
28 June 2011, Version 2

ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems

The publication of ISO/IEC 17021:2011 introduces some important new requirements for bodies providing audit and certification of management systems. This briefing note seeks to inform IRCA certificated auditors and IRCA approved training organizations of the changes and their likely impact.

Who will the changes to ISO/IEC 17021:2011 affect? The simple answer is that ISO/IEC 17021:2011 is a requirements standard intended for use by accreditation bodies, for example UKAS, to assess management systems certification bodies. The third-party certification industry will use ISO 17021:2011 to define requirements for audits and audit arrangements. Accreditation bodies will determine whether a certification body’s auditing arrangements and activities comply with those requirements. So primarily it will be certification bodies and certification body auditors who will be most affected.

IRCA approved training organizations that deliver certificated auditor/lead auditor courses and auditor conversion courses may need to make some minor changes to the content of their courses to reflect the changes in ISO/IEC 17021 as applicable to third-party audits. Tutors delivering these courses will need to be familiar with the requirements for managing and conducting third-party certification audits.

What are the significant changes?

1. Normative reference ISO 19011

ISO 17021:2006 specified ISO 19011 as a normative reference. This is no longer the case. Amendments have been made to replace references to ISO 19011 with text adding specific requirements for third-party certification auditing and the management of competence of personnel involved in certification. Requirements for bodies providing audit and certification of management systems are now fully contained within ISO/IEC 17021:2011.

For both standard writers and users this has the advantage that ISO/IEC 17021 clearly defines requirements for bodies providing audit and certification of management systems, whereas ISO 19011 is a guidance document covering all types of audit, for example internal and supplier audits, and is therefore more general in content and application.


For some organizations the revised requirements for competence of management and personnel may be a significant change. ISO/IEC 17021:2011 defines competence as the "ability to apply knowledge and skills to achieve intended results".

The significance of this lies in the need to define the intended results to be achieved for each certification activity, for example from the review of the initial application through to reviewing audit reports and taking certification decisions, and in the requirement to implement evaluation processes whose output shall identify personnel who have demonstrated the level of competence required for the different functions of the audit process. Here the emphasis is on the need for personnel to have demonstrated their competence.

Organizations that have previously relied exclusively on experience-based evidence will need to do more to evaluate the competence of their people. For example, where a certification body may previously have relied on a CV review as evidence of technical competence, such records alone are now unlikely to be sufficient. In future, certification bodies may decide to carry out evidence-based interviews of trainee auditors to determine if they have the knowledge suggested by their CV, using defined technical criteria as the basis of the interview and recording the output of the interview to show the justification of technical competence.

Other approaches may include examinations to test the knowledge of the auditor, the results of which are marked to determine if the pass/fail criteria are achieved. Although currently these are often limited to knowledge of standards, they could be developed as a mechanism by which an auditor could demonstrate knowledge of a business sector.

Desired personal behaviours – Annex D (informative)

Although the ISO/IEC 17021:2011 definition of competence refers only to knowledge and skills, Annex D identifies personal behaviours that are important for personnel involved in certification activities. ISO 17021:2011 makes it clear that this annex is informative and not intended to be applied as requirements. However, introducing behaviour into the make-up of competence brings close alignment with other professions where competence is defined as the demonstrated application of knowledge, skills and behaviour to achieve a stated performance standard.

It is likely that to achieve intended results, desired personal behaviours will also need to be applied. Annex D recognizes that behaviour is situational, and advises that the certification body should take appropriate action for any identified weakness that adversely affects the certification activity.


3. Process requirements (section 9)

Process requirements for audit and certification of management systems are now fully defined within ISO/IEC 17021:2011 and previous references to ISO 19011 deleted. Guidance from ISO 19011 has been revised to better assure the certification audit process and is now incorporated as requirements. For example, ISO/IEC 17021:2011 defines requirements for the opening meeting of a certification audit whereas previously reliance was placed on referencing the general guidance given in ISO 19011.

In practice the changes may appear small to auditors already undertaking certification audits. It is likely that many certification bodies will already have built these requirements into their own management system requirements and the procedures their auditors follow.

