ISO/IEC 17021—the IAF Perspective

Presented by Randy Dougherty

at the
Seventh IRCA International Forum
15 June 2008

1
 ISO/IEC 17021:2006
z Developed by ISO/CASCO Working Group 21

z Co-conveners
– Alister Dalrymple, France-AFNOR
z AFAQ, a management system certification body
– Randy Dougherty, US-ANSI
z ANAB, an accreditation body for management system
certification bodies

Note: CASCO is the Conformity Assessment Committee

2
 ISO/IEC 17021:2006
Intent of WG21 for 17021
z To replace Guides 62 and 66
z To be applicable to any management systems
z To incorporate IAF guidance
z To incorporate latest technology
z To be consistent with the common elements
(WG23)
z Principles-based performance requirements
(where possible)
3
 ISO/IEC 17021:2006
ISO/IEC 17021:2006
Conformity assessment—Requirements for
bodies providing audit and certification of
management systems

Published 15 September 2006

4
 ISO/IEC 17021:2006
z Contents
– 1 Scope
– 2 Normative references
– 3 Terms and definitions
– 4 Principles
– 5 General requirements
– 6 Structural requirements
– 7 Resource requirements
– 8 Information requirements
– 9 Process requirements
– 10 Management system requirements for CBs 5
 ISO/IEC 17021:2006
What is new?
– regarding the standard?

z Section 4 Principles [for third party

certification]
– Subsequent requirements are based on the
principles
– The principles are not auditable

6
 ISO/IEC 17021:2006
What is new?
– regarding CB and audit team competence?

z Requirements that result in a process for ensuring the

assignment of competent audit team
– competence analysis (7.1 & 7.2)
– records justifying decision to accept the client
(9.2.2.1.f)
– application review—competence needed (9.2.2.2)
– audit team selection—competence provided (9.2.2.3)
– competence to make certification decision (9.2.2.4)

7
 ISO/IEC 17021:2006
What is new?
– regarding the certification process?

z Certification and audit program (9.1.1)

– two-stage audit for initial certification
– three year certification cycle begins with certification
or re-certification decision
– surveillance audits in first and second years
– re-certification audit in the third year prior to
expiration
8
 ISO/IEC 17021:2006
What is new?
– regarding the certification process?

z stage 1 audit (9.2.3.1)

– Establishes seven objectives to be fulfilled during the
stage 1 audit
– Recommended, but not required, that at least part of
the stage 1 audit be carried out at client’s premises

9
 ISO/IEC 17021:2006
What is new?
– regarding impartiality?

z Eliminated the definition for, and use of the

term, “related body”, and instead describe
activities/relationships that are a threat to
impartiality
10
 ISO/IEC 17021:2006
What is new?
– regarding management system requirements for a
CB?

z Option 1—ISO 9001:2000 (10.2)

z Option 2—general management system requirements
(10.3)
– documented MS, polices and objectives
– control of documents and records
– internal audits & management review
– corrective & preventive actions

11
 ISO/IEC 17021:2006

z published 15 September 2006

z plan for implementation?

12
ISO/IEC 17021:2006 and IAF
– In November 2006, IAF resolved that the that
the transition to ISO/IEC 17021:2006 be
effective 24 months after publication
z based on the publication date of 15 September 2006,
the deadline is 15 September 2008
z the annexes to IAF GD2 and IAF GD6 should
continue to be applied until superseded
z NOT to develop any IAF guidance on the
application of ISO/IEC 17021

13
ISO/IEC 17021:2006 and IAF
z InMarch 2007, established seven IAF TC
TFs to review GD2 and GD6 annexes:
– Scopes of Accreditation for QMS
– Duration of Audits to ISO 9001:2000
– Duration of Audits to ISO 14001:2004
– Certification of Multiple Sites based on Sampling
– Transfer of Certification
– Advanced Surveillance and Recertification Procedures
(ASRP)
– Computer Assisted Audit Techniques (CAAT)

14
ISO/IEC 17021:2006 and IAF
z In May 2007, published IAF GD 8:2007
Informative Guidance on the Transition to
ISO/IEC 17021 Accreditation from ISO/IEC
Guide 62 and ISO/IEC Guide 66
– ABs…date for not accepting applications…to 62 or 66
– Verify implementation during normal AB surveillance
– Nonconformities to be resolved prior to transition
– CBs advised to make a transition plan and seek
agreement of their AB
– CBs advised to gain agreement with their AB for any
phased approach

15
ISO/IEC 17021:2006 and IAF
z IAF MD 1:2007 Certification of Multiple Sites
Based on Sampling
– Published 2007/11/20, Effective 2008/09/15
z IAF MD 2:2007 Transfer of Accredited
Certification of Management Systems
– Published 2007/12/14, Effective 2008/09/15
z IAF MD 3:2008 Advanced Surveillance and
Recertification Procedures (ASRP)
– Published 2008/02/01, Effective 2008/09/15

16
 ISO/IEC 17021:2006—
IAF and Competence
z 1 March 2008 Training Workshop Sponsored
by IAF
z Presented by Tim Inman & Randy Dougherty
z Purpose—To promote consistent
understanding and application of ISO/IEC
17021:2006 by accreditation body personnel,
including accreditation assessors, and by
certification body personnel.

