INTERNATIONAL ISO/IEC STANDARD 17021-1 irstedition 2015-06-15 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements valuation de fa conformité ~ Rxigences pour les organismes procédant a audit et d la certification des systémes de management — Partie 1: Exigences Reference number Is0/lBC 17021-1:2015(8) oso/inc 2015,10 /1EC 17024-1:2015(6) {© 1S0/1EC 2015, Published im switzertand (nl rigutsreerved, Unless etherwse speded, no pat ofthis publetion may be reproduced or ulzed others ty frm ‘sah can, lectrontc or mechan, Including photaeapying, or posing on the Interact or an Intranet, without prior aay ea Paasion can bo requested fam elthes 10 atthe address below oF 80's member body nthe county of the requester 130 copyright ofce Chededlondonnet 6» cP 401 (11214 Verney, Geneva, Switrerland ‘ol eat22 70901 11 Panes 22749 09 47 congrats swwvasore ii (© 150/166 2015 - Alsghts reserved® Contents age Foreword - (© 180/166 2015 ~ Alleights reserved roduction, . - vi Scope Normative references. ‘Terms and definitions. Prinelples oo 41 General. 42 Impartiality 43° Competence 44° Responsibility, _ 45 Openness — own en 46 Confidentiality, So 47 Responsiveness to complaints - 48 Riskebased approach General requirements 5. Legal and contractual matters, 5.11 Legal responsibility 5.12 Certification agreement. - 5.13 Responsibility for certification decisions... 52 Management of impartially. - 53° Liability and financing. Structural requirements. 6.1 Organizational structure and top management. 62 Operational control Resource requirements . 74 Competence of personnel - 7.1.1 General considerations 712 — Determination of competence criteria, 7.1.3 Evaluation processes... 7.14 Otherconsiderations. 72 Personnel involved in the certification activities 73 Use of individual external auditors and external technical experts. CoML 74 — Personnel records - - 12 75 Outsourcing. - - cD Information requirements 81 Publicinformation a - B2_ Certification documents... 83 Reference to certification and use of marks ‘ 84 Confidentiallty - z 85 Information exchange between a certification body and its clients ‘1 Information on the certification activity and requirements, 85.2 Notice of changer by a cortifieation body. 853 Notice ofchanges by a certified client. Process requirements - 94 Pre-certifieation activities. 9.1 Application. - wo 9.1.2 Application review. 9.13 Auditprogramme 9.14 — Determining audit time. : 9.15 Mult-site sampling . 9.16 Multiple management systems standards...1S0/18C 17021-1:2015(E) 9.2. Planning aut. —ameemrenrnn 92.1 Determining audit objectives, scope and criteria. 9.22 Audit team selection and assignments. e 9.23. Audit plan. 9.4 Initial certification 93.1 Initial certification audit. 944 Conducting audits. BAL General nnn 9.42 Conducting the opening meeting —— 943 Communication during the audit. 9444 Obtaining and verifying information. SAS Tdentifying and recording audit findings 9.46 Preparing audit conclusions... 9447 Conducting the closing meeting. 7 94.8 Audit report. sheen 949 Cause analysis of nonconformithesn yan 9.4.10 Effectiveness of corrections and corrective actions 95 Certification decision. iter 9S General bcs 982 Actions prior to making a decision 983 Information for granting initial certification... 91544 _ Information for granting recertification, 96 Maintaining certification. 61 General ncn a 962 Surveillance activities. 9463 Recertification co 9,64 Special AUIS. nunnemnnnnnsn a GES Suspending, withdrawing or reducing the scope of CetiflcaOM wennmmr—nonmwe3 97 Appeals. - . 98 Complaints. - ~ 99 Client records. 10 Management system requirements for certification bodies. oo 10.1 Options. 10.2 Option 102.1 General... 102.2 Managementsystem manual 10.2.3 Control of documents. 102.4 Control of records. 102.5 Managementreview. 102.6 Internal audits... 10.2.7 Corrective actions... 103 Option B: Management system requ! 103.1 General. 1032 Scope... 103.3 Customer focus. 103.4 Managementreview Annex A (normative) Required knowledge and sldills.-..0.— ‘Annex B (informative) Possible evaluation methods... ‘Annex ¢ (informative) Example of process flow for determining and maintaining competence 8 ‘Annex D (informative) Desired personal behaviour. ———— {Annex & (informative) Audit and cer Bibliography. jeneral management system requirements... cathon process... Ww © 150/166 2025 - Al elghts reserved150 /1E¢ 17021-1:2015(E) Foreword 180 (the International Organization for Standardization) and IEC (Lhe International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are embers of 1S0 or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and (EC, also take part in the ‘work, In the field of conformity assessment, ISO and 1EC develop jotnt ISO/IRC documents under the management of the ISO Committee on Conformity assessment (IS0/CASCO}, ‘The procedures used to develop this document and those intended for Its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.lso.org/directives) Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details ofany patentrights identified during the development ofthe document will bein the Introduction and/or on the 1S0 list of patent declarations recelved (see wwwvuiso.org/natents). Any trade name used in this document is inform: constitute an endorsement. mn given for the convenience of users and does not For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about I$0's adherence to the WTO principles in the Technical Barriers to Trade (1187) see the following URL: Foreword: Supplementary information 180/18C 17021-1 was prepared