I’m excited to be back at work helping develop certification bodies, something that I had done many years ago, but which fell aside under the flood of AS9100 implementations I did throughout the 2010’s. This month alone I am lucky enough to be working on setting up three different CBs, and it’s exciting work. Not many can do it.

It means I am spending a lot of time in ISO 17021-1, as a real user of the standard, digging deep through it, mining for gems. ISO 17021-1 is a crucial work within the ISO certification world, but you wouldn’t find many people who know much about it. It’s the standard that applies to certification bodies, like BSI and SGS, and which defines their requirements. If you’re certified to ISO 9001, and unless you hired a cert mill, your CB is accredited to ISO 17021-1.

So you’d think the rules governing the industry’s judges would be reasonably well-written.

You’re adorable!

ISO 17021-1 is written by the ISO Committee on Conformity Assessment (CASCO). That committee was, until recently, led by long-time ISO staffer Sean MacCurtain, and is supposed to be one of the more put-together ISO committees. So you might be surprised to see just how terrible ISO 17021-1 is, and how it reveals it was hammered together by a cast of dubiously-qualified characters all firing in different directions.

Now, don’t get me wrong: the rules are important. I’m constantly holding CBs accountable to them, so I acknowledge we need what’s written in 17021-1. It’s just the way it’s written that is both frustrating and hilarious.

For example, the folks on CASCO don’t really know what a “document” is. I’m serious, and you’ll agree completely about two minutes from now. Stick with me.

In prior ISO standards, the text called out the need for “documented procedures” whenever the authors wanted a user to have… well, a documented procedure. Then, the word “records” was used to call out requirements for records.

In the 2010s, though, a new crop of standards developers overtook most of ISO’s committees, and brought with them a need to make things as confusing as possible, to sell their consulting services later. CASCO, which has always been largely populated by CB reps and consultants, was infected with this problem far, far earlier. Back in 1996, the original ISO Guide 62 simply called out a need for “procedures.” By the time that guide was turned into a full standard (ISO 17021), the CB reps had taken over CASCO, and started to muddy things up.  The latest edition — published in 2015 — makes things much, much worse.

Let’s start with clause 5.2 on “management of impartiality.” That clause requires the following:

The certification body shall have a policy that it understands the importance of impartiality in carrying out its management system certification activities….

OK, so it calls out a “policy.” Most will agree that needs to be documented, so there’s not much confusion there. Now we move to the very next paragraph in the same clause, which reads:

The certification body shall have a process to identify, analyze, evaluate, treat, monitor, and document [risks]….

As a former chemical process engineer, this casual usage of the word “process” drives me crazy. ISO 9001 tried to get people to understand process management, but obviously failed. ISO standards developers still do not understand that a process and a procedure are two very different things, and so they use the terms interchangeably. But technically a process may invoke measurement (KPIs, etc.) while a procedure doesn’t; so the distinction is important. If you’re a CB just getting started, you’re already scratching your head, asking, “Am I supposed to write this stuff down or not?”

Moving ahead in the standard a bit, clause 6.1 on “Organizational Structure” then requires:

The certification body shall document its organizational structure….

Okay, that’s clearly calling out a document, even if I wouldn’t know whether the org structure is supposed to be in a procedure or not. One assumes a chart will do.

But then, on just the next page, it calls out something entirely different:

The certification body shall have formal rules for the appointment, terms of reference and operation of any committees that are involved in the certification activities.

“Formal rules?” This, by the way, is a holdover from the earliest 2000’s versions of ISO 17021, and they haven’t edited it since. One can assume that “formal rules” should be written, but to be fair, it doesn’t really say that.

Moving to clause 7.1.1 on “Competence,” the standard then requires this:

The certification body shall have processes to ensure that personnel have appropriate knowledge and skills….

Most will not get upset by this, but the sudden shift to plural (“processes” vs. “process”) is maddening. I’ve had auditors tell me that if the standard indicates a plural, then you must have “more than one” of a thing. Therefore, an accreditation auditor can ask to see multiple “processes” and — assuming they really mean “procedures” — you’d have to produce multiple documents. If you wanted to combine them into one, you’d technically be in violation of the standard. Sigh.

The very next clause, 7.1.2, jumps back to the singular:

The certification body shall have a process for determining the competence criteria for personnel…

Argh! And then, 7.1.3 goes one step further:

The certification body shall have documented processes for the initial competence evaluation…

Now, not only are we back to plural, but here the clause distinguishes that — in this case — the processes must be “documented.” Does that mean in all the other cases, they didn’t need to be documented? Now everything we’ve been assuming up to now is thrown out.

Oh, we’re not done yet. Jumping forward to 8.3.1 we see this:

A certification body shall have rules governing any management system certification mark that it authorizes certified clients to use.

Or clause 9.4.1:

The certification body shall have documented procedures for determining audit time.

Or 9.6.5:

The certification body shall have a policy and documented procedure(s) for suspension, withdrawal or reduction of the scope of certification, and shall specify the subsequent actions by the certification body.

Or 9.7:

The certification body shall have a documented process to receive, evaluate and make decisions on appeals.

Or 9.9.4:

The certification body shall have a documented policy and documented procedures on the retention of records.

Or 10.2.1:

The certification body’s top management shall establish and document policies and objectives for its activities.

Or 10.2.2:

All applicable requirements of this part of ISO/IEC 17021 shall be addressed either in a manual or in associated documents.

Or 10.2.4:

The certification body shall establish procedures to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of its records…

In all, by the time ISO 17021-1 is done, it has used upwards of fifteen different terms referring to stuff that should be written down. Beyond the hard requirements, there are a host of other terms used in the standard which strongly imply the need for a written thing, such as “the certification body shall make clear…” or “the certification body shall provide information on….”, or multiple references to “legally enforceable agreements.”

If CASCO just had an editor, none of this would happen. But ISO can’t afford a proofreader, apparently. Sean MacCurtain had enough money to retire young, so I’m not sure what he was being paid to do, exactly. It certainly wasn’t catching obvious goof-ups like these.

The thing is, this stuff matters. When someone like me is guiding a new CB into developing its various policies and procedures, it helps to know what the accreditation bodies will be demanding to see. It shouldn’t be left up to interpretation, since my interpretation might differ from, say, ANAB’s — and that can mean a costly nonconformity during the initial accreditation audit. Standards are supposed to be beneficial because they ensure everyone speaks the same language about a certain topic; it’s frustrating when committees like CASCO can’t get their writers to speak the same language from one page to the next, in the same standard!

It’s standardization, for heaven’s sake. It’s in ISO’s name! You’d think they could standardize the words they use in their publications.

Well, I suppose I shouldn’t complain. The reason certification bodies have to bring on a hired gun like me to set up their systems is because CASCO has made the ISO 17021-1 standard so impossible to understand. Maybe I should be paying for Sean MacCurtain’s next vacation!

There are precious few people on the planet who can help set up a CB, so feel free to reach out to me if you get stuck and need help. Send me an email… or is it a message? A documented infobite? A digital textogram?

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.

