As one of the few consultancies in the world that can implement ISO/IEC 17021-1 (we call it “ISO 17021” for short, but that “-1” is important), I thought it might be useful to write an article on just what is involved. This way, potential certification bodies (CBs) can decide for themselves if they want to tackle the job alone or use a consultant like Oxebridge.

One note ahead of time: no, I am not intentionally making this sound difficult so you will throw up your hands and hire us. But anyone doing the opposite — suggesting this is easy — is lying, and your CB would only suffer later when you applied for accreditation.

Also, there are some scammy Indian companies offering ISO 17021-1 template kits. Avoid these. They will not be customized to your organization, and you risk losing a lot of money on accreditation when the AB fails you during your final assessment. If you think you can become an accredited CB for only $500, then you are not ready to manage a CB and may want to rethink your choices. Being a CB is a serious responsibility and requires sober professionals at the helm.

The first thing to understand is that ISO 17021 is for certification bodies that intend to certify the management systems of client companies. This is not about certifying persons, individual processes, or products. ISO 17021-1 applies if you intend to offer certification to any of the ISO management system standards, like ISO 9001, ISO 14001, or ISO 45001. (For a full list of what ISO calls “Type A MSS’s,” click here.) This may also be used for certification of other management system standards that are not published by ISO.

If you are a CB looking to certify people, processes or products, ISO 17021 is not for you. See this page for details on the family of ISO 17000 standards.

Step 1: Obtain and Read the Standard

The first thing to do is buy a copy of the latest edition of ISO 17021-1, which (as of this writing) is the 2015 edition. ISO has it for sale here, but you may be able to get a cheaper copy from your country’s national standards body.

Just be sure you buy the “dash 1” standard, which is literally numbered ISO 17021-1 and not the older version when it was just called “ISO 17021” (without the -1 at the end). Also, be sure you don’t buy the wrong dash number standard, like ISO 17021-2. You might need them later, but for now, just get -1.

The standard itself is broken into clauses, like any other standard. Since it’s not a management system standard, it doesn’t follow the Annex SL structure you might be used to. That’s a blessing here. The main clauses are:

  • Clauses 0 – 2: Introductory front matter
  • Clause 3: Terms and Definitions. These are useful, so you should not skip over this part. Some will prove to be crucial.
  • Clause 4: Principles. These are also crucial, although do not comprise requirements per se. They help define the “spirit” of the requirements later.

The next clauses represent the requirements for the CB; these are mandatory.