by the /S0 Committee on Conformity Assessment (CASCO).Itwas circulated for voting to the national bodies of both 1S0 and! IEC, and was approved by both organizations, This flrst edition of ISO/IEC 170211 cancels and replaces ISO/IEC 17021:2011, which has been technically revised. ISO/IEC 17021 consists of the following parts, under the general title Conformity assessment — Requirements for bodies providing audit and certification of management systems: = Part 1: Requirements = Part 2: Competence requirements for auditing and certification of environmental management systems [echnical Specification} — Part 3: Competence requirements for auditing and certification of quality management systems [Technical Specification] = Part 4; Competence requirements for auditing and certification of event sustainability management systems (Technical Specification] = Parts: Competence requirements for auditing and certification of asset management systems {Technical Specification] — Part 6: Competence requirements for auditing and certification of business continuity management systems [Techaical Specification} = Part 7: Competence requirements for auditing and certification of road traffic safety management systems [Technical Specification} (© 1s0ptee-2015 au igs reserved10 /1EC 17021-1:2015(E) Introduction certification of a management system, such as the environmental management system, quality CGagement system or information security management system of an organization, Is one means Ur peuvding assurance that the organtzation has implemented a system for the management of the Savant aapects ofits activities, products and services, in line with the organization's policy and the ‘requirements of the respective international management system standard, ‘This part of ISO/IEC 17021 specifies requirements for bodies providing audit and certfiation of sanagementsystems. ligives genericrequirements for such bodies performing auditand certification in thefiekd of quality the environmentanc other types of management systems. Such bodiesare referred to cae retileation hedies, Observance of these requirements is Intended to ensure that certification bodies Sperate management system certification ina competent, consistent and impartial mannet thereby estitating the recognition of such bodies and the acceptance of their certifications on a national and rturnatienal basis. This part of 1S0/IEC 17021 serves as a foundation for facilitating the recognition of ‘manajjement system certification in the interests of international trade, Certification of a management system provides independent demonstration that the management system of the organization: 4) conforms to specified requirements; ') is capable of consistently achieving its stated policy and objectives; ©) iseffectively implemented. Conformity assessment, such as the certification of a management system, thereby provides value to the organization, its customers and interested parties, ‘Clause 4 describes the principles on which credible certification is based. These principles help the user to understand the essential nature of certification and they area necessary prelude to Clauses. to 10. ‘These principles underpin the requirements in this part of I$0/1EC 17021, but such principles are not auuitable requirements in thelr own right, Clause 10 describes two alternative ways of supporting and omonstrating the consistent achievement of the requirements in thls part of ISO/IEC 17021 through the establishment of a management system by the certification body. Certificaton activities are the individual activities that make up the entire certification process, from pplicatin review to termination of certification, Annex f provides an illustration of the way in which many of hese activities can interact. cortfication activities involve the audit ofan organization's management system, The form ofattestation of conformity of an organization's management system to a specific management system standard or ther normative requirements is usually a certification document or a certificate This patt of 1S0/18C 17021 is applicable to the auditing and certification of any type of management system, tls recognized that some ofthe requirements, in particular those related to auditor competence, Cdnbesupplemented with additional eriteria inorder toachieve the expectations ofthe interested partes tn this part of $0/1C 17021, the following verbal forms are used: = “shall” indicates a requirement; — “should” indicates a recommendation; ay" indicates a permission; — “can indicates a possibility ora capability. Further details can be found in the ISQ/II¢ Directives, Part 2. vi {© 180/18 2015 - A sgh reservedINTERNATIONAL STANDARD 1S0/1EC 17021-1:2015(6) Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements 1 Scope ‘This part of ISO/IEC 17021 contains principles and requirements for the competence, consistency and impartiality of bodies providing audit and certification of all types of management systems, Certification bodies operating to this part of S0/IEC 17021 do not need to offer all types of management system certification, Certification of management systems Is a third-party conformity assessment activity (See ISO/IEC 17000:2004, 5.5) and bodies performing this activity are therefore third-party conformity assessment bodies. NOVEL Examples of management systems Include environmental management systems, quality management systems and Information security management systems NOTE2 _ inthis pare of ISO/IEC 17021, certification of managoment systems is