09.07.2015 Views

ISO/IEC 17021:2011 Conformity assessment - IRCA


ISO/IEC 17021:2011 Conformity assessment – Requirements for bodies providing audit and certification of management systems

The publication of ISO/IEC 17021:2011 introduces some important new requirements for bodies providing audit and certification of management systems. This briefing note seeks to inform IRCA certificated auditors and IRCA approved training organizations of the changes and their likely impact.

Who will the changes to ISO/IEC 17021:2011 affect?

The simple answer is that ISO/IEC 17021:2011 is a requirements standard intended for use by accreditation bodies, for example the UKAS, to assess management systems certification bodies. The third-party certification industry will use ISO 17021:2011 to define requirements for audits and audit arrangements. Accreditation bodies will determine whether a certification body’s auditing arrangements and activities comply with those requirements. So primarily it will be certification bodies and certification body auditors who will be most affected.

IRCA approved training organizations that deliver certificated auditor/lead auditor courses and auditor conversion courses may need to make some minor changes to the content of their courses to reflect the changes in ISO/IEC 17021 as applicable to third-party audits. Tutors delivering these courses will need to be familiar with the requirements for managing and conducting third-party certification audits.

What are the significant changes?

1. Normative reference ISO 19011

ISO 17021:2006 specified ISO 19011 as a normative reference. This is no longer the case. Amendments have been made to replace references to ISO 19011 with text adding specific requirements for third-party certification auditing and the management of competence of personnel involved in certification. Requirements for bodies providing audit and certification of management systems are now fully contained within ISO/IEC 17021:2011.

For both standard writers and users this has the advantage that ISO/IEC 17021 clearly defines requirements for bodies providing audit and certification of management systems. Whereas ISO 19011 is a guidance document covering all types of audit, for example internal and supplier audits, and therefore is more general in content and application.

28 June 2011, Version 2

2. Competence of management and personnel (section 7.1)


For some organizations revised requirements for competence of management and personnel may be a significant change.

ISO/IEC 17021:2011 defines competence as – ability to apply knowledge and skills to achieve intended results.

The significance of this is in the need to define intended results to be achieved for each certification activity, for example from the review of the initial application through to reviewing audit reports and taking certification decisions. Also the requirement to implement evaluation processes, the output of which shall identify personnel who have demonstrated the level of competence required for the different functions of the audit process. Here the emphasis is on the need for personnel to have demonstrated their competence.

Organizations that have previously relied exclusively on experience-based evidence will need to do more to evaluate the competence of their people. For example, where a certification body may previously have relied on a CV review as evidence of technical competence, such records alone are now unlikely to be sufficient. In future, certification bodies may decide to carry out evidence-based interviews of trainee auditors to determine if they have the knowledge suggested by their CV, using defined technical criteria as the basis of the interview and recording the output of the interview to show the justification of technical competence.

Other approaches may include examinations to test the knowledge of the auditor, the results of which are marked to determine if the pass/fail criteria are achieved. Although currently these are often limited to knowledge of standards, they could be developed as a mechanism by which an auditor could demonstrate knowledge of a business sector.

Desired personal behaviours – Annex D (informative)

Although the ISO/IEC 17021:2011 definition of competence refers only to knowledge and skills, Annex D identifies personal behaviours that are important for personnel involved in certification activities. ISO 17021:2011 makes it clear that this annex is informative and not intended to be applied as requirements. However, introducing behaviour into the make-up of competence brings close alignment with other professions where competence is defined as the demonstrated application of knowledge, skills and behaviour, to achieve a stated performance standard.

It is likely that to achieve intended results, desired personal behaviours will also need to be applied. Annex D recognizes that behaviour is situational, and advises that the certification body should take appropriate action for any identified weakness that adversely affects the certification activity.


3. Process requirements (section 9)

Process requirements for audit and certification of management systems are now fully defined within ISO/IEC 17021:2011 and previous references to ISO 19011 deleted. Guidance from ISO 19011 has been revised to better assure the certification audit process and is now incorporated as requirements. For example, ISO/IEC 17021:2011 defines requirements for the opening meeting of a certification audit whereas previously reliance was placed on referencing the general guidance given in ISO 19011.

In practice the changes may appear small to auditors already undertaking certification audits. It is likely that many certification bodies will already have built these requirements into their own management system requirements and procedures their auditors follow.

Two process requirements worth highlighting are:

a) Determining audit objectives, scope and criteria (section 9.1.2.2). This section specifies clearly that audit objectives shall include:

• Determination of the conformity of the client’s management system, or parts of it with audit criteria
• Evaluation of the ability of the management system to ensure the client organization meets applicable statutory, regulatory and contractual requirements
• Evaluation of the effectiveness of the management system to ensure the client organization is continually meeting its specified objectives
• As applicable, identification of areas for potential improvement of the management system.

This makes it clear that certification audits are required to evaluate the whole management system, not only for conformity with criteria but also to evaluate its ability to meet the needs of the client organization, their customers, and regulators. While this may not be new to many, for auditors more used to determining conformance with a set of procedures, it will be a significant change.

b) Determining audit time (9.1.4) – this section specifies clearly that in determining the audit time, the certification body shall consider, among other things, the following aspects. It then goes on to list a number of considerations including the risks associated with the products, processes or activities of the organization.

This requirement states the expectation that when determining the overall audit time, and also how time available is allocated in the audit plan, consideration is given to the risks associated with the products, processes or activities of the organization – in other words, consider the potential consequences to the organization, its clients and interested parties if things go wrong and ensure adequate time is available to fully evaluate the capability of the client’s management system to reduce the likelihood of failure occurring.

Impact on IRCA certificated training courses

The purpose of auditor/lead auditor and auditor conversion courses is to provide students with the knowledge and skills required to perform first, second and third-party audits of management systems. Generally, IRCA certificated courses train students following the guidance given in ISO 19011 as it applies to these three types of audit. With the publication of ISO/IEC 17021:2011 requirements for third-party certification audits are now more clearly defined and we will require training providers to recognise this in their training courses.

However we also need to be pragmatic and realistic. Auditor/lead auditor courses and auditor conversion courses are aimed not only at certification body auditors but also people who want to undertake second-party or supplier audits, and also internal audits of their own management system. Indeed, it is these last two groups who make up the majority of course attendees.

We will require training organizations to:

• Bring to the attention of students the purpose of ISO/IEC 17021:2011 making reference to ISO 19011 as appropriate
• Use the definitions given in ISO/IEC 17021:2011 section 3 as applicable when referring to third-party certification audits
• Describe clearly the significant differences between first, second and third-party certification audits making reference to requirements for determining third-party certification audit objectives, scope and criteria as described in ISO/IEC 17021:2011
• Provide students with a general overview of the third-party certification process as described in ISO/IEC 17021:2011 and making reference as appropriate to similarities and differences to ISO 19011.

We do not require, and indeed we discourage training organizations from seeking to provide students with detailed knowledge of ISO/IEC 17021:2011 as we believe the general principles within ISO/IEC 17021:2011 are already addressed through applicable IRCA course criteria and ISO 19011.

How will the changes affect IRCA certificated auditors?

Auditors working for certification bodies may find their competence is evaluated through more formal and more rigorous processes than previously. This will especially be the case when the certification body is seeking to extend the scope of their technical competence. Also it is likely that periodic monitoring of auditor performance will in future include ongoing evaluation of sector competence.
