
ISO IEC 17021 2015 Checklist Approved


ISO/IEC 17021-1:2015 F07/06E

Checklist for Management System Certification


For office use: ENAO Acc. No

Name of the CB

Accreditation applied for

Name of Nominated Representative

Assessor/s & Observers:


Date of Evaluation:
This report covers the following:
Type of Assessment (tick box): Initial / Follow Up / Re-assessment
Document Review only / Site Visit only / Document Review and Site Visit / Pre-assessment / Other
Certification Bodies wishing to apply for accreditation shall indicate how requirements have been addressed, documented and implemented on the comment side of each requirement. Assessors can use the space provided to write evidence for the assessment findings on the comment side of each requirement. (Key: C = Comply, NC = Not comply, NA = Not applicable)
The checklist table has the following columns:
Clause No.
Requirement
Filled by CAB, indicating in which document & clause the requirements are addressed
Document review by team leader (Reference Documents)
C/NC/NA
On site assessment: Objective Evidence (Provide supporting information to prove implementation; describe the observations; note which records were reviewed.)
C/NC/NA
5 Requirement for Certification Bodies
5.1 Legal and contractual matters
5.1.1 Legal responsibility – The certification body shall be a legal entity, or a defined part of a legal entity, such that it can be held legally responsible for all its certification activities. A governmental certification body is deemed to be a legal entity on the basis of its governmental status.
5.1.2 Certification agreement - The certification body shall have a legally enforceable agreement with each client for the provision of certification activities in accordance with the relevant requirements of this part of ISO/IEC 17021. In addition, where there are multiple offices of a certification body or multiple sites of a client, the certification body shall ensure there is a legally enforceable agreement between the certification body granting certification and the client that covers all the sites within the scope of the certification.
Rev 1.1 25 October, 2020 Page 1 of 52
5.1.3 Responsibility for certification decisions - The certification body shall be responsible for, and shall retain authority for, its decisions relating to certification, including the granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring following suspension, or withdrawing of certification.
5.2 Management of impartiality
5.2.1 Conformity assessment activities shall be undertaken impartially. The certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.2 The certification body shall have top management commitment to impartiality in management system certification activities. The certification body shall have a policy that it understands the importance of impartiality in carrying out its management system certification activities, manages conflict of interest and ensures the objectivity of its management system certification activities.

5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongoing basis. Where there are any threats to impartiality, the certification body shall document and demonstrate how it eliminates or minimizes such threats and document any residual risk. The demonstration shall cover all potential threats that are identified, whether they arise from within the certification body or from the activities of other persons, bodies or organizations. When a relationship poses an unacceptable threat to impartiality (such as a wholly owned subsidiary of the certification body requesting certification from its parent), then certification shall not be provided.
Top management shall review any residual risk to determine if it is within the level of acceptable risk.
The risk assessment process shall include identification of and consultation with appropriate interested parties to advise on matters affecting impartiality including openness and public perception. The consultation with appropriate interested parties shall be balanced with no single interest predominating.
NOTE 1 Sources of threats to impartiality of the certification body can be based on ownership, governance, management, personnel, shared resources, finances, contracts, training, marketing and payment of a sales commission or other inducement for the referral of new clients, etc.
NOTE 2 Interested parties can include personnel and clients of the certification body, customers of organizations whose management systems are certified, representatives of industry trade associations, representatives of governmental regulatory bodies or other governmental services, or representatives of non-governmental organizations, including consumer organizations.
NOTE 3 One way of fulfilling the consultation requirement of this clause is by the use of a committee of these interested parties.

5.2.4 A certification body shall not certify another certification body for its management system certification activities.

5.2.5 The certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.
NOTE This does not preclude the possibility of exchange of information (e.g. explanation of findings or clarification of requirements) between the certification body and its clients.
5.2.6 The carrying out of internal audits by the certification body and any part of the same legal entity to its certified clients is a significant threat to impartiality. Therefore, the certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that the certification body shall not certify a management system on which it provided internal audits for a minimum of two years following the completion of the internal audits.
NOTE See Note 1 to 5.2.3.


5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.
NOTE See Note 1 to 5.2.3.


5.2.8 The certification body shall not outsource audits to a management system consultancy organization, as this poses an unacceptable threat to the impartiality of the certification body (see 7.5). This does not apply to individuals contracted as auditors covered in 7.3.
5.2.9 The certification body’s activities shall not be marketed or offered as linked with the activities of an organization that provides management system consultancy. The certification body shall take action to correct inappropriate links or statements by any consultancy organization stating or implying that certification would be simpler, easier, faster or less expensive if the certification body were used. A certification body shall not state or imply that certification would be simpler, easier, faster or less expensive if a specified consultancy organization were used.
5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.
5.2.11 The certification body shall take action to respond to any threats to its impartiality arising from the actions of other persons, bodies or organizations.
5.2.12 All certification body personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.
5.2.13 Certification bodies shall require personnel, internal and external, to reveal any situation known to them that can present them or the certification body with a conflict of interests. Certification bodies shall record and use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them, and shall not use such personnel, internal or external, unless they can demonstrate that there is no conflict of interest.
5.3 Liability and financing
5.3.1 The certification body shall be able to demonstrate that it has evaluated the risks arising from its certification activities and that it has adequate arrangements (e.g. insurance or reserves) to cover liabilities arising from its operations in each of its fields of activities and the geographic areas in which it operates.
5.3.2 The certification body shall evaluate its finances and sources of income and demonstrate that initially, and on an ongoing basis, commercial, financial or other pressures do not compromise its impartiality.
6 Structural requirements
6.1 Organizational structure and top management
6.1.1 The certification body shall document its organizational structure, duties, responsibilities and authorities of management and other personnel involved in certification and any committees. When the certification body is a defined part of a legal entity, the structure shall include the line of authority and the relationship to other parts within the same legal entity.
6.1.2 Certification activities shall be structured and managed so as to safeguard impartiality.
6.1.3 The certification body shall identify the top management (board, group of persons, or person) having overall authority and responsibility for each of the following:
a) development of policies and establishment of processes and procedures relating to its operations;
b) supervision of the implementation of the policies, processes and procedures;
c) ensuring impartiality;
d) supervision of its finances;
e) development of management system certification services and schemes;
f) performance of audits and certification, and responsiveness to complaints;
g) decisions on certification;
h) delegation of authority to committees or individuals, as required, to undertake defined activities on its behalf;
i) contractual arrangements;
j) provision of adequate resources for certification activities.

6.1.4 The certification body shall have formal rules for the appointment, terms of reference and operation of any committees that are involved in the certification activities.

6.2 Operational control


6.2.1 The certification body shall have a process for the effective control of certification activities delivered by branch offices, partnerships, agents, franchisees, etc., irrespective of their legal status, relationship or geographical location. The certification body shall consider the risk that these activities pose to the competence, consistency and impartiality of the certification body.