  • Clause 5: General Requirements. This section defines requirements for the legal and organizational structure of the candidate CB, including an absolutely crucial sub-clause on impartiality. It is here where ISO 17021 starts to paint a picture of how a CB must be independent of consulting and other conflicted practices and companies. I always urge new CBs to read this section and take an honest look at whether they can really comply with the impartiality sub-clause. So many potential CBs are performing consulting that they cannot get past this first hurdle, and if they cannot, they are not ready to get accredited to ISO 17021.
  • Clause 6: Structural Requirements. Even though the prior clause began discussing this, this clause (6) now goes into further detail on how the CB must be organized. It goes into more detail on impartiality and how the CB must manage any related companies, branches, offices, etc.
  • Clause 7: Resource Requirements. This clause goes into detail on various resources necessary for the trustworthy operation of a CB. These include competence, personnel, external auditors, and external technical experts. It concludes with rules and restrictions on outsourcing any key activities.
  • Clause 8: Information Requirements. Here, the standard defines crucial information to be created and maintained by the CB, beginning with “public information” that the CB must publish to instill confidence and trust in its operations. Then, the clause defines the requirements for certifications issued by the CB and the rules that the CB must develop to control the use of its logo, certification marks, and other references to certification. The clause then includes a large, although somewhat easy-to-implement, clause on confidentiality. The clause ends on a lengthy and complicated sub-clause on “Information exchange between a certification body and its client.” This last part goes over various types of communication the CB may have with its clients, such as change notices, and the rules for managing them.
  • Clause 9: Process Requirements. This clause is very large and begins to define the mandatory steps a CB must use to issue an accredited certificate. Specifically, this involves:
    • The application process (for when clients apply for your certification services)
    • Audit programming: here is where you determine the full program of audits to be performed for the client over the first three-year period.
    • Audit duration: how to calculate audit time based on employee count and other factors. This one causes a great deal of headache for new CBs. It pulls in a variety of additional standards and requirements, depending on what ISO certificates you intend to issue. If you want to certify clients to ISO 27001, for example, you will now have to buy and understand ISO 27006, which will have more details on audit duration. You will also have to comply with third-party rules like the IAF Mandatory Document 5 (MD5), which is not explicitly called out by ISO 17021-1, but which is required nevertheless. Casual readers are unlikely to know this last fact.
    • Multi-site sampling rules for when the client has a variety of sites.
    • Multi-standard rules for when a client wants to combine different ISO standards into a single certification audit by you.
    • Audit Planning. This is different from “audit programming” (above), and many new CBs get them confused. Audit planning is the development of individual audit plans for each of the audit events determined during audit programming. This will include determination of the scope of audits, determining the audit team members, identifying any technical experts or observers, and then documenting and communicating the final audit plan.
    • Initial certification. This is the first certification audit performed by the CB and is typically the most complicated. It is broken into two stages, Stage 1 and Stage 2, and the rules for both are fully defined here.
    • Conducting Audits. Here, the standard goes into detail on how audits are to be conducted, how evidence is to be gathered, meetings, report writing, and rules for reporting nonconformities.
    • Certification Decision. This section defines what to do after the audit is complete, and the CB must issue a final up-or-down certification decision. This is another sticking point for many small CBs, as the certification decision must be made by someone other than the audit team. Typically, this requires a Certification Review Committee (CRC) or some similar body. This, then, ropes in a whole host of additional requirements for the makeup of the CRC: who is allowed to be on it, their competence, impartiality, etc. It’s not a small thing.
    • Maintaining Certification. This section assumes the client is certified by you and now must undergo annual “surveillance” audits. It defines the rules for subsequent surveillance audits and then, at the end of the 3-year mark (essentially at the beginning of the fourth year), the rules for “recertification” audits. It then goes into rules for special audits, scope extensions, and scope limitations. The clause includes a section on appeals and complaints (see next bullet) and ends with rules on the CB’s required client records.
    • Appeals and Complaints. Technically, this part is still part of the “Maintaining Certification” sub-clause, but it’s such an important point, it’s worth isolating for full understanding. You must have a written procedure on handling appeals and complaints (or a separate procedure for each). The rules here are crucial for a good, trusted CB, and most bodies do a poor job here. Bungling this leads to a lack of confidence in your CB, which competitors can latch onto as a way to market against you. Plus, getting appeals and complaints right is obviously the right thing to do.
  • Clause 10: Management System Requirements: this clause then defines the management system requirements for the CB itself. It’s a somewhat diluted version of ISO 9001, and you have two choices. “Option A” allows you to build a management system around requirements defined directly in the next few sub-clauses of Clause 10, while “Option B” says you can just implement ISO 9001 instead. You pick. If you opt for Option A, it then defines the requirements for a management system, such as having an overall manual, document control, records control, management reviews, an internal audit program, and a corrective action system.

One note on that last part. A CB cannot be, itself, ISO 9001 certified. The rules prohibit one CB from certifying the quality management system of another CB. They can certify other types of management systems, but not your QMS. So you can have your CB certified to ISO 27001 for information security management, but not to ISO 9001.

Step 2: Check the Organization’s Structure

With the standard in the back of your head, now you must verify that the structure of your CB aligns with the requirements of the standard and that there are no structural conflicts of interest that would prevent you from conforming. For example, if your CB operates a consulting company, that’s not allowed. You have to be structured in a way that ensures objectivity and impartiality in all certification decisions.

