If you recall, we filed a complaint with UK-based registrar ACM after we found a Qatar consultancy quoting ISO certification allegedly on behalf of ACM. ACM has since conducted their investigation and concluded that the consultancy — Quality Administration Consultancy (“QAC”) — was dropping their name into proposals without any authority to do so. In short, ACM never heard of QAC and had no idea this was going on.

That excuse might sound pat in most cases, but ACM then did the one thing you’d expect from a registrar, but which is rarely done: they proved it. Furthermore, at no time did ACM adopt a combative, accusatory tone. They never threatened legal action, nor engage in any defamation of either Oxebridge or the whistleblower. They didn’t make physical threats.

They did everything so right, in fact, that their example should be an example to every organization in the ISO certification scheme, from the certified companies all the way up to the IAF itself.

Let’s dissect how ACM pulled this off, while doing so in a way that made it appear nearly effortless.

Acknowledgment of the Complaint

Within about a day of receipt of the formal complaint issued by Oxebridge, ACM notified us that they assigned the issue to a non-executive member of their Board, Chris McHale. McHale is, specifically, a member of the ACM Impartiality Committee. That first step is nothing less than miraculous, given how other CBs respond to receiving a complaint.

What have others done? LRQA responded to a formal complaint by immediately threatening to sue Oxebridge, and then placing a worldwide “server ban” on any emails sent from the Oxebridge.com domain to anyone at LRQA.com, cutting off all communications regarding the complaint. BSI’s Vice President of North American Business Development responded to a complaint by threatening to kill me; he was fired two weeks later. TNV Certifications is threatened legal action and accused Oxebridge of defamation for filing a complaint. SIS Certifications just deleted the complaint after 20 minutes.

ACM, instead, forwarded the complaint to a member of its Impartiality Committee, who responded back with a calm and cool acknowledgment. That took nearly no effort on their part, either.

So ACM got an A+ within the first day, just by being professional in its acknowledgment of the complaint.

Communicating Status of the Complaint

A requirement of ISO 17021-1 is that the CB must communicate the status of the complaint to the complainant. Here again, ACM excelled. Even though barely any time had passed, McHale sent a polite email to me indicating that the process would be delayed slightly because he was on travel. The delay was to be all of a week — not six or seven months like it takes ANAB to process a complaint. A single week delay triggered a polite notification from ACM.

Again, A+. And it wasn’t hard to do.

Investigation and Response

Even with the week delay, ACM managed to respond in less than one month. That would normally give me concern, thinking the CB rushed their work, but McHale provided a massive 5-page investigation report that not only provided ACM’s conclusions, but detailed how they came about their answer, the methods used, and even some of the evidence they examined.

Normally, CBs and ABs respond back with a single paragraph or two denying the complaint, refusing to provide any insight on the process or evidence by falsely invoking “confidentiality” as the reason for their lack of details. ANAB’s Lori Gillespie is an absolute master of this, but UKAS and BSI and LRQA and NSF and a dozen other bodies have shown the same tendency.

Most recently the accreditation body IAS has done the same thing, watering down the original Oxebridge complaint’s allegations, and then addressing only their diluted, paraphrased version of events, providing no evidence at all to support their conclusions. IAS then cited “confidentiality” as the reason they didn’t provide evidence. Riiighht….

I’ve always argued that a CB can respond to a complaint and provide ample justification for their answer — even when denying the issue — without providing “confidential” information.  Short of a subpoena — which some of these bodies may still wind up getting — you can’t prove or disprove their position. Clever.

ACM’s response, however, was broken down into three main parts. First, McHale provided a rough description of their conclusion; ACM had no knowledge of QAC’s name-dropping them, and never gave them permission to use their name in the first place. Fair enough.

Next, McHale provided a detailed bulleted list of what evidence he examined, which included a number of things not even mentioned in the original complaint. This means they (rightly) went beyond the limited scope of the complaint to address the problem holistically.

Next, McHale spent nearly an entire page on the process that ACM used to conduct its investigation. Again, he was able to provide sufficient details without ever violating anyone’s confidentiality.

Finally, McHale provided a line-by-line answer to each of Oxebridge’s specific allegations, addressing each of them separately. They did not dilute the allegations, and then address paraphrased versions of them. They addressed the actual allegations.

Paying attention yet, IAS?

Each of ACM’s answers was then justified, too. There was no ambiguity left in the answers, making it clear that ACM took this seriously and performed due diligence.

Voluntarily Admitted Lapses 

ACM then did yet another thing that is unheard of: it admitted that during its investigation it found some troubling social media posts that name-dropped ACM, but which were not mentioned in the original complaint. They actually went out and found additional concerns, rather than intentionally isolating their work only to address the specific evidence found in the complaint. They then reported these bad actors to local authorities, as they should. Astonishing.

Improvement Opportunities

Finally, despite having found it didn’t violate ISO 17021-1, ACM didn’t gloat. It didn’t end the response with a snarky threat or nasty middle-finger to Oxebridge. Instead, it took on some action items to help prevent the problem from cropping up again, to the extent that ACM can even stop bad actors from using their name. This includes the extraordinary step of sampling regional consultants’ websites to make sure the ACM name isn’t being used by others without permission.

This is how complaints are supposed to be processed. Sure, no one likes a complaint, and if the complaint is disproved, it’s probably even more irritating But ACM took the feedback in and found ways to use it to improve. It will now likely face less bad actors using its name in vain, too.

Whereas bodies like IAS, ANAB, NQA, BSI and the rest wind up torching their reputations by responding in angry, dismissive or passive aggressive manners — a short-term gain that does irreparable long-term damage — ACM flipped the script. It’s very short term need to answer a complaint has won it long-term reputational improvements.

You can’t put a price on that.

So, kudos to ACM. Well done.


As a side note, it was since discovered that the consultancy QAC is a very, very shady organization. Not only do they use ACM’s name without permission, they claim to hold their own ISO 9001 certification issued by a defunct fake registrar called Mark Global Certifications. The Mark Global website hasn’t been working for years, but QAC nevertheless provided a fake ISO 9001 certificate with a recent date on it. That cert also claims accreditation by DAB (Deutsche Accreditation Board), another fake body with an equally out-of-date website. According to DAB, they are still accrediting registrars for ISO 9001:2008. Both Mark Global and DAB have been outed as frauds on online consumer gripe websites, so you know the kind of people QAC are.

We’ve alerted our friends at ISOBench.org to update their database of certificate mills to include both DAB and Mark Global.



About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 45001 Implementation