Checklist ISO/IEC 17021: 2006. Conformity assessment ... - Sanas

Checklist ISO/IEC 17021: 2006.Conformity assessment — Requirements for bodies providing auditandcertification of management systemsF 155-02SANASAccr. No/s.Organisation andCityDateArea / field ofoperationQMS EMS HACCP Other?Organisation’sRepresentativeAssessorThis reportDocument ReviewImplementation onDocument ReviewAssessment ofcovers theonlySite Visit onlyand Site Visitcompany filesfollowing:ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORCB identification ofspecific clause in their5 General requirementsdocumentation5.1 Legal and contractual mattersaddressing requirementsof 170215.1.1 Legal responsibilityLegal entity, or a defined part of a legal entity can be heldlegally responsible. (Pty) Ltd, CC or other? Verify CIPROregistration.Governmental CB is a legal entity based on its governmentalstatus. Identify department.5.1.2 Certification agreementLegally enforceable agreement (contract) for provision ofcertification activities to customer?Are multiple offices of a CB or multiple sites of a certifiedcustomer covered by the agreement?Are all the sites covered by the scope of the certification?5.1.3 Responsibility for certification decisionsDoes CB retain authority and responsibility for its decisionsrelating to certification?2008-07-25 ©SANAS Page 1 of 34

F 155-02ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORDoes the CB certify to ISO 9001:2000?Does it offer certification to ISO 14000?Does it offer certification to HACCP? Specify which oneDoes it offer certification to other schemes i.e. Eurepgap,BRC or others? (Name the schemes)What, if any, other documents does it offer certificationagainst. Are these documents/standards freely available?5.2 Management of impartiality5.2.1 Is CB top management commitment to impartiality?Is there a publicly available statement.Does it cover:• importance of impartiality• conflict of interest and• objectivity of its certification activities?5.2.2 Are conflict of interests identified, analysed anddocumented and managed through the system?Are relationships posing a threat to impartialitydocumented?How does the CB demonstrate that it eliminates orminimizes such threats?Information made available to the ImpartialityCommittee (see 6.2)?NOTE: A relationship that threatens the impartiality of thecertification body can be based on ownership,governance, management, personnel, sharedresources, finances, contracts, marketing andpayment of a sales commission or other inducementfor the referral of new clients, etc.2008-07-25 ©SANAS Page 2 of 34

F 155-02ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR5.2.3 Not offering certification when relationships thatthreaten impartiality can not be eliminated orminimised.NOTE: See Note to 5.2.25.2.4 Does the CB certify another CB for its managementsystem certification activities?NOTE: See Note to 5.2.25.2.5 Does the CB and any part of the same legal entityoffer or provide management system consultancy?This applies also to that part of government identifiedas the CB.5.2.6 Does the CB provide internal audits to its certifiedcustomers?Does the CB certify a management system on whichit provided internal audits within two years followingthe end of the internal audits?This applies also to that part of government identifiedas the CBNOTE: See Note to 5.2.25.2.7 Does the CB certify a customer when the CB’srelationship with a management system consultancyor internal audits, poses an unacceptable threat tothe impartiality of the CB? See NOTES5.2.8 Does the CB outsource audits to a managementsystem consultancy organization? (Unacceptablethreat to impartiality, see 7.5).This clause does not apply to individuals contractedas auditors covered in 7.35.2.9 Are the CB’s activities marketed or linked withmanagement system consultancy?CB takes action to correct inappropriate claims byany consultancy organization?Are there any implications by CB that certificationwould be simpler, easier, faster or less expensive if a2008-07-25 ©SANAS Page 3 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORspecified consultancy organization is used?F 155-025.2.10 Does CB ensure no conflict of interest of personnel?2-Years rule applied, how effective is the process?5.2.11 Is action taken to respond to any threats to CB’simpartiality arising from the actions of other persons,bodies or organizations?5.2.12 Does all CB personnel, internal, external orcommittees, act impartially and does the CB allowcommercial, financial or other pressures tocompromise impartiality?5.2.13 Does the CB require all personnel to reveal anyconflict of interest situations?Information used as input to identifying threats toimpartiality?5.3 Liability and financing5.3.1 Is risks and liability analysis done?5.3.2 Are finances and sources of income evaluated?Has the CB demonstrated to the impartialitycommittee (see 6.2) that impartiality is notcompromised?6 Structural requirements6.1 Organizational structure and topmanagement6.1.1 Organizational structure documented, includingduties, responsibilities and authorities for personneland committees; and relationships to other parts ofthe organisation?6.1.2 Does the CB identify the top management (board,group of persons, or person) having overall authorityand responsibility for each of the following:a) development of policies relating to the operation ofthe body?2008-07-25 ©SANAS Page 4 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORb) supervision of the implementation of the policies andprocedures?c) supervision of the finances of the body?d) development of management system certificationservices and schemes?e) performance of audits, certification andresponsiveness to complaints?f) decisions on certification?F 155-02g) delegation of authority to committees or individuals,as required, to undertake defined activities on itsbehalf?h) contractual arrangements?i) providing adequate, qualified resources forcertification activities?6.1.3 Formal rules for the appointment, terms of referenceand operation of any committees?6.2 Committee for safeguarding impartiality6.2.1 Does the structure of the CB safeguard theimpartiality of the activities of the CB and does itprovide for a committee to:a) assist in developing the policies?b) ensure consistent objective provision of certificationactivities?c) advise on matters affecting confidence, includingopenness and public perception?d) Conduct