?
– regarding impartiality?
personnel records shall include any relevant consultancy
services that may have been provided (7.4)
Not a note from an auditor saying that he/she is impartial,
but a note describing what are the conflicts …
ISO/IEC 17021:2006
Section 8 Information
What is new?
– regarding publicly accessible information?
certifications granted, suspended or withdrawn (8.1.3)
E.g. website, allow visit to the office, send by e-mail or
fax on request, give information by phone, …
ISO/IEC 17021:2006
Section 8 Information
What is new?
– regarding the certification documents?
an expiry date consistent with the re-certification cycle
(8.2.3.c)
ISO/IEC 17021:2006
Section 8 Information
8.4.2 A certification body shall not permit its marks to be
applied to laboratory test, calibration or inspection reports,
as such reports are deemed to be products in this context.
8.5.2 The certification body shall inform the client, in
advance, of the information it intends to place in the
public domain. All other information, except for
information that is made publicly accessible by the client,
shall be considered confidential.
ISO/IEC 17021:2006
Section 9 Process requirements
Somewhat the process approach to CB’s
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 general requirements
9.2 initial audit and certification
9.3 surveillance activities
9.4 recertification
9.5 special audits
9.6 suspending, withdrawing, reducing scope of certification
9.7 appeals
9.8 complaints
9.9 records of applicants and clients
ISO/IEC 17021:2006
Section 9 Process requirements
Process requirements
– used “functional approach” for all three kinds of audits
in the certification cycle
– Initial, Surveillance, Recertification
“selection process”—planning
“determination process”—audit
“attestation process”—audit report
“attestation review process”—certification decision
ISO/IEC 17021:2006
Section 9 Process requirements
What is new?
– regarding the certification process?
flexibility to adjust the audit program based on
demonstrated effectiveness of the client’s management
system (9.1.1)
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.1 Certification and audit program (9.1.1)
two-stage audit for initial certification
three year certification cycle begins with certification or
re-certification decision
surveillance audits in first and second years (the date of
the first surveillance audit following initial certification shall
not be more than 12 months from the last day of the
stage 2 audit)
re-certification audit in the third year prior to expiration
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.1 subsequent adjustments to the audit program shall
consider demonstrated level of management system
effectiveness and results of previous audits
– The ‘hook’ for new IAF guidance for advanced
surveillance and reassessment procedures (ASRP)
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.1 where a CB is taking account of certification
or other audits already granted the client, it
shall collect sufficient, verifiable information
to justify and record adjustments to the audit
program
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.2 audit plan for each audit
– documented requirements…in accordance with the
relevant guidance provided in ISO 19011
9.1.3 CB shall have a process for appointing audit team
based on competence needed
– documented requirements…in accordance with the
relevant guidance provided in ISO 19011
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.4 auditor time for an effective audit
– documented process for determination
– auditor time, as determined by the CB, and
justification, to be recorded
9.1.5 multi-site sampling
– documented rationale for the sampling plan
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.6 audit team and client knowledge of tasks given to the
audit team
– examine and verify the structure, policies, processes,
procedures, records and related documents of the
client relevant to the management system
– meet requirements relevant to the scope of certification
– determine processes are established, implemented and
maintained effectively to provide a basis for confidence
in the client’s management system
– communicate to the client any inconsistencies between
client’s policies, objectives and targets and the results
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.7 CB shall provide to the client the name and, when
requested, background information on each audit team
member
– time for the client to object
– time to reconstitute the team
9.1.8 audit plan to be communicated, and dates to be
agreed, in advance
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.9 CB shall have a process for conducting on-site audits
– documented requirements…in accordance with the
relevant guidance provided in ISO 19011
Note: ‘on-site’ can include remote access to electronic
site(s)
– provides the ‘hook’ for IAF guidance on computer
assisted audits
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.10 CB shall provide a written report for each audit
– based on relevant guidance…in ISO 19011
– may identify OFI’s but not recommend solutions
– ownership of the report by the CB
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.11 CB shall require the client to analyze the cause and
take correction and corrective action to eliminate identified
nonconformities, within a defined time
9.1.12 CB shall review the corrections and corrective actions
to determine if these are acceptable
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.13 CB shall inform the client what is needed to verify
effective correction and corrective action
additional full audit?
additional limited audit?
documented evidence that will be confirmed on
future surveillance audits?