This typically requires documenting the CB’s structure, and I recommend creating an “Accreditation Manual” that defines your CB management system for the purposes of accreditation. This will become necessary later on, so starting the manual off by documenting your structure, to prove it is objective and impartial, is a good start.

Step 3: Impartiality Management

I typically do this next as it dovetails nicely into the prior activity. With your organization documented, you can start to identify risks to impartiality. I will have another article on this shortly, but the work here can be complicated. You need to identify and manage conflicts of interest (COIs) in multiple directions and from different angles.

For each of these, you will have to create tools (typically risk registers) that show how you have identified the COI risks and then mitigated them to ensure your impartiality. A procedure is typically necessary here.

Step 4: Confidentiality Management

This one is easy. You have to implement confidentiality agreements and, likely, a procedure to ensure information remains confidential. This will mean having employees, subcontractors, and other parties sign agreements before work with them can begin.

Contrary to a common trick used by CBs to get out of processing complaints, however, the confidentiality rules do not extend to informing complainants on resolutions and actions taken related to complaints. You can invoke confidentiality when dealing with complaints, but it’s a sure sign your CB is being shady. Not recommended, even though all the big CBs do it.

Step 5: Resource Management

Now you can begin to identify the necessary resources for your CB. This will primarily be your employees and auditor pool, but will also include physical assets (hardware, offices, etc.) and “soft” assets like IT resources, etc. For each, you need to decide how you will onboard them, validate them, use them, etc.

If you intend on doing remote audits — and it is likely you will — then you need to also put in controls for performing audits using Remote Auditing Methods, or what ISO refers to as “ICT” (“information and communication technology”). More procedures here ensure good control.

Step 6: Competence and Training

This next step requires you to start defining the competence requirements for employees, auditors, technical experts, and certification review personnel. Then, you have to provide training to ensure that competence where needed.

The biggest effort here is typically made around ensuring that your auditors meet all requirements. This starts to rope in a variety of additional standards from the applicable ISO certification scheme you intend to work in. For example, if you intend to offer ISO 9001, there are other standards that define requirements for ISO 9001 Lead Auditors and (non-lead) Auditors. For ISO 27001, there is a host of cybersecurity-specific requirements for auditors.

There are also requirements for those responsible for certification decisions, such as your CRC members (we will get to that in a minute). So while a lot of this work is done around your auditor pool, there’s more to it.

Step 7: Information

For this step, you will want to start documenting your system (per a Manual and procedures, as recommended above), but then decide which of these will be made public. Some must be (like your complaints handling procedure and a general description of your certification process), but others may not need to be published externally.

This step will remain open until the end, since you will continue to create new documents and forms, and some of those may need to be made public. But you can start this here.

Step 8: Build Your Certification Process

This is the most complicated step, apart from the Impartiality one earlier. Here, you will create your entire auditing and certification scheme methods and approach, including all the bullet points I included in my explanation of Clause 9 above.

This requires adding a lot of procedures on audit planning, audit programming, performance of auditors, etc. You will then have to add the additional scheme requirements from supporting standards, like ISO 27006, ISO 20000-6, ISO 42006, etc., depending on which ISO standard you are offering certification to.

Then, you must research specific additional requirements demanded by the Accreditation Body (AB) you intend to pursue accreditation with. So, ANAB may have additional requirements that differ from JASANZ or UKAS. At this point, then, you should decide on which AB you will be using and build your system around its specific requirements.

Do not reach out to your selected AB yet! They will start to shove you onto their calendar and demand documents from you, but you are not ready yet. Just do your research, and if you do talk to them, be sure to insist that you are not ready and don’t sign anything. As soon as you sign an AB agreement, you have to pay them, and the clock starts ticking. If you don’t complete the rest of the steps within 6 months or so, they can toss out your contract and force you to sign up again and pay all over again. It’s free money for them.

Finally, you need to research the library of IAF documents, including the Mandatory Document (MD) series, to ensure you comply with those, as well.