an annually review of the impartiality of theaudit, certification and decision making processes?6.2.2 Is the composition, terms of reference, duties,authorities, competence of members andresponsibilities of this committee formallydocumented and authorized by the top managementof the CB to ensure:a) representation of a balance of interests?b) access to all the information (see also 5.2.2 and5.3.2)?c) the right to take independent action (e g informingauthorities, ABs, stakeholders)? Is confidentiality2008-07-25 ©SANAS Page 5 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORmaintained? See 8.5F 155-026.2.3 Are key interests identified and invited?7 Resource requirements7.1 Competence of management and personnel7.1.1 Does a Certification Body have a process to ensurethat personnel have appropriate knowledge?Is competence determined for each technical area?Is the means for the demonstration of competencedetermined?7.1.2 Are competence requirements determined for all CBpersonnel?7.1.3 Does the CB have access to the necessary technicalexpertise?7.2 Personnel involved in the certificationactivities7.2.1 Does the CB as part of its own organization havepersonnel with sufficient competence for managingthe type and range of audit programmes and othercertification work performed?7.2.2 Does the CB employ or have access to a sufficientnumber of auditors and technical experts to coveractivities and volume of work?7.2.3 Does the CB make clear to each person concernedtheir duties, responsibilities and authorities?7.2.4 Does the CB have defined processes for:• selecting,• training,• formally authorizing auditors and• selecting technical experts?Does the initial competence evaluation of an auditorinclude a demonstration of abilities, as determined bya competent evaluator observing (witnessing) the2008-07-25 ©SANAS Page 6 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORauditor conducting an audit?F 155-027.2.5 Does the CB have a process to achieve anddemonstrate effective auditing, including the use ofauditors and audit team leaders possessing genericauditing skills and knowledge, as well as skills andknowledge appropriate for auditing in specifictechnical areas? Is this process defined indocumented requirements drawn up in accordancewith the relevant guidance provided in ISO 19011?7.2.6 Are auditors and technical experts knowledgeable ofthe CB’s audit processes, certification scheme andits requirements and other relevant requirements?Does the CB give auditors and technical expertsaccess to an up-to-date set of documentedprocedures giving audit instructions and all relevantinformation on the certification activities?7.2.7 Do auditors and technical experts used havedemonstrated competence? Note see 9.1.37.2.8 Are training needs identified?Is training offered or provided?7.2.9 Are person(s) taking the certification decisionsknowledgeable on the:• applicable standard;• certification scheme and requirements;• and have demonstrated competence to evaluatethe audit processes; and• related recommendations of the audit team?7.2.10 Does documented procedures and criteria formonitoring and measurement of performance of allpersonnel exist?Competence reviewed to identify training needs?7.2.11 Do procedures include a combination of on-siteobservation, review of audit reports and feedbackfrom customers or from the market? Documented as2008-07-25 ©SANAS Page 7 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORper ISO 19011?F 155-027.2.12 Does the CB periodically observe the performance ofeach auditor on-site?Is the frequency of on-site observations based onneed determined from all monitoring informationavailable?7.3 Use of individual external auditors andexternal technical expertsDoes a CB have a written agreement with external auditorsand external technical experts in place by which they committhemselves to comply with applicable policies andprocedures as defined?Does the agreement address all relevant aspects?7.4 Personnel recordsDoes the CB maintain up-to-date personnel records,including:• relevant qualifications;• training;• experience;• affiliations;• professional status;• competence; and• any relevant consultancy services?Does this include management and administrative personnelin addition to those performing certification activities?7.5 Outsourcing7.5.1 Does the CB have a process in which it describesthe conditions under which outsourcing may takeplace?Legally enforceable agreement with each body thatprovides outsourced services? See Notes.7.5.2 Is the CB outsourcing certification decisions?2008-07-25 ©SANAS Page 8 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR7.5.3 Does the CB:a) take responsibility for all activities outsourced?b) ensure that the outsourced services conforms toCB’s requirements including competence, impartialityand confidentiality?c) ensure that the outsourced services are not involvedin any way that impartiality could be compromised?F 155-027.5.4 Documented procedures for the qualification andmonitoring of all outsourced services used forcertification activities?Records of the competence of auditors and technicalexperts maintained?8 Information requirements.8.1 Publicly accessible information8.1.1 Does the CB maintain and make publicly accessibleinformation describing its audit processes,certification processes and about the certificationactivities, types of management systems andgeographical areas in which it operates?8.1.2 Is the Information provided by the CB to anycustomer or to the marketplace, includingadvertising, accurate and not misleading?8.1.3 Does the CB make publicly accessible informationabout certifications granted, suspended orwithdrawn?8.1.4 Does the CB on request from any party, providemeans to confirm the validity of a given certification?See Notes8.2 Certification documents8.2.1 Does the CB provide certification documents to thecertified customer by any means it chooses?8.2.2 Is the effective date on a certification documentbefore the date of the certification decision?2008-07-25 ©SANAS Page 9 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR8.2.3 Does the certification document(s) identify thefollowing:a) the name and geographic location of each customerand any sites within the scope of a multi-sitecertification?b) the dates of granting, extending or renewingcertification?c) the expiry date or re-certification due date consistentwith the re-certification