DEVCO Workshop

Kiev, June 2008

ISO 17021 / Tools

for Audits and Auditors
Presented by Alister DALRYMPLE
Director, Business Development and Partnerships
AFNOR International
Marketplace Context

ISO is concerned about its own image and the

negative effects of sub-standard certification
ISO TC 176 has actively addressed the
implementation of ISO 9001
Rules and requirements for certification are contained
in many documents (standards, guides, guidelines,
guidance, recommendations, ) published by many
different organizations
Accreditation does not have a set of detailed rules at
its disposal, but now has a global framework with the
ISO 17021 standard
Intense CB competition on many markets

2 Rfrences
Marketplace Context

Competing Certification
Bodies

Pressure to Loss of Lower Prices

decrease prices Confidence in
Certification*

Lower added value

Cutting corners
to the client

*The Certification Death Spiral

3 Rfrences
A Key Development - ISO/IEC 17021:2006

The publication by ISO/CASCO of ISO/IEC 17021 in

September 2006 has a number of immediate consequences,
because it
replaces Guides 62 for QMS and 66 for EMS

is applicable for the implementation by any CB of any

management system certification scheme (past, present and
future ! )

incorporates appropriate IAF guidance

acknowledges latest technological advances (e-based

technologies and auditing, etc)

provides a solid baseline set of rules for accrediting CBs

4 Rfrences
A Key Development - ISO/IEC 17021:2006

And because it

is consistent with other CASCO documents

Provides a complete section on the (non-auditable) principles

needed to obtain confidence in management system certification,
but which offer the basis for interpretation of any situation where
specific requirements are not drafted

promotes principles-based performance requirements

5 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Section 4 : Principles
The aim of certification is to give confidence to all parties
that a management system fulfils specified requirements.
Interested Parties include, but are not limited to :

a) clients of the certification bodies,

b) customers of the organizations whose management
systems are certified
c) governmental authorities
d) non-governmental organizations and
e) consumers and other members of the public

Consequence : The auditor represents all the

above when assessing a management system

6 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Whats new ? . regarding the certification process

The CB shall have :
- Personnel having demonstrated competence for each phase of
the certification process (auditing, decision-making, managing
functions)

- Process ensuring the assignment of competent audit team :

competency analysis for all personnel involved in the
complete certification process (7.1 & 7.2)
application review ( competence needed (9.2.2.2))
records justifying accepting the client (9.2.2.1.f)
audit team selection ( competence provided (9.2.2.3))
competence to make certification decision (9.2.2.4)
Consequence : Competence (not necessarily
qualification !!) at all stages of the process
7 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Whats new ? . regarding the certification process

Sufficient Auditor time for an effective audit (9.1.4)

documented process for determination
auditor time, as determined by the CB, and justification, to be
recorded
Certification audit program (9.1.1)
two-stage audit for initial certification
surveillance audit at least once a year
Re-certification audit every 3 years

With flexibility to adjust the audit program based on

demonstrated effectiveness of the clients management
system (9.1.1)
Consequence : Permitting effective audits with higher expectations
on the audit outcome
8 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Whats new ? . regarding the certification process

Stage 1 audit (9.2.3.1)
Establishes seven objectives to be fulfilled during the
stage 1 audit
Recommended, but not required, that at least part of the
stage 1 audit be carried out at clients premises
In addition to physical locations, on-site may include remote
access to electronic sites (note 1 to 9.1.9)

Consequence : A better planned audit and obtaining timely

relevant information, wherever it is available

9 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Whats new ? regarding the certification process

For surveillance audits, the Audit team may be empowered to

inform the client that certification may be maintained
- If there is a positive conclusion to the audit
- If no non-conformities likely to lead to suspension or
withdrawal of the certification are detected

Consequence : Confidence in the judgment of the

Audit team and empowering it to take responsibility

10 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

Whats new ? regarding the certification process

Competent personnel of the CB must monitor the

performance of all personnel involved in the certification

activities (7.2.10), including

- Surveillance activities, including reporting

- On-site auditor performance

- Bodies used through out-sourcing

Consequence : More flexibility implies additional control over

the certification process, including auditing

11 Rfrences
ISO/IEC 17021 Requirements for CB (extracts)

What is NOT in ISO/IEC 17021 ?

1) Tables, methods or tools for
Calculating audit duration
Qualifying of auditors
Defining Competence criteria of audit teams
2) Sector or standard-specific requirements (e.g. food
safety, IT security, Environmental regulations). CASCO is
not empowered by ISO to draft such standards.

Conclusion : One size does not fit all

12 Rfrences
ISO/IEC 17021 (Part 2)

TERMS OF REFERENCE
CASCO Working Group 21 will develop an
international standard that will complement the
existing requirements of ISO/IEC 17021 with respect
to third party auditing and the management of
competence, the generic requirements in this
standard will be based in part on the relevant
guidance given in ISO 19011.
It will also provide a framework to enable competent
parties to develop specific criteria for third party
auditing and management of competence for different
types of management systems or sector applications.
13 Rfrences
ISO/IEC 17021 (Part 2)

This means..
- It will be a generic requirements document for the 3rd
party auditing of (all) management systems
- Guidance in ISO 19011 will be transformed into
appropriate requirements
- It will cover third party auditing and the management
of competence related to third party auditing
- It will provide a template for other bodies of
knowledge to develop specific criteria for third party
auditing and management of competence for different
types of management systems or sector applications.

14 Rfrences
ISO/IEC 17021 (Part 2)

Working Title:
Third Party Auditing of Management Systems
Milestones :
- Approval of the New Work Item Proposal
- 2 Co-Convenors of the original Working Group 21
- 3 meetings were held to draft a Committee Draft
currently out for comment to CASCO Membership
- Following review of the comments on CD1, a second
Initial document (CD2) is expected to be circulated for
Comment and Ballot at the end of 2008

15 Rfrences
Auditing & Auditors

However, requirements standards can only stipulate the

rules !! There is a continuing need for implementation
guidance, benchmarking and identification of best practices,
exchanges of experience and recognition

Guidance e.g. through sector guidance, IAF informative criteria, etc

Benchmarking and identification of Best Practices e.g. through
documents published by competent bodies of knowledge such as the
APG (Audit Practices group)
Exchanges of experience e.g. through participation in auditor forums
(physical meetings, electronic forums, etc.)
Recognition e.g. through formal recognition schemes such as IPC

16 Rfrences
ISO/IEC 17021

The conclusion is taken from the Introduction to

ISO/IEC 17021

The value of certification is

the degree of public confidence
and trust that is established by an
impartial and competent
assessment by a third-party

17 Rfrences
 Thanks for listening to

alister.dalrymple@afnor.org

18 Rfrences