6.2.2 The certification body shall consider the appropriate level and method of control of activities undertaken including its processes, technical areas of certification bodies’ operations, competence of personnel, lines of management control, reporting and remote access to operations including records.
7 Resource requirements
7.1 Competence of personnel
General considerations

7.1.1 The certification body shall have processes to ensure that personnel have appropriate knowledge and skills relevant to the types of management systems (e.g. environmental management systems, quality management systems, information security management systems) and geographic areas in which it operates.
7.1.2 The certification body shall have a process for determining the competence criteria for personnel involved in the management and performance of audits and other certification activities. Competence criteria shall be determined with regard to the requirements of each type of management system standard or specification, for each technical area, and for each function in the certification process. The output of the process shall be the documented criteria of required knowledge and skills necessary to effectively perform audit and certification tasks to be fulfilled to achieve the intended results. Annex A specifies the knowledge and skills that a certification body shall define for specific functions. Where additional specific competence criteria have been established for a specific standard or certification scheme (e.g. ISO/IEC TS 17021-2, ISO/IEC TS 17021-3 or ISO/TS 22003), these shall be applied.
NOTE The term “technical area” is applied differently depending on the management system standard being considered. For any management system, the term is related to products, processes and services in the context of the scope of the management system standard. The technical area can be defined by a specific certification scheme (e.g. ISO/TS 22003) or can be determined by the certification body. It is used to cover a number of other terms such as “scopes”, “categories”, “sectors”, etc., which are traditionally used in different management system disciplines.
7.1.3 The certification body shall have documented processes for the initial competence evaluation, and on-going monitoring of competence and performance of all personnel involved in the management and performance of audits and other certification activities, applying the determined competence criteria. The certification body shall demonstrate that its evaluation methods are effective. The output from these processes shall be to identify personnel who have demonstrated the level of competence required for the different functions of the audit and certification process. Competence shall be demonstrated prior to the individual taking the responsibility for the performance of their activities within the certification body.
NOTE 1 A number of evaluation methods that can be used to evaluate competence are described in Annex B.
NOTE 2 Annex C shows an example of a process flow for determining and maintaining competence.
Other considerations

7.1.4 The certification body shall have access to the necessary technical expertise for advice on matters directly relating to certification activities for all technical areas, types of management systems and geographic areas in which the certification body operates. Such advice may be provided externally or by certification body personnel.
7.2 Personnel involved in the certification activities
7.2.1 The certification body shall have sufficient, competent personnel for managing and supporting the type and range of audit programmes and other certification work performed.
7.2.2 The certification body shall employ, or have access to, a sufficient number of auditors, including audit team leaders, and technical experts to cover all of its activities and to handle the volume of audit work performed.
7.2.3 The certification body shall make clear to each person concerned their duties, responsibilities and authorities.
7.2.4 The certification body shall have processes for selecting, training, formally authorizing auditors and for selecting and familiarizing technical experts used in the certification activity. The initial competence evaluation of an auditor shall include the ability to apply required knowledge and skills during audits, as determined by a competent evaluator observing the auditor conducting an audit.
NOTE During the selection and training process described above desired personal behaviour can be considered. These are characteristics that affect an individual’s ability to perform specific functions. Therefore, knowledge about the behaviour of individuals enables a certification body to take advantage of their strengths and to minimize the impact of their weaknesses. Desired personal behaviour that is important for personnel involved in certification activities is described in Annex D.
7.2.5 The certification body shall have a process to achieve and demonstrate effective auditing, including the use of auditors and audit team leaders possessing generic auditing skills and knowledge, as well as skills and knowledge appropriate for auditing in specific technical areas.
7.2.6 The certification body shall ensure that auditors (and, where needed, technical experts) are knowledgeable of its audit processes, certification requirements and other relevant requirements. The certification body shall give auditors and technical experts access to an up-to-date set of documented procedures giving audit instructions and all relevant information on the certification activities.
7.2.7 The certification body shall identify training needs and shall offer or provide access to specific training to ensure its auditors, technical experts and other personnel involved in certification activities are competent for the functions they perform.
7.2.8 The group or individual that takes the decision on granting, refusing, maintaining, renewing, suspending, restoring, or withdrawing certification, or on expanding or reducing the scope of certification, shall understand the applicable standard and certification requirements, and shall have demonstrated competence to evaluate the outcomes of the audit processes including related recommendations of the audit team.
7.2.9 The certification body shall ensure the satisfactory performance of all personnel involved in the audit and other certification activities. There shall be a documented process for monitoring competence and performance of all persons involved, based on the frequency of their usage and the level of risk linked to their activities. In particular, the certification body shall review and record the competence of its personnel in the light of their performance in order to identify training needs.

7.2.10 The certification body shall monitor each auditor considering each type of management system to which the auditor is deemed competent. The documented monitoring process for auditors shall include a combination of on-site evaluation, review of audit reports and feedback from clients or from the market. This monitoring shall be designed in such a way as to minimize disturbance to the normal processes of certification, especially from the client’s viewpoint.
7.2.11 The certification body shall periodically evaluate the performance of each auditor on-site. The frequency of on-site evaluations shall be based on need determined from all monitoring information available.
7.3 Use of individual external auditors and external technical experts
The certification body shall require external auditors and external technical experts to have a written agreement by which they commit themselves to comply with applicable policies and implement processes as defined by the certification body. The agreement shall address aspects relating to confidentiality and impartiality and shall require the external auditors and external technical experts to notify the certification body of any existing or prior relationship with any organization they may be assigned to audit.
NOTE Use of an individual or employee of another organization individually contracted to serve as an external auditor or technical expert does not constitute outsourcing.

7.4 Personnel records
The certification body shall maintain up-to-date personnel records, including relevant qualifications, training, experience, affiliations, professional status and competence. This includes management and administrative personnel in addition to those performing certification activities.
7.5 Outsourcing
7.5.1 The certification body shall have a process in which it describes the conditions under which outsourcing (which is subcontracting to another organization to provide part of the certification activities on behalf of the certification body) may take place. The certification body shall have a legally enforceable agreement covering the arrangements, including confidentiality and conflicts of interests, with each body that provides outsourced services.
7.5.2 Decisions for granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification shall not be outsourced.
7.5.3 The certification body shall:
a) take responsibility for all activities outsourced to another body;
b) ensure that the body that provides outsourced services, and the individuals that it uses, conform to requirements of the certification body and also to the applicable provisions of this part of ISO/IEC 17021, including competence, impartiality and confidentiality;
c) ensure that the body that provides outsourced services, and the individuals that it uses, are not involved, either directly or through any other employer, with an organization to be audited, in such a way that impartiality could be compromised.