cycle?d) a unique identification code?e) the standard and/or other normative document,including issue number and/or revision, used for auditof the certified customer?F 155-02f) the scope of certification with respect to product(including service), process, etc, as applicable ateach site?g) the name, address and certification mark of the CB;other marks (e.g. accreditation symbol)?h) any other information required by the standard and/orother normative document used for certification?i) in the event of issuing any revised certificationdocuments, a means to distinguish the reviseddocuments from any prior obsolete documents.8.3 Directory of certified customers.Does the CB maintain and make publicly accessible adirectory of valid certifications? See 8.3 for directory detail.8.4 Reference to certification and use of marks.8.4.1 Does the CB have a policy governing any mark thatit authorizes certified customers to use? See 8.4.1and ISO/IEC 17030 for detail.8.4.2 Does the CB permit its marks to be applied tolaboratory test, calibration or inspection reports; assuch reports are deemed to be products in thiscontext?2008-07-25 ©SANAS Page 10 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR8.4.3 Does the CB require that the customer organization:a) conforms to the requirements of the CB whenmaking reference to its certification status incommunication media?b) does not make or permit any misleading statementregarding its certification?c) does not use or permit the use of a certificationdocument or any part thereof in a misleadingmanner?d) upon suspension or withdrawal of its certification,discontinues its use of all advertising matter thatcontains a reference to certification, as directed bythe CB (see 9.6.3 and 9.6.6)?e) amends all advertising matter when the scope ofcertification has been reduced?F 155-02f) does not allow reference to its management systemcertification to be used to imply that the CB certifiesa product (including service) or process?g) does not imply that the certification applies toactivities that are outside the scope of certification?andh) does not use its certification in such a manner thatwould bring the CB and/or certification system intodisrepute and lose public trust?8.4.4 Does the CB exercise proper control of ownershipand take action to identify and deal with incorrectreferences to certification status or misleading use ofcertification marks or audit reports? See Note8.5 Confidentiality8.5.1 Does the CB have a policy to safeguard theconfidentiality of the information at all levels of itsstructure, including committees and external bodiesor individuals acting on its behalf?Are legally enforceable agreements in place coveringconfidentiality?8.5.2 Customer informed by the CB of the information itintends to place in the public domain?2008-07-25 ©SANAS Page 11 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORF 155-028.5.3 Except as required in this International Standard, isinformation about a particular customer or individualdisclosed to a third party without the written consentof the customer/individual concerned?Where the CB is required by law to releaseconfidential information to a third party, is thecustomer or individual concerned, unless regulatedby law, notified in advance of the informationprovided?8.5.4 Is information about the customer treated asconfidential, consistent with the CB’s policy?8.5.5 Do all personnel acting on the CB’s behalf, keepconfidential all information obtained or created duringthe performance of the CB’s activities?8.5.6 Does the CB have available and use equipment andfacilities that ensure the secure handling ofconfidential information (e.g. documents, records)?8.5.7 When confidential information is made available toother bodies (e.g. AB, agreement group of a peerassessment scheme) does the CB inform itscustomer of this action?8.6 Information exchange between a CB and itscustomers.8.6.1 Information on the certification activity andrequirementsDoes the CB provide and update customers on the following:a) a detailed description of the initial and continuingcertification activity, including the application, initialaudits, surveillance audits, and the process forgranting, maintaining, reducing, extending,suspending, withdrawing certification and recertification?b) the normative requirements for certification?c) information about the fees for application, initialcertification and continuing certification?2008-07-25 ©SANAS Page 12 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORd) the CB’s requirements for the prospective customer:1) to comply with certification requirements?2) to make all necessary arrangements for theconduct of the audits, including provision forexamining documentation and the access to allprocesses and areas, records and personnel forthe purposes of initial certification, surveillance,re-certification and resolution of complaints, and?3) to make provisions, where applicable, toaccommodate the presence of observers (e.g.accreditation auditors or trainee auditors)?e) documents describing the rights and duties ofcertified customers, including requirements, whenmaking reference to its certification in communicationof any kind in line with the requirements in 8.4?f) information on procedures for handling complaintsand appeals?F 155-028.6.2 Notice of changes by a CBDoes the CB give its certified customers due notice of anychanges to its requirements for certification?Does the CB verify that each certified customer complieswith the new requirements? See Note.8.6.3 Notice of changes by a customer.Legally enforceable arrangements to ensure that the certifiedcustomer informs the CB of matters that may affect themanagement system’s ability to continue to fulfil therequirements of the standard used for certification? Seeexamples a) to e)9 Process requirements9.1 General requirements9.1.1 Does the audit programme include a two-stage initialaudit, surveillance audits in the 1st and 2nd years,and a re-certification audit in the 3rd year prior toexpiration of certification? (The 3-year certificationcycle begins with the certification or re-certificationdecision.)Does the determination of the audit programme andany subsequent adjustments consider the size of the2008-07-25 ©SANAS Page 13 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORcustomer organization, the scope and complexity ofits management system, products and processes aswell