17
 ISO/IEC 17021:2006—
IAF and Competence
z The publication of ISO 19011:2002 initiated the
change from qualifications to competence
– 3.14 competence — demonstrated personal
attributes and demonstrated ability to apply
knowledge and skills (ISO 19011)

– Note: In ISO 9000 and ISO/IEC 17021, competence is defined

as the demonstrated ability to apply knowledge and skills

18
 ISO/IEC 17021:2006—
IAF and Competence
z ISO 19011:2002, Table 1 and 7.4
reinforce qualifications—education, work
experience, auditor training and audit
experience.
– Or do they?
z “…education sufficient to acquire the knowledge
and skills…(7.4.1a)
z “…work experience that contributes to the
development of the knowledge and
skills…(7.1.4b)
19
 ISO/IEC 17021:2006—
IAF and Competence
z IAF guidance introduced some of the current
concepts of competence as currently required in
ISO/IEC 17021:2006—for EMS first, and then for
QMS
– Expectation of a CB to determine types of management
systems (e.g, the standards) and the technical areas a CB is
competent to operate in (eg. GD2 – G.2.2.2 & G.2.2.3)
z Note, as there is no standardization or harmonization of
‘technical areas’ for any standard, this remains a source of
inconsistency.
– Expectation to determine the competence needed by an
audit team based on needs of a specific client
– Assigning a team collectively possessing the necessary
competence

20
 ISO/IEC 17021:2006—
IAF and Competence
z ISO/IEC 17021:2006 requirements include
the concepts from IAF guidance, but also
references ISO 19011:2002
– Reinforces the concept of competence rather than
qualifications
z Qualifications can provide information on knowledge and
skills that is useful in the determination of competence
– Each CB is to specify its processes and
requirements for competence
z Promotes ownership and encourages innovation

21
 ISO/IEC 17021 Part 2
z In response to demand from
stakeholders, especially industry end-
users of ISO 9001 accredited
certification, ISO/CASCO WG21 is
developing part 2 of 17021 to replace
references to ISO 19011, and to specify
requirements for competence

22
 ISO/IEC 17021 Part 2
z To replace references to ISO 19011 guidelines
with requirements applicable to any third
party MS audit
– Audit process
– CB management of competence, including the
competence of audit teams
z Template for specific auditing requirements
that can be applied to other ISO TCs
– TC 176 for ISO 9001, TC 207 for ISO 14001, TC 34
for ISO 22000, etc.

23
ISO/IEC Generic Requirements for 3rd Party
17021 Auditing & Management of Competence
Part 2 (based on 19011)

Framework for Developing Specific Requirements for 3rd Party

Auditing & Management of Competence

QMS Competent EMS Competent FSMS Competent ISMS Competent xMS Competent
Body, e.g. Body, e.g. Body, e.g. Body e.g.
Body
ISO/TC176 ISO/TC207 ISO/TC34 ISO/TC178

QMS Specific EMS Specific FSMS Specific ISMS Specific xMS Specific
Competence Competence Competence Competence Competence
Requirements Requirements Requirements Requirements Requirements

Developed by a competent body using the 17021

Included in 17021 Part 2, developed by Part 2 framework, in consultation with CASCO, and
WG 21 with input from competent bodies published as separate sector documents24
 ISO/IEC 17021 Part 2
z WG21 Meetings on Part 2
– December 2006
– February 2007
– June 2007
z Initial working draft
– October 2007
– January 2008
z Committee draft (CD1) for comment closing 2008/07/12
– October 2008
z To address comments and CD2 for comment and ballot?

25
 ISO/IEC 17021 Part 2
z 7 Management of competence
z 7.1 Competence criteria determination process
– “…CB shall have a documented process for
determining competence criteria…for each type of
management system, for each technical area, and for
each function…”
– “…the output of the process shall be the required
personal attributes, knowledge and skills necessary to
effectively perform…”

26
 ISO/IEC 17021 Part 2
z 7 Management of competence
z 7.3 Evaluation processes
– “…CB shall have process for initial competence
evaluation, and on-going monitoring of continuing
competence and performance…”
– “…number of evaluation methods that may be used to
evaluate the knowledge, skills and attributes…”
– “…CB shall validate that its processes, including the
evaluation methods that is uses, are effective…”

27