
28 June 2011, Version 2

ISO/IEC 17021:2011 Conformity assessment
Requirements for bodies providing audit and certification of management systems

The publication of ISO/IEC 17021:2011 introduces some important
new requirements for bodies providing audit and certification of
management systems. This briefing note seeks to inform IRCA
certificated auditors and IRCA approved training organizations of the
changes and their likely impact.
Who will the changes to ISO/IEC 17021:2011 affect?

The simple answer is that ISO/IEC 17021:2011 is a requirements
standard intended for use by accreditation bodies, for example the
UKAS, to assess management systems certification bodies. The third-
party certification industry will use ISO 17021:2011 to define
requirements for audits and audit arrangements. Accreditation bodies
will determine whether a certification body's auditing arrangements
and activities comply with those requirements. So primarily it will be
certification bodies and certification body auditors who will be most
affected.

IRCA approved training organizations that deliver certificated
auditor/lead auditor courses and auditor conversion courses may
need to make some minor changes to the content of their courses to
reflect the changes in ISO/IEC 17021 as applicable to third-party
audits. Tutors delivering these courses will need to be familiar with
the requirements for managing and conducting third-party
certification audits.
What are the significant changes?

1. Normative reference ISO 19011
ISO 17021:2006 specified ISO 19011 as a normative reference. This
is no longer the case. Amendments have been made to replace
references to ISO 19011 with text adding specific requirements for
third-party certification auditing and the management of competence
of personnel involved in certification. Requirements for bodies
providing audit and certification of management systems are now
fully contained within ISO/IEC 17021:2011.

For both standard writers and users this has the advantage that
ISO/IEC 17021 clearly defines requirements for bodies providing
audit and certification of management systems. ISO 19011, by
contrast, is a guidance document covering all types of audit, for
example internal and supplier audits, and is therefore more general
in content and application.

2. Competence of management and personnel (section 7.1)

For some organizations revised requirements for competence of
management and personnel may be a significant change.

ISO/IEC 17021:2011 defines competence as "ability to apply
knowledge and skills to achieve intended results".

The significance of this lies in the need to define the intended results
to be achieved for each certification activity, for example from the
review of the initial application through to reviewing audit reports and
taking certification decisions. Also significant is the requirement to
implement evaluation processes, the output of which shall identify
personnel who have demonstrated the level of competence required for
the different functions of the audit process. Here the emphasis is on
the need for personnel to have demonstrated their competence.

Organizations that have previously relied exclusively on experience-
based evidence will need to do more to evaluate the competence of
their people. For example, where a certification body may previously
have relied on a CV review as evidence of technical competence, such
records alone are now unlikely to be sufficient. In future, certification
bodies may decide to carry out evidence-based interviews of trainee
auditors to determine if they have the knowledge suggested by their
CV, using defined technical criteria as the basis of the interview and
recording the output of the interview to show the justification of
technical competence.
Other approaches may include examinations to test the knowledge of
the auditor, the results of which are marked to determine if the
pass/fail criteria are achieved. Although currently these are often
limited to knowledge of standards, they could be developed as a
mechanism by which an auditor could demonstrate knowledge of a
business sector.
Desired personal behaviours: Annex D (informative)

Although the ISO/IEC 17021:2011 definition of competence refers
only to knowledge and skills, Annex D identifies personal behaviours
that are important for personnel involved in certification activities.
ISO 17021:2011 makes it clear that this annex is informative and not
intended to be applied as requirements. However, introducing
behaviour into the make-up of competence brings close alignment
with other professions where competence is defined as the
demonstrated application of knowledge, skills and behaviour, to
achieve a stated performance standard.

It is likely that to achieve intended results, desired personal
behaviours will also need to be applied. Annex D recognizes that
behaviour is situational, and advises that the certification body should
take appropriate action for any identified weakness that adversely
affects the certification activity.