as demonstrated level of management systemeffectiveness and the results of any previous audits?Where a CB is taking account of certification or otheraudits already granted to the customer, does it collectsufficient, verifiable information to justify and recordany adjustments to the audit programme?F 155-029.1.2 Is an audit plan established for each audit to providethe basis for agreement regarding the conduct andscheduling of the audit activities? Audit plan drawnup in accordance with the relevant guidanceprovided in ISO 19011?9.1.3 Process in place for selecting and appointing theaudit team taking into account the competenceneeded to achieve the objectives of the audit?Process in accordance with the relevant guidanceprovided in ISO 19011?9.1.4 Does the CB have documented procedures fordetermining audit time?Does the procedure include or make reference to therelevant Annexes in the IAF GD2 and GD6documents?Note: Guidance in respect of multi-sites remains applicableeven if it appears in the main body of the guidancedocument until such time that specific IAF ApplicationGuidance is publishedIs the audit time determined by the CB, and thejustification for the determination, recorded?In determining the audit time, does the CB consider,among other things, the following aspects:a) the requirements of the management systemstandard?b) size and complexity?c) technological and regulatory context?d) Any outsourcing?e) The results of any prior audits?f) number of sites and multi-site considerations?.2008-07-25 ©SANAS Page 14 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR9.1.5 Where multi-site sampling is utilized, did the CBdevelop an adequate sampling programme to ensureproper audit of the management system?Is the rationale for the sampling plan documented?(IAF guidance applies)F 155-029.1.6 Are the tasks given to the audit team defined andmade known to the customer? Does the audit team:a) examine and verify the structure, policies, processes,procedures, records and related documents of thecustomer organization relevant to the managementsystem?b) determine that these meet all the requirementsrelevant to the intended scope of certification?c) determine that the processes and procedures areestablished, implemented and maintained effectively,to provide a basis for confidence in the customermanagement system, and?d) communicate to the customer, for its action, anyinconsistencies between the customer’s policy,objectives and targets and the results?9.1.7 Does the CB provide the name and, whenrequested, make available background information ofeach member of the audit team, with sufficient timefor the customer organization to object to theappointment of any particular auditor or technicalexpert and for the CB to reconstitute the team inresponse to any valid objection?9.1.8 Is the audit plan communicated and the dates of theaudit agreed upon, in advance, with the customerorganization?9.1.9 Does the CB have a process for conducting on-siteaudits defined in documented requirements drawnup in accordance with the relevant guidanceprovided in ISO 19011? See Notes9.1.10 Does the CB provide a written report for each audit?Is the report based on relevant guidance provided inISO 19011?2008-07-25 ©SANAS Page 15 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORIf the audit team identifies opportunities forimprovement do they recommend specific solutions?F 155-029.1.11 Does the CB require the customer to analyse thecause and describe the specific correction andcorrective actions taken, or planned to be taken, toeliminate detected non-conformities, within a definedtime?9.1.12 Does the CB review the corrections and correctiveactions submitted by the customer to determine ifthese are acceptable?9.1.13 Is the audited organization informed of what actionswill be taken by the CB to verify effective correctionand corrective actions?9.1.14 Does the CB ensure that the persons or committeesthat make the certification or re-certificationdecisions are different from those who carried outthe audits?9.1.15 Does the CB confirm, prior to making a decision,that:a) the information provided by the audit team issufficient?b) it has reviewed, accepted and verified theeffectiveness of correction and corrective actions, inrespect of:1) failure to fulfil one or more requirements of themanagement system standard? or2) a situation that raises significant doubt about theability of the customer’s management system toachieve its intended outputs?c) it has reviewed and accepted the customer’splanned correction and corrective action for anyother non-conformities?2008-07-25 ©SANAS Page 16 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR9.2 Initial audit and certification.9.2.1 ApplicationDoes the CB require an authorized representative of theapplicant organization to provide the necessary informationto enable it to establish:a) the desired scope of the certification?b) the general features of the applicant organization,including its name and the address(es) of its physicallocation(s), significant aspects of its process andoperations, and any relevant legal obligations?c) general information, relevant for the field ofcertification applied for, concerning the applicantorganization, such as its activities, human andtechnical resources, functions and relationship in alarger corporation, if any?d) information concerning all outsourced processesused by the organization that will affect conformity torequirements?e) the standards or other requirements for which theapplicant organization is seeking certification?f) information concerning the use of consultancyrelating to the management system?F 155-029.2.2 Application review.9.2.2.1 Before proceeding with the audit, does the CBconduct a review of the application andsupplementary information for certification to ensurethat:a) the information about the applicant and itsmanagement system is sufficient for the conduct ofthe audit?b) the requirements for certification are clearly definedand documented, and have been provided to theapplicant organization?c) any known difference in understanding between theCB and the applicant organization is resolved?d) the CB has the competence and ability to performthe certification activity?e) the scope of certification sought, the location(s) of2008-07-25 ©SANAS Page 17 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORthe applicants organisation’s operations, timerequired to complete audits and any other pointsinfluencing the certification activity are taken intoaccount (language, safety conditions, threats toimpartiality, etc.)