The IAF has released a beta website for its coming international ISO certificate database, called CertSearch. The early code and site layout give us some hints as to what IAF has planned, and nearly every possible consideration of the project appears to suggest it’s doomed.
First, recall that the CBs of the world, led by BSI, made a fuss because accreditation rules required them to manage public-facing “registries” of their certified clients. This was to allow the public an opportunity to verify certificates, and to distinguish valid ones from counterfeit certificates issued by the unaccredited or self-accredited mills, such as Guberman-PMC or American Global Standards. This was, in fact, why we called CBs “registrars,” because they maintained literal “registries.”
BSI and others argued that their competitors were using the registries to “poach” clients, so they complained to their associated Accreditation Bodies, mainly UKAS, ANAB and DAkkS. Those ABs then dutifully carried the message to ISO/CASCO committee, led by Sean MacCurtain, which writes the accreditation rules. Sure enough, the last revision of ISO 17021-1 removed the requirement, and the CBs began deleting their public registries, saving money on the costs of maintaining them. It was a craven caving-in by CASCO, and proved that MacCurtain is a willing shill for the bodies his committee is supposed to be writing rules to control.
With the vacuum, however, the IAF and ANAB saw a way to make some money for themselves, so ANAB’s Randy Dougherty and his friend Jerry Norris, cooked up a scheme to create a new database of their own. But since ANAB was not about to suddenly do anything that resembled its actual job of overseeing registrars, it quickly announced that the new IAF database would be “optional.” Keep in mind, the IAF could have ruled that participation in the database was a mandatory part of accreditation, but it chose not to.
The fact that CBs do not have to participate ignores the decades of history and lobbying by BSI to get the registries removed in the first place. Dougherty and his gang think that suddenly the CBs will voluntarily give up their trophy after they’ve already won. Unimpeded with any sense of logic or common sense, they quickly scurried to create a new LLC so they can collect money from this misguided venture. The money, no doubt, will eventually go to the very same people who set it up. (Norris appears to have already been paid.)
So we know already that the IAF CertSearch is doomed from the start because of its “voluntary” nature. Without 100% participation, if a person searches for a cert and does not find it, they would not know if that meant the cert they were checking was actually invalid, or simply not in the system. This negates the entire purpose of having a cert. Imagine a database of drivers’ licenses that only had 50% of drivers entered into it; this would drive traffic cops nuts, because it would be entirely useless.
Mind you, both Norris and Dougherty know this will fail because they tried this already. The two of them cooked up the same exact thing for the International Associated of Accredited Registrar (IAAR) and ran that on the IAAR website for years. That proved to be totally unreliable because only IAAR members could participate, and even some of those CBs didn’t participate. But guys like Dougherty and Norris are so used to being promoted for fucking up, they pushed ahead anyway. Since Dougherty was still running the IAF at the time, he just thought he’d try again, but this time using the IAF’s logo instead of that of the inept IAAR.
(An ironic aside; the IAAR website is running an alert that its old database was stolen by QMS software maker Jadian, who then republished it without permission. Making matters worse, the intrepid ASQ flagship publication Quality Progress published an article written by Sheronda Jeffries that linked to the Jadian stolen database, because fact-checking is hard. Apparently, Jeffries, who works as a Program Manager for Cisco and is supposed to be a telecom expert, doesn’t know what a subdomain is. It’s another case of the industry cannibals eating each other, for our amusement.)
The only thing that could make this worse would be if the IAF repeated the errors of others who tried the “universal database” approach before, such as the doomed efforts by the former publisher of Quality Systems Update (itself a defunct publication). And by this I mean trying to monetize this by forcing users to buy a subscription and burying the database behind a paywall.
The beta website appears to suggest this is the approach IAF will use, since it has a placeholder for a “Login” feature. If the IAF’s plan was to create a website that any member of the public could use to verify certs, it wouldn’t need users to create an account. But IAF intends on this anyway, and that’s likely another reason the LLC was created: to process payments and administer the accounting of revenue. Because, you know, Elva Nilsen needs a new private plane.
The mistake made by “Whoscertified.com” and the other registries was that it assumed the only people checking certs are buyers in large organizations who check certs in bulk. This is flawed for a number of reasons. First, the majority of searches are made by reporters, members of the public and small companies who are verifying a single cert only occasionally; in many cases, never more than once at all. Next, large companies who this might appeal to — and who can afford the outlandish costs (the cost of searches in “Whoscertified” was astronomical) — have other means of checking QMS validity and won’t pay for a subscription. They can instead rely on beating up suppliers to fill in surveys, and many such companies conduct on-site auditors by their teams of Supplier Quality Assurance auditors. They really don’t need this service.
Let me be clear: nobody checks ISO certificates in bulk. If IAF puts this behind a paywall, they are putting the final bullet in the head of an already comatose patient.
The last point that’s troubling is that the website itself appears to rely on Java, which is one of the least secure ways to develop a website. There were earlier indications that the database itself would be built on SQL, so a Java-based website running SQL means that the IAF’s official database will have all the security of, say, the Oxebridge website. Do the CBs really want to commit to providing data with that low of an assurance of security? There are a lot of bad actors who could have a lot of fun with that data, like selling it to “poachers” and thus ensuring the exact problem the CBs feared to begin with was realized yet again.
The IAF’s efforts to create this database were done, of course, behind closed doors, led by Dougherty and Norris. The public was not allowed to weigh in, nor were any of the million-plus ISO 9001 certified companies whose contact information will be used to pay the IAF and it’s pals.
Which raises a fourth concern: what if an ISO 9001 certified company doesn’t want its information listed? Guess what, the IAF is prepped to rule that even though CBs have a choice to submit their data or not, you — the unwashed end user of the certificates, who pays for all of this — won’t have that choice. You’re stuck with whatever decision your CB makes. If you don’t like it, you will have to switch to a CB that doesn’t participate in Dougherty’s little pet project.
It is remarkable that those administering a standard based on “continual improvement” and “factual decision making” can so openly flout those concepts and press ahead on bad ideas fueled by greed. But there you have it.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.