Activity 2.1 - ISO 17021 - Cerri


Support for the National Accreditation Centre MOLDAC to successfully undergo the EA peer evaluation process

Twinning Project MD14/ENPI/TR/20

ISO/IEC 17021-1:2015

Key Changes from ISO/IEC 17021:2011

Trainer: Marco Cerri

This project is funded by the European Union

Purpose

To highlight the key changes of ISO/IEC 17021-1

Conformity assessment - Requirements for bodies providing audit and certification of management systems - Part 1: Requirements
- Published 15 June 2015
- Full conformance of CBs after 24 months (IAF ID11:2015)


Overview - Rationale for the revision

- Several interpretation requests were addressed since the publication of the standard and should be taken into consideration in any revision.
- Experience gained with the implementation of the standard has highlighted the need for clarification of some of the clauses.


ISO/IEC 17021-1 : 2015

The Changes
Classification of nonconformities


Overview - Some Key Changes

Defines/classifies nonconformities as major (3.12) and minor (3.13)


Changes - Classification of nonconformities

- A Nonconformity is a non-fulfilment of a requirement (3.11)
- A Minor Nonconformity does not affect the capability of the management system to achieve the intended results (3.13)
- A Major Nonconformity affects the capability of the management system to achieve the intended results:
  - if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  - when a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity. (3.12)


ISO/IEC 17021-1 : 2015

The Changes
Risk based approach


Overview - Some Key Changes

Adds one new principle for a risk-based approach (4.8)


Changes - Risk based approach

Certification bodies need to take into account the risks associated with providing competent, consistent and impartial certification.
Risks may include, but are not limited to, those associated with (4.8):
- the objectives of the audit;
- the sampling used in the audit process;
- real and perceived impartiality;
- legal, regulatory and liability issues;
- the client organization being audited and its operating environment;
- impact of the audit on the client and its activities;
- health and safety of the audit teams;
- perception of interested parties;
- misleading statements by the certified client;
- use of marks.


ISO/IEC 17021-1 : 2015

The Changes
Impartiality and Organisation


Overview - Some Key Changes

Adopts an approach similar to ISO/IEC 17065: does not require, but still allows, an impartiality committee (5.2.3)


The changes - Impartiality and Organisation

5.2.3 The CB shall have a process to identify, analyse, evaluate, treat, monitor and document risks related to conflicts of interest on an ongoing basis.
...
Top Management shall review any residual risks to determine if they are within the level of acceptable risk.

The changes - Impartiality and Organisation

5.2.3 - No mandatory requirement for a committee to safeguard impartiality BUT the risk assessment process shall include identification of and consultation with appropriate interested parties to advise on matters affecting impartiality
- consultation balanced, no single interest predominating.


The changes - Impartiality and Organisation

A committee is still acceptable provided the requirements for terms of reference 6.1.4 establish their input, structure, operation etc., and are confirmed.

Note: Risks must be documented, interested parties identified and consultation shall be balanced.


The changes - Impartiality and Organisation

5.2.4
A Management System certification body cannot certify another certification body for its QMS.

Now a CB can certify other MANAGEMENT SYSTEMS of CBs (e.g. EMS; OHSAS; ISMS).


The changes - Impartiality and Organisation

Introduces Organisational Control, i.e. where the CB
- owns another entity
- has major participation on board of directors of entity
- has provided documented authority over another entity in a network of legal entities in which CB resides, e.g. a holding company or group with many divisions.
Entities under organisational control cannot offer:
- Consultancy
- Internal audits for certified clients

How can a CB be positioned in a bigger organisation?

[Organisation chart. Box labels: Holding; Legal Entity 1; Legal Entity 2; Legal Entity 3; Legal Entity 4; Ext.; Div. 1.1; Business Area 1.1.1; Business Area 1.1.2; Reg. 1.1; Reg. 1.2; Dep. 2.1; CB; Legal Entity 3.1; Legal Entity 3.2; Div. 4.1; Div. 4.2; Div. 4.3]


The changes - Impartiality and Organisation

5.2.5 The certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.


The changes - Impartiality and Organisation

Organisational Control could relate to:
- A sister organisation
- A company based overseas owned by the CB
- A joint venture
- A franchise
- An agent.
Organisational Control is not:
- Outsourcing
- Individuals working directly for the CB

The changes - Impartiality and Organisation

Improving control by CBs
- Requirement for a CB to demonstrate effective operational control of its remote offices and personnel regardless of their organizational structure (6.2)
  - branch offices, partnerships, agents, franchisees, etc., irrespective of their legal status, relationship or geographical location.
- Requirement for a CB to demonstrate effective organizational control for persons making certification decisions (DM) (9.5)
  - The DM employed by, or under contract with, entities under organizational control shall fulfil the same requirements as persons employed by, or under contract with, the certification body -> shall have appropriate competence


This is one possibility for organizational control among many

[Diagram with three parties: Certification Body, Related company, Person/employee. Labels: "Work contract"; "Agreement to follow CB rules and procedure"; "Organizational Control is to supervise that the related company does not influence the person in its work for the CB"]

This relates to Clauses 5.2.5 of ISO 17021-1 and 7.6.4 of ISO 17065.