?f) records of the justification for the decision toundertake the audit shall be maintained?F 155-029.2.2.2 Based on this review, does the CB determine thecompetences it needs to include in its audit team(see 7.2 7) and for the certification decision (see7.2.9)?9.2.2.3 Is the audit team appointed and do they have thetotality of the competences identified by the CB asset out in 9.2.2.2 for the certification of the applicantorganization?9.2.2.4 Is the individual(s) who will be conducting thecertification decision appointed to ensure appropriatecompetence is available (see 7.2.9 and 9.2.2.2)?9.2.3 Initial certification auditIs the initial certification audit of a management systemconducted in two stages - Stage 1 and Stage 2?9.2.3.1 Stage 1 audits9.2.3.1.1 Is the Stage 1 audit performed:a) to audit the customer’s management systemdocumentation;b) to evaluate the customer’s location and sitespecificconditions and to undertake discussionswith the customer’s personnel to determine thepreparedness for the Stage 2 audit;c) to review the customer’s status andunderstanding regarding requirements of thestandard, in particular with respect to theidentification of key performance or significantaspects, processes, objectives and operation of2008-07-25 ©SANAS Page 18 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORthe management system?d) to collect necessary information regarding thescope of the management system, processesand location(s) of the customer, and relatedstatutory and regulatory aspects and compliance(e.g. quality, environmental, legal aspects of thecustomer’s operation, associated risks, etc.)?e) to review the allocation of resources for Stage 2audit and agree with the customer on the detailsof the Stage 2 audit?f) to provide a focus for planning the Stage 2 auditby gaining a sufficient understanding of thecustomer’s management system and siteoperations in the context of possible significantaspects?g) to evaluate if the internal audits and managementreview are being planned and performed, andthat the level of implementation of themanagement system substantiates that thecustomer is ready for the Stage 2 audit?For most management systems, it is recommended that atleast part of the Stage 1 audit be carried out at thecustomer’s premises in order to achieve the objectives statedabove.F 155-029.2.3.1.2 Are Stage 1 audit findings documented andcommunicated to the customer organizationincluding identification of any areas of concernthat could be classified as non-conformity duringthe Stage 2 audit?9.2.3.1.3 In determining the interval between Stage 1 andStage 2, is consideration given to the needs ofthe customer to resolve areas of concernidentified during the Stage 1 audit?The CB may also need to revise its arrangementsfor Stage 29.2.3.2 Stage 2 audit9.2.3.2.1 The purpose of the Stage 2 audit is to evaluatethe implementation, including effectiveness, of2008-07-25 ©SANAS Page 19 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORthe customer’s management system.Is the Stage 2 audit taking place at the site(s) ofthe customer?Does it include at least the following:a) information and evidence about conformity to allrequirements of the applicable managementsystem standard or other normative document?b) performance monitoring, measuring, reportingand reviewing against key performanceobjectives and targets ?c) the customer’s management system andperformance as regards legal compliance?d) operational control of the customer’s processes?e) internal auditing and management review?f) management responsibility for the customerorganization’s policies?g) links between the normative requirements, policy,performance objectives and targets, anyapplicable legal requirements, responsibilities,competence of personnel, operations,procedures, performance data, and internal auditfindings and conclusions?F 155-029.2.4 Initial certification audit conclusionsDoes the audit team analyse all information and auditevidence gathered during the Stage 1 and Stage 2 audits toreview the audit findings and agree on the audit conclusions?9.2.5 Information for granting initial certification9.2.5.1 Does the information provided by the audit team tothe CB for the certification decision include, as aminimum:a) the audit reports?b) comments on the non-conformities and, whereapplicable, the correction and corrective actionstaken by the customer?c) confirmation of the information provided to thecertification body used in the application review(see 9 2.2)? andd) a recommendation whether or not to grant2008-07-25 ©SANAS Page 20 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORcertification, together with any conditions orobservationsF 155-029.2.5.2 Does the CB make the certification decision on thebasis of an evaluation of the audit findings andconclusions and any other relevant information (e.g.public information, comments on the audit reportfrom the customer)?9.3 Surveillance activities9.3.1 General9.3.1.1 Did the CB developed its surveillance activities sothat representative areas and functions covered bythe scope of the management system aremonitored on a regular basis, and take into accountchanges to its certified customer and itsmanagement system?9.3.1.2 Do surveillance activities include on-site auditsassessing the certified customer’s managementsystem’s fulfilment of specified requirements withrespect to the standard to which the certification isgranted? Other surveillance activities may include:a) enquiries from the CB to the certified customer onaspects of certification;b) reviewing any customers statements with respectto its operations (e.g. promotional material,website);c) requests to the customer to provide documents andrecords (on paper or electronic media); andd) other means of monitoring the certified customer’sperformance?9.3.2 Surveillance audit9.3.2.1 Are on-site audits planned together with the othersurveillance activities, so that the CB can maintainconfidence that the certified management systemcontinues to fulfil requirements in between recertificationaudits?Does the annual surveillance audit programme2008-07-25 ©SANAS Page 21 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORinclude, at least:a) internal audits and management review?b) a review