[This series of articles discusses the ISO 17000 family of standards, which are often obscure and complex. For links to the full series of articles, click here.]
ISO 17011 is the standard governing the activities of accreditation bodies, or “ABs.” Before we tackle that, however, let’s review what an AB actually does.
As you know, things — including companies, people, or products — can be “certified”. Essentially, certification is an attestation by a third party that a thing conforms with some standard. So products can be certified against safety standards, people can be certified against industry competency requirements, or companies can be certified against management system standards.
But certification can be done by anyone, including shady characters selling fake certificates over the internet. To add a layer of trust to the mix, “accreditation” is performed to oversee the certification bodies (CBs).
To be absolutely honest, accreditation is merely certification of certification bodies. But to avoid confusion, the industry uses the term “accreditation” to differentiate the two levels.
So while a CB will certify a company, products, or persons, the AB will then “accredit” the CB, with the intent of adding trust to the resulting certifications by providing evidence that the CB itself was attested to by a third party.
So accreditation always sits above certification. It’s key to remember that.
We will discuss the various standards dictating rules for work by the CBs later, but we will start near the top of the pyramid with ISO 17011, which governs how the ABs will accredit their CBs.
Because of their placement near the stratosphere, the role of ABs is crucial. If a CB issues certificates based on bribes, for example, it is the AB’s role to suss that out, and withdraw accreditation from the CB to stop the practice. The thinking, then, is that anyone who holds an accreditation is reliable and trustworthy.
Therefore, the behavior of ABs must be beyond any reproach. They have to keep their hands completely and totally clean.
(As readers of this site know, they fail miserably in this. But I won’t belabor that point here, and instead focus on how ISO 17011 aims to rein in such bad behavior.)
One note: whereas under certification schemes, the conformity assessments are called “audits,” ISO 17011 prefers the term “assessments” for the accreditation industry. It’s another way to distinguish between the two levels (CBs vs. ABs). It’s nerdy and confusing, but important to know nonetheless.
The ISO 17011 Requirements
ISO 17011 breaks down to require some basic controls:
- Impartiality: the AB must have controls (best addressed via procedures) that ensure it can accredit CBs fairly and impartially. This then rolls into control of conflicts of interest (COIs), risk management of COIs, and the need to have objective parties review assessment reports and make accreditation decisions.
This is also the set of requirements that limits what other services an AB can offer, such as consulting for, or certifying the personnel of, a CB that it might later have to assess.
- Confidentiality: ABs have access to confidential information related to the CBs, but also their certified clients. As a result, the AB must have controls in place (again, procedures are likely necessary) to ensure the management of confidentiality. Such rules must spread through the AB organization to all who might touch such confidential information.
ISO/CASCO has overcooked these requirements a bit, due to a large number of ABs actually being on the committee that writes the ISO 17011 standard (a conflict of interest in itself). As a result, “confidentiality” has become an allowed reason to get around all sorts of other requirements, such as being responsive to complaints or providing evidence of addressing COIs. Whenever asked to produce evidence, the AB can (selectively) cite the ISO 17011 clauses on “confidentiality,” as if they trump everything else in the standard.
(Fun aside: when Oxebridge implements an ISO 17011 system, we hard-code language into the AB’s procedures disallowing them from using confidentiality as a rationale to violate other requirements.)
- Establishing Accreditation Schemes: this is a tiny clause in ISO 17011, but it accounts for the largest share of the work needed to implement the standard.
Here is where the AB must define its accreditation programs, how it intends to execute them, and all the other details related to those activities, while maintaining full compliance with the rest of ISO 17011. An AB accrediting environmental management system certification may have a very different accreditation scheme from one accrediting cybersecurity certification, for example.
- Competence: here ISO 17011 gets wordy, going into a lot of detail on how an AB must establish and ensure the competence of the various people working within its scheme. These include assessors, reviewers, technical reviewers, and even its top management.
Ironically, the work necessary for ISO 17011 (for ABs) is less than that required by ISO 17021 (for CBs), as if the ABs wrote ISO 17011 to give themselves a break. Nevertheless, ABs implementing ISO 17011 from scratch often find this to be a heavy lift, and sometimes do a very poor job of it.
- Complaints & Appeals: ABs must have a robust method (again, procedures help here) to manage both complaints and appeals. The standard distinguishes between the two as follows: “complaints” may be received from any party and can relate to anything; “appeals” are specific contests of AB decisions, coming from its CB clients. For example, a CB may appeal a decision by the AB not to grant accreditation.
I find that very simple procedures (using ISO 10002 as guidance on complaints handling) work great, and tying them into the AB’s corrective action system (a requirement we will discuss later) makes it very easy to manage, without needing to create an entirely separate complaints tracking tool.
- QMS requirements: ISO 17011 demands that a minimum quality management system be implemented alongside all the other ISO 17011 requirements. Like many standards within the conformity assessment family, it allows two options: implementing ISO 9001 in full, or implementing a set of key QMS elements (which, as anyone would notice, were lifted from ISO 9001 anyway).
Specifically, the minimum QMS requirements to be implemented are:
- Policies & objectives
- Defining roles, responsibilities, and authorities
- Document control
- Record control
- Control of nonconforming service
- Corrective Action (I typically add “preventive action” on top of this)
- Internal Audits
- Management Review
- Continual improvement
The Accreditation Process
Finally (although the standard itself does not present these last), ISO 17011 details the typical steps of the accreditation process. The standard lays out requirements for:
- New client intake and the accreditation contract
- Developing the assessment program (typically an overview of the assessments which will be required over a three-year period)
- Preparing for the assessment
- Performing the assessment
- Deciding on the assessment result (accreditation issuance or denial)
- Reporting the assessment result (including the issuance of an accreditation certificate)
- Extending, reducing, suspending, or withdrawing existing accreditations
All of these must be covered by the procedure(s) for each accreditation scheme the AB provides.
Wait… Who Accredits Accreditation Bodies?
At this high altitude, the air starts to get thin and everyone gets a little loopy. That’s to be expected. If CBs are accredited by ABs, and ABs have to comply with ISO 17011, who accredits the accreditation bodies?
There are a few pathways here. First, an AB can choose to just stop… and not get recognized by anyone. This sounds shady, but at some point all the oversight has to give way to reality, and let either a nation’s Supreme Court or The Elder Gods do the rest.
Bodies like Exemplar and IRCA, for example, abandoned third-party recognition of their work accrediting training programs, and rely purely on their reputations and names in the marketplace. (Exemplar once held ISO 17024 accreditation, but later abandoned it. They insisted they were going to get it back, but that now seems to have been a fib.) In the aerospace scheme, the IAQG oversees all, but nobody oversees them; they’re not accredited to anything.
In other cases, it may be a federal government agency that oversees the AB and ensures compliance with ISO 17011. That is less common in the United States, but entirely feasible.
For traditional management system schemes, like ISO 9001 and ISO 14001, the ABs involved have elected to undergo peer assessments under the IAF scheme (see the pyramid illustration above). In those cases, the IAF regional accreditation groups (RAGs) coordinate peer assessments to confirm that the AB continues to operate in accordance with ISO 17011. The threat is that if an AB does not, it would be ejected from the IAF membership roster, and that would harm its reputation. We’ll talk a bit more about this later, when we discuss ISO 17040.
So the ABs reside so high up the food chain that oversight begins to get weak. The hope is that the ABs understand just how important their role is in ensuring product safety and the validity of certifications, and that they take it seriously.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.