7.5.4 The certification body shall have a process for the approval and monitoring of all bodies that provide outsourced services used for certification activities, and shall ensure that records of the competence of all personnel involved in certification activities are maintained.
NOTE 1 For 7.5.1 to 7.5.4, where the certification body engages individuals or employees of other organizations to provide additional resources or expertise, these individuals do not constitute outsourcing provided they are individually contracted to operate under the certification body’s management system (see 7.3).
NOTE 2 For 7.5.1 to 7.5.4, the terms “outsourcing” and “subcontracting” are considered to be synonyms.
8 Information requirements
8.1 Public information
8.1.1 The certification body shall maintain (through publications, electronic media or other means), and make public, without request, in all the geographical areas in which it operates, information about
a) audit processes;
b) processes for granting, refusing, maintaining, renewing, suspending, restoring or withdrawing certification or expanding or reducing the scope of certification;
c) types of management systems and certification schemes in which it operates;
d) the use of the certification body’s name and certification mark or logo;
e) processes for handling requests for information, complaints and appeals;
f) policy on impartiality.
8.1.2 The certification body shall provide upon request information about:
a) geographical areas in which it operates;
b) the status of a given certification;
c) the name, related normative document, scope and geographical location (city and country) for a specific certified client.
NOTE 1 In exceptional cases, access to certain information can be limited on the request of the client (e.g. for security reasons).
NOTE 2 The certification body can also make the information in 8.1.2 public by any means it chooses without request, e.g. on its internet website.
8.1.3 Information provided by the certification body to any client or to the marketplace, including advertising, shall be accurate and not misleading.
8.2 Certification documents
8.2.1 The certification body shall provide by any means it chooses certification documents to the certified client.
8.2.2 The certification document(s) shall identify the following:
a) the name and geographical location of each certified client (or the geographical location of the headquarters and any sites within the scope of a multi-site certification);
b) the effective date of granting, expanding or reducing the scope of certification, or renewing certification which shall not be before the date of the relevant certification decision;
NOTE The certification body can keep the original certification date on the certificate when a certificate lapses for a period of time provided that:
— the current certification cycle start and expiry date are clearly indicated;
— the last certification cycle expiry date be indicated along with the date of recertification audit.
c) the expiry date or recertification due date consistent with the recertification cycle;
d) a unique identification code;
e) the management system standard and/or other normative document, including indication of issue status (e.g. revision date or number) used for audit of the certified client;
f) the scope of certification with respect to the type of activities, products and services as applicable at each site without being misleading or ambiguous;
g) the name, address and certification mark of the certification body; other marks (e.g. accreditation symbol, client’s logo) may be used provided they are not misleading or ambiguous;
h) any other information required by the standard and/or other normative document used for certification;
i) in the event of issuing any revised certification documents, a means to distinguish the revised documents from any prior obsolete documents.
8.3 Reference to certification and use of marks
8.3.1 A certification body shall have rules governing any management system certification mark that it authorizes certified clients to use. These rules shall ensure, among other things, traceability back to the certification body. There shall be no ambiguity, in the mark or accompanying text, as to what has been certified and which certification body has granted the certification. This mark shall not be used on a product nor product packaging nor in any other way that may be interpreted as denoting product conformity.
NOTE ISO/IEC 17030 provides additional information for use of third-party marks.
8.3.2 A certification body shall not permit its marks to be applied by certified clients to laboratory test, calibration or inspection reports or certificates.
8.3.3 A certification body shall have rules governing the use of any statement on product packaging or in accompanying information that the certified client has a certified management system. Product packaging is considered as that which can be removed without the product disintegrating or being damaged. Accompanying information is considered as separately available or easily detachable. Type labels or identification plates are considered as part of the product. The statement shall in no way imply that the product, process or service is certified by this means. The statement shall include reference to:
— identification (e.g. brand or name) of the certified client;
— the type of management system (e.g. quality, environment) and the applicable standard;
— the certification body issuing the certificate.
8.3.4 The certification body shall through legally enforceable arrangements require that the certified client:
a) conforms to the requirements of the certification body when making reference to its certification status in communication media such as the internet, brochures or advertising, or other documents;
b) does not make or permit any misleading statement regarding its certification;
c) does not use or permit the use of a certification document or any part thereof in a misleading manner;
d) upon withdrawal of its certification, discontinues its use of all advertising matter that contains a reference to certification, as directed by the certification body (see 9.6.5);
e) amends all advertising matter when the scope of certification has been reduced;
f) does not allow reference to its management system certification to be used in such a way as to imply that the certification body certifies a product (including service) or process;
g) does not imply that the certification applies to activities and sites that are outside the scope of certification;
h) does not use its certification in such a manner that would bring the certification body and/or certification system into disrepute and lose public trust.
8.3.5 The certification body shall exercise proper control of ownership and shall take action to deal with incorrect references to certification status or misleading use of certification documents, marks or audit reports.
NOTE Such action could include requests for correction and corrective action, suspension, withdrawal of certification, publication of the transgression and, if necessary, legal action.
8.4 Confidentiality
8.4.1 The certification body shall be responsible, through legally enforceable agreements, for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.
8.4.2 The certification body shall inform the client, in advance, of the information it intends to place in the public domain. All other information, except for information that is made publicly accessible by the client, shall be considered confidential.
8.4.3 Except as required in this part of ISO/IEC 17021, information about a particular certified client or individual shall not be disclosed to a third party without the written consent of the certified client or individual concerned.
8.4.4 When the certification body is required by law or authorized by contractual arrangements (such as with the accreditation body) to release confidential information, the client or individual concerned shall, unless prohibited by law, be notified of the information provided.
8.4.5 Information about the client from sources other than the client (e.g. complainant, regulators) shall be treated as confidential, consistent with the certification body’s policy.
8.4.6 Personnel, including any committee members, contractors, personnel of external bodies or individuals acting on the certification body’s behalf, shall keep confidential all information obtained or created during the performance of the certification body’s activities except as required by law.
8.4.7 The certification body shall have processes and where applicable equipment and facilities that ensure the secure handling of confidential information.
8.5 Information exchange between a certification body and its clients
8.5.1 Information on the certification activity and requirements
The certification body shall provide information and update clients on the following:
a) a detailed description of the initial and continuing certification activity, including the application, initial audits, surveillance audits, and the process for granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification;
b) the normative requirements for certification;
c) information about the fees for application, initial certification and continuing certification;
d) the certification body’s requirements for clients to:
1) comply with certification requirements;
2) make all necessary arrangements for the conduct of the audits, including provision for examining documentation and the access to all processes and areas, records and personnel for the purposes of initial certification, surveillance, recertification and resolution of complaints;
3) make provisions, where applicable, to accommodate the presence of observers (e.g. accreditation assessors or trainee auditor);
e) documents describing the rights and duties of certified clients, including requirements, when making reference to its certification in communication of any kind in line with the requirements in 8.3;
f) information on processes for handling complaints and appeals.
8.5.2 Notice of changes by a certification body
The certification body shall give its certified clients due notice of any changes to its requirements for certification. The certification body shall verify that each certified client complies with the new requirements.
8.5.3 Notice of changes by a certified client
The certification body shall have legally enforceable arrangements to ensure that the certified client informs the certification body, without delay, of matters that may affect the capability of the management system to continue to fulfil the requirements of the standard used for certification. These include, for example, changes relating to:
a) the legal, commercial, organizational status or ownership;
b) organization and management (e.g. key managerial, decision-making or technical staff);
c) contact address and sites;
d) scope of operations under the certified management system;
e) major changes to the management system and processes.
The certification body shall take action as appropriate.
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
The certification body shall require an authorized representative of the applicant organization to provide the necessary information to enable it to establish the following:
a) the desired scope of the certification;
