[This post was originally published by Deb Piatt on LinkedIn and is republished here with permission. The original article with comments thread may be found here. Ms. Piatt is a former Executive VP for Metal Alloys Corporation and currently operates AQUEST, a consulting firm offering AI governance risk assessments and management system consulting.]
When the International Organization for Standardization (ISO) published the first edition of ISO 9001 in 1987, the premise was straightforward: organizations meeting the same standard would be assessed against the same requirements. This standardization would enable mutual confidence across supply chains and borders. The standard itself was the requirement.
Nearly four decades later, this foundational principle has become obscured by layers of interpretive documents, policy statements, and guidance notes issued by an expanding network of oversight bodies. What was once a direct relationship between a standard and its implementation has evolved into a multi-tiered system where the published ISO standard represents only one element of the audit criteria an organization must satisfy.
The Bureaucratic Layered System
The conformity assessment ecosystem now comprises multiple organizations, each positioned between the ISO standard and the certified organization:
ISO publishes management system standards such as ISO 9001, ISO 14001, and ISO 45001.
ISO/CASCO (the ISO Committee on Conformity Assessment) publishes standards governing conformity assessment bodies themselves, including ISO/IEC 17021-1 for certification bodies and ISO/IEC 17011 for accreditation bodies.
International Arrangements — formerly the International Accreditation Forum (IAF) and International Laboratory Accreditation Cooperation (ILAC), now consolidated as Global Accreditation Cooperation Incorporated (GACI) since January 2026, publish mandatory documents (the MD series) that add interpretive requirements beyond what appears in ISO standards.
Regional Cooperations such as the Asia Pacific Accreditation Cooperation (APAC), European co-operation for Accreditation (EA), Inter American Accreditation Cooperation (IAAC), and others may issue their own guidance or interpretive documents applicable within their territories.
National Accreditation Bodies organizations such as UKAS (United Kingdom), ANAB (United States), JAS-ANZ (Australia and New Zealand), and their counterparts worldwide, issue policy documents and technical interpretations that their accredited certification bodies must follow.
Certification Bodies develop internal procedures, checklists, and guidance reflecting the expectations of their accreditation body, often shaped by findings from accreditation body witness audits.
Individual CB and AB Auditors base their interpretation of all of these layers of requirements on their understanding of how all this bureaucratic red tape and overreach requirements actually apply to their client’s business.
The Consequences
By the time an auditor conducts an assessment, the audit criteria may bear limited resemblance to what appears in the published ISO standard. Nonconformities are raised for practices that comply with the standard’s text but conflict with an IAF mandatory document, an accreditation body policy note, a certification body procedure, or an auditor’s personal interpretation of a clause.
The certified organization has no practical mechanism to challenge such interpretations. Disputing a finding risks the certificate. The certification body defers to the accreditation body’s expectations. The accreditation body points to GACI requirements. The standard, which the organization purchased and implemented, becomes one input among many rather than the definitive statement of requirements.
The Original Intent
The premise of international standardization was that a certificate to ISO 9001 in one economy would carry equivalent meaning to a certificate issued in another. The mutual recognition arrangements maintained by GACI and the regional cooperations exist precisely to deliver on this promise: “accredited once, accepted everywhere.”
Yet the proliferation of interpretive layers creates the conditions for divergent audit outcomes. Two organizations with identical management systems may receive different audit findings depending on which certification body they engage, which accreditation body oversees that certification body, and which auditor conducts the assessment. The interpretive overlay varies across the system.
The 2026 Structure Changes
The 2026 merger of IAF and ILAC into Global Accreditation Cooperation Incorporated consolidated the international tier, removing one layer of parallel structures. The regional cooperations remain intact, each maintaining its own membership, fee structures, committee activities, and in some cases, regional interpretive documents.
The pathway from certified organization to international recognition runs through multiple fee-paying relationships:
1. The organization pays the certification body for certification and surveillance audits.
2. The certification body pays the accreditation body for accreditation and surveillance.
3. The accreditation body pays the regional cooperation for membership and peer evaluation participation.
4. The regional cooperation participates in the international arrangement.
Each tier maintains secretariats, holds meetings, publishes documents, and conducts evaluations. The costs flow upward through the system; the requirements flow downward.
Implications for Certified Organizations
Organizations implementing ISO management system standards face the challenge that the published standard no longer constitutes the complete set of requirements against which they will be assessed. Compliance with ISO 9001 now means compliance with ISO 9001 plus the accumulated interpretive overlay of every body in the certification and accreditation chain.
This reality is not transparent to most certified organizations. The standard they purchase and implement does not reference the mandatory documents, policy notes, and interpretive guidance that will influence their audit. The auditor arrives with expectations shaped by layers of documentation the organization may never have seen.
Final Observation
The international standardization system that emerged in the late twentieth century was built on the principle that common standards would produce common outcomes. The layered structure that has developed since introduces vast amounts of variations at each tier that can result in different audit findings for equivalent management systems.
Each tier in this structure maintains its own operational costs for secretariats, committees, peer evaluations, document development, and meetings. As these systems grow more complex and as each tier expands its requirements and oversight activities, the fees at every level trend upward. Certified organizations absorb these cumulative increases through rising certification and surveillance costs, often without visibility into how their fees are distributed across the tiers above their certification body.
Whether this complexity serves the original purpose of facilitating trade through mutual confidence, or whether it has become an end in itself, is a question the conformity assessment community has yet to address directly. What remains clear is that “meeting the standard” now requires navigating a system considerably more complex and more costly than the original intent of the standard was.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