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.14 CB shall ensure the decision for certification or
recertification is made by persons or committees different
from those who carried out the audits
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.15 CB shall confirm, prior to making a decision
a) information from the audit team is sufficient with
respect to requirements and scope
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.15 CB shall confirm, prior to making a decision
b) it has reviewed, accepted and verified the
effectiveness of correction and corrective action for
any nonconformities that represent
failure to fulfill requirements of the standard; or
significant doubt the client’s system can achieve
intended outputs
ISO/IEC 17021:2006
Section 9 Process requirements
9.1 General requirements
9.1.15. CB shall confirm, prior to making a decision
c) for any other nonconformities, it has reviewed and
accepted the client’s planned correction and
corrective action
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.1 application
9.2.2 application review
9.2.3 initial certification audit
9.2.4 initial certification audit conclusions
9.2.5 information for granting initial certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.1 application
– CB shall require applicant to provide information to
enable it to establish the following:
desired scope of certification
name, address, sites, significant aspects, legal
obligations
information relevant for field of certification,
resources, relationship in a corporation
information concerning outsourced processes
standards or requirements for certification
applicants to provide information concerning any
management system consultancy received
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.2 application review
9.2.2.1 CB to review application to ensure
information sufficient for an audit
requirements provided to applicant
any known differences are resolved
CB has competence and ability to provide
certification
scope, locations, audit time, language, threats to
safety or impartiality have been taken into account
records of justification to accept client are
maintained
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.2 application review
9.2.2.2 based on application review, CB to determine
competences needed for audit team and for the
certification decision
9.2.2.3 appointment of an audit team having the totality
of competences needed
9.2.2.4 appointment of persons for making the
certification decision that have the competence needed
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3 initial certification audit shall be
conducted in two stages
stage 1 and stage 2
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.1 stage 1 audits
9.2.3.1.1 stage 1 audit shall be performed to:
– audit the management system documentation
– evaluate site(s) and personnel to determine
preparedness for the stage 2 audit
– review client’s understanding and identification of key
performance or significant aspects regarding the scope
and operation of the management system
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.1 stage 1 audits
9.2.3.1.1 stage 1 audit shall be performed to:
– collect necessary information regarding the scope and
related statutory and regulatory requirements of the
client’s operation
– review allocation of resources and agree with the client
upon details for the stage 2 audit
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.1 stage 1 audits
9.2.3.1.1 stage 1 audit shall be performed to:
– provide a focus for planning the stage 2 audit by
gaining understanding of the client’s management
system, site operations and significant aspects
– evaluate if internal audits and management review are
being performed and that the level of implementation
substantiates the client is ready for the stage 2 audit
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.1 stage 1 audits
9.2.3.1.2 stage 1 audit findings shall be documented and
communicated to the client, including identification of any
areas of concern
Back-to-back stage 1 and 2 are theoretically … possible,
A stage 1 audit not on site is theoretically … possible
The number of man days is only fit for auditing activities,
which is only a small part of stage 1 …
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.1 stage 1 audits
9.2.3.1.3 in determining the arrangements for the stage 2
audit, consideration shall be given to the time needed to
resolve areas of concern identified in the stage 1 audit
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3 initial certification audit
9.2.3.2 stage 2 audit—the purpose is to evaluate the
implementation, including effectiveness, of the client’s
management system. The stage 2 audit shall take place
at the sites of the client.