b) relevant details of the applicant organization as required by the specific certification scheme, including its name and the address(es) of its site(s), its processes and operations, human and technical resources, functions, relationships and any relevant legal obligations;
c) identification of outsourced processes used by the organization that will affect conformity to requirements;
d) the standards or other requirements for which the applicant organization is seeking certification;
e) whether consultancy relating to the management system to be certified has been provided and, if so, by whom.
9.1.2 Application review
9.1.2.1 The certification body shall conduct a review of the application and supplementary information for certification to ensure that:
a) the information about the applicant organization and its management system is sufficient to develop an audit programme (see 9.1.3);
b) any known difference in understanding between the certification body and the applicant organization is resolved;
c) the certification body has the competence and ability to perform the certification activity;
d) the scope of certification sought, the site(s) of the applicant organization’s operations, time required to complete audits and any other points influencing the certification activity are taken into account (language, safety conditions, threats to impartiality, etc.).
9.1.2.2 Following the review of the application, the certification body shall either accept or decline an application for certification. When the certification body declines an application for certification as a result of the review of application, the reasons for declining an application shall be documented and made clear to the client.
9.1.2.3 Based on this review, the certification body shall determine the competences it needs to include in its audit team and for the certification decision.
9.1.3 Audit programme
9.1.3.1 An audit programme for the full certification cycle shall be developed to clearly identify the audit activity/activities required to demonstrate that the client’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s). The audit programme for the certification cycle shall cover the complete management system requirements.
9.1.3.2 The audit programme for the initial certification shall include a two-stage initial audit, surveillance audits in the first and second years following the certification decision, and a recertification audit in the third year prior to expiration of certification. The first three-year certification cycle begins with the certification decision. Subsequent cycles begin with the recertification decision (see 9.6.3.2.3). The determination of the audit programme and any subsequent adjustments shall consider the size of the client, the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the results of any previous audits.
NOTE 1 Annex E provides a flowchart of a typical audit and certification process.
NOTE 2 The following list contains additional items that can be considered when developing or revising an audit programme; they might also need to be addressed when determining the audit scope and developing the audit plan:
— complaints received by the certification body about the client;
— combined, integrated or joint audit;
— changes to the certification requirements;
— changes to legal requirements;
— changes to accreditation requirements;
— organizational performance data (e.g. defect levels, key performance indicators data);
— relevant interested parties’ concerns.
NOTE 3 If specified by the industry specific certification scheme, the certification cycle can be different from three years.
9.1.3.3 Surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.
NOTE It can be necessary to adjust the frequency of surveillance audits to accommodate factors such as seasons or management systems certification of a limited duration (e.g. temporary construction site).
9.1.3.4 Where the certification body is taking account of certification already granted to the client and to audits performed by another certification body, it shall obtain and retain sufficient evidence, such as reports and documentation on corrective actions, to any nonconformity. The documentation shall support the fulfilling of the requirements in this part of ISO/IEC 17021. The certification body shall, based on the information obtained, justify and record any adjustments to the existing audit programme and follow up the implementation of corrective actions concerning previous nonconformities.
9.1.3.5 Where the client operates shifts, the activities that take place during shift working shall be considered when developing the audit programme and audit plans.
9.1.4 Determining audit time
9.1.4.1 The certification body shall have documented procedures for determining audit time. For each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system.
9.1.4.2 In determining the audit time, the certification body shall consider, among other things, the following aspects:
a) the requirements of the relevant management system standard;
b) complexity of the client and its management system;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the management system;
e) the results of any prior audits;
f) size and number of sites, their geographical locations and multi-site considerations;
g) the risks associated with the products, processes or activities of the organization;
h) whether audits are combined, joint or integrated.
NOTE 1: Time spent travelling to and from audited sites is not included in the calculation of the duration of the management system audit days.
NOTE 2: The certification body can use the guidelines established in ISO/IEC TS 17023 for determining the duration of management system audit when documenting these procedures.
Where specific criteria have been established for a specific certification scheme, e.g. ISO/TS 22003 or ISO/IEC 27006, these shall be applied.
9.1.4.3 The duration of the management system audit and its justification shall be recorded.
9.1.4.4 The time spent by any team member that is not assigned as an auditor (i.e. technical experts, translators, interpreters, observers and auditors-in-training) shall not count in the above established duration of the management system audit.
NOTE The use of translators and interpreters can necessitate additional time.
9.1.5 Multi-site sampling
Where multi-site sampling is used for the audit of a client’s management system covering the same activity in various geographical locations, the certification body shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client. Sampling is not allowed for some specific certification schemes, and where specific criteria have been established for a specific certification scheme, e.g. ISO/TS 22003, these shall be applied.
NOTE Where there are multiple sites not covering the same activity sampling is not appropriate.
9.1.6 When certification to multiple management system standards is being provided by the certification body, the planning for the audit shall ensure adequate on-site auditing to provide confidence in the certification.
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.1.1 The audit objectives shall be determined by the certification body. The audit scope and criteria, including any changes, shall be established by the certification body after discussion with the client.
9.2.1.2 The audit objectives shall describe what is to be accomplished by the audit and shall include the following:
a) determination of the conformity of the client’s management system, or parts of it, with audit criteria;
b) determination of the ability of the management system to ensure the client meets applicable statutory, regulatory and contractual requirements;
NOTE A management system certification audit is not a legal compliance audit.
c) determination of the effectiveness of the management system to ensure the client can reasonably expect to achieve its specified objectives;
d) as applicable, identification of areas for potential improvement of the management system.
9.2.1.3 The audit scope shall describe the extent and boundaries of the audit, such as sites, organizational units, activities and processes to be audited. Where the initial or re-certification process consists of more than one audit (e.g. covering different sites), the scope of an individual audit may not cover the full certification scope, but the totality of audits shall be consistent with the scope in the certification document.
9.2.1.4 The audit criteria shall be used as a reference against which conformity is determined, and shall include:
— the requirements of a defined normative document on management systems;
— the defined processes and documentation of the management system developed by the client.
9.2.2 Audit team selection and assignments
9.2.2.1 General
9.2.2.1.1 The certification body shall have a process for selecting and appointing the audit team, including the audit team leader and technical experts as necessary, taking into account the competence needed to achieve the objectives of the audit and requirements for impartiality. If there is only one auditor, the auditor shall have the competence to perform the duties of an audit team leader applicable for that audit. The audit team shall have the totality of the competences identified by the certification body as set out in 9.1.2.3 for the audit.
9.2.2.1.2 In deciding the size and composition of the audit team, consideration shall be given to the following:
a) audit objectives, scope, criteria and estimated audit time;
b) whether the audit is combined, joint or integrated;
c) the overall competence of the audit team needed to achieve the objectives of the audit (see Table A.1);
d) certification requirements (including any applicable statutory, regulatory or contractual requirements);
e) language and culture.
NOTE The team leader of a combined or integrated audit is expected to have in-depth knowledge of at least one of the standards and an awareness of the other standards used for that particular audit.
9.2.2.1.3 The necessary knowledge and skills of the audit team leader and auditors may be supplemented by technical experts, translators and interpreters who shall operate under the direction of an auditor. Where translators or interpreters are used, they shall be selected such that they do not unduly influence the audit.
NOTE The criteria for the selection of technical experts are determined on a case-by-case basis by the needs of the audit team and the scope of the audit.
9.2.2.1.4 Auditors-in-training may participate in the audit, provided an auditor is appointed as an evaluator. The evaluator shall be competent to take over the duties and have final responsibility for the activities and findings of the auditor-in-training.
9.2.2.1.5 The audit team leader, in consultation with the audit team, shall assign to each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignments shall take into account the need for competence, and the effective and efficient use of the audit team, as well as different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses to ensure achievement of the audit objectives.
9.2.2.2 Observers, technical experts and guides
9.2.2.2.1 Observers
The presence and justification of observers during an audit activity shall be agreed to by the certification body and client prior to the conduct of the audit. The audit team shall ensure that observers do not unduly influence or interfere in the audit process or outcome of the audit.
NOTE Observers can be members of the client’s organization, consultants, witnessing accreditation body personnel, regulators or other justified persons.
9.2.2.2.2 Technical experts
The role of technical experts during an audit activity shall be agreed to by the certification body and client prior to the conduct of the audit. A technical expert shall not act as an auditor in the audit team. The technical experts shall be accompanied by an auditor.
NOTE The technical experts can provide advice to the audit team for the preparation, planning or audit.
9.2.2.2.3 Guides
Each auditor shall be accompanied by a guide, unless otherwise agreed to by the audit team leader and the client. Guide(s) are assigned to the audit team to facilitate the audit. The audit team shall ensure that guides do not influence or interfere in the audit process or outcome of the audit.
NOTE 1: The responsibilities of a guide can include:
a) establishing contacts and timing for interviews;
b) arranging visits to specific parts of the site or organization;
c) ensuring that rules concerning site safety and security procedures are known and respected by the audit team members;
d) witnessing the audit on behalf of the client;
e) providing clarification or information as requested by an auditor.
NOTE 2: Where appropriate, the auditee can also act as the guide.
9.2.3 Audit Plan
9.2.3.1 General
The certification body shall ensure that an audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.
NOTE It is not expected that a certification body will develop an audit plan for each audit at the time that the audit programme is developed.
9.2.3.2 Preparing the audit plan
The audit plan shall be appropriate to the objectives and the scope of the audit. The audit plan shall at least include or refer to the following:
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional units or processes to be audited;
d) the dates and sites where the on-site audit activities will be conducted, including visits to temporary sites and remote auditing activities, where appropriate;
e) the expected duration of on-site audit activities;
f) the roles and responsibilities of the audit team members and accompanying persons, such as observers or interpreters.
NOTE The audit plan information can be contained in more than one document.
9.2.3.3 Communication of audit team tasks
The tasks given to the audit team shall be defined, and require the audit team to:
a) examine and verify the structure, policies, processes, procedures, records and related documents of the client relevant to the management system standard;
b) determine that these meet all the requirements relevant to the intended scope of certification;
c) determine that the processes and procedures are established, implemented and maintained effectively, to provide a basis for confidence in the client’s management system;
d) communicate to the client, for its action, any inconsistencies between the client’s policy, objectives and targets.
9.2.3.4 Communication of audit plan
The audit plan shall be communicated and the dates of the audit shall be agreed upon, in advance, with the client.
9.2.3.5 Communication concerning audit team members
The certification body shall provide the name of and, when requested, make available background information on each member of the audit team, with sufficient time for the client to object to the appointment of any particular audit team member and for the certification body to reconstitute the team in response to any valid objection.
9.3 Initial certification
9.3.1 Initial certification audit
9.3.1.1 General
The initial certification audit of a management system shall be conducted in two stages: stage 1 and stage 2.
9.3.1.2 Stage 1
9.3.1.2.1 Planning shall ensure that the objectives of stage 1 can be met and the client shall be informed of any “on site” activities during stage 1.
NOTE Stage 1 does not require a formal audit plan (see 9.2.3).
9.3.1.2.2 The objectives of stage 1 are to:
a) review the client’s management system documented information;
b) evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2;
c) review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
d) obtain necessary information regarding the scope of the management system, including:
— the client’s site(s);
— processes and equipment used;
— levels of controls established (particularly in case of multisite clients);
— applicable statutory and regulatory requirements;
e) review the allocation of resources for stage 2 and agree the details of stage 2 with the client;
f) provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
g) evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for stage 2.
NOTE If at least part of stage 1 is carried out at the client’s premises, this can help to achieve the objectives stated above.
9.3.1.2.3 Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.
NOTE The stage 1 output does not need to meet the full requirements of a report (see 9.4.8).
9.3.1.2.4 In determining the interval between stage 1 and stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during stage 1. The certification body may also need to revise its arrangements for stage 2. If any significant changes which would impact the management system occur, the certification body shall consider the need to repeat all or part of stage 1. The client shall be informed that the results of stage 1 may lead to postponement or cancellation of stage 2.
9.3.1.3 Stage 2
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:
a) information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
b) performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
c) the client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
d) operational control of the client’s processes;
e) internal auditing and management review;
f) management responsibility for the client’s policies.
9.3.1.4 Initial certification audit conclusions
The audit team shall analyse all information and audit evidence gathered during stage 1 and stage 2 to review the audit findings and agree on the audit conclusions.
9.4 Conducting audits
9.4.1 General
The certification body shall have a process for conducting on-site audits. This process shall include an opening meeting at the start of the audit and a closing meeting at the conclusion of the audit.
Where any part of the audit is made by electronic means or where the site to be audited is virtual, the certification body shall ensure that such activities are conducted by personnel with appropriate competence. The evidence obtained during such an audit shall be sufficient to enable the auditor to take an informed decision on the conformity of the requirement in question.
NOTE “On-site” audits can include remote access to electronic site(s) that contain(s) information that is relevant to the audit of the management system. Consideration can also be given to the use of electronic means for conducting audits.
9.4.2 Conducting the opening meeting
A formal opening meeting shall be held with the client’s management and, where appropriate, those responsible for the functions or processes to be audited. The purpose of the opening meeting, usually conducted by the audit team leader, is to provide a short explanation of how the audit activities will be undertaken. The degree of detail shall be consistent with the familiarity of the client with the audit process and shall consider the following:
a) introduction of the participants, including an outline of their roles;
b) confirmation of the scope of certification;
c) confirmation of the audit plan (including type and scope of audit, objectives and criteria), any changes, and other relevant arrangements with the client, such as the date and time for the closing meeting, interim meetings between the audit team and the client’s management;
d) confirmation of formal communication channels between the audit team and the client;
e) confirmation that the resources and facilities needed by the audit team are available;
f) confirmation of matters relating to confidentiality;
g) confirmation of relevant work safety, emergency and security procedures for the audit team;
h) confirmation of the availability, roles and identities of any guides and observers;
i) the method of reporting, including any grading of audit findings;
j) information about the conditions under which the audit may be prematurely terminated;
k) confirmation that the audit team leader and audit team representing the certification body is responsible for the audit and shall be in control of executing the audit plan including audit activities and audit trails;
l) confirmation of the status of findings of the previous review or audit, if applicable;
m) methods and procedures to be used to conduct the audit based on sampling;
n) confirmation of the language to be used during the audit;
o) confirmation that, during the audit, the client will be kept informed of audit progress and any concerns;
p) opportunity for the client to ask questions.
9.4.3 Communication during the audit
9.4.3.1 During the audit, the audit team shall periodically assess audit progress and exchange information. The audit team leader shall reassign work as needed between the audit team members and periodically communicate the progress of the audit and any concerns to the client.
9.4.3.2 Where the available audit evidence indicates that the audit objectives are unattainable or suggests the presence of an immediate and significant risk (e.g. safety), the audit team leader shall report this to the client and, if possible, to the certification body to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. The audit team leader shall report the outcome of the action taken to the certification body.
9.4.3.3 The audit team leader shall review with the client any need for changes to the audit scope which becomes apparent as on-site auditing activities progress and report this to the certification body.
9.4.4 Obtaining and verifying information
9.4.4.1 During the audit, information relevant to the audit objectives, scope and criteria (including information relating to interfaces between functions, activities and processes) shall be obtained by appropriate sampling and verified to become audit evidence.
9.4.4.2 Methods to obtain information shall include, but are not limited to:
a) interviews;
b) observation of processes and activities;
c) review of documentation and records.
9.4.5 Identifying and recording audit findings
9.4.5.1 Audit findings summarizing conformity and detailing nonconformity shall be identified, classified and recorded to enable an informed certification decision to be made or the certification to be maintained.
9.4.5.2 Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme. Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement.
9.4.5.3 A finding of nonconformity shall be recorded against a specific requirement, and shall contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based. Nonconformities shall be discussed with the client to ensure that the evidence is accurate and that the nonconformities are understood. The auditor however shall refrain from suggesting the cause of nonconformities or their solution.
9.4.5.4 The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and unresolved points shall be recorded.
9.4.6 Preparing audit conclusions
Under the responsibility of the audit team leader and prior to the closing meeting, the audit team shall:
a) review the audit findings, and any other appropriate information obtained during the audit, against the audit objectives and audit criteria and classify the nonconformities;
b) agree upon the audit conclusions, taking into account the uncertainty inherent in the audit process;
c) agree any necessary follow-up actions;
d) confirm the appropriateness of the audit programme or identify any modification required for future audits (e.g. scope of certification, audit time or dates, surveillance frequency, audit team competence).
9.4.7 Conducting the closing meeting
9.4.7.1 A formal closing meeting, where attendance shall be recorded, shall be held with the client’s management and, where appropriate, those responsible for the functions or processes audited. The purpose of the closing meeting, usually conducted by the audit team leader, is to present the audit conclusions, including the recommendation regarding certification. Any nonconformities shall be presented in such a manner that they are understood, and the timeframe for responding shall be agreed.
NOTE “Understood” does not necessarily mean that the nonconformities have been accepted by the client.
9.4.7.2 The closing meeting shall also include the following elements where the degree of detail shall be consistent with the familiarity of the client with the audit process:
a) advising the client that the audit evidence obtained was based on a sample of the information, thereby introducing an element of uncertainty;
b) the method and timeframe of reporting, including any grading of audit findings;
c) the certification body’s process for handling nonconformities including any consequences relating to the status of the client’s certification;
d) the timeframe for the client to present a plan for correction and corrective action for any nonconformities identified during the audit;
e) the certification body’s post audit activities;
f) information about the complaint and appeal handling processes.
9.4.7.3 The client shall be given opportunity for questions. Any diverging opinions regarding the audit findings or conclusions between the audit team and the client shall be discussed and resolved where possible. Any diverging opinions that are not resolved shall be recorded and referred to the certification body.
9.4.8 Audit report
9.4.8.1 The certification body shall provide a written report for each audit to the client. The audit team may identify opportunities for improvement but shall not recommend specific solutions. Ownership of the audit report shall be maintained by the certification body.
9.4.8.2 The audit team leader shall ensure that the audit report is prepared and shall be responsible for its content. The audit report shall provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and shall include or refer to the following:
a) identification of the certification body;
b) the name and address of the client and the client’s representative;
c) the type of audit (e.g. initial, surveillance or recertification audit or special audits);
d) the audit criteria;
e) the audit objectives;
f) the audit scope, particularly identification of the organizational or functional units or processes audited and the time of the audit;
g) any deviation from the audit plan and their reasons;
h) any significant issues impacting on the audit programme;
i) identification of the audit team leader, audit team members and any accompanying persons;
j) the dates and places where the audit activities (on site or offsite, permanent or temporary sites) were conducted;
k) audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit;
l) significant changes, if any, that affect the management system of the client since the last audit took place;
m) any unresolved issues, if identified;
n) where applicable, whether the audit is combined, joint or integrated;
o) a disclaimer statement indicating that auditing is based on a sampling process of the available information;
p) recommendation from the audit team;
q) the audited client is effectively controlling the use of the certification documents and marks, if applicable;
r) verification of effectiveness of taken corrective actions regarding previously identified nonconformities, if applicable.
9.4.8.3 The report shall also contain:
a) a statement on the conformity and the effectiveness of the management system together with a summary of the evidence relating to:
— the capability of the management system to meet applicable requirements and expected outcomes;
— the internal audit and management review process;
b) a conclusion on the appropriateness of the certification scope;
c) confirmation that the audit objectives have been fulfilled.
9.4.9 Cause analysis of nonconformities
The certification body shall require the client to analyse the cause and describe the specific correction and corrective actions taken, or planned to be taken, to eliminate detected nonconformities, within a defined time.
9.4.10 Effectiveness of corrections and corrective actions
The certification body shall review the corrections, identified causes and corrective actions submitted by the client to determine if these are acceptable. The certification body shall verify the effectiveness of any correction and corrective actions taken. The evidence obtained to support the resolution of nonconformities shall be recorded. The client shall be informed of the result of the review and verification. The client shall be informed if an additional full audit, an additional limited audit, or documented evidence (to be confirmed during future audits) will be needed to verify effective correction and corrective actions.
NOTE Verification of effectiveness of correction and corrective action can be carried out based on a review of documented information provided by the client, or where necessary, through verification on-site. Usually this activity is done by a member of the audit team.
9.5 Certification decision
9.5.1 General
9.5.1.1 The certification body shall ensure that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits. The individual(s) appointed to conduct the certification decision shall have appropriate competence.
9.5.1.2 The person(s) [excluding members of committees (see 6.1.4)] assigned by the certification body to make a certification decision shall be employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body. A certification body’s organizational control shall be one of the following:
a) whole or majority ownership of another entity by the certification body;
b) majority participation by the certification body on the board of directors of another entity;
c) a documented authority by the certification body over another entity in a network of legal entities (in which the certification body resides), linked by ownership or board of director control.
NOTE For governmental certification bodies, other parts of the same government can be considered to be “linked by ownership” to the certification body.
9.5.1.3 The persons employed by, or under contract with, entities under organizational control shall fulfil the same requirements of this part of ISO/IEC 17021 as persons employed by, or under contract with, the certification body.
9.5.1.4 The certification body shall record each certification decision including any additional information or clarification sought from the audit team or other sources.
9.5.2 Actions prior to making a decision
The certification body shall have a process to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that
a) the information provided by the audit team is sufficient with respect to the certification requirements and the scope for certification;
b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions;
c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action.
9.5.3 Information for granting initial certification
9.5.3.1 The information provided by the audit team to the certification body for the certification decision shall include, as a minimum:
a) the audit report;
b) comments on the nonconformities and, where applicable, the correction and corrective actions taken by the client;
c) confirmation of the information provided to the certification body used in the application review (see 9.1.2);
d) confirmation that the audit objectives have been achieved;
e) a recommendation whether or not to grant certification, together with any conditions or observations.
9.5.3.2 If the certification body is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of stage 2, the certification body shall conduct another stage 2 prior to recommending certification.
9.5.3.3 When a transfer of certification is envisaged from one certification body to another, the accepting certification body shall have a process for obtaining sufficient information in order to take a decision on certification.
NOTE Certification schemes can have specific rules regarding the transfer of certification.
9.5.4 Information for granting recertification
The certification body shall make decisions on renewing certification based on the results of the recertification audit, as well as the results of the review of the system over the period of certification and complaints received from users of certification.
9.6 Maintaining certification
9.6.1 General
The certification body shall maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard. It may maintain a client’s certification based on a positive conclusion by the audit team leader without further independent review and decision, provided that:
a) for any major nonconformity or other situation that may lead to suspension or withdrawal of certification, the certification body has a system that requires the audit team leader to report to the certification body the need to initiate a review by competent personnel (see 7.2.8), different from those who carried out the audit, to determine whether certification can be maintained;
b) competent personnel of the certification body monitor its surveillance activities, including monitoring the reporting by its auditors, to confirm that the certification activity is operating effectively.
9.6.2 Surveillance activities
9.6.2.1 General
9.6.2.1.1 The certification body shall develop its surveillance activities so that representative areas and functions covered by the scope of the management system are monitored on a regular basis, and take into account changes to its certified client and its management system.
9.6.2.1.2 Surveillance activities shall include on-site auditing of the certified client’s management system’s fulfilment of specified requirements with respect to the standard to which the certification is granted. Other surveillance activities may include:
a) enquiries from the certification body to the certified client on aspects of certification;
b) reviewing any certified client’s statements with respect to its operations (e.g. promotional material, website);
c) requests to the certified client to provide documented information (on paper or electronic media);
d) other means of monitoring the certified client’s performance.
9.6.2.2 Surveillance audit
Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that the certification body can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits. Each surveillance for the relevant management system standard shall include:
a) internal audits and management review;
b) a review of actions taken on nonconformities identified during the previous audit;
c) complaints handling;
d) effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
e) progress of planned activities aimed at continual improvement;
f) continuing operational control;
g) review of any changes;
h) use of marks and/or any other reference to certification.

9.6.3 Recertification
9.6.3.1 Recertification audit planning
9.6.3.1.1 The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable for timely renewal before the certificate expiry date.
9.6.3.1.2 The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.
9.6.3.1.3 Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).
NOTE Such changes can occur at any time during the certification cycle and the certification body might need to perform a special audit (see 9.6.4), which might or might not be a two-stage audit.
9.6.3.2 Recertification audit
9.6.3.2.1 The recertification audit shall include an on-site audit that addresses the following:
a) the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
b) demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
c) the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s).
9.6.3.2.2 For any major nonconformity, the certification body shall define time limits for correction and corrective actions. These actions shall be implemented and verified prior to the expiration of certification.
9.6.3.2.3 When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.
9.6.3.2.4 If the certification body has not completed the recertification audit or the certification body is unable to verify the implementation of corrections and corrective actions for any major nonconformity (see 9.5.2.1) prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.
9.6.3.2.5 Following expiration of certification, the certification body can restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on the prior certification cycle.

9.6.4 Special audits
9.6.4.1 Expanding scope
The certification body shall, in response to an application for expanding the scope of a certification already granted, undertake a review of the application and determine any audit activities necessary to decide whether or not the extension may be granted. This may be conducted in conjunction with a surveillance audit.
9.6.4.2 Short-notice audits
It may be necessary for the certification body to conduct audits of certified clients at short notice or unannounced to investigate complaints, or in response to changes, or as follow up on suspended clients. In such cases:
a) the certification body shall describe and make known in advance to the certified clients (e.g. in documents as described in 8.5.1) the conditions under which such audits will be conducted;
b) the certification body shall exercise additional care in the assignment of the audit team because of the lack of opportunity for the client to object to audit team members.
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.6.5.1 The certification body shall have a policy and documented procedure(s) for suspension, withdrawal or reduction of the scope of certification, and shall specify the subsequent actions by the certification body.
9.6.5.2 The certification body shall suspend certification in cases when, for example:
— the client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
— the certified client does not allow surveillance or recertification audits to be conducted at the required frequencies;
— the certified client has voluntarily requested a suspension.
9.6.5.3 Under suspension, the client’s management system certification is temporarily invalid.
9.6.5.4 The certification body shall restore the suspended certification if the issue that has resulted in the suspension has been resolved. Failure to resolve the issues that have resulted in the suspension in a time established by the certification body shall result in withdrawal or reduction of the scope of certification.
NOTE In most cases, the suspension would not exceed six months.
9.6.5.5 The certification body shall reduce the scope of certification to exclude the parts not meeting the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction shall be in line with the requirements of the standard used for certification.
9.7 Appeals
9.7.1 The certification body shall have a documented process to receive, evaluate and make decisions on appeals.
9.7.2 The certification body shall be responsible for all decisions at all levels of the appeals-handling process. The certification body shall ensure that the persons engaged in the appeals-handling process are different from those who carried out the audits and made the certification decisions.
9.7.3 Submission, investigation and decision on appeals shall not result in any discriminatory actions against the appellant.
9.7.4 The appeals-handling process shall include at least the following elements and methods:
a) an outline of the process for receiving, validating and investigating the appeal, and for deciding what actions need to be taken in response to it, taking into account the results of previous similar appeals;
b) tracking and recording appeals, including actions undertaken to resolve them;
c) ensuring that any appropriate correction and corrective action are taken.
9.7.5 The certification body receiving the appeal shall be responsible for gathering and verifying all necessary information to validate the appeal.
9.7.6 The certification body shall acknowledge receipt of the appeal and shall provide the appellant with progress reports and the result of the appeal.
9.7.7 The decision to be communicated to the appellant shall be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the appeal.
9.7.8 The certification body shall give formal notice to the appellant of the end of the appeals-handling process.
9.8 Complaints
9.8.1 The certification body shall be responsible for all decisions at all levels of the complaints-handling process.
9.8.2 Submission, investigation and decision on complaints shall not result in any discriminatory actions against the complainant.
9.8.3 Upon receipt of a complaint, the certification body shall confirm whether the complaint relates to certification activities that it is responsible for and, if so, shall deal with it. If the complaint relates to a certified client, then examination of the complaint shall consider the effectiveness of the certified management system.
9.8.4 Any valid complaint about a certified client shall also be referred by the certification body to the certified client in question at an appropriate time.
9.8.5 The certification body shall have a documented process to receive, evaluate and make decisions on complaints. This process shall be subject to requirements for confidentiality, as it relates to the complainant and to the subject of the complaint.
9.8.6 The complaints-handling process shall include at least the following elements and methods:
a) an outline of the process for receiving, validating, investigating the complaint, and for deciding what actions need to be taken in response to it;
b) tracking and recording complaints, including actions undertaken in response to them;
c) ensuring that any appropriate correction and corrective action are taken.
NOTE ISO 10002 provides guidance for complaints handling.
9.8.7 The certification body receiving the complaint shall be responsible for gathering and verifying all necessary information to validate the complaint.
9.8.8 Whenever possible, the certification body shall acknowledge receipt of the complaint, and shall provide the complainant with progress reports and the result of the complaint.
9.8.9 The decision to be communicated to the complainant shall be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the complaint.
9.8.10 Whenever possible, the certification body shall give formal notice of the end of the complaints-handling process to the complainant.
9.8.11 The certification body shall determine, together with the certified client and the complainant, whether and, if so to what extent, the subject of the complaint and its resolution shall be made public.
9.9 Client records
9.9.1 The certification body shall maintain records on the audit and other certification activities for all clients, including all organizations that submitted applications, and all organizations audited, certified, or with certification suspended or withdrawn.
9.9.2 Records on certified clients shall include the following:
a) application information and initial, surveillance and recertification audit reports;
b) certification agreement;
c) justification of the methodology used for sampling of sites, as appropriate;
NOTE Methodology of sampling includes the sampling employed to audit the specific management system and/or to select sites in the context of multi-site audit.
d) justification for auditor time determination (see 9.1.4);
e) verification of correction and corrective actions;
f) records of complaints and appeals, and any subsequent correction or corrective actions;
g) committee deliberations and decisions, if applicable;
h) documentation of the certification decisions;
i) certification documents, including the scope of certification with respect to product, process or service, as applicable;
j) related records necessary to establish the credibility of the certification, such as evidence of the competence of auditors and technical experts;
k) audit programmes.
9.9.3 The certification body shall keep the records on applicants and clients secure to ensure that the information is kept confidential. Records shall be transported, transmitted or transferred in a way that ensures that confidentiality is maintained.
9.9.4 The certification body shall have a documented policy and documented procedures on the retention of records. Records of certified clients and previously certified clients shall be retained for the duration of the current cycle plus one full certification cycle.
NOTE In some jurisdictions, the law stipulates that records need to be maintained for a longer time period.
10 Management system requirements for certification bodies
10.1 Options
The certification body shall establish, document, implement and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this part of ISO/IEC 17021. In addition to meeting the requirements of Clauses 5 to 9, the certification body shall implement a management system in accordance with either:
a) general management system requirements (see 10.2); or
b) management system requirements in accordance with ISO 9001 (see 10.3).
10.2 Option A: General management system requirements
10.2.1 General
The certification body shall establish, document, implement and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this part of ISO/IEC 17021.
The certification body’s top management shall establish and document policies and objectives for its activities. The top management shall provide evidence of its commitment to the development and implementation of the management system in accordance with the requirements of this part of ISO/IEC 17021. The top management shall ensure that the policies are understood, implemented and maintained at all levels of the certification body’s organization.
The certification body’s top management shall assign responsibility and authority for:
a) ensuring that processes and procedures needed for the management system are established, implemented and maintained;
b) reporting to top management on the performance of the management system and any need for improvement.
10.2.2 Management system manual
All applicable requirements of this part of ISO/IEC 17021 shall be addressed either in a manual or in associated documents. The certification body shall ensure that the manual and relevant associated documents are accessible to all relevant personnel.
10.2.3 Control of documents
The certification body shall establish procedures to control the documents (internal and external) that relate to the fulfilment of this part of ISO/IEC 17021. The procedures shall define the controls needed to:
a) approve documents for adequacy prior to issue;
b) review and update where necessary and re-approve documents;
c) ensure that changes and the current revision status of documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents of external origin are identified and their distribution controlled;
g) prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
NOTE Documentation can be in any form or type of medium.
10.2.4 The certification body shall establish procedures to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of its records related to the fulfilment of this part of ISO/IEC 17021.
The certification body shall establish procedures for retaining records for a period consistent with its contractual and legal obligations. Access to these records shall be consistent with the confidentiality arrangements.
NOTE For requirements for records on certified clients, see also 9.9.
10.2.5 Management review
10.2.5.1 General
The certification body’s top management shall establish procedures to review its management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness, including the stated policies and objectives related to the fulfilment of this part of ISO/IEC 17021. These reviews shall be conducted at least once a year.
10.2.5.2 Review inputs
The input to the management review shall include information related to:
a) results of internal and external audits;
b) feedback from clients and interested parties;
c) safeguarding impartiality;
d) the status of corrective actions;
e) the status of actions to address risks;
f) follow-up actions from previous management reviews;
g) the fulfilment of objectives;
h) changes that could affect the management system;
i) appeals and complaints.
10.2.5.3 Review outputs
The outputs from the management review shall include decisions and actions related to:
a) improvement of the effectiveness of the management system and its processes;
b) improvement of the certification services related to the fulfilment of this part of ISO/IEC 17021;
c) resource needs;
d) revisions of the organization’s policy and objectives.
10.2.6 Internal audits
10.2.6.1 The certification body shall establish procedures for internal audits to verify that it fulfils the requirements of this part of ISO/IEC 17021 and that the management system is effectively implemented and maintained.
NOTE ISO 19011 provides guidelines for conducting internal audits.
10.2.6.2 An audit programme shall be planned, taking into consideration the importance of the processes and areas to be audited, as well as the results of previous audits.
10.2.6.3 Internal audits shall be performed at least once every 12 months. The frequency of internal audits may be reduced if the certification body can demonstrate that its management system continues to be effectively implemented according to this part of ISO/IEC 17021 and has proven stability.
10.2.6.4 The certification body shall ensure that:
a) internal audits are conducted by competent personnel knowledgeable in certification, auditing and the requirements of this part of ISO/IEC 17021;
b) auditors do not audit their own work;
c) personnel responsible for the area audited are informed of the outcome of the audit;
d) any actions resulting from internal audits are taken in a timely and appropriate manner;
e) any opportunities for improvement are identified.
10.2.7 Corrective actions
The certification body shall establish procedures for identification and management of nonconformities in its operations. The certification body shall also, where necessary, take actions to eliminate the causes of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the impact of the problems encountered. The procedures shall define requirements for:
a) identifying nonconformities (e.g. from valid complaints and internal audits);
b) determining the causes of nonconformity;
c) correcting nonconformities;
d) evaluating the need for actions to ensure that nonconformities do not recur;
e) determining and implementing in a timely manner, the actions needed;
f) recording the results of actions taken;
g) reviewing the effectiveness of corrective actions.
10.3 Option B: Management system requirements in accordance with ISO 9001
10.3.1 General
The certification body shall establish and maintain a management system, in accordance with the requirements of ISO 9001, which is capable of supporting and demonstrating the consistent achievement of the requirements of this part of ISO/IEC 17021, amplified by 10.3.2 to 10.3.4.
10.3.2 Scope
For application of the requirements of ISO 9001, the scope of the management system shall include the design and development requirements for its certification services.
10.3.3 Customer focus
For application of the requirements of ISO 9001, when developing its management system, the certification body shall consider the credibility of certification and shall address the needs of all parties (as set out in 4.1.2) that rely upon its audit and certification services, not just its clients.
10.3.4 Management review
For application of the requirements of ISO 9001, the certification body shall include as input for management review, information on relevant appeals and complaints from users of certification activities and a review of impartiality.

Nominated representative
Signature:
Date:

Team Leader
Signature:
Date:
