Oxebridge’s decades-long work in identifying the weaknesses and conflicts of interest within the ISO certification scheme has proven that the world’s certification and accreditation bodies do little to rein in problems. In fact, the pyramid-shaped fee structure of ISO audits creates a condition where those with the most responsibility to root out fraud and corruption have the least incentive to do so.

The International Organization for Standardization (ISO), meanwhile, feigns impotence on the matter. ISO insists it only publishes standards and has no role in certifications. This is wholly untrue since ISO partners with the International Accreditation Forum (IAF) to issue “Joint Communiques” that dictate global certification policies; for example, it determines when certifications to prior ISO standards will “sunset” upon release of a new version of that standard. In reality, ISO takes this position in order to insulate itself from worldwide government scrutiny and liability lawsuits.

The ISO Committee on Conformity Assessment, called “CASCO,” has a direct role in certifications, however. CASCO develops the standard applicable to both certification and accreditation bodies, namely ISO 17021-1 and ISO 17011 (among others). Again, ISO will insist that it has no actual job other than to facilitate meetings, but ISO wields tremendous power through its role as CASCO Secretariat. For many, many years, this position was held by ISO staffer Sean MacCurtain, who only recently stepped down and has been replaced by Cristina Draghici.

These folks will insist that actual standards are developed by CASCO members, but that’s a half-truth at best. The Secretariat retains the power to enforce ISO procedures on CASCO, and one of those procedures is to ensure that there is a fair and representative level of participation by industry stakeholders within all ISO committees. CASCO, however, is overwhelmingly populated by Accreditation Body (AB) and Certification Body (CB) representatives, assuring that the ISO 17021-1 and ISO 17011 standards are written by the people who will ultimately be held to obey them.

This invites a slow dilution of rules in favor of the bodies themselves, at the expense of the public and public safety. For example, whiny CB reps who claimed their competitors were reading their public registries of certified clients managed to manipulate the standards so that public registries are no longer required. This has opened the floodgates for fake ISO certificates, while making it harder than ever to verify certificate authenticity. But BSI is happy because they think Perry Johnson can’t poach their clients.

If ISO, through Draghici, would enforce the rules on committee membership, they would require that CBs and ABs comprise only a small portion of the CASCO committee, rather than nearly all of it. They would not allow meetings to even start until a proper quorum of representatives from multiple stakeholder groups — ISO standards end users, subject matter experts, whistleblowers, public safety groups, and labor unions — were involved.

Corruption On A Grand Scale

Right now, companies can be responsible for deadly product recalls, disasters, scandals, and outright criminal acts without fear of losing their ISO certifications. Worse, by retaining those certifications they then can continue to win more contracts, thus expanding their corruption further, like a criminal pandemic. Look at Odebrecht, the company found responsible for the “Lava Jato” international bribery scandal. That huge criminal enterprise has toppled entire governments, and yet Bureau Veritas continues to certify Odebrecht facilities en masses, ensuring that Odebrecht retains a sheen of respectability and trust, and — more importantly — continues to gain access to government contracts worldwise. Bureau Veritas, in exchange, gets paid huge fees for having Odebrecht as their client. BV went so far as to reward an Odebrecht executive with a Director position. Meanwhile, there’s no indication that Odebrecht has actually stopped bribing government officials, but instead may still be at it.

Clearly, that’s not supposed to be how things work. ISO certifications are third-party attestations that a company meets a certain standard. Because they are literally “third-party attestations,” they are supposed to be trusted over self-declarations. In reality — thanks to the corruption with CASCO and IAF — ISO certifications have become a corporate “protection racket,” where companies pay annual fees to CBs or ABs in exchange for a piece of paper that declares the company is a wholesome, angelic entity capable of no possible harm to anyone. So long as the company keeps paying their CB, they maintain their certificate no matter what.

ISO and other bodies have burned up years pretending to be interested in fixing the problems. Back when ANAB managed the IAF (before China took it over), they spent over a decade on an “Outputs Matter” campaign to try to ensure that ISO certifications were only granted to companies that actually complied with the applicable ISO standards.  Nothing ever materialized, and ANAB has become one of the worst enablers of corruption in the field.

Perpetual ISO gadfly Nigel Croft latched onto ANAB’s campaign in 2010, and has tried to brand himself as the one man capable of fixing ISO’s ills. Happy that few pay attention to his absolute failure in this arena (and nearly every other), in 2018 Croft kept at it, heading up ISO’s “ISO 9001 Brand Integrity Group,” which has turned into an international joke. Croft co-convenes the IAF “Task Force on Fraudulent Behavior” with one of the industry’s most controversial characters, IAS Vice President Mohan Sabaratnam, who has literally argued that accreditation standards don’t take effect until after a certificate is issued.

The IAF, now under Chinese control, tried another angle, launching its CertSearch website with a promise to “end fake certifications” entirely. That hasn’t happened, and the CertSearch database remains half-baked and filled with bad data.

So ISO and its attendant cronies have insisted they were working on fixing the corruption problem since — by my notes — as early as 2002. Which, for those counting on their fingers, is nineteen years ago.

If they were serious about this issue, they would have come up with something by now. They haven’t, and they aren’t.

The Simple Fix

Assuming CASCO doesn’t want to make its membership more representative (and it doesn’t), the other fix is both obvious and simple. CASCO could make a tiny change to ISO 17021-1 that would — with a stroke of a pen — begin dismantling the corruption within the entire ISO certification scheme.

So how, exactly?

Easy: ISO 17021-1 needs to add a single clause that would force CBs to hold clients responsible when things go sideways. This would fall under clause 9.6.4, which defines rules for “Special Audits.” Such language might look like this: Incident-Driven Special Audits

Special audits shall be performed by the certification body in response to incidents involving certified clients which bring doubt or disrepute into the certifications issued. In such cases, the special audit shall focus on the client’s formal responses to the incident(s), in order to ascertain if suitable corrective action is underway or has been implemented. Certification shall be suspended or withdrawn if the special audit reveals that either no corrective action has been taken by the certified client, or if the corrective action appears inadequate to prevent recurrence of the incident.

Note: “incidents” in this context include, but are not limited to, product recalls, disasters, scandals, significant customer complaints, allegations of criminal activity, and government sanctions.

This means that if a CB learns of some dramatic incident, whether by a news report or customer complaint, it would be obligated to ensure the integrity of its certificate by triggering a special audit. Should that audit find the client hadn’t applied any corrective action, or if the corrective action was somehow inadequate, the company’s certification could be temporarily suspended or permanently withdrawn.

This wouldn’t require CBs to have an active incident monitoring system, but they’d also not be able to ignore major news events affecting their clients. They’d also have to address credible complaints filed with them by customers of their certified clients.

But what’s to ensure the CBs obey the suggested “incident” rules at all? In truth, powers already exist for ABs to enforce this as per their own requirements in ISO 17011. There would be no need to update that standard at all. ABs would simply ensure that CBs were using Special Audits when incidents were known, and then trigger de-accreditation if the CB was refusing to do so.

The CASCO Secretariat won’t act on this suggestion itself, insisting it has no power to do so. Instead, the proposal must be brought to a CASCO meeting by a member — and Oxebridge isn’t a member, since the US’s ISO body (ANSI) has largely banned our participation in anything to do with ISO.

This means that if you think this idea has merit, you’ll have to contact your nation’s CASCO member body, and propose that they raise it for inclusion in an updated version of ISO 17021-1. You can find your nation’s CASCO member here.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 45001 Implementation