of action taken on non-conformitiesidentified during the previous audit?c) treatment of complaints?d) effectiveness of the management system with regardto achieving the certified customer’s objectives?e) progress of planned activities aimed at continualimprovement?f) continuing operational control?g) review of any changes? andh) use of marks and/or any other reference tocertification?F 155-029.3.2.2 Are surveillance audits conducted at least once ayear?Is the date of the 1st surveillance audit followinginitial certification not more than 12 months fromthe last day of the Stage 2 audit?9.3.3 Maintaining certificationDoes the CB maintain certification based on demonstrationthat the customer continues to satisfy the requirements of themanagement system standard?Does the CB maintain an organization’s certification basedon a positive recommendation by the audit team leaderwithout further independent review, provided that:a) for any non-conformity or other situation that maylead to suspension or withdrawal of certification, theCB needs to initiate a review by appropriatelycompetent personnel (see 7.2.9), andb) competent personnel of the CB monitor itssurveillance activities, including monitoring thereporting by its auditors, to confirm that thecertification activity is operating effectively?9.4 Re-certification9.4.1 Re-certification cycle9.4.1.1 Is a re-certification audit planned and conducted toevaluate the continued fulfilment of all of the2008-07-25 ©SANAS Page 22 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORrequirements of the relevant management systemstandard or other normative document?F 155-029.4.1.2 Does the re-certification audit consider theperformance of the management system over theperiod of certification, and include the review ofprevious surveillance audit reports?9.4.1.3 In situations where there have been significantchanges (e.g. changes to legislation, management,processes etc.) do the re-certification auditactivities include a Stage 1 audit?9.4.1.4 In the case of multiple sites or certification multiplemanagement system standards being provided bythe CB, does the planning for the audit ensureadequate on-site audit coverage to provideconfidence in the certification?9.4.2 Re-certification audit9.4.2.1 Does the re-certification audit include an on-siteaudit that addresses the following:a) the effectiveness of the management system?b) demonstrated commitment to maintain theeffectiveness and improvement?c) whether the operation of the certified managementsystem contributes to the achievement of theorganization’s policy and objectives?9.4.2.2 When, during a re-certification audit, instances ofnon-conformity or lack of evidence of conformity areidentified, does the CB define time limits forcorrection and corrective actions to be implementedprior to the expiry of certification?9.4.3 Information for granting re-certificationDoes the CB make decisions on renewing certification basedon:• the results of re-certification audit?2008-07-25 ©SANAS Page 23 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR• the results of the review of the system over the period ofcertification? and• the complaints received from users of certification?F 155-029.5 Special audits9.5.1 Extensions to scopeDoes the CB, in response to an application for extension tothe scope of a certification already granted, undertake areview of the application and determine any audit activitiesnecessary to decide whether or not the extension may begranted? (This may be conducted in conjunction with asurveillance audit)9.5.2 Short-notice auditsIf it is necessary for the CB to conduct audits of certifiedcustomers at short notice to investigate complaints (see 9.8),or in response to changes (see 8.6.3), or as follow up onsuspended customers (see 9.6):a) does the CB describe and make known in advanceto the certified customers (e.g. in documents asdescribed in 8.6 1) the conditions under whichthese short notice visits are to be conducted? andb) does the CB exercise additional care in theassignment of the audit team because of the lack ofopportunity for the customer to object to audit teammembers?9.6 Suspending, withdrawing or reducing scopeof certification9.6.1 Does the CB have a policy and documentedprocedure(s) for suspension, withdrawal or reductionof the scope of certification, and does it specify thesubsequent actions by the CB?9.6.2 Does the CB suspend certification in cases when, forexample:• the customer’s certified management system haspersistently or seriously failed to meet certificationrequirements, including requirements for the2008-07-25 ©SANAS Page 24 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOReffectiveness of the management system?• the certified customer does not allow surveillance orre-certification audits to be conducted at the requiredfrequencies? or• the certified customer has voluntarily requested asuspensionF 155-029.6.3 Under suspension the customer’s managementsystem certification is temporarily invalid.• Does the CB have enforceable arrangementswith its customers to ensure that in case ofsuspension the customer refrains from furtherpromotion of its certification?• Does the CB make the suspended status of thecertification publicly available (see 8.1.3) andtake any other measures it deems appropriate?9.6.4 Does failure to resolve the issues that have resultedin the suspension in a time established by CB resultin withdrawal or reduction of the scope ofcertification? See Note9.6.5 Does the CB reduce the customer’s scope ofcertification to exclude the parts not meeting therequirements, when the customer has persistently orseriously failed to meet the certification requirementsfor those parts of the scope of certification?Are such reductions in line with the requirements ofthe standard used for certification?9.6.6 Does the CB have enforceable arrangements withthe certified customer concerning conditions ofwithdrawal (see 8.4.3 d) ensuring upon notice ofwithdrawal of certification that the customerdiscontinues its use of all advertising matter thatcontains any reference to a certified status?9.6.7 Upon request by any party, does the CB correctlystate the status of certification of a customer’smanagement system as being suspended,withdrawn or reduced?2008-07-25 ©SANAS Page 25 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORF 155-029.7 Appeals9.7.1 Does the CB have a documented process to