In recent days UKAS ruled that BSI’s Entropy® software does not constitute consulting, and therefore BSI has not violated ISO 17021 by then certifying Entropy® users.

We here at Oxebridge have argued otherwise. So who’s right? Let’s check facts.

First, let’s look at the actual prohibition in ISO 17021, the accreditation standard that BSI is subject to, and for which UKAS audits them. ISO 17021 clause 4.1.2 it sets the tone for the standard:

The overall aim of certification is to give confidence to all parties that a management system fulfills specified requirements. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third-party.

It then goes onto define the principals which ensure such trust:

4.1.3 Principles for inspiring confidence include:

  • impartiality,
  • competence,
  • responsibility,
  • openness,
  • confidentiality, and
  • responsiveness to complaints.

The one we want to focus on is impartiality. There, ISO 17021 explains further:

4.2.1 Being impartial, and being perceived to be impartial, is necessary for a certification body to deliver certification that provides confidence.

4.2.3 To obtain and maintain confidence, it is essential that a certification body’s decisions be based on objective evidence of conformity (or nonconformity) obtained by the certification body, and that its decisions are not influenced by other interests or by other parties.

It then defines potential threats to impartiality, including (emphasis added):

b) Self-review threats: threats that arise from a person or body reviewing the work done by themselves. Auditing the management systems of a client to whom the certification body provided management systems consultancy would be a self-review threat.

So we’ve established that certifying a consultant client is a threat to impartiality. But is it explicitly prohibited? Yes, under 5.2 “Management of Impartiality”:

5.2.5 The certification body and any part of the same legal entity shall not offer or provide management system consultancy.

5.2.7 The certification body shall not certify a management system on which a client has received management system consultancy or internal audits, where the relationship between the consultancy organization and the certification body poses an unacceptable threat to the impartiality of the certification body

The next question, then, is what constitutes “consultancy”? The glossary at the beginning of ISO 17021 tells us:

3.3 management system consultancy: participation in designing, implementing or maintaining a management system


a) preparing or producing manuals or procedures, and

b) giving specific advice, instructions or solutions towards the development and implementation of a management system.

The definition then gives the registrar some wiggle room, by allowing certain activities that otherwise someone might see as consulting:

NOTE: Arranging training and participating as a trainer is not considered consultancy, provided that, where the course relates to management systems or auditing, it is confined to the provision of generic information that is freely available in the public domain; i.e. the trainer should not provide company-specific solutions.

I won’t get into a legal discussion on how whacked-out that definition is (a public course is not “public domain” and the course material is not “freely available” if you charge for it.) The important point here is that the trainer (i.e., the registrar) cannot provide “specific solutions.” Keep that point in mind as we move ahead.

The final definition that we will need in hand is that of “procedure.” For that, we have to go to ISO 9000:2008, which (for you detail perfectionists) is listed in ISO 17021 as a normative reference, so it’s legally required:

3.4.5 procedure: specified way to carry out an activity or a process

NOTE 1 Procedures can be documented or not.

NOTE 2 When a procedure is documented, the term “written procedure” or “documented procedure” is frequently used. The document that contains a procedure can be called a “procedure document”.

So, with all of these hard, cold requirements in hand, we can summarize, thusly: a registrar must maintain confidence by ensuring impartiality. A threat to impartiality is the certification of a client for which it provided consulting. Consulting includes the preparation of procedures. A procedure is any specified way to carry out an activity. Therefore: a registrar may not certify a client to whom it has provided a procedure.

Simple, right?

Not So Fast, Sparky

Now, remember, UKAS has ruled that BSI’s Entropy® did not breach any of this, that Entropy® is nothing more than “an audit template” and is not consulting nor a procedure. UKAS thus permits BSI is to continue to certify Entropy® users, and to sell Entropy® as part of its certification services.

So the next logical debate to have would be, “is software a document?” Well, we don’t even have to go that far, because every user of BSI Entropy® receives a set of various… erm, “written word things” alongside the software. This includes a set of documents defining how to use the software, along with on-screen help documentation.  So we don’t even have to discuss the software aspect ; let’s just focus on the supporting documents provided to each Entropy® user.

Looking at just the CAPA module, the help screens appear like this (click to enlarge):

Entropy screencap CAPA


Here is a similar screen for the internal audit module (click to enlarge):

Entropy screencap audits

Looking at just the last example (auditing), notice the format: it is literally a numbered list of steps; you can’t see it in these screenshots, but the header each section is called “Step by Step.” Next, look at the actual language used.  The steps tell the reader how to do things. For scheduling, for example, the help screen literally reads “to schedule an audit, do the following.”  That sentence utilizes the imperative verb form, providing a command…  or, if you will, a specific instruction.

