I cannot overstate the importance of what you are about to read. I am not being hyperbolic, as you will see. UKAS and the IAF have utterly annihilated all remaining sources of oversight, allowing so-called “accredited” bodies to violate long-established rules and laws at will. They will no longer face any scrutiny or accountability.

For those of you who have — for decades — accused me of being Don Quixote, tilting at windmills, you will be happy to know that the windmills have won. You were right. There was never any chance that organizations of such power would ever comply with any rule that limited their revenue, and it was a fool’s errand to spend decades trying to get them to do so.

A Brief History of Whistleblowing

As you may know, the Oxebridge ISO Whistleblower Reporting program has existed for about 15 years, allowing stakeholders around the world to file reports of fraud and corruption in the ISO certification scheme without fear of reprisal. Then, if called upon by the whistleblower, Oxebridge would vet the complaint and convert it into a formal submission to the appropriate oversight bodies. These included the certification bodies involved, their accreditation bodies, and/or ISO or IAF itself. We would invoke rules under ISO 17011 or ISO 17021-1, as well as laws such as the European Union’s EC 765/2008 regulation, to ensure the bodies involved responded properly.

Admittedly, the CBs and ABs did a poor job of things, even knowing that both accreditation and legal violations were at stake. At first, in the early days, the program saw some victories. CBs and ABs were forced to update procedures, marketing tactics, and training programs to ensure complaints were fully and properly addressed. Over time, they grew emboldened by the IAF’s decreasing oversight. ANAB, for instance, has not withdrawn a single accreditation in over nine years now, effectively having stopped its enforcement actions entirely. But they were still answering complaints and taking weak-tea actions, even if their responses were largely symbolic.

Then, around 2022 or so, I noticed that the bodies had stopped answering complaints altogether. I even wrote about it in this piece from 2024. I had gone back and noticed the pattern of CBs ignoring complaints had started around April of 2022. Right around that time, I noticed an uptick in the number of complaints we had to escalate because CBs never responded to a formal filing at all. Then, the ABs and the IAF oversight bodies — including the IAF regional groups — began ignoring the escalations, as well.

What happened? Around that time, the IAF regional body APAC, led by Graeme Drake, developed a policy against complaints filed by “vexatious” complainants. The intent was to silence Oxebridge specifically, but also stop others from around the world from calling attention to Drake’s overt violations of ISO 17011. Under Drake, APAC began allowing anyone to enter the IAF so long as they pay him a fee. APAC performs no serious ISO 17011 peer evaluations on its members, allowing known certificate mills from India and the Middle East to join the ranks of “proper” accreditation bodies. These APAC members then conduct no serious ISO 17021 audits on their CB clients, allowing them to flood the market with fake ISO certificates, even for products such as medical devices and pharmaceuticals. Drake gets paid, so he has no intention of stopping this.

So his “vexatious complainant” policy was never challenged, despite it being an overt violation of ISO 17011. That standard requires that complaints be processed in a formal and objective manner.

(Drake, whose prior experience had been developing standards for ostrich abattoirs — yes, really — is now leading ISO’s work on certification audits for ISO 42001 on artificial intelligence. So he has been well rewarded for his overt corruption, and for sure he will water down the ISO 42001 auditing process so he can enrich himself further.)

But while Drake’s policy was nearly entirely aimed at Oxebridge, he hadn’t yet invoked it. Instead, Drake would slow-walk complaints, delay them, but continue to respond on paper. The end result was the same, to protect his AB members by burying the issues, but he never seemed to have the balls to trigger the policy weapon he created.

Matt Gantley Has Entered the Chat

UKAS had those balls.

As I reported here, UKAS then adopted a similar policy, although it never mentioned APAC or Drake. Instead, they claimed it was based on a policy developed by the UK Local Government & Social Care Ombudsman. This was, I would later find out, a lie. The LGO’s policy did not attempt to define the term “vexatious” but instead relied on the UK courts’ legal definition; it also offered rules requiring some level of processing by even those complainants deemed “vexatious.”

UKAS was not having any of that. Instead, they made up their own views on what constitutes “vexatious,” and provided no recourse whatsoever for anyone branded as such. Under the UKAS rule, complainants must comply with an unwritten, undocumented, and entirely arbitrary set of behavioral requirements to simply have their complaint acknowledged as received. If a complainant fails that test, UKAS can silently delete the complaint, prior to acknowledging receipt, so there is no record of it ever existing. The bodies sitting above UKAS — including the IAF and its regional body for Europe, EA — would never know it exists, since they only check complaints that have been filed. They have no means of verifying things that were shredded.

Certificate issued in December 2024 to Gazprom, accredited by UKAS. Source: IAF CertSearch as of 9 June 2025.

Worse still, UKAS applies this to allegations of criminal behavior by its staff. Recently, we learned that our report on UKAS’ apparent violation of UK sanctions against the Russian military company Gazprom was deleted without any record. While UK law prohibits UK companies from giving support for Gazprom, UKAS continues to accept money from the company and uses it to pay Matt Gantley’s salary. If anyone else did this, they’d probably be arrested for criminal money laundering.

Now, in fairness, UKAS may have a perfectly legal explanation for why it continues to work with Gazprom, but it is refusing to produce that explanation even though it is required to do so under ISO 17011.

Last week, a source from within UKAS revealed that the “vexatious complainant” policy was instituted to silence Oxebridge, just as APAC had attempted. It was reportedly brought to UKAS upper management by Jackie Burton, who holds the ironic title of Process Improvement and Customer Feedback Manager. Burton was Oxebridge’s point of contact for complaint filings at the accreditation body.

The policy was presented to UKAS head Matt Gantley, who quickly agreed, apparently furious over the fact that my editorial cartoons featured him dressed up as “Valdematt.” Gantley brought the policy to the UKAS Board, and they agreed to make it official.

Despite their published policy declaring they will notify a complainant who has been branded as vexatious, UKAS does not do so. Immediately after the approval of the policy, Burton stopped responding and UKAS began deleting formal complaints, destroying the evidence of their existence.

Then, things got worse.

Now, Everyone is Vexatious

First, UKAS had intended the policy to apply to Oxebridge. It took very little time for UKAS to expand that to other people it didn’t like, including Conor Chapple. I have unconfirmed reports that others have filed complaints of varying levels of seriousness and also got the silent treatment from Burton and UKAS.

(The scandal where UKAS has allowed British Assessment Bureau — now Amtivo — to sell QMS consulting via a software package seems to have angered more than just me. UKAS is refusing to process any complaint sent to it on that matter, while it takes Amtivo’s money.)

UKAS wasn’t done yet. Instead, UKAS appears to have worked with Victor Gandy at the IAF to expand the policy across the entire ecosystem of ISO accreditation and certification bodies. The IAF was ripe for such a move. Years earlier, the IAF’s prior head, Elva Nilsen, had requested that Oxebridge stop including the IAF in copies of its complaints. I refused, reminding the IAF that it only has one job — to ensure ABs comply with ISO 17011 — and that if they fail to do that, they could lose their 501(c)(3) tax-exempt status. If only to justify its tax status, the IAF was required to stay informed on matters it was supposed to be monitoring.

For her part, Nilsen shut up about it, but was then replaced by Victor Gandy. Gandy was also reportedly exhausted by the complaints he was being copied on, so it appears he happily signed on to the UKAS policy. However, whereas UKAS and APAC published their policies, Gandy kept his entirely secret. IAF will not even publicly admit it exists.

Now, I do not have firm evidence for this next part, and I can only provide anecdotes. It appears that the IAF silently alerted all its members to automatically ignore any filings from Oxebridge, plus any other complainants that the AB might arbitrarily brand as “vexatious.” The ABs then began adopting this, and we saw it affect the accreditation bodies from various countries across South America, Asia, and Europe. (So far, it does not seem to have hit Africa.) By 2024, none of the bodies were acknowledging receipt of the complaints.

Worse still, the IAF appears to have likewise told the CMMC scheme’s sole accreditation body, the Cyber AB, that they, too, can simply delete complaints filed by Oxebridge. So far, a complaint filed with the Cyber AB in March has gone unanswered.

Next, the IAF apparently instructed its regional bodies to do the same. IAF currently has six “Regional Accreditation Groups” (RAGs), as follows:

  • EA (Europe)
  • AFRAC (Africa)
  • APAC (Asian Pacific region, but covers the entire world anyway)
  • ARAC (Saudi Arabia)
  • IAAC (North and South America)
  • SADCA (South Africa)

Normally, when an AB ignores a complaint, it gets tossed up the chain to the IAF regional body. Since the policy, however, even bodies like EA — which is tasked with ensuring EU member nations comply with the EC 765/2008 accreditation law — have begun ignoring complaint escalations filed with them.

No One is Coming to Save Us

As it stands, you can no longer expect any CB or AB to respond to even a serious complaint, even though ISO 17021 and ISO 17011 require the bodies to process them. The “vexatious complainant” rules violate these standards. Since these dystopian policies were created by the bodies tasked with upholding those standards, there’s no one left to escalate complaints to when CBs delete them. The IAF has officially washed its hands of all oversight responsibilities.

Will tax regulators step in, then? After all, accreditation bodies and related entities are required to do the thing they convinced their governments they do, in exchange for being granted the freedom not to pay taxes on their income. The problem is that they are not doing those things and are operating as for-profit companies. Imagine if I opened a non-profit soup kitchen to feed the homeless. Then, a year after getting my tax-exempt status, I changed it to a commercial, for-profit restaurant, but I continued to claim tax-exempt status. I would be arrested. Not so with accreditation scheme actors.

And governments? Well, national governments have consistently refused to hold their official ABs, such as DAkkS (in the PIP breast implant scandal) or UKAS (in the cases of Randox and Grenfell) accountable. Each time, the ABs have escaped all scrutiny. UKAS recently dodged a call for it to be nationalized after Grenfell, but that was recently scuttled by government officials. Lawmakers in that country do not want to tarnish UKAS, which they view as one of the “crown jewels” of their country’s governance. Likewise, the Italian government refused to investigate ACCREDIA’s continued work in Russia, and Austria’s Akkreditierung Austria worked to (successfully) block an Oxebridge-driven court case in that country over allegations of fraud.

So, governments and tax regulators are not coming. What about the standards bodies?

ISO 17011 and ISO 17021 are written by ISO’s Committee on Conformity Assessment (CASCO). However, ISO refuses participation in CASCO by stakeholders and the public, and it is instead dominated by national standards bodies and the ABs or CBs themselves. (Often, a nation’s AB is owned by the standards body, such as ANAB, which is owned by ANSI.) These parties have then worked hard to dilute requirements against consulting and other restrictions. As a result, the inmates are writing their asylum’s own procedures.

(I recently wrote to CASCO Secretary Cristina Draghici, asking to discuss the problem with her directly; she also ignored the request.)

Courts are no help, either. Instead, they have given accreditation bodies an unprecedented level of deference. In the US, this is largely due to a lack of related case history within ISO accreditations. As a result, lazy attorneys search LexisNexis, Pacer, and Westlaw for anything with the word “accreditation” in it, and they land on cases related to the accreditation of universities. Uneducated defense attorneys often fail to challenge the case law as irrelevant and subsequently lose their cases. Judges then consistently defer to the accreditation bodies instead of holding them accountable.

What about journalists? Unfortunately, the press has shied away from reporting on the ISO and IAF scandals because they are both dull and complicated. Even showing how IAF inaction has resulted in scandals such as Grenfell, Randox, Deepwater Horizon, the Equifax hack, and countless other avoidable disasters, it does not appear that the Fourth Estate will be riding in to provide any serious reporting anytime soon.

Nearly every one of the indicated disasters or scandals could have been avoided had the IAF and its AB members done their jobs.

The last remaining firewall against this corruption had been the right of members of the public and industry stakeholders to file complaints and demand accountability. With the UKAS and IAF move, the entire whistleblowing process is destroyed, and not just for Oxebridge, but for every whistleblower in any country that supports the ISO and IAF scams. Which, to date, is pretty much everyone except China.

Yes, it now appears that China has the world’s only remaining effective accreditation scheme. I’ll have more reports on that in the future.

The Windmills Claim Victory

In closing, I have grim news. I will have to shut down the ISO Whistleblower Reporting program entirely because it no longer serves any function. To merely report problems to Oxebridge, but then not have any way to file them with the proper authorities, means the program is powerless. The bad guys got what they wanted: a total lack of any oversight and accountability.

So, expect things to get worse. As we see, the IAF has allowed LRQA to buy a consulting firm outright, and now it certifies its own consulting clients. That used to be the clear marker of what makes a “certificate mill,” but now it is normal practice for fully accredited bodies. In fact, the entire ISO certification scheme is now one huge, pay-to-play scheme. ISO will strip out rules previously intended to manage conflicts of interest. Anyone daring to file a complaint can be falsely accused of crimes, harassed, threatened, or even arrested (yes, they did that, too). The oversight bodies will continue to enjoy tax-exempt status while doing the exact opposite of what’s in their official bylaws. So, just to add salt in the wound, your tax money is subsidizing this wholesale, global corruption and criminality.

It was a good fifteen-year run. R.I.P., whistleblower program.

Happy World Accreditation Day.

 