referred to as certification" and {hird party conformity assessment bodies are referred to as "certification bodies" NOTES A certification body can be non-governmental ar governmental, with or without regulatory authority. NOTE4 ‘This part of IS0/I6C 17022 can be used as a criteria document for accreditation, peer assessment or other audit processes, 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are Indispensable for its application, For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies 180 9000, Quality management systens — Fundamentals and vocabulary ISO/IEC 17000, Conformity assessment — Vocabulary and general principles 3. Terms and definitions For the purposes of this document, the terms and definitions given in ISO 9000, ISO/IEC 17000 and the following apply. aa. certified client organization whose management system has been certified 32 impartiality presence of objectivity Note 1 to entry: Objectivity means that couflets of interest do not exist, of are resolved so as not to adversely influence subsequent activities of the certification body. ©1s0/t80 201 Altrghts reserved10/18 17021-1:2015(E) useful in conveying the element of impartiality include independence’, stpeedomn trom bias, “lack of prejudice", “neutrality “falrness’, “open: yment’ "balance Note 2 to entry: Other terms that “ireedom from conflet of inter iindedness, “evenshandedness 33 ‘management system consultancy articipation in establishing, Implementing or maintaining a management system EXAMPLE — Preparing or producing manuals or procedures. EXAMPLE2 Gling specific advice, structions or solutions towards the development and Implenventation of management system. Note 1 tw entry: Arranging training and partelpting asa traler isnot considered consultancy, provided at, Note 1 ten ates te managementsystem rating its confined tthe provision of generinformasion ire the trainer should not provide elientspeeific solutions. Note 2 to entry: The provision of gener Information, but not cent specie solutions forthe improvement of venccasee or systems is not considered to be consultancy. Such information may Include: = explaining the meaning ana intention of ertifieation crterl — \dentiying improvement opportunities; — explaining associated theories, methodologles techniques or tots; — sharing non-confidential information on related best practices; — other management aspeets that are not covered by the management system belng audited. 34 certification audit ceri aried out by an auditing organization independent of the client and the parties that rely on certification, for the purpose of certifying the client’s management system Note 1 to entry n the definitions which follow, the term “audit” has been used for simplicity to refer to third party cortifiation aul Note 2to entry: Certification audits inchude inital, surveillance, re-certifieation audits, and can also Ince special audits. Note’ to entry: Cartification audits are typically conducted by audit team ofthose bodies providing certification Dreanformnity to the requirements of management system standards Note4to entry Aoint audit is when two or more auliting or Jinations cooperate to audit a single client, ote $ to entry: A combined audit is when » clint is being audited against the requirements of two oF rore management systems standards together Note 6 to entry: An integrated audit is when a cient has integrated the aplication of requirements of two of vot es ntapatnsstandardsnioasinglemanagementsystemandisbeingaultedapastmere thanonestandard 35 client Srganiation whose management system is being audited for certification purposes 3.6 auditor person who conducts an audit 37 competence ability to apply knowledge and skills to achleve intended results 2 (© 150/1HC 2015 - All rghts reserved180/1EC 17021-1:2015(E) 38 guide person appointed by the client to assist the audit team 39 observer person who accompanies the audit team but does not audit, 3.10 technical area area characterized by commonalities of processes relevant to a specific type of management system and. its intended results Note 1 to entry: See Note to 21.2. ity non-fulfilment ofa requirement 32 major nonconformity hnonconformity (3.11) thataffects the capability of the management system to achieve the intended results Note 1 to entry: Nonconformities could be classified as major in the following circumstances: = Sfehere is a significant doubt that effective process control Is in place, or that products or services will meet, specified requirements = a number of minor nonconformitios associated with the same requirement ar Issite could demonstrate a systemic allure and thus constitute a major nonconformity. 3.13 minor nonconformity hnonconformity (3.11) that does not affect the capability of the management system to achieve the Intended results 3.44 technical expert person who provides specific knowledge or expertise to the audit team Note 1 to entry: Specific knowledge or expertise Is that which relates to the organteation, the process ar activity tobe audited 31s certification scheme conformity assessmentsystemrelatedto managementsystemsto which thesamespecified requirements, specific rules and procedures apply 3.16 audit chne time needed to plan and accomplish a complete and effective audit of the client organization's management system 37 ‘duration of management system certification audits part of audit time (3.16) spent conducting audit activities from the opening meeting to the closing ‘meeting, Inclusive Note 1 to entry: Ault activities normally Include — conducting the