The IAF is running polls to gather public support for making its CertSearch ISO certificate registry a mandatory part of accreditation. If this comes to pass, every accredited ISO certification body will be forced to enter their data into CertSearch, thus allowing the world to differentiate — finally — between fully accredited certificates, and those of fake “certificate mills.”

What’s so absolutely frustrating is that the IAF has refused this idea since at least 2002 — two decades ago! — when I pushed them to do this very thing.

Told You So

During an Oxebridge speaking tour called “10 Steps to Save ISO 9001,” one of the steps I discussed was to “develop a central ISO 9001 registry.” This would be run by ISO, I said at the time, although I pitched the idea to both ISO/CASCO and IAF. Here’s a slide from that original presentation:

I beat that drum for years. In 2004, I gave a presentation in front of the Independent Association of Accredited Registrars (IAAR), a US-based certification body cabal, which was attended by Reg Blake of BSI and Bob King of ANAB, among others. The idea was met largely with scorn, and IAAR president Pierre Salle made the weird request afterward that I “tell no one” I appeared before them to even make the suggestion. (I ignored him, because that was stupid. But you’ll see Salle had a reason.)

Then, through the manipulations largely of BSI, ISO/CASCO went in the opposite direction and diluted requirements in ISO 17021-1 that CBs maintain their own, individual registries. BSI complained that competitors like Perry Johnson Registrars were using their public registries to “poach” their clients. (Here’s an idea: if your clients can be poached, it means they don’t like your services. Happy clients can’t be poached in the first place.)

After BSI mucked around at CASCO, the rule was removed, and — as predicted — this gave an overnight boost to the flourishing certificate mill industry. Now, there’s no way to differentiate a real certificate from a fake one. Accreditation became largely meaningless since it was not verifiable.

By the 2010s, IAF began to realize its mistake, but — always a slave to the accreditation bodies it’s supposed to oversee — bungled it again. It began mulling ideas for a universal registry, but ANAB quickly took hold of the idea, and put their developer pal Jerry Norris on the job. Norris and ANAB’s Randy Dougherty had actually been paying attention at my 2004 presentation, and ANAB and the IAAR went on to try and create a registrary on their own … explaining, at least in part, Salle’s weird demand that I tell no one I had suggested it to them.

Norris worked on the IAF thing for a while, presumably using the code he wrote for IAAR. But he made no significant headway, and eventually IAF put the CertSearch development out for proper commercial bidding. An Australian firm stepped in to replace Norris, but the damage was already done. ANAB had convinced IAF that any such registry could never be mandatory.

So in 2018, when IAF launched its original plans for CertSearch, I wrote — again — about how it would be entirely ineffective if not made a formal condition for accreditation. And, again, they refused to listen. And, when the “beta” version appeared in 2019, I repeated the argument. IAF refused to listen.

And, yet again again, this proved true. The CertSearch website has been plagued with errors, incomplete information, false information, and even false marketing claims. Worse, the IAF made no compelling case that anyone should enter data into it in the first place. The data is supposed to be entered by CBs, but on their own dime: for large firms like BSI or Intertek, this costs a fortune. They have to hire someone to collate data from their international clients, translate everything into English, enter the data, and then constantly update it. And they have to do all of this without making spelling errors which, given the average intelligence of a CB employee, is asking a lot.

Now before you think I’m sympathizing with BSI, I’m not. These companies have more than God’s money, and can easily afford this. They’re just cheap, and refuse to do so. The IAF failed in providing a clear justification for asking anyone to participate, beyond the empty suggestion that the IAF logo on the CertSearch website would mean something. It doesn’t.

Poor User Interface, Crippled Functionality

Worse still, the CB paranoia led to practical problems with the CertSearch interface that cripples its functionality. For example, IAF put hard limits on search usage; you can only search a few times per day. But because the data is often entered incorrectly, you’ll need a few tries to find what you’re looking for, so you’ll burn through those limits very quickly.

Next, there’s also no way to search for all certs in a given region, or from a given CB, etc. You can only search for one certificate at a time.

But then you’ll find that the data is woefully incomplete. If you search for a given cert, and it doesn’t show up, you can’t know for sure if that means the certificate is fake, or if the CB simply isn’t participating in CertSearch to begin with. If using CertSearch can’t answer the question, “is this certificate valid?”,” then the entire thing is pointless.

So now the IAF is scrambling again, in 2022, to try and convince the CBs that participation should be mandatory. They have run two public polls on the subject, as if the IAF ever cared about public opinion. (They are still supporting Putin, and ignoring international sanctions.) The reason for the polls is simple: this is to bolster their argument to the CBs later, giving them some data to argue their point.

The CBs are unlikely to change position. They are notoriously greedy, stupid, and lazy, like Fredo Corleone at his peak in Las Vegas. And the IAF is impotent, unable to carry out its “one job” and enforce accreditation rules on anyone. So the CBs will reject this, and CertSearch will remain the biggest smoking tire on the junkheap of failed ISO certificate registries.

What needs to happen is that ISO takes this over (as I originally proposed, two decades ago.) ISO needs to have skin in the game, and start licensing their logo on official certificates. It’s the only practical, workable solution, and would put the fake certificate mill industry out of business overnight. Better still, ISO would make a fortune, with almost no overhead. The pennies they’re making on selling standards would be eclipsed by the annual licensing fees collected for ensuring certificates are valid. Like IAQG’s OASIS, they could even partially fund the thing by attaching a $500 fee onto every single certificate issued, for “database management.”

But if IAF is Fredo, then ISO is Paulie. And we know what the Mafia did to Paulie.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 14001 Implementation