What I do is typically create a Certification Scheme Manual for each certification the CB intends to offer. So, one for ISO 9001 audits, one for ISO 27001 audits, etc. Each Certification Scheme Manual then defines the rules for conducting audits under that scheme. Much of the content will be identical between them, but a lot might not be. In some cases, a single Certification Scheme Document can be used for all the schemes, but it can get complicated and confusing. The approach here depends a lot on the number of standards you are offering certifications for and the complexities of the various supporting requirements.

Step 9: Complaints and Appeals Procedures

Now you should build a robust complaints and appeals procedure. This is fairly easy to do, but it does require thought to ensure your methods are robust, objective, and transparent.

A note on the difference in terms. “Appeals” represent when a CB’s client disagrees with a decision, such as a suspension or withdrawal. “Complaint” is pretty much anything else, where any third party has a complaint about the CB’s activities.

Step 10: Management System

Next, you have to implement the basic MS controls required by either ISO 9001 or the Option A rules of 17021-1. This means creating procedures and methods for document control, record control, corrective action, internal audits, and management review.

It’s a good idea to hold an initial management review at this stage, but set your expectations: it will be messy and ugly the first time. You’ll do another one later that will make it all look cleaner.

Step 11: Get Pilot Clients

Now things will get difficult. Your CB must offer a few non-accredited audits and certifications in order to generate records and evidence you will later use when you undergo your accreditation by your selected AB. That means you need to find clients who are willing to (1) undergo a non-accredited audit now and (2) wait to have any certifications you issued converted to accredited certificates later. That’s tricky, and many clients may not agree. Typically, new CBs offer discounted rates to such “pilot” clients.

Step 12: Perform Pilot Audits

Now you will perform actual conformity assessment audits using all your procedures and methods for those pilot clients. This will stress-test your systems and ensure everything is working as planned. You will likely find problems and have to adjust your methods accordingly; update any procedures along the way, if necessary.

You can issue certifications to pilot clients, but be sure they do not include any language suggesting you are accredited. You are not.

You should have at least two pilot clients certified before going much further.

Step 13: Perform Internal Audits and Management Review

With a few clients under your belt, now you have enough evidence to begin surviving audits (hopefully). Schedule your internal audit against ISO 17021-1 and conduct that, using your corrective action system to resolve any findings. Then hold your management review; this will now be much more orderly and organized than the prior one.

Step 14: Reach Out to Accreditation Body

Now you will want to contact your selected AB and begin the application process. You can pay them and submit your documents because you are fully ready. Schedule your accreditation audit and wait for the fun to begin. And by “fun,” I mean that in the medieval dentistry sense.

Step 15: Undergo Accreditation Audit

You will then go through your audit with the AB, who will identify problems. Use your corrective action system to close them. It will likely be an annoying, dull, drawn-out affair, and you will be underwhelmed with the AB’s auditors. They don’t have a lot of control, so your AB auditor might be the type who goes easy and sleeps through the whole thing, or he might be a would-be Napoleon with a dictator complex. There’s no predicting this. Stay calm and rely on your corrective action system to resolve the findings.

Step 16: Implement Accreditation Mark Rules

Now you will update your procedures on logo use to include the use of the AB’s logo and name. The AB will have a procedure on this, and you must comply with that. Update your procedures to ensure this compliance, and then update your certificates to include the logo. Do not send these to your pilot clients, however.

Step 17: Convert Your Pilot Clients to Accredited Certs

Once you get accredited, talk to your AB about how to convert your pilot clients over to fully-accredited certificates. Normally, this is done during the next routine audit for each client. It is not automatic. You may want to offer a low-cost “Special Audit” that can be done prior to their next routine audit. But get your AB’s advice on this, as each AB has a different take on this unusual step.

Step 18: Maintain Accreditation

Now you have to maintain accreditation. This means ensuring you continue to follow all your procedures, do internal audits, and do management reviews. You will likely have to be re-assessed by your AB every two years, so if you let your system slip, you can lose your accreditation. Don’t let that happen.

If you get stuck, of course, reach out to Oxebridge for help.