3. Process requirements (section 9)
Process requirements for audit and certification of management
systems are now fully defined within ISO/IEC 17021:2011, and
previous references to ISO 19011 have been deleted. Guidance from ISO 19011
has been revised to better assure the certification audit process and
is now incorporated as requirements. For example, ISO/IEC
17021:2011 defines requirements for the opening meeting of a
certification audit whereas previously reliance was placed on
referencing the general guidance given in ISO 19011.

In practice the changes may appear small to auditors already
undertaking certification audits. It is likely that many certification
bodies will already have built these requirements into their own
management system requirements and the procedures their auditors
follow.
Two process requirements worth highlighting are:
a) Determining audit objectives, scope and criteria (section 9.1.2.2).
This section specifies clearly that audit objectives shall include:

- Determination of the conformity of the client's management
  system, or parts of it, with audit criteria
- Evaluation of the ability of the management system to ensure the
  client organization meets applicable statutory, regulatory and
  contractual requirements
- Evaluation of the effectiveness of the management system to
  ensure the client organization is continually meeting its specified
  objectives
- As applicable, identification of areas for potential improvement of
  the management system.

This makes it clear that certification audits are required to evaluate
the whole management system, not only for conformity with criteria
but also to evaluate its ability to meet the needs of the client
organization, their customers, and regulators. While this may not be
new to many, for auditors more used to determining conformance
with a set of procedures, it will be a significant change.

b) Determining audit time (9.1.4). This section specifies clearly that
"in determining the audit time, the certification body shall consider,
among other things, the following aspects". It then goes on to list a
number of considerations, including the risks associated with the
products, processes or activities of the organization.

This requirement states the expectation that when determining the
overall audit time, and also how time available is allocated in the
audit plan, consideration is given to the risks associated with the
products, processes or activities of the organization. In other words,
consider the potential consequences to the organization, its clients
and interested parties if things go wrong, and ensure adequate time is
available to fully evaluate the capability of the client's management
system to reduce the likelihood of failure occurring.
Impact on IRCA certificated training courses

The purpose of auditor/lead auditor and auditor conversion courses is
to provide students with the knowledge and skills required to perform
first, second and third-party audits of management systems.
Generally, IRCA certificated courses train students following the
guidance given in ISO 19011 as it applies to these three types of
audit. With the publication of ISO/IEC 17021:2011, requirements for
third-party certification audits are now more clearly defined and we
will require training providers to recognise this in their training
courses.

However, we also need to be pragmatic and realistic. Auditor/lead
auditor courses and auditor conversion courses are aimed not only at
certification body auditors but also people who want to undertake
second-party or supplier audits, and also internal audits of their own
management system. Indeed, it is these last two groups who make
up the majority of course attendees.

We will require training organizations to:

- Bring to the attention of students the purpose of ISO/IEC
  17021:2011, making reference to ISO 19011 as appropriate
- Use the definitions given in ISO/IEC 17021:2011 section 3 as
  applicable when referring to third-party certification audits
- Describe clearly the significant differences between first, second
  and third-party certification audits, making reference to requirements
  for determining third-party certification audit objectives, scope and
  criteria as described in ISO/IEC 17021:2011
- Provide students with a general overview of the third-party
  certification process as described in ISO/IEC 17021:2011, making
  reference as appropriate to similarities and differences to ISO 19011.

We do not require training organizations to provide students with
detailed knowledge of ISO/IEC 17021:2011, and indeed we discourage
them from seeking to do so, as we believe the general principles within
ISO/IEC 17021:2011 are already addressed through applicable IRCA
course criteria and ISO 19011.
How will the changes affect IRCA certificated auditors?

Auditors working for certification bodies may find their competence is
evaluated through more formal and more rigorous processes than
previously. This will especially be the case when the certification body
is seeking to extend the scope of their technical competence. Also it
is likely that periodic monitoring of auditor performance will in future
include ongoing evaluation of sector competence.


All certification bodies will be required to demonstrate conformance
with ISO/IEC 17021:2011. This requires them to demonstrate that
they have established competence criteria and performed evaluation
of their auditors. We do not expect that those certification bodies with
well-defined and established competence processes, procedures and
records will repeat their initial evaluation of sector or technical