opening meetin — performing document review while conducting the aud (© S0/1EC 2015 — All rights reserved1s0/1BC 17021-1:2015(E) = communicating during the audits — assigning roles and responsibilities of guldes and observers; — collecting and verlfying information: — generating ait ndings: — preparing audit conclusions: ~ conducting the closing meeting 4 Principles 4. General “AAA. The principles described in this lause provide the basis fr the subsequent specific performance 44% eceipive requirements in this part of S0/1EC 17021. This part of ISO/IEC 17021 docs not ahve a tc requltement forall situations that can occur These principles shouldbe applied as gudance for Teeciecisions that may need to be made for unanticipated situations, Principles are not requirements, 442. The overall aim of covtfication is to give confidence to all parties that a management systcn fits spetfed requirements, The value of certification is the degree of public confidence andl wus Ht seeeeatshed by an impartial and competent assessment by a third-party. Parties that have an interest in certification include, butare not limited to 4) the lients ofthe certification bodies; 1) the customers ofthe organtzations whose management systems are certified; 6) governmental authorities; 6) non-governmental organizations; 2) constimers and other members of the public. 44.3. Principles for inspring confidence include: = impartiality: = competence; — responsibility; = openness: = confidentiality; — responsiveness to complains; = riskcbased approach. NOTE This part of ISO/I6C 17021 sets out the principles of certifietion tn Chasse the corresponding Principles related to ating can be found bn 150 19031:2021, Clause 4.2. Impartiality 42.1. beingimpartial,and being perceived tobe impartahisnecessaty fra csrtiication body to deliver oan arovider confidence Iris important thatall internal and external personne aeaware of the need for impartiality. 4 {© 150/14 2015 - Alright reserved180/1EC 17021-1:2015(6) 4.2.2. Itisrecognized thatthe source of revenue for acertification body isitscllentpaying for certification, and that this isa potential threat to impartia 4.2.3 To obtain and maintain confidence, itis essential that a certification body's decisions be based ‘on objective evidence of conformity (or nonconforinity) obtained by the certification body, and that its decisions are not influenced by other interests or by other parties. 4.24 Threats to impartiality may include but are not limited to the following. a) Selfinterest: threats thatarise froma person or body acting In thelr own interest, A concern related to certification, as a threat to impartiality, fs financial self-interest, b) Selfreview: threats that arise from a person or body reviewing the work done by themselves. ‘Auditing the management systems ofa client to whom the certification body provided management systems consultancy would be a selfreviow threat. ©) Familiarity (or trust); threats that arise from a person or body betng too familiar with or trusting of another person instead of seeking audit evidence. 4) Intimidation: threats that arise from a person or body having a perception of being coerced openly or secretively, such as a threat to be replaced or reported to a supervisor. 4.3 Competence 434 Competence of the personnel of the certification body in all functions Involved in certification activities is necessary to deliver certification that provides confidence, 43.2 The competence also needs to be supported by the management system of the certification body. 43.3. Itisa key issue for the management ofthe certification body to have an implemented process for the establishment of competence criteria for the personnel involved in the audit and other certification activities and to perform evaluation against the criteria, 4A Responsibility 441 The certified client, and notthe certification body, has the responsibility for consistently achieving the Intended results of implementation of the management system standard! and conformity with the roquirements for certification. 44.2. The certification body has the responsibility to assess sufficient objective evidence upon which to base a certification decision, Based on audit conclusions, makes a decision to grant certification if there is sufficient evidence of conformity, or nt ta grant certification Ifthere is not sufficient evidence of conformity. NOTE Any audit (s based on sampling within an organization's menagement system and therefore is not a iuatantee of 100 % conformity with requirements. 4.5 Openness 4.5: A certification body needs to provide public access to, or disclosure of, appropriate and timely information about its audit process and certification process, and about the certification status (l the granting, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring, o: withdrawing of certification) of any organization, in order to gain confidence in the integrity and credibility of certification, Openness is a principle of access to, of disclosure of, appropriate information, (© 1s0/16C 2015 ~ Aleghtsresorved1s0/1EC 17021-1:2015(E) 452 ‘To gain or malntain confidence in certification, a certification body should provide abpeSpt ee 15 Oa ate of non-confidential information about the conclusions of specific audits (¢— audits in response to complaints) to specific interested parties, 46 Confidentiality ‘To gainthe privileged accessto information thatisneeded forthe certifcation ly east conformity roan rics as corification alequatry.isessential that a certification body oes nor dscose ny confidential information. 