Two process requirements worth highlighting are:

a) Determining audit objectives, scope and criteria (section 9.1.2.2). This section specifies clearly that audit objectives shall include:

• Determination of the conformity of the client’s management system, or parts of it, with audit criteria

• Evaluation of the ability of the management system to ensure the client organization meets applicable statutory, regulatory and contractual requirements

• Evaluation of the effectiveness of the management system to ensure the client organization is continually meeting its specified objectives

• As applicable, identification of areas for potential improvement of the management system.

This makes it clear that certification audits are required to evaluate the whole management system, not only for conformity with criteria but also to evaluate its ability to meet the needs of the client organization, their customers, and regulators. While this may not be new to many, for auditors more used to determining conformance with a set of procedures, it will be a significant change.

b) Determining audit time (section 9.1.4). This section specifies clearly that in determining the audit time, the certification body shall consider, among other things, the following aspects. It then goes on to list a number of considerations, including the risks associated with the products, processes or activities of the organization.

This requirement states the expectation that when determining the overall audit time, and also how the time available is allocated in the audit plan, consideration is given to the risks associated with the products, processes or activities of the organization – in other words, consider the potential consequences to the organization, its clients and interested parties if things go wrong and ensure adequate time is available to fully evaluate the capability of the client’s management system to reduce the likelihood of failure occurring.

Impact on IRCA certificated training courses

The purpose of auditor/lead auditor and auditor conversion courses is to provide students with the knowledge and skills required to perform first, second and third-party audits of management systems.

Generally, IRCA certificated courses train students following the guidance given in ISO 19011 as it applies to these three types of audit. With the publication of ISO/IEC 17021:2011, requirements for third-party certification audits are now more clearly defined and we will require training providers to recognise this in their training courses.

However, we also need to be pragmatic and realistic. Auditor/lead auditor courses and auditor conversion courses are aimed not only at certification body auditors but also at people who want to undertake second-party or supplier audits, and also internal audits of their own management system. Indeed, it is these last two groups who make up the majority of course attendees.

We will require training organizations to:

• Bring to the attention of students the purpose of ISO/IEC 17021:2011, making reference to ISO 19011 as appropriate

• Use the definitions given in ISO/IEC 17021:2011 section 3 as applicable when referring to third-party certification audits

• Describe clearly the significant differences between first, second and third-party certification audits, making reference to requirements for determining third-party certification audit objectives, scope and criteria as described in ISO/IEC 17021:2011

• Provide students with a general overview of the third-party certification process as described in ISO/IEC 17021:2011, making reference as appropriate to similarities and differences to ISO 19011.

We do not require, and indeed we discourage, training organizations from seeking to provide students with detailed knowledge of ISO/IEC 17021:2011, as we believe the general principles within ISO/IEC 17021:2011 are already addressed through applicable IRCA course criteria and ISO 19011.

How will the changes affect IRCA certificated auditors?

Auditors working for certification bodies may find their competence is evaluated through more formal and more rigorous processes than previously. This will especially be the case when the certification body is seeking to extend the scope of their technical competence. Also it is likely that periodic monitoring of auditor performance will in future include ongoing evaluation of sector competence.


All certification bodies will be required to demonstrate conformance with ISO/IEC 17021:2011. This requires them to demonstrate that they have established competence criteria and performed evaluation of their auditors. We do not expect that those certification bodies with well-defined and established competence processes, procedures and records will repeat their initial evaluation of sector or technical competence of existing auditors. As part of their process for evaluating the continued competence of auditors they may for example take into account proven ability, based on results from evaluating the outputs from the certification activity.

Other IRCA certificated auditors, for example those offering consultancy services, may be required by their employers to adopt an evidence-based approach to demonstrating competence.

Auditors carrying out certification audits will need to be aware of, and implement, requirements for taking account of the risks associated with the products, processes or activities of the organization when planning audits.

Will there be changes to the IRCA auditor certification criteria?

Currently we require applicants to have successfully completed an IRCA certificated training course, have completed a minimum number of years of relevant workplace experience and completed a minimum number of audits, at least one of which must have been under the direction and guidance of an auditor currently certified as a lead auditor. At this time IRCA intends to continue with the current system. However, we will keep this under review.