receive,evaluate and make decisions on appeals?9.7.2 Is a description of the appeals handling processpublicly available?9.7.3 Is the CB responsible for all decisions at all levels ofthe appeals handling process?Does the CB ensure that the persons engaged inappeals handling process are different from thosewho carried out the audits and made the certificationdecisions?9.7.4 Do submission, investigation and decision onappeals result in any discriminatory actions againstthe appellant?9.7.5 Does the appeal handling process include at leastthe following elements and methods:a) an outline of the process for receiving, validating,investigating the appeal, and for deciding whatactions are to be taken in response to it, taking intoaccount the results of previous similar appeals;b) tracking and recording appeals, including actionsundertaken to resolve them;c) ensuring that any appropriate correction andcorrective action is taken9.7.6 Does the CB acknowledge receipt of the appeal andprovide the appellant with progress reports and theoutcome?9.7.7 Are the decision to be communicated to theappellant made by, or reviewed and approved by,individual(s) not previously involved in the subject ofthe appeal?9.7.8 Does the CB give formal notice of the end of theappeal handling process to the appellant?2008-07-25 ©SANAS Page 26 of 34

9.5 ComplaintsISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR9.8.1 Is a description of the complaints handling processpublicly available?F 155-029.8.2 Upon receipt of a complaint, does the CB confirmwhether the complaint relates to certificationactivities that it is responsible for and, if so, dealswith it?If the complaint relates to a certified customer doesthe examination of the complaint consider theeffectiveness of the certified management system?9.8.3 Is a complaint about a certified customer alsoreferred by the CB to the certified customer inquestion at an appropriate time?9.8.4 Does the CB have a documented process to receive,evaluate and make decisions on complaints?Is this process subject to requirements forconfidentiality, as it relates to the complainant and tothe subject of the complaint?9.8.5 Does the complaints handling process include atleast the following elements and methods:a) an outline of the process for receiving, validating,investigating the complaint, and for deciding whatactions are to be taken in response to it?b) tracking and recording complaints, including actionsundertaken to resolve them;?c) ensuring that any appropriate correction andcorrective action is taken?See Note9.8.6 Is the CB receiving the complaint responsible forgathering and verifying all necessary information tovalidate the complaint?9.8.7 Whenever possible, does the CB acknowledgereceipt of the complaint, and provide the complainantwith progress reports and the outcome?2008-07-25 ©SANAS Page 27 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR9.8.8 Is the decision to be communicated to thecomplainant made by, or reviewed and approved by,individual(s) not previously involved in the subject ofthe complaint?F 155-029.8.9 Whenever possible, does the CB give formal noticeof the end of the complaint handling process to thecomplainant?9.8.10 Does the CB determine together with the customerand the complainant, whether and, if so to whatextent, the subject of the complaint and its resolutionshall be made public?9.9 Records of applicants and customers9.9.1 Does the CB maintain records on the audit and othercertification activity for all customers, including allorganizations that submitted applications, and allorganizations audited, certified, or with certificationwithdrawn?9.9.2 Do the records on certified customers include thefollowing:a) application information and initial, surveillance andre-certification audit reports?b) certification agreement?c) justification of the methodology used for sampling?d) justification for auditor time determination (see9.1.4)?e) verification of correction and corrective actions?f) records of complaints and appeals, and anysubsequent correction or corrective actions?g) committee deliberations and decisions, if applicable?h) documentation of the certification decisions?i) certification documents including the scope ofcertification with respect to product, process orservices as applicable? andj) related records necessary to establish the credibilityof the certification, such as evidence of thecompetence of auditor and technical expert?See Note.2008-07-25 ©SANAS Page 28 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR9.9.3 Does the CB keep the records on applicants andcustomers secure to ensure that the information iskept confidential?Are records transported, transmitted or transferred, ina way that ensures that confidentiality is maintained?F 155-029.9.4 Does the CB have a documented policy anddocumented procedures on retention of records?Are records retained for the duration of the currentcycle plus one (1) full certification cycle?See Note10 Management system requirements for CBs10.1 OptionsIn addition to meeting the requirements of Clauses 5 to 9, didthe CB implement a management system in accordance witheithera) management system requirements in accordancewith ISO 9001 (Option 1)? orb) general management system requirements (Option2)?10.2 Option 1: Management system requirementsin accordance with ISO 900110.2.1 GeneralIs the ISO 9001 system capable of supporting anddemonstrating the consistent achievement of therequirements of this International Standard, amplified by10.2.2 to 10.2 5?10.2.2 ScopeDoes the scope of the management system include thedesign and development requirements for its certificationservices?10.2.3 Customer focusDoes the CB consider the credibility of certification andaddress the needs of all parties (as set out in 4.1.2) that relyupon its audit and certification services, not just itscustomers?2008-07-25 ©SANAS Page 29 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORF 155-0210.2.4 Management reviewDoes the CB include as input for management review,information on relevant appeals and complaints from users ofcertification activities?10.2.5 Design and developmentWhen developing a new management system certificationscheme, or adapting an existing one to specialcircumstances, does the CB ensure that the guidance givenin ISO 19011, and which is appropriate to third-partysituations, is included as a design input?10.3 Option 2: General