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.3.2 the stage 2 audit shall include, at least:
– evidence of conformity to all requirements
– performance against key objectives and targets
– performance as regards legal compliance
– operational control of processes
– internal auditing and management review
– management responsibility for client’s policies
– links between requirements, policy, performance
objectives and targets consistent with expectations of
the standard, legal requirements, responsibilities,
competence of personnel, operations, performance
data and internal audit conclusions
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.4 initial certification audit conclusions
the audit team shall analyze all information and
audit evidence from the stage 1 and stage 2 audits
and agree upon conclusions
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.5 information for granting initial certification
9.2.5.1 information provided by audit team for the
certification decision shall include
– audit reports (stage 1 and stage 2)
– comments on nonconformities and correction and
corrective actions
– confirmation of information used in application review
number of employees for determining audit duration
use of consultancy
– audit team recommendation for or against certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.2 Initial audit and certification
9.2.5 information for granting initial certification
9.2.5.2 CB shall make the certification decision on
the basis of the audit findings and
conclusions and other relevant information
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.1 general
9.3.2 surveillance audit
9.3.3 maintaining certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.1 general
9.3.1.1 CB shall develop its surveillance activities so
representative areas and functions are monitored on a
regular basis and take into account changes
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.1 general
9.3.1.2 surveillance shall include on-site audits and
may include:
enquiries to the client on aspects of certification
reviewing client’s website and promotions
requests to the client for documents and records
other means of monitoring performance
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.2 surveillance audit
9.3.2.1 surveillance audits are on-site audits, but not
necessarily full system audits and shall be planned with
other surveillance activities so the CB can maintain
confidence that the management system continues to
fulfill requirements between recertification audits
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.2 surveillance audit
9.3.2.1 surveillance audit program shall include, at least:
– internal audits and management review
– actions on NCRs from previous audit
– Complaints
– Effectiveness achieving client’s objectives
– Progress at continual improvement
– Continuing operational control
– Changes
– Use of marks and reference to certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.2 surveillance audit
9.3.2.2 surveillance audits shall be conducted at least
once a year.
– date of the first surveillance audit following certification
shall be not more than 12 months from the last day of
the stage 2 audit (=date of closing meeting)
ISO/IEC 17021:2006
Section 9 Process requirements
9.3 Surveillance activities
9.3.3 maintaining certification
– CB shall maintain certification based on demonstration
that the client continues to satisfy requirements.
– CB may maintain certification based on a positive
conclusion by the audit team leader w/o further
independent review, provided:
for any issue that may lead to suspension or
withdrawal, the audit team leader initiates review by
competent personnel different from those carrying
out the audit
Competent CB personnel monitoring the
effectiveness of the CB’s surveillance program
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.1 recertification audit planning
9.4.2 recertification audit
9.4.3 information for granting recertification
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.1 recertification audit planning
9.4.1.1 a recertification audit shall be planned and
conducted to evaluate continued fulfillment of all
requirements, to confirm continued conformity and
effectiveness of the management system as a whole,
and continued relevance for the scope
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.1 recertification audit planning
9.4.1.2 the recertification audit shall consider
performance over the period of certification and include
review of previous surveillance audit reports
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.1 recertification audit planning
9.4.1.3 may need a stage 1 audit if there have been
significant changes
9.4.1.4 audit planning shall include consideration of
multiple sites or multiple standards to ensure adequate
on-site coverage
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.2 recertification audit
9.4.2.1 shall include an on-site audit that addresses
– effectiveness of the system in its entirety and continued
relevance to the scope of certification
– demonstrated commitment to maintain effectiveness
and improvement to enhance overall performance
– system contributes to achievement of policies and
objectives
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.2 recertification audit
9.4.2.2 for nonconformities, the CB shall define time limits
for correction and corrective actions to be implemented
prior to expiration of certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.4 Recertification
9.4.3 information for granting recertification
– Decisions on renewing certification shall be based on
results of the recertification audits as well as review of
the system over the period of certification and
complaints from users of certification
ISO/IEC 17021:2006
Section 9 Process requirements
9.9 Records
9.9.1 CB shall maintain records on all clients, including
applicants and for withdrawals
ISO/IEC 17021:2006
Section 9 Process requirements
9.9 Records
9.9.2 records shall include
– applications and audit reports
– certification agreement
– justifications for sampling
– justifications for auditor time determination
– verification of correction and corrective actions
– records of complaints and appeals
– committee deliberations and decisions
– documentation of certification decisions
– certification documents
– related records to establish credibility of certification,
such as evidence of competence of auditors and
experts
ISO/IEC 17021:2006
Section 9 Process requirements
9.9 Records
9.9.3 CB shall keep records secure and confidential
9.9.4 CB shall have a documented policy and
procedures on retention of records. Records
shall be retained for the duration of the current
cycle plus one full certification cycle
ISO/IEC 17021:2006
Section 10 Management system
10 Management system requirements for CBs
10.1 Options
10.2 Option 1—Management system requirements in
accordance with ISO 9001
10.3 Option 2—General management system requirements
ISO/IEC 17021:2006
Section 10 Management system
10 Management system requirements for CBs
10.1 Options
CB shall have a management system for demonstrating
consistent achievement of the requirements of [17021].