Comparison with clause 7.6.4 of ISO/IEC 17065


ISO/IEC 17021-1 : 2015

The Changes
Information Requirements


The changes - Information Requirements

8.1 Public Information
- Adopted same approach as ISO/IEC 17024 regarding public information with, or without, request (8.1)
- Public without request in all geographical areas:
  Audit process, certification grant, withdrawal, suspension process, complaints, appeals, impartiality, policy, use of name/marks etc.
- Information on request:
  Geographical areas, status of a given certificate, details re certification of a specified client
- No longer requiring a public directory of certifications granted

The changes - Information Requirements

8.2 Certification Document
New note included regarding dates when certificate expires and where there is a gap before re-certification decision/date.
NOTE: The certification body can keep the original certification date on the certificate when a certificate lapses for a period of time provided that:
- the current certification cycle start and expiry date are clearly indicated;
- the last certification cycle expiry date be indicated along with the date of recertification audit.


The changes - Information Requirements

Marks on Products
Now allows a statement, but no mark, on product packaging (not on product) and accompanying literature that a company has a certified management system (8.3.3)
- cannot imply the product is certified.
- to include the name of the CB.


ISO/IEC 17021-1 : 2015

The Changes
Competence criteria


Determination of competence criteria (7.1.2)

No changes
- The certification body shall have a process for determining the competence criteria for personnel involved in the management and performance of audits and other certification activities.
- Competence criteria shall be determined with regard to the requirements of each type of management system standard or specification, for each technical area, and for each function in the certification process.
- The output of the process shall be the documented criteria of required knowledge and skills necessary to effectively perform audit and certification tasks to be fulfilled to achieve the intended results.


The changes - Determination of competence criteria (7.1.2)

- The term "technical area" is applied differently depending on the management system standard being considered.
- For any management system, the term is related to products, processes and services in the context of the scope of the management system standard.
- The technical area can be defined by a specific certification scheme (e.g. ISO/TS 22003) or can be determined by the certification body.
- It is used to cover a number of other terms such as "scopes", "categories", "sectors", etc., which are traditionally used in different management system disciplines.


The changes - Competence criteria (Annex A)

- Normative Annex A revised to include expanded statements explaining competence requirements
- Eliminates the X and X+ (felt to have created some confusion for the users)
- Now specifies the knowledge and skills that a certification body shall define for specific functions.
- Where additional specific competence criteria have been established for a specific standard or certification scheme (e.g. ISO/IEC TS 17021-2, ISO/IEC TS 17021-3 or ISO/TS 22003), these shall be applied.


Annex A - Technical specifications


Specific competence requirements
ISO/IEC 17021-1: generic competence requirements for any MS
ISO/IEC TS 17021-2: competence for EMS
ISO/IEC TS 17021-3: competence for QMS
ISO/IEC TS 17021-4: competence for event sustainability MS
ISO/IEC TS 17021-5: competence for asset MS
ISO/IEC TS 17021-6: competence for business continuity MS
ISO/IEC TS 17021-7: competence for road traffic safety MS
ISO/TS 22003: includes competence for food safety MS
ISO 28003: includes competence for supply chain security MS
ISO 50003: includes competence for energy MS
ISO/IEC 27006: includes competence for information security MS


ISO/IEC 17021-1 : 2015

The Changes
Process Requirements


The changes - Process Requirements

Section 9
Requirements now re-ordered to reflect how certification audits and services are provided by a CB


Process Requirements - Determining audit time

- Defined audit time from planning to reporting
  3.16 - Time needed to plan and accomplish a complete and effective audit of the client organizations
- Defined audit duration from opening to closing meeting (3.17)
  3.17 - Part of audit time (3.16) spent conducting audit activities from the opening meeting to the closing
- Refocused requirements for justification on audit duration
  9.1.4.3 - The duration of the management system audit and its justification shall be recorded.
- Consistent with ISO/IEC TS 17023 guidelines & revision of IAF MD5 defining audit time
- This clarification is important as it reinforced the existing requirement that the CB shall determine the time needed to plan and accomplish a complete and effective audit (9.1.4.1)

Process Requirements - Audit programme

- New requirement on transfers requiring a CB to obtain and retain sufficient evidence such as reports and documentation on corrective actions for prior nonconformities (9.1.3.4) - (see also MD2:2007)
- New requirement for consideration of shifts in the audit program (9.1.3.5) - (see also MD5:2015)
- New requirement to plan for adequate auditing when certifying to multiple management systems standards (9.1.6) - (see also MD11:2013)

Process Requirements - Granting Certification

- If a CB is unable to verify effective correction and corrective action 6 months after an initial audit, another Stage 2 shall be conducted (9.5.3.2)
- Based on the change above, the requirement for the first surveillance audit after initial certification is now 12 months after the initial certification decision date (9.1.3.3) (no longer 12 months after Stage 2)
- When a transfer of certification is envisaged from one certification body to another, the accepting certification body shall have a process for obtaining sufficient information in order to take a decision on certification (9.5.3.3) (see MD-02:2007)