management systemrequirements10.3.1 GeneralDoes the CB establish, document, implement and maintain amanagement system that is capable of supporting anddemonstrating the consistent achievement of therequirements of this International Standard?Does the CB’s top management establish and documentpolicies and objectives for its activities?Does top management provide evidence of its commitmentto the development and implementation of the managementsystem in accordance with the requirements of thisInternational Standard?Does top management ensure that the policies areunderstood, implemented and maintained at all levels of thecertification body’s organisation?Did the CB’s top management appoint a member ofmanagement who, irrespective of other responsibilities, shallhave responsibility and authority that includes:a) ensuring that processes and procedures needed forthe management system are established,implemented and maintained? andb) reporting to top management on the performance ofthe management system and any need forimprovement?2008-07-25 ©SANAS Page 30 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR10.3.2 Management system manualAre all applicable requirements of this International Standardaddressed either in a manual or in associated documents?Does the CB ensure that the manual and relevant associateddocuments are accessible to its personnel?F 155-0210.3.3 Control of documentsDid the CB establish procedures to control the documents(internal and external) that relate to the fulfilment of thisInternational Standard?Does the procedures define the controls needed:a) to approve documents for adequacy prior to issue?b) to review and update as necessary and re-approvedocuments?c) to ensure that changes and the current revisionstatus of documents are identified?d) to ensure that relevant versions of applicabledocuments are available at points of use?e) to ensure that documents remain legible and readilyidentifiable?f) to ensure that documents of external origin areidentified and their distribution controlled? andg) to prevent the unintended use of obsoletedocuments, and to apply suitable identification tothem if they are retained for any purpose?See Note.10.3.4 Control of RecordsDoes the CB establish procedures to define the controlsneeded for the identification, storage, protection, retrieval,retention time and disposition of its records related to thefulfilment of this International Standard?Does the CB establish procedures for retaining records for aperiod consistent with its contractual and legal obligations?Is access to these records consistent with the confidentialityarrangements?See Note2008-07-25 ©SANAS Page 31 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR10.3.5 Management review10.3.5.1 GeneralDid the CB’s top management establish procedures to reviewits management system at planned intervals to ensure itscontinuing suitability, adequacy and effectiveness includingthe stated policies and objectives related to the fulfilment ofthis International Standard?Are these reviews conducted at least once a year?F 155-0210.3.5.2 Review inputsDoes the input to management review include informationrelated to:a) results of internal and external audits?b) feedback from customers and interested partiesrelated to the fulfilment of this InternationalStandard?c) feedback from the committee for safeguardingimpartiality?d) status of preventive and corrective actions?e) follow-up actions from previous managementreviews?f) fulfilment of objectives?g) changes that could affect the management system?andh) appeals and complaints?10.3.5.3 Review outputsDo the outputs from the management review includedecisions and actions related to:a) improvement of the effectiveness of themanagement system and its processes?b) improvement of the certification services related tothe fulfilment of this International Standard? andc) resource needs?10.3.6 Internal Audits10.3.6.1 Does the CB establish procedures for internalaudits to verify that it fulfils the requirements ofthis International Standard and that themanagement system is effectively implementedand maintained? See Note2008-07-25 ©SANAS Page 32 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSORF 155-0210.3.6.2 Is an audit programme planned, taking intoconsideration the importance of the processesand areas to be audited as well as the results ofprevious audits?10.3.6.3 Are internal audits performed at least once every12 months?10.3.6.4 Does the CB ensure that:a) internal audits are conducted by qualifiedpersonnel knowledgeable in certification, auditingand the requirements of this InternationalStandard?b) auditors shall not audit their own work?c) personnel responsible for the area audited areinformed of the outcome of the audit?d) any actions resulting from internal audits aretaken in a timely and appropriate manner? ande) any opportunities for improvement are identified?10.3.7 Corrective ActionsDoes the CB establish procedures for identification andmanagement of non-conformities in its operations?Does the CB also, where necessary, take actions toeliminate the causes of non-conformities in order to preventrecurrence?Are corrective actions appropriate to the impact of theproblems encountered?Do the procedures define requirements for:a) identifying non-conformities (e g. from complaintsand internal audits)?b) determining the causes of non-conformity?c) correcting non-conformities?d) evaluating the need for actions to ensure thatnon-conformities do not recur?e) determining and implementing in a timelymanner, the actions needed?f) recording the results of actions taken? andg) reviewing the effectiveness of corrective actions?2008-07-25 ©SANAS Page 33 of 34

ISO/IEC 17021 Requirement CB’s References COMMENT BY ASSESSOR10.3.8 Preventive ActionsDoes the CB establish procedures for taking preventiveactions to eliminate the causes of potential non-conformities?Are preventive actions taken appropriate to the probableimpact of the potential problems?Do the procedures for preventive actions define requirementsfor:a) identifying potential non-conformities and theircauses?b) evaluating the need for action to prevent theoccurrence of non-conformities?c) determining and implementing the actionneeded?d) recording the results of actions taken? ande) reviewing the effectiveness of the preventiveactions taken.?See Note.F 155-02Signed :Lead Assessor/AssessorDate2008-07-25 ©SANAS Page 34 of 34