In addition to meeting the requirements in 5-9 of [17021],
a CB shall have a management system in accordance with
10.2 or 10.3
ISO/IEC 17021:2006
Section 10 Management system
10 Management system requirements for CBs
10.2 Option 1—Management system requirements in
accordance with ISO 9001
– CB shall have a MS conforming to ISO 9001
Scope shall include design and development
Customer focus shall consider the needs of all
parties, not just its clients
Input for management review shall include
complaints and appeals from users
Design and development of new scheme, CB shall
ensure guidance in ISO 19011 is an input
ISO/IEC 17021:2006
Section 10 Management system
10 Management system requirements for CBs
10.3 Option 2—General management system requirements
10.3.1 general
CB’s top management shall establish policies and
objectives
CB’s top management shall appoint a management
rep
10.3.2 management system manual
ISO/IEC 17021:2006
Section 10 Management system
10 Management system requirements for CBs
10.3 Option 2—General management system requirements
10.3.3 control of documents
10.3.4 control of records (records shall be retained for the
duration of the current cycle plus one full certification
cycle)
10.3.5 management review (content more detailed)
10.3.6 internal audits
10.3.7 corrective actions
10.3.8 preventive actions
IAF guidances
In November 2006, IAF resolved that the transition to ISO/IEC
17021:2006 be effective 24 months after publication
– based on the publication date of 15 September 2006, the
deadline will be 15 September 2008.
migrating to the new requirements may require
translations, changes to procedures, contracts,
committees and other arrangements, all of which take
time.
certification bodies will also need time to identify
changes needed to their own quality management
systems to conform to the new requirements and to
prepare and implement transition plans.
– the annexes to IAF GD2 and IAF GD6 should continue to be
applied until superseded
IAF guidances
In March 2006 and reaffirmed in November 2006, the IAF
Technical Committee decided to de-link the annexes (to
current IAF guidance on ISO/IEC Guides 62 and 66) and
publish these as stand-alone IAF application guidance or
requirements
Scopes of Accreditation for QMS
Duration of Audits to ISO 9001:2000
Duration of Audits to ISO 14001:2004
Certification of Multiple Sites based on Sampling
Transfer of Certification
Advanced Surveillance and Recertification
Procedures (ASRP)
Conclusion
Very important standard, since now over 1.000.000
companies are certified in about 200 countries. It will be
the unique requirements document for accrediting bodies
that certify any management system. This will help to
ensure consistent good practice both by accreditors and
certifiers.
Not many guidelines for integrated audits: planning, audit
time, competence of “integrated auditors”, … still IAF will
have to help. So, integrated audits for QMS and EMS are
logical, but the trend will go even more in this direction,
with an auditor auditing “core elements” and sectoral
auditors/experts auditing the sectoral aspects
Things to do … start as quickly as
possible
Involvement of interested parties in analysis and impact on
the system
Internal audits of changes
If you have multiple sites, implementation in all these sites
Personal records reflecting “competence” instead of only
meeting qualification requirements
Practical changes: two-stage audits, report reviewing,
Conclusion
The “new” ISO 17021 document is NOT a simple cut-and-paste
merging of the two current ISO guides combined with
the current IAF requirements, since it now also involves
some current trends in management systems and
accreditation, which will create added value
Evidence needs to be kept readily available by the CB on
impartiality, competence, man days, certification decision,
… less need for AB auditors to review links, CVs, man-day
calculations, certification decisions, … AB auditors can
simply always ask: “I have the perception that something
is wrong, show me that it is not?”
Conclusion
Any CB opposing this standard would mean that the
corresponding AB was doing its work badly – the view of
Belgian CBs that BELAC during the last 5-7 was tough is
completely in line with the new standard
ISO/IEC 17020 and ISO guide 65 will be aligned with this
standard – so CBs, start preparing
It doesn’t make life easier for auditors – the
“old-fashioned ISO 9002” auditor will disappear
From “this one” to “This one”
Thank you BELAC for making sure that most
Belgian CB’s probably already have a lot of work
done … it makes our life as AB auditor easier …