Recently, a client hired me to do a contract ISO 17021-1 internal audit for their new certification body. This client had not yet obtained accreditation and had only just begun their journey towards ISO 17021-1. Their intent was to offer ISO 9001 and ISO 14001 certificates, alongside the cosmetics GMP standard ISO 22716.
We scheduled the audit, which was planned to take about one to one-and-a-half days in total. I began the document review portion and immediately noticed something was off. The client’s documentation was designed around ISO 17021-1 and was overall very good. But they had switched gears and opted to only offer ISO 22716, and dropped the plans for ISO 9001 and 14001. Herein lay the wrinkle.
ISO 22716 is a guidance document and not a management system standard. To offer accredited ISO 22716 certificates, the CB would have to pursue ISO 17065 accreditation, and not ISO 17021-1. So their entire documentation package was written to the wrong accreditation standard.
Bad Guys Give Bad Advice
Now, I should have noticed this up front, to be completely honest. I saw that they intended to offer 9001 and 14001, and just assumed — wrongly, as it turned out — that their ISO 22716 offering would fall under a separate ISO 17065 effort, and not the ISO 17021-1 project they had hired me for.
I stopped my documentation audit and, the next day, we began our full practical audit in earnest. However, I immediately raised my issue with the client, and we agreed to abort the 17021-1 audit given the circumstances. I only billed him for the meeting time, and we cancelled the rest.
In speaking with the client, I found out that, sure enough, his entire plan had been the product of scammy advice given to him by a fake accreditation mill. The client wants to offer accredited ISO 22716 cosmetic GMP certifications, yes. But in the UK — where the client was located — UKAS doesn’t offer accreditation under that standard. The United States’ accreditation body, ANAB, offers it, but it’s roped into another set of standards related to the US FDA. (Accreditation to issue guidance document certifications must be connected to some other set of requirements that are not guidance. I am oversimplifying here, since it’s actually a complicated mess of legalize, but you get the idea.)
However, my UK client had encountered an accreditation body more than willing to sell him an ISO 17021-1 accreditation for the issuance of certificates to guidance documents. As soon as I saw the AB’s name, I realized it was one of the fake bodies included on my list of certification and accreditation mills.
Let’s pause on that. Because this scammer wanted to sell him a fake accreditation, my client spent a lot of time and money creating an entire set of (very good, mind you) ISO 17021-1 documents, a full online client processing portal, and other internal systems. It’s only through pure luck that he contracted his internal audits to me and not some other scammer who would have gone ahead with the full audit and never told him he was barking up the wrong accreditation standard tree.
IAF Members Suck At This, Too
This kind of thing happens a lot, and even comes about as a result of bad advice from the allegedly “respectable” IAF member accreditation bodies. A few years ago, a client approached me to do internal audits for one ISO 17000-series standard or another (I can’t recall which now). As I was getting ready to quote the project, I realized he was also adopting the wrong standard. In this case, it was Reinaldo Figueiredo, one of ANAB’s bottomless stable of VPs, who had given the client the wrong information. As we dug in deeper, we found that Figueiredo was pushing the client into an ISO 17000 accreditation program that ANAB offered, when in fact the client needed one that ANAB did not. So instead of telling the client, “hey, we don’t offer that particular standard,” Figueiredo tried to sell the guy the wrong accreditation. Because ANAB gotta eat.
A few years prior to that, a similar situation arose with the accreditation body A2LA. In that case, A2LA was trying to sell the client on ISO 17025 for test labs when the appropriate standard would have been ISO 17020 for inspection bodies. In that case, A2LA offered both (if I recall), and it was a simple case of the A2LA sales rep having their head up their ass when trying to quote the project. Once we figured that out, the client switched gears and was able to implement the correct standard. Fortunately, they had not started yet, so they lost nothing.
I get it. Accreditation is hard, and the growing number of accreditation standards is getting out of hand. (Read this article to try to decipher some of it.)
It’s all made worse by the growing threat of scammy accreditation bodies that operate outside the rules of the IAF, and the fact that the IAF has stopped enforcing accreditation rules on the so-called “official” bodies. It’s impossible to tell the difference between them now that Victor Gandy has taken over the IAF and allowed Graeme Drake at APAC to rubber-stamp accreditation mills into the IAF ranks.
But these scams and misinformation are expensive. A company can implement the entirely wrong standard and only find out after it’s spent the money. The ABs are so desperate to sell stuff, they won’t tell you, either.
So, if you get stuck on which accreditation standard might apply to you, reach out to me. Fair warning: I’m often confused, too, but I take the time to research and figure it out, and I don’t charge for that discussion. We can sort it out together before you spend any money.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