In the CAPA screenshot, we see similar imperative commands: “set a priority for the action” and “record how much the action will (or did) cost.”

Which means, of course, thse help screens literally and unambiguously define “a specified way to carry out an activity or a process” — meaning they meet the definition of “procedure” per ISO 9000, and since they are documented, they meet the definition of “documented procedure.” Since they are related to some of the “six required procedres” under ISO 9001, a client could utlize these help screens as the totality of their QMS documentation.

So what? ISO 17021 then says that BSI must audit those documents, of course. Which means, BSI would be auditing documentation and procedures they, themselves, provided to the client.

But Wait, There’s More!

Now most clients will go further and write their own procedures on top of the BSI ones. But that hardly matters, since the software can only be used a certain way, unless one were to violate BSI’s patents, copyrights and trademarks, and completely recompile the source code and rewrite it. For example, if you don’t want to “set a priority for the action,” you may not have a choice if the software forces you to enter that field before proceeding. Thus, BSI has determined the procedure by designing the software, and then gone the extra mile and just handed over the documentation, too.

It doesn’t stop at mere help screens, though. In addition, Entropy® users are given more documented procedures. Logging into their client portal, Entropy® users can access MS Word documents which give even more levels of detail. Here’s a cropped example from a document entitled “Audits for Site Users” (click to enlarge):


Again, we see BSI going so far as to define what audits are, and saying what is “imperative.” It creates its own hierarchy of audits dividing them into two groups — checklist or “ad hoc” — something not supported in any ISO standard and not “in the public domain,” but rather wholly invented by BSI. A hierarchy that BSI will later certify, of course.

Here is another view of the same document:


Notice here that it specifies exactly how audit records will be created, and even mandates who will schedule corporate audits (“the corporate team.”) If you don’t have a “corporate team,” you have to form one or you cannot comply with BSI’s procedure (or just ignore it, and risk a nonconformity for not following the procedure.)

With these documents, however, BSI attempts a neat trick: BSI doesn’t call them “procedures,” but instead “Training Modules.” They even feature bogus “Exercises” which, if you read the text, are just more procedures, including step-by-step numbered lists of instructions:


BSI thinks that if you provide a written document that tells an employee what to do , how to do it, and who will do it, it’s not a procedure if you merely type “training module” at the top of the page.  The only people falling for this is UKAS, who of course has a multi-million dollar incentive to do so.

Which invokes this famous piece of art, because the UKAS/BSI interpretation is nothing if not surreal:


So let’s review again. BSI provides software which includes both documented help screens and actual documents, both of which provide specific instructions using the imperative verb form. Users of the software have no recourse but to follow said procedures, since they reflect fixed software code outside of the ability of the user to modify. BSI then certifies said clients.

Then, when a complaint is raised to what is a glaringly obvious conflict of interest, UKAS spends five months to come to this conclusion:

The investigation concluded that the Entropy internal audit module did not go any further than provide a template framework for an audit programme.

They also ruled that there’s no resulting financial self-threat even though BSI sells and markets both Entropy® and its certification services side by side, literally within the same quotes.

To anyone reading this piece, it’s beyond obvious that BSI Entropy® is a consulting product, and that it would threaten objective impartiality for any auditor. What BSI auditor would write up a nonconformity against Entropy®?

That’s the final measure. Remember that ISO 17021 intends to ensure confidence in the resulting ISO 9001 certifications. Despite all of UKAS’s legal wrangling and word-torture, does the end result ensure or diminish confidence in BSI’s certifications? Of course any rational and objective person will say that it introduces threats to impartiality. BSI sells Entropy®  as a product, and therefore it would cost them money to write nonconformities against it, especially doing so in front of the people they sold it to. No one can come to any other conclusion that confidence is thus diminished, not strengthened by this absurd UKAS conclusion.

The next question is how and why did UKAS rule this way? And for that they will have to answer soon enough.

There’s still some time left before this comes to a climax from which none of them are likely to emerge with any remaining reputation. They can still fix this.

[Images taken from BSI products are excerpted under Fair Use copyright rules, and are protected speech. Likewise for excerpts of ISO 17021 and ISO 9000, which are (TM) ISO. See Oxebridge Legal Policy here. The BSI Entropy product is ® BSI. Magritte is dead, so we apologize to his estate for sullying his painting by putting it next to these other guys.]



About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 45001 Implementation