[This series of articles discusses the ISO 17000 family of standards, which are often obscure and complex. For links to the full series of articles, click here.]
Readers of the Oxebridge site are probably familiar with the “ISO 17021” standard, as we quote it often in our reporting and whistleblower reports related to certification body (CB) malfeasance. It defines what CBs should be doing, but often aren’t.
Officially, the standard is numbered “ISO 17021-1,” the dash number having been added in 2015. The intent is to allow ISO to add a host of standards and guidance documents that support the ISO 17021 mini-family. For example, ISO 17021-2 discusses competence requirements for ISO 14001 environmental system auditors.
(For shorthand, I’m going to just refer to ISO 17021-1 as ISO 17021 within this article.)
ISO 17021 deals with the certification of management systems. As I wrote here, there are other standards that can be used for certification of other types of “systems,” but it’s a difficult chore to figure out which one. Luckily, the identification of a “management system” is fairly easy; these include the major schemes such as:
- ISO 9001 – for Quality Management Systems
- ISO 14001 – for Environmental Management Systems
- ISO 20000 – for IT Service Management Systems
- ISO 22000 – for Food Safety Management Systems
- ISO 27001 – for Information Security Management Systems
- ISO 45001 – for Occupational Health & Safety Management Systems
But potential users of ISO 17021 are not limited to those famous offerings. In fact, a would-be certification body may opt to launch a certification scheme based on some other management system standard that isn’t published by ISO at all, but instead by an industry organization or trade association. The (doomed) “SN9001” program for snow and ice management companies was one such example (albeit botched), but others might include certification of companies under Australia’s NDIS program for disability services management, or the planned certification of cannabis manufacturers under the FOCUS standards.
In fact, a body could create its own management system standards and then offer accredited certification to them under ISO 17021.
The ISO 17021-1 Requirements
ISO 17021 is an important document for both CB users as well as their clients, because it spells out the official rules for the conduct of CBs, and how they must operate. These rules include:
- Impartiality: the CB must have controls (best addressed via procedures) that ensure it can perform its certifications fairly and impartially. This then rolls into control of conflicts of interest (COIs), risk management of COIs, and the need to have objective parties make final certification decisions. Readers of this site know we run into problems here often, as the ISO 9001 CBs often ignore these rules entirely, handing out certifications like candy to anyone who pays. (The Oxebridge Q001 program was built, in part, to stop this bad behavior.) But a hard reading of the standard shows it puts in place controls to prevent this. So the standard itself is fine, and I often say we don’t need a new set of rules to bring CBs into compliance, we merely need proper enforcement.
(I should point out, however, that the rules have been diluted over time, as the CBs and ABs themselves are largely responsible for the development of ISO 17021-1. They actively work to weaken the rules to benefit themselves. But — at least for now — the rules are still sufficient to manage impartiality and objectivity.)
- Confidentiality: CBs have access to confidential information related to their certified clients. As a result, the CB must have controls in place (again, procedures are likely necessary) to ensure the management of confidentiality. Such rules must spread through the CB organization to all who might touch such confidential information.
Here, the problem is that many CBs use “confidentiality” as an excuse to hide records of bad behavior, such as cronyism, favoritism, auditor malpractice, and complaints. That’s not the intent here, and when Oxebridge helps implement ISO 17021, we put additional rules in place to try to prevent this.
- Competence. This is one of the heaviest lifts for new CBs trying to implement ISO 17021. The standard lays out requirements for identifying competence requirements, and these must be heavily documented. The CB must then work to ensure its staff — including auditors, report reviewers, technical experts, etc. — all comply with these requirements.
Then, remember that related standards in the ISO 17021 family (“-2”, “-3”, etc.) define specific, additional competence requirements for auditors within certain management system schemes.
Making things more difficult is the fact that any given scheme is likely to have additional requirements defined by industry organizations, apart from ISO entirely. These, then, must be layered on top of the generic ones provided in ISO 17021. For example, aerospace CBs will have to comply with additional IAQG requirements, and information security auditors will have to comply with additional ISO 27xxx requirements.
- Resources. Resource management for CBs is typically easy as it pertains to equipment and facilities, since there’s not much of an infrastructure overhead requirement for such companies. The big lift here is that ISO 17021 requires the CB to have “sufficient” staff and audit personnel to perform its work. For new CBs, this can be a challenge — finding auditors to populate the initial auditor pool — and often leads to delays in completing their implementation of ISO 17021.
- Complaints & Appeals. CBs must have a robust method (again, procedures help here) to manage both complaints and appeals. The standard distinguishes between the two as follows: “complaints” are received from any party, and can be related to anything. “Appeals” are specific contests of CB decisions, coming from its clients; for example, a client may appeal when a certification is suspended or withdrawn.
I find that very simple procedures (using ISO 10002 as guidance on complaints handling) work great, and tying them into the CB’s corrective action system (a requirement we will discuss later) makes it very easy to manage, without needing to create an entirely separate complaints tracking tool.
- Defining certification activities. By far the most work required for implementing ISO 17021-1 falls within this bucket. The CB must define its procedures for conducting audits, writing reports, reviewing the reports, determining the end certification decision, and all other related activities. For common schemes like ISO 9001, these methods have been developed and matured already, but if a CB wants to work in a more obscure scheme, it may take additional work.
Also, if a CB offers multiple certifications under different standards, the certification activities for each scheme must be fully documented.
- QMS requirements. ISO 17021 demands that a minimum quality management system be implemented alongside all the other requirements. Like many standards within the conformity assessment family, it allows two options: implementing ISO 9001 in full, or implementing key QMS elements (which, anyone would notice, were lifted from ISO 9001 anyway).
Specifically, the minimum QMS requirements to be implemented are:
- Policies & objectives
- Document control
- Record control
- Control of nonconforming service
- Corrective action
- Internal Audits
- Management Review
- Continual improvement
Accreditation to ISO 17021
If you opt to pursue ISO 17021, you would later become accredited by one of the many traditional Accreditation Bodies, such as ANAB, A2LA, UKAS, etc. This typically subjects you not only to eventual witness audits by your selected AB, but also to audits by the various parties within the IAF scheme, such as IAF regional bodies or even the IAF itself.
As a result, there are a number of other documents with which you would be expected to comply (and which may then trigger the creation of additional policies or procedures). These include the IAF “mandatory documents” (or “MDs”) governing things like minimum audit duration, auditor competency, etc., as well as specific add-on requirements from the Accreditation Body you select. ANAB and A2LA have, for example, additional procedures related to the use of their marks, and you must include those in your internal procedures.
Oxebridge can help implement ISO 17021-1; for more information, click here.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.