Adopts ISO/IEC 17021-1:2015 to specify principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types (e.g. quality management systems or environmental management systems) and for bodies providing these activities.
Table of contents
Header
About this publication
Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 General
4.1.1
4.1.2
4.1.3
4.2 Impartiality
4.2.1
4.2.2
4.2.3
4.2.4
4.3 Competence
4.3.1
4.3.2
4.3.3
4.4 Responsibility
4.4.1
4.4.2
4.5 Openness
4.5.1
4.5.2
4.6 Confidentiality
4.7 Responsiveness to complaints
4.8 Risk-based approach
5 General requirements
5.1 Legal and contractual matters
5.1.1 Legal responsibility
5.1.2 Certification agreement
5.1.3 Responsibility for certification decisions
5.2 Management of impartiality
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.2.11
5.2.12
5.2.13
5.3 Liability and financing
5.3.1
5.3.2
6 Structural requirements
6.1 Organizational structure and top management
6.1.1
6.1.2
6.1.3
6.1.4
6.2 Operational control
6.2.1
6.2.2
7 Resource requirements
7.1 Competence of personnel
7.1.1 General considerations
7.1.2 Determination of competence criteria
7.1.3 Evaluation processes
7.1.4 Other considerations
7.2 Personnel involved in the certification activities
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.2.10
7.2.11
7.3 Use of individual external auditors and external technical experts
7.4 Personnel records
7.5 Outsourcing
7.5.1
7.5.2
7.5.3
7.5.4
8 Information requirements
8.1 Public information
8.1.1
8.1.2
8.1.3
8.2 Certification documents
8.2.1
8.2.2
8.3 Reference to certification and use of marks
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.4 Confidentiality
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.5 Information exchange between a certification body and its clients
8.5.1 Information on the certification activity and requirements
8.5.2 Notice of changes by a certification body
8.5.3 Notice of changes by a certified client
9 Process requirements
9.1 Pre-certification activities
9.1.1 Application
9.1.2 Application review
9.1.2.1
9.1.2.2
9.1.2.3
9.1.3 Audit programme
9.1.3.1
9.1.3.2
9.1.3.3
9.1.3.4
9.1.3.5
9.1.4 Determining audit time
9.1.4.1
9.1.4.2
9.1.4.3
9.1.4.4
9.1.5 Multi-site sampling
9.1.6 Multiple management systems standards
9.2 Planning audits
9.2.1 Determining audit objectives, scope and criteria
9.2.1.1
9.2.1.2
9.2.1.3
9.2.1.4
9.2.2 Audit team selection and assignments
9.2.2.1 General
9.2.2.1.1
9.2.2.1.2
9.2.2.1.3
9.2.2.1.4
9.2.2.1.5
9.2.2.2 Observers, technical experts and guides
9.2.2.2.1 Observers
9.2.2.2.2 Technical experts
9.2.2.2.3 Guides
9.2.3 Audit plan
9.2.3.1 General
9.2.3.2 Preparing the audit plan
9.2.3.3 Communication of audit team tasks
9.2.3.4 Communication of audit plan
9.2.3.5 Communication concerning audit team members
9.3 Initial certification
9.3.1 Initial certification audit
9.3.1.1 General
9.3.1.2 Stage 1
9.3.1.2.1
9.3.1.2.2
9.3.1.2.3
9.3.1.2.4
9.3.1.3 Stage 2
9.3.1.4 Initial certification audit conclusions
9.4 Conducting audits
9.4.1 General
9.4.2 Conducting the opening meeting
9.4.3 Communication during the audit
9.4.3.1
9.4.3.2
9.4.3.3
9.4.4 Obtaining and verifying information
9.4.4.1
9.4.4.2
9.4.5 Identifying and recording audit findings
9.4.5.1
9.4.5.2
9.4.5.3
9.4.5.4
9.4.6 Preparing audit conclusions
9.4.7 Conducting the closing meeting
9.4.7.1
9.4.7.2
9.4.7.3
9.4.8 Audit report
9.4.8.1
9.4.8.2
9.4.8.3
9.4.9 Cause analysis of nonconformities
9.4.10 Effectiveness of corrections and corrective actions
9.5 Certification decision
9.5.1 General
9.5.1.1
9.5.1.2
9.5.1.3
9.5.1.4
9.5.2 Actions prior to making a decision
9.5.3 Information for granting initial certification
9.5.3.1
9.5.3.2
9.5.3.3
9.5.4 Information for granting recertification
9.6 Maintaining certification
9.6.1 General
9.6.2 Surveillance activities
9.6.2.1 General
9.6.2.1.1
9.6.2.1.2
9.6.2.2 Surveillance audit
9.6.3 Recertification
9.6.3.1 Recertification audit planning
9.6.3.1.1
9.6.3.1.2
9.6.3.1.3
9.6.3.2 Recertification audit
9.6.3.2.1
9.6.3.2.2
9.6.3.2.3
9.6.3.2.4
9.6.3.2.5
9.6.4 Special audits
9.6.4.1 Expanding scope
9.6.4.2 Short-notice audits
9.6.5 Suspending, withdrawing or reducing the scope of certification
9.6.5.1
9.6.5.2
9.6.5.3
9.6.5.4
9.6.5.5
9.7 Appeals
9.7.1
9.7.2
9.7.3
9.7.4
9.7.5
9.7.6
9.7.7
9.7.8
9.8 Complaints
9.8.1
9.8.2
9.8.3
9.8.4
9.8.5
9.8.6
9.8.7
9.8.8
9.8.9
9.8.10
9.8.11
9.9 Client records
9.9.1
9.9.2
9.9.3
9.9.4
10 Management system requirements for certification bodies
10.1 Options
10.2 Option A: General management system requirements
10.2.1 General
10.2.2 Management system manual
10.2.3 Control of documents
10.2.4 Control of records
10.2.5 Management review
10.2.5.1 General
10.2.5.2 Review inputs
10.2.5.3 Review outputs
10.2.6 Internal audits
10.2.6.1
10.2.6.2
10.2.6.3
10.2.6.4
10.2.7 Corrective actions
10.3 Option B: Management system requirements in accordance with ISO 9001
10.3.1 General
10.3.2 Scope
10.3.3 Customer focus
10.3.4 Management review
Annex A
A.1 General
A.2 Competence requirements for management systems auditors
A.2.1 Knowledge of business management practices
A.2.2 Knowledge of audit principles, practices and techniques
A.2.3 Knowledge of specific management system standards/normative documents
A.2.4 Knowledge of certification body’s processes
A.2.5 Knowledge of client’s business sector
A.2.6 Knowledge of client products, processes and organization
A.2.7 Language skills appropriate to all levels within the client organization
A.2.8 Note-taking and report-writing skills
A.2.9 Presentation skills
A.2.10 Interviewing skills
A.2.11 Audit-management skills
A.3 Competence requirements for personnel reviewing audit reports and making certification decisions
A.3.1 Knowledge of audit principles, practices and techniques
A.3.2 Knowledge of specific management system standards/normative documents
A.3.3 Knowledge of certification body’s processes
A.3.4 Knowledge of client’s business sector
A.4 Competence requirements for personnel conducting the application review to determine audit team competence required, to select the audit team members, and to determine the audit time
A.4.1 Knowledge of specific management system standards/normative documents
A.4.2 Knowledge of certification body’s processes
A.4.3 Knowledge of client’s business sector
A.4.4 Knowledge of client products, processes and organization
