The International Accreditation Forum (IAF) has been forced to admit that its CertSearch database of ISO certifications has failed. In an updated version of its public FAQ document, IAF acknowledges:

IAF CertSearch needs to change because the current funding model has not worked and the database contains only 35% of accredited management systems certificates. This poses a reputation risk to IAF, ABs and CBs. Users of accredited certification have voiced concern that IAF members have not yet addressed this urgent issue. (1) 

There are two angles to unpack here — funding model vs. participation — so let’s take both separately.

Funding Model

The IAF has simply refused to do the obvious — and easy — thing: to work with ISO CASCO to make participation in its database a mandatory part of accreditation. To do this, the requirement need merely be added to ISO 17011, the standard for accreditation bodies. That standard can be updated to require that accreditation be contingent on participation in a global database selected by ISO. Then, ISO would award a sole-source contract to the IAF’s spinoff company, IAF Database LLC (which already exists), closing the loop.

Participation in IAF CertSearch would require payment for management and database administration, to be collected by each CB from each certified client, as a part of each certification fee. This is similar to how the IAQG collects fees to pay for the management of the AS9100 OASIS database, so it’s not rocket science. CBs and ABs don’t pay anything, they pass the costs down to the certified company. The end hit to a user is minimal, because it’s spread out over the entire certification community. Maybe $100 per year at most?

But because IAF is just refusing to do this, it can’t crack the case on how to fund CertSearch. And now it’s making the same mistake so many have tried since the mid-1990s.

Under the “CertSearch 1.0” launch, IAF was sold a dubious plan by its chosen database provider, Quality Trade Pty (of Australia.) Quality Trade saw dollar signs in the data, so wanted to create a B2B “MarketPlace” using the CertSearch database entries. The details get murky here, but documents discussing the deal suggest Quality Trade saw some spamming opportunities. (I will have more on that in an upcoming article.) They wanted to monetize the eventual data.

In exchange for access to this data, Quality Trade agreed to manage the CertSearch database for free. That alone tells you they had serious plans for that data. That, however, didn’t work out either.

From the FAQ:

IAF CertSearch was originally structured to be funded through a cross-sales arrangement with a supply-chain promotion database called MarketPlace. However, due to concerns raised by stakeholders about the cross-selling of services to Certified
Entities the connection with MarketPlace was discontinued. This means that QualityTrade is currently maintaining IAF CertSearch free of charge.

In other words, CertSearch failed to address the main complaint that CBs had been making about all centralized databases: poaching. For decades, CBs have griped that listing their clients in any format whatsoever was an invitation for competitors to scrape the data, and then cold-call their clients, asking them to switch.  BSI was so powerful in making this gripe, it managed to have the accreditation standard ISO 17021-1 rewritten to remove requirements that CBs maintain their own public databases. It’s not clear why the IAF thought the CBs would have a change of heart on this, since they had already won the fight against ISO itself.

So now the same gripe returns; the thinking is that using CertSearch MarketPlace, say, Perry Johnson Registrars could access the list and target its advertising outreach to clients of, say, BSI. They refer to as “cross-selling of services to Certified Entities,” but it basically means poaching. Adding insult to injury, Quality Trade would make a few bucks on the practice, just so IAF didn’t have to pay anything to host and manage CertSearch. Thus, IAF was actually facilitating poaching in order to save itself from having to pay anything for CertSearch!

(Now, the real answer to poaching is that the CBs need to improve their services so their clients can’t be poached, but that never entered their minds. So here we are.)

So, for “CertSearch 2.0,” IAF reached out to CBs and Quality Trade to develop a solution. Note that they did not reach out to end-users of CertSearch, which is what really matters. As a result, they got a garbage idea thrown back at them:

This is not a viable or sustainable option for either party and so the IAF Database Management Committee has investigated several options with stakeholders and QualityTrade and has put forward a recommended option for IAF Members to consider and give feedback on, before a final vote on proposed changes in 2022.

The new changes are a mess, as could be expected. Quality Trade is only out to help itself, and is not really interested in improving the trust of certifications. Its new proposal makes things much, much worse, and has already been attempted multiple times, and always failed.

As there is no requirement on IAF, ABs or CBs to fund IAF CertSearch; the most viable mechanism available is through voluntary user-pays services. The proposed user pays model is funded through two voluntary paid-for-services: Analytical Services (for CBs and ABs and institutional users) and Verification Services (for supply chain verifiers).

Let’s look at these two user tiers.

The “Analytical Services” tier is aimed at researchers and reporters who want to run analysis on the aggregate data, say for market analysis. They will have to be pre-approved, and then pony up a huge fee. Typical industry equivalents can charge as much as $100,000 per year for this level of service, keeping it out of reach for almost everyone. This would be used by the likes of news organizations like Bloomberg or data crunching outlets like Deloitte. The reality here is that the demand for this is likely to be very, very low, especially since ISO already releases its annual ISO Survey data for free.

Unless — and get ready — IAF is gearing up to convince ISO to break the tradition that has existed since the 1990s, and stop publishing the ISO Survey data entirely. I can see that happening, since the ISO Survey is currently an annual black eye for ISO, revealing how certifications are often withering. By handing it over to IAF, and knowing it will cost a fortune, ISO can insist the data is “still out there,” but in practical terms, it will have been firewalled to complete invisibility.

The “Verification Services” tier is the one that average users would utilize. For this, anyone wanting to verify a certificate would pay a small fee for searches. It would even include OASIS-like features, such as watch lists. Now, IAF says that “small and medium sized enterprises will be able to validate up to 100 certificates per annum free of charge,” but it’s not clear how one will get an account. Will IAF pre-approve those users, too? If you exceed 100 searches, what is the fee? Why are they emphasizing “enterprises” as the user base, and not individual Joes and Janes? Will you have to prove you’re a company just to create a login?

It also fails to stop poaching. If I want to poach, I need only create a burner email account to create a login credential, and do my 100 searches. Then, I create a new burner, make a new account, and do another 100. Rinse and repeat. Eventually, with enough burner accounts, I can get the entire client list for any CB I want. If you’re getting paid to market your CB, there’s actually an incentive to spend time doing this.

Also, putting the entire thing behind a login firewall just reduces participation by legitimate searchers. In reality, users need to jump on, check a cert, and leave. That’s likely 90% of the use-cases CertSearch will ever get. If you require someone to log in, then you have to create accounts, have users surrender data (like email addresses), go through the verification, etc. Even if you can do all of this quickly, it will nevertheless turn off the bulk of people who want to jump on and check a cert quickly.

Worse, Quality Trade will have your email data, so you’ll get spammed afterward. They have to make money, and that means selling your info.

The winners, as usual, will be the fake certificate mills. Until verifying a cert is free and easy, the usage will always be limited. Then, fake certificates can go unverified, and the bad guys win.

Finally, this model has been tried already… many, many times. Quality Digest tried to run one, and it failed. The publisher of the now-defunct magazine Quality Systems Update ran one, at WorldPreferred.com, and that died within two years. GlobusRegistry.com also died, and — like World Preferred — now comes up with a dead URL.

It’s been literally true since 1995: throwing ISO certificate verification behind a paywall always fails. 

Yet again, the IAF is ignoring history and repeating the same errors, having learned nothing.

Participation

IAF admits that its plan to make CertSearch voluntary has failed. From the FAQ:

The current voluntary model has not worked, IAF CertSearch contains only 34% of the total potential management systems certification. Users of accredited certification have expressed dissatisfaction that IAF Certsearch is not complete, and that the opportunity to address the pernicious problem of fraudulent certification has not been tackled through IAF CertSearch, as demonstrated during the Covid pandemic with fake management system certificates for PPE and medical devices.

But, as I said, IAF just cannot bring itself to make this truly mandatory. Their idea to accomplish this is a joke:

The proposed model would be made mandatory through Accreditation Bodies (ABs) and will have back-to-back contractual arrangements with QualityTrade and a clearly defined data sharing and management agreement between CBs and IAF Database LLC.

So rather than work with CASCO, as I said, they are trying to force IAF members into making this a contractual requirement — first, between ABs and their CBs demanding the arrangement, and then between CBs and their certified clients. This means that in order to get certified, you’d have to agree that your CB will publish your data in CertSearch. You will also be signing away your rights to Quality Trade to do whatever they like with that data afterward.

Sure, but making this a “contractual” matter, without tying it to accreditation status, is meaningless.

Here’s why that will fail, and only embolden the unaccredited certificate mills. A CB can simply refuse to embed such terms into its contracts with clients, and there’s nothing IAF can do about it. The IAF cannot legally inject itself into a contract between two third parties (the CB and its client). Next, the IAF would claim it was forcing the ABs to police this, which they can’t really do either. But the final question is this: would the IAF really eject any AB for failing to ensure CBs and clients had all the necessary contracts in place? Of course not.

So if BSI or UKAS decide tomorrow they are not going to play ball — and all signs point to them dropping IAF entirely — then IAF would only be left with two decisions: eject their largest, most influential members, or sue in court. Since the IAF has no legal resources whatsoever (nor any budget for legal expenses), they cannot sue. So we are supposed to imagine that IAF would one day eject UKAS or ANAB or JAS-ANZ from its membership.

Which is utter fantasy.

Let’s face it, the IAF has no lawyers. They issued a rule stating they would eject any AB who ignored international law and sanctions against Russia, and then did exactly nothing when its members ignored them. The IAF is facing full-on OFAC violations under US law, and its execs could go to prison, but it still can’t bring itself to enforce its ruling. You think it’s going to enforce some tepid “contractual flowdown”?

The nightmare scenario is that this overreach invites IAF members to drop out. The IAF’s threats are empty, and thus embarrassing. They openly expose the fiction that IAF membership actually matters. Why continue to participate at all, and still risk the “poaching” issue? ABs and CBs are as likely to reject this new model, and — because IAF is claiming this will be a “mandatory” requirement of membership, just cancel their membership.

Now — again — if ISO made this a requirement as part of ISO 17011, then there’s no way for an AB or CB to drop out. They either play or they go open an ice cream stand.

That has always been the only way this can work, and will always be the only way it can work. All this discussion and debating has resulted in decades of wasted time and sunk costs.

But if IAF is only talking to Quality Trade, then of course they are getting bad information.

Meanwhile, the cert mills are loving it!


(1) Compare that honest appraisal with what the IAF was fraudulently claiming back in January of 2021, when IAF rep Grant Ramely wrote (in Quality Digest) that “Currently the database holds information on nearly 100-percent of accredited certification bodies, although not all of them are visible to the public,” and “the database is nearly 100% full of the CABs, as the IAF members uploaded all the CABsthey have accredited under the IAF MLA.”  That was never true, and IAF never issued a correction or retraction, and Quality Digest (of course) can’t be bothered to check what it publishes.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

Advertisements

Free ISO 9001 Template Kit