ISO Standards and More 04 Oct 2024

ISO 17021: One of the Most Important Standards for ISO Management System Certification

The ISO 17021 standard is one of the most important standards concerning the certification of management systems.

ISO 17021: A Professional Guide

The ISO 17021-1 standard is one of the pillars of the conformity assessment system, playing a crucial role in the process of auditing and certifying ISO management systems. It provides clear guidelines and standards that certification bodies must meet to ensure their actions are credible, reliable, and impartial. This guide aims to present the key requirements of ISO 17021-1, highlighting its impact on the functioning of certification bodies and the certification processes.

1. Scope of the Standard

The ISO 17021-1 standard specifies the requirements for certification bodies that audit and certify management systems. It serves as a foundation to ensure reliability, impartiality, and compliance with international standards. The standard also outlines the responsibilities of certification bodies and their obligations towards clients.

2. Normative References

ISO 17021-1 refers to other standards and international documents that support the conformity assessment and certification processes of management systems. Compliance with these references ensures that certification bodies operate in full accordance with global standards. These standards are an integral part of the requirements for certification bodies and must be considered when implementing the audit and certification processes.

3. Terms and Definitions

This section of the standard defines key concepts such as "audit," "certification," "management systems," and other essential terms necessary for understanding and uniformly applying the standard. Clear definitions of these terms allow for consistency in the interpretation of the standard’s requirements across different certification bodies worldwide.

4. Principles

ISO 17021-1 is based on several fundamental principles that ensure certification bodies operate in a transparent and reliable manner:

  • 4.1 General Provisions: Certification bodies must comply with all provisions of the standard to guarantee the integrity of the certification process.
  • 4.2 Impartiality: Certification bodies must remain independent and avoid conflicts of interest that could influence their certification decisions.
  • 4.3 Competence: Personnel conducting audits must have the appropriate qualifications, knowledge, and experience to ensure the reliability of the process.
  • 4.4 Responsibility: Certification bodies bear full responsibility for the certification decisions made and for the results of audits.
  • 4.5 Openness: The audit processes must be transparent so that clients fully understand the actions of the certification body.
  • 4.6 Confidentiality: Protecting information is crucial; all data obtained during audits must be treated as confidential.
  • 4.7 Response to Complaints: Clear procedures for managing customer complaints must be established.
  • 4.8 Risk-Based Approach: Certification bodies must implement a risk management system that identifies and assesses any potential threats to the impartiality of the certification process.

5. General Requirements

  • 5.1 Legal and Contractual Matters: Certification bodies must have appropriate agreements with clients that define the legal responsibilities and conditions of certification.
  • 5.2 Management of Impartiality: Effective mechanisms must be implemented to manage impartiality throughout the entire certification process.
  • 5.3 Liability and Financing: The financing of certification bodies must not affect their impartiality and certification decisions.

6. Structural Requirements

  • 6.1 Organizational Structure: Certification bodies must have a clearly defined organizational structure, with the responsibilities of management clearly outlined to ensure proper functioning.
  • 6.2 Operational Control: The management of the certification body must ensure effective oversight of all activities related to audits and certification.

7. Resource Requirements

  • 7.1 Competence of Personnel: Auditors and other staff involved in the certification process must have the appropriate qualifications. Their competencies must be regularly evaluated to ensure they meet the standard’s requirements.
  • 7.2 Personnel Involved in Certification Activities: All staff members must act in accordance with the standard's requirements, and their roles in the certification process must be clearly defined.
  • 7.3 Use of External Auditors: If the certification body uses external auditors or experts, their competencies must be properly evaluated and monitored.
  • 7.4 Records of Personnel: Certification bodies must maintain detailed records of the qualifications, training, and experience of their personnel.

8. Information Requirements

  • 8.1 Public Information: Certification bodies must provide clear and understandable information about their processes, policies, and certification conditions.
  • 8.2 Certification Documents: Certificates must be issued based on transparent and standard-compliant procedures, and all documents must meet the requirements of the standard.
  • 8.3 Reference to Certification: Certification bodies must clearly define the rules governing how their clients use certificates and certification marks.
  • 8.4 Confidentiality: All data and information obtained during audits must be treated as confidential and protected from unauthorized access.
  • 8.5 Communication between the Certification Body and Clients: Communication between the certification body and the client must be clear, and the body must inform the client of any changes to the certification process.

9. Process Requirements

  • 9.1 Initial Certification: The certification body must conduct a thorough review of the certification application and establish an audit schedule.
  • 9.2 Audit Planning: The planning of audits should take into account the objectives, scope, and criteria of the audit, as well as the selection of the appropriate audit team.
  • 9.3 Initial Certification Audit: The certification process begins with the initial audit, which assesses the client’s management system for compliance with the standard.
  • 9.4 Conducting Audits: Audits must be conducted in accordance with specified principles, and their results must be documented.
  • 9.5 Certification Decision: The final decision to grant certification must be made based on the results of the audit, and the decision-making process must be independent.
  • 9.6 Maintaining Certification: The certification body must monitor the client’s management system by conducting regular surveillance audits.
  • 9.7 Appeals: Clients have the right to appeal certification decisions, and the certification body must provide procedures to handle such actions.
  • 9.8 Complaints: Procedures for handling complaints must be clearly defined, and certification bodies must respond to complaints in a professional manner in line with the standard’s requirements.
  • 9.9 Records of Clients: All documents and records related to the certification process must be properly stored and secured.

10. Management System Requirements for Certification Bodies

  • 10.1 Options: Certification bodies may implement a management system based on the requirements of the ISO 17021 standard or ISO 9001.
  • 10.2 Option A: General Management System Requirements: In this option, the certification body must implement its own management system that ensures compliance with the standard’s requirements.
  • 10.3 Option B: Management System in Accordance with ISO 9001: Alternatively, certification bodies can base their management processes on the ISO 9001 standard, which provides greater flexibility in the operational management of processes.

Source: ISO/IEC 17021-1:2015