Process Requirements - Maintaining certification

- When recertification is completed prior to expiration, the expiration date can be based on the existing certification (so certification may be longer than 3 years) (9.6.3.2.3)
- The issue date on a new certificate shall be on or after the recertification decision.
- If the recertification audit is not completed, or any major nonconformity not verified, by the expiration date, then recertification cannot be recommended and the validity of the certification cannot be extended (9.6.3.2.4)
- Six months allowed for recertification following expiration of certification; otherwise, a Stage 2 shall be conducted (9.6.3.2.5)


Process Requirements - Audit report

9.4.8.3 (a) - New requirement (from consideration of ISO/IEC TS 17022:2012)
The report shall also contain:
a) statement on the conformity and the effectiveness of the management system together with a summary of the evidence relating to:
   - the capability of the management system to meet applicable requirements and expected outcomes;
   - the internal audit and management review process;
b) a conclusion on the appropriateness of the certification scope;
c) confirmation that the audit objectives have been fulfilled.


ISO/IEC 17021-1 : 2015

Workshop Exercises


Workshop Exercise 1

THE FOLLOWING IS / IS NOT CONSIDERED CONSULTANCY? (YES / NO)

1 - Preparing or producing manuals or procedures
2 - Giving solutions towards the development and implementation of a management system.
3 - Arranging training and participating as a trainer in a course related to management systems or auditing, which provides client-specific solutions.
4 - Explaining the meaning and intention of certification criteria;
5 - Arranging training and participating as a trainer in a course related to management systems or auditing, which provides generic information
6 - Explaining associated theories, methodologies, techniques or tools;
7 - Sharing non-confidential information on related best practices;
8 - Explaining management aspects that are not covered by the management system being audited.
9 - Giving specific advice, instructions towards the development and implementation of a management system.
10 - Identifying generic improvement opportunities;
11 - Is any kind of training a threat to the impartiality of the CB that needs to be subject to a risk analysis of conflict of interest?
12 - Is the preparation of a risk analysis to be considered an implementation of a management system?


Workshop Exercise 2

Based on the presentation, please consider the following question:

- According to 5.2.5 an entity under the organizational control of the CB cannot offer or provide consultancy.
- But what if the CB is under the organisational control of the consultancy organisation, for example if the consultancy organisation has a major participation in the board of directors of the CB?


Workshop Exercise 3

Based on the presentation, please consider the following question:

What are the implications of the changes to impartiality requirements, especially with regard to the removal of the specific requirement for an impartiality committee;
- what changes and alternatives might be implemented by Certification Bodies?
- what do NABs need to do differently to assess them?


Workshop Exercise 4

Based on the presentation, please consider the following question:

- Consider clauses 9.6.3.2.4 and 9.6.3.2.5. Please offer a practical interpretation of these clauses in terms of decision dates and information on certificates.
- Can a CB take a recertification decision after the expiry date of the certification?


Workshop Exercise 5

Based on the presentation, please choose the only acceptable combination of requirements to be fulfilled prior to making a decision to grant a certification:

A - the information provided by the audit team is sufficient with respect to the certification requirements and the scope for certification;
B - for any nonconformities, it has reviewed, accepted and verified the correction and corrective actions;
C - for any minor nonconformities it has reviewed and accepted the client's plan for correction and corrective action.
D - for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions;
E - for any nonconformities it has reviewed and accepted the client's plan for correction and corrective action.

Combination (YES / NO):
- B+C
- C+D
- A+C+D
- A+E
- A+B+D


Workshop Exercise 6 - Acceptable?

[Organisation chart. Box labels: Board of Directors Legal Entity 1; CEO; Standards Development; Management Systems Registrar; Consulting, Training; Board of Directors Legal Entity 2; Administration - HR and QA; Management Systems Auditors; Administrative Staff; Certification Body; Mechanism Impartiality Review Committee; Certification Final Evaluation, Review and Decision; Testing Evaluation of Products; Inspection Surveillance Auditors]


Workshop Exercise 7 - Acceptable?

[Organisation chart. Box labels: Board of Directors Legal Entity 1; CEO; Standards Development; Management Systems Registrar; Consulting, Training; Board of Directors Legal Entity 2; Administration - HR and QA; Management Systems Auditors; Administrative Staff; Certification Body; Mechanism Impartiality Review Committee; Certification Final Evaluation, Review and Decision; Testing Evaluation of Products; Inspection Surveillance Auditors]


Workshop Exercise 8 - Acceptable?

[Organisation chart. Box labels: Board of Directors Legal Entity 1; CEO; Standards Development; Management Systems Registrar; Consulting, Training; Board of Directors Legal Entity 2; Administration - HR and QA; Management Systems Auditors; Administrative Staff; Certification Body; Mechanism Impartiality Review Committee; Inspection Surveillance Auditors; Testing Evaluation of Products; Certification Final Evaluation, Review and Decision]