4.7, Responsiveness to complaints parties that rely on certification oxpect to have complaints Investigated and, if these are found te Parte aaa rid hove confidence that these complaints will be appropriately adiressed and that ve vai ie atort will be made by the certification body to resolve them. liffective responsiveness Wt ‘eauplaints is an important means of protection for the certification body Its clits and over Ware of cor tion against errors, omissions or unreasonable behaviour, Confidence in certfieation activities is safeguarded when complaints are processed appropriately. NOTE An appropriate balance between the principles of openness and confidentiality, nding NOTE vente Wr complaints necessary inorder to demonstrate integrity and credibility to al wets of cerlfeation. 48 R Jkebased approach Certification bodies need to take Into accountthe risks assoctated with providing competent, consistent gna impartial ertfication, Riskes may inclu, but are no Limited to, those associated with: — the objectives ofthe ait — the sampling used inthe audit process — real and perceived impartiality — legal regulatory and liability issues: — the client organization being audited and its operating environment; — impact ofthe audit onthe client and its activitie — heatth and safety f the audit teams: — perception afinterestad parties; — misleading statements by the certified elient; — use of marks. 5 General requirements 5.1 Legal and contractual matters, S.A Legal responsibility ‘The certification body shall be a legal entity, ora defined part of alega entity that can be held legay TeSponaibe for alls confication activities. A governmental certification body Is deemed robe Tegal temtty on the basis of its governmental status, 6 (© 180/126 2015 - Aleghts reserved180/1E¢ 17021-1:2015(8) 5.2 Certification agreement ‘The certification body shall have a legally enforceable agreement with each client for the provision of certification activities in accordance with the relevant requirements of this part of ISO/IEC 17021. In addition, where there are multiple offices of a certification body or multiple sites ofa client, the certification body shall ensure there {sa legally enforceable agreement between the certification body granting certification and the client that covers all the sites within the scope of the certification, NOTE An agrecment can be achleved through multiple agreements that reference or otherwise lnk to one snather 54.3 Responsibility for certification decisions The certification body shall be responsible for, and shall retain authority for, ts decisions relating to certification, inclucing the granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring following suspensicn, or withdrawing of certification. 5.2. Management of impartiality 5.2.1 Conformity assessment activitis shall be undertaken impartially. The certification body shall be responsible for the impartiality ofits conformity assessment activities and shall rot allow commercial, financial or other pressures to compromise impartiality, 5.2.2. The certification body shall have top management commitment to impartiality in management system certification activities. The certification body shall havea policy that it understands the importance of impartiality in carrying outits management system certification activities, manages conflict of interest and ensures the objectivity ofits management system certification activities, 5.2.3 The certification body shall have a process to Identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification including any conflicts arising from its relationships on an ongolng basis, Where there are any tareats to impartiality, the certification body shall dacument and demonstrate how It eliminates or minimizes such threats and document any residual risk. The demonstration shall cover all potential threats that are identified, whether they arise from within the certification body or from the activitles of other persons, bedles or organtzatio When a relationship poses an unacceptable threat to impartiality (such as a wholly owned subsidiary oft certification body requesting certification from its parent), then certification shall nct be provided. ‘Top management shall review any residual risk to determine if it is within the level of acceptable risk, The risk assessment process shall inchide identification of and consultation with appropriate interested parties to advise on matters affecting impartiality including openness and ptblic perception. The consultation with appropriateinterested parties shall bebalanced with no single interestpredominating, NOTE Sources of threats to impartiality of the certification body can be based on ewnership, governance, management, personnel, shared resources, iuances, contracts, training, marketing and payment of a sales oimmission or other inducement for the referral of new clients, ete NOTE2 Interestedpartiescanineludepetsonnelandelients ofthe certification body, customers oforyantzations luhose manegement systems are certified, representatives of industry trade associations, representatives, bf governmental regulatory badles or other governmental services, or representatives of non-governmental organizations, including consumer organtaations NOTE3 One way of fulfilling the consultation requirement ofthis clause I by the use of committee of these Interested parties, 524 Acertification body shall not cortty another cortifIcation body for its quality management system. (© 60/16C 2015 A rights reserved