The accreditation rules ISO 17021 (for certification bodies) and ISO 17011 (for accreditation bodies) are published by an obscure ISO committee called CASCO, or the Committee on Conformity Assessment. They are so deep into the ISO substructure that few users of standards have ever heard of them or read their work; however, they are some of the most powerful people in the world when it comes to ensuring the value, validity and trust of ISO 9001 and related management system certifications.

They are also utterly rife with conflicts of interest, which eventually infect their work products, by continually weakening the oversight of ISO 9001 registrars, and crippling the trust in certifications.

The purpose of ISO 17021 is to ensure that certification bodies (CBs) who issue ISO 9001 certificates do so in an objective manner, under the principles of impartiality, competence, responsibility, openness, and confidentiality. It also requires that CBs be “responsive to complaints.” Much of the text comes from an older document, written by the same people, called ISO Guide 62. This standard has been in place for decades, with the only changes made being those that favor CBs, and push the envelope as far as it can go to stretch those core principles, without breaking them.

ISO 17011 is applicable to the accreditation bodies (ABs) that then accredit the CBs; these are organizations like ANAB in the US, or UKAS in the United Kingdom. The goal of ISO 17011, which mimics 17021 closely, is to ensure that the ABs only grant accreditation to CBs who can regularly demonstrate they are complying with 17021, and operating in an impartial, competent, responsible, open and confidential manner.

Obviously, in an era where ABs never cite their CBs, even in light of them participating in the cleaning up of potentially criminal activity, or where the ABs themselves collude with CBs in the creation of entire certification schemes from thin air, both the letter and spirit of these standards have been violated. When CBs are given a green light to harass, threaten and sue complainants, it’s clear there is no serious enforcement of the rule for “responsiveness to complaints.”

The problem is twofold. First, the ABs are not enforcing the ISO 17021 rules on their CBs, presumably because they are paid by the CBs, and doing so would cost the ABs tremendous amounts of lost revenue. We will leave that for another article, however.

Secondly, the ABs and CBs work to ensure the rules, as codified in those two standards, favor themselves over those that require trust in the certificates, while obtaining the imprimatur of ISO itself as a smug justification. So how can this be? How can CASCO routinely publish standards that ignore the needs of ISO 9001 users, and allow CBs to continue to violate them?

The answer is simple: the committee is almost entirely comprised of former high-ranking executives of Certification Bodies, and the rest work in national Accreditation Bodies. There are no voting members of CASCO that represent ISO 9001 user organizations. 

Let’s take a look. You can find a list of the major CASCO participants here (PDF), in the official minutes of its September 2014 meeting. Of the 20 active participants and CASCO executive team, half have previous experience working for certification bodies:

| CASCO Representative | Former CB Employer |
|---|---|
| Lane Hallenbeck | ABS Quality Evaluations |
| Randy Dougherty | NSF-ISR |
| Nigel Carter | BSI |
| Ian Cleare | BSI |
| Roger Bennett | BSI |
| Graeme Drake | NCS (now BSI) |
| Peter Unger | PRI |
| Alex Ezrakhovich | QMI-SAI Global |
| Christian Priller | TUV-SUD |
| German Lombana | ICONTEC |

Of the remaining 10, seven work for accreditation bodies where the CBs are their paying clients. Only three members could not be confirmed as having CB/AB experience: Sean MacCurtain, Cynthia Woodley, and Hiromichi Fujisawa. Of those three, only Dr. Fujisawa comes close to representing a user organization, as a scientist with Hitachi; but that experience was in scientific research, not related to ISO 9001.

So read that again: not a single member of CASCO represents those that care the most about the validity of ISO certifications. Not one.

It’s also worth noting the dominance of BSI, which will become an important factor in future developments around these issues.

Vice is Nice, But…

Incest: what could possibly go wrong?

What is the implication? It’s simple: when CBs object to key conditions of ISO 17021, they have unprecedented influence in shifting the standard to their benefit, because they are the only influence. There is no oversight at all to verify if the changes made by CASCO are pushing the standards away from ensuring trust in certifications and accreditations, because ISO assumes CASCO will just police itself. Obviously, that’s not working.

Case in point. In previous editions of ISO 17021, the standard invoked ISO 19011 — the standard on auditing — and imposed it on CBs. ISO 19011 had included a valuable Annex B on planning and conducting audits, which included details on how to write nonconformities, how to perform proper sampling, and defining various forms of acceptable evidence, other than mere documentation. Certification bodies balked, however, and so with the 2011 revision of ISO 17021 the reference to 19011 was removed entirely. The Introduction was amended to include the following disclaimer:

The publication of this International Standard includes the text of ISO/IEC 17021:2006, including amendments to delete relevant references to ISO 19011, with new text adding specific requirements for third-party certification auditing and the management of competence of personnel involved in certification.

Regarding the “management of competence” of auditors, where ISO 19011 had dedicated six entire pages to the subject, the revised ISO 17021 featured a single paragraph. ISO TC 176 then released a new standard on auditor competence, ISO 17021-3, which may become part of 17021 proper at some time in the future, but is irrelevant: the new standard features only a page and a half of any material that could be interpreted as dealing with auditor competence.

Another example: where CB auditors routinely harass ISO 9001 user organizations to conduct “annual internal audits” — despite there being no such requirement in ISO 9001 — they themselves have managed to stretch their own internal audit requirements to the point of vaporware. Yes, CBs are required to conduct internal audits of their own systems against ISO 17021, and yes they are supposed to do so annually, except they added the following clause which un-requires the requirement:

Internal audits shall be performed at least once every 12 months. The frequency of internal audits may be reduced if the certification body can demonstrate that its management system continues to be effectively implemented according to this International Standard and has proven stability.

Would any such language ever appear in ISO 9001? Of course not. ISO doesn’t trust companies to achieve “stability” in their processes, even though it allows CBs to run around the world claiming themselves management experts, chieftains in “value-added services” and top practitioners in quality principles. What a joke, given that they don’t even bother to audit their own systems once per year.

In short, the CBs were successful in using their clout on CASCO to have rules stripped down to make their lives easier, reduce their operating expenses, and allow them to engage in a perpetual cycle of conflicts of interest.

Whether or not you agree with this assessment, a more objective reality is evident: in examining the changes made by CASCO to its standards over time, not a single one could be in any way construed as significant to improving the validity and trust of resulting certifications and accreditations, but instead are associated with minor tweaks to concepts raised by CBs themselves, which always benefit the CBs.

ISO has rules that govern the composition of its committees, presumably to ensure that what has happened at CASCO … well, doesn’t happen. They are supposed to ensure a broad representation of stakeholders, and disallow the dominance of any single industry or stakeholder group. Clearly the dominance of CBs on CASCO would violate such rules, but it’s not clear if CASCO — which resides in a weird orbit not necessarily shared by other TCs — would be subject to these rules. Of course, the ISO mothership has won the reputation of being entirely selective in its enforcement of rules anyway, so it would be unlikely to mandate that CASCO improve its composition.

With exactly zero presence on CASCO of any ISO 9001 end user representatives, this of course is inevitable. It means not only are the patients running the asylum, they are also writing the rules that manage every other asylum on the planet.

To call for reform of CASCO, and demand that CASCO improve the composition of its voting membership, write to Sean MacCurtain, and be sure to cc a copy to ISO Secretary-General Rob Steele, since MacCurtain is part of the problem and unlikely to take action.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

