Click to enlarge

File this in the “ANAB – Oversight Activities – Clueless” drawer.  For years, the ANAB-accredited registrar Bureau Veritas has held an ISO 9001 certificate of its own, issued by ANAB-accredited registrar BSI. And there’s a problem.

We must first wrap our collective heads around the idea that a CB which issues ISO 9001 certificates can be, itself, ISO 9001 certified. Because technically, that’s impossible. ISO 9001 CBs are supposed to be accredited to ISO 17021-1, instead. But that hasn’t stopped the North American offices of Bureau Veritas from obtaining an ISO 9001 certificate anyway, though, as seen on its website.

Next, you have to wonder about the marketing savvy of one CB using the certificate, marks, and logos of a competitor in order to market themselves. This should lead savvy potential customers wondering, “why would I buy ISO 9001 certification from Bureau Veritas, if they buy theirs from BSI?” That would be a valid question.

And one then notices that Bureau Veritas is still claiming certification to ISO 9001:2008, an obsolete standard, prompting another question: if BV is such an expert that it can certify others, how can it have missed that fact that their certificate was expired years ago?

But the real question is just how did all this happen, and how did ANAB — the accreditation body that oversees both BV and BSI — allow it? Especially since there are two specific ISO 17021-1 rules that appear to have been clearly violated here.

The first rule is found in clause 5.2.4 of ISO 17021-1:

5.2.4 A certification body shall not certify another certification body for its quality management system.

So how did Bureau Veritas and BSI skirt this? An examination of the actual certificate, which BV is kind enough to link to, shows that the actual scope of certification issued by BSI to BV doesn’t include management system certification services, but a host of other inspection, testing and product certification activities, spread out over offices in dozens of countries throughout Europe, Africa, Asia and the Americas. So technically, they didn’t get their management system auditing services certified, just everything else.

But it doesn’t really matter, since ISO 17021-1 is clear that all such CB-to-CB certifications are prohibited, period. Scope doesn’t matter.

Also, the Bureau Veritas website places the “ISO 9001” claim on every page of its website, in a footer, so that it appears on pages for services outside of that scope, which has always been prohibited. The rule in ISO 17021-1 clause 8.3.4 prohibits improperly advertising your ISO 9001 certification for services which were not included in the certificate, as well as generally being misleading in your marketing [emphasis added]:

8.3.4 The certification body shall through legally enforceable arrangements require that the certified client:

a) conforms to the requirements of the certification body when making reference to its certification status in communication media such as the internet, brochures or advertising, or other documents;

b) does not make or permit any misleading statement regarding its certification;

c) does not use or permit the use of a certification document or any part thereof in a misleading manner;

g) does not imply that the certification applies to activities and sites that are outside the scope of certification

BV appears to have violated all four of the bullets above, but that last one is particularly important. Since the ISO 9001 language appears on the pages which BV uses to market its management system certification services, average readers would clearly come away thinking — however incorrectly — that BSI has certified BV’s QMS certification activities. You would only know otherwise by finding the cert on the BV page, opening it, and then carefully reading the scope statement and accompanying pages of scope clarifications. Few people are likely to do that, and BV knows it.

It keeps getting worse. BSI confirmed with me that the Bureau Veritas ISO 9001:2008 certificate was canceled outright, but BV just kept marketing it anyway. Remember, this is the sort of thing that BV auditors write you up for during their audits of your company. We’re supposed to believe that no one at either BSI nor BV noticed this for years.

Next, the cert was issued in 2013, but also indicates it was originally granted in 1996, meaning ANAB has been asleep at the switch for over two entire decades ignoring these various violations and conflicts of interest.

I wrote to ANAB’s Lorri Gillespie, and got back the usual frustrating runaround. First, Gillespie was quick to pull an old industry hat-trick: despite language in a published standard saying one thing, behind the scenes the CBs have colluded to develop an “official” position that dilutes or reverses it. Sure enough, Gillespie pointed me to an official “clarification” issued by ISO CASCO — the committee of CBs that writes the ISO 17021-1 rules — which allows one CB to certify another after all, provided the scope doesn’t include their management system certification services. This is not at all what the actual ISO 17021-1 standard says, and no reader of that standard would ever guess that some secret document exists which undoes the literal language of the rule.

If this sounds very much like Animal Farm‘s ever-twisting rewording of “all animals are equal” declaration, you’d be on the nose. Or snout, as the case may be.

But this resolution appeared in July of 2015, which doesn’t explain how ANAB ignored the BV/BSI problem for years prior to that, of course. The rule against one CB certifying another existed explicitly in the 2011 version of ISO 17021 and would have even violated less-explicit rules on conflicts of interest in that standard’s precursor from the 1990’s, ISO Guide 62. So this problem isn’t new; CBs have just been violating the rules for years, and only in 2015 did CASCO update them to give them cover.

But this only relieves ANAB of having to enforce one of the two rules. What of the second, that by marketing ISO 9001 on every page, Bureau Veritas has been improperly inmplying that services out of scope were actually in scope? Gillespie ignored this entirely. Even when I wrote back pointing out that she had ignored it, she doubled down and still refused to address it. Instead, Gillespie said she’d file a complaint on my behalf with BSI (or BV or somebody, it wasn’t clear) on the one thing that wasn’t a violation:

The complaint will be that BVC is marketing an expired certification (by BSI) improperly and ANAB will follow up accordingly with BVC and BSI.

Here, Gillespie shows another common dirty trick of the CB/AB community: you file a complaint, and they arbitrarily and unilaterally re-phrase the complaint into something that leads to a simple, preconceived correction, stripping out the meat of the original complaint. In this case, it’s clear that Gillespie intends to just have Bureau Veritas strip the footer off of their website and call it a day. ANAB wants to give BSI and BV cover, because having to enforce the rules on them puts ANAB’s revenue at risk — ANAB can’t afford to lose either one of the two CBs, much less both of them at once. So BV can take five seconds to remove a footer, and ANAB will wash its hands of that. (UPDATE – see below, as that’s exactly what happened a few hours later.)

To hand BSI and BV the path to that simple fix, Gillespie had to reword my complaint to address, as I said, the one thing that wasn’t a violation. There’s no ISO 17021-1 rule about marketing the wrong version of a standard. It’s stupid and embarrassing, especially for a CB who audits other people for this very thing, but it’s not a violation.

And so, here is what the parties will collectively ignore:

  1. That BV improperly marketed its certification for years, implying services out of scope were actually certified.
  2. That BV improperly continued to market its certification for years after that cert had lapsed.
  3. That BSI failed to monitor the marketing of Bureau Veritas’ use of the ISO 9001 mark, despite being tasked to do so at every surveillance audit, for years.

But don’t worry, in her second email to me — the one in which she ignored the violation a second time — Gillespie tells me that she, personally, is on the job:

I will be working internally with an investigator, whom will get to the bottom of any and all requirements which have been violated.

I feel so relieved.


Sure enough, within hours the BV website was updated to refer to a new ISO 9001:2015 certificate, this time issued by TUV Nord and accredited by the German body DAkkS. Bureau Veritas continues to market the certification on pages out of scope, such as its own ISO 9001 certification services, but getting DAkkS to do anything is even harder than working with ANAB. So ANAB got the exact result it wanted: to be able to have BV change its website footer, and close the case.

No heavy lifting required.





ISO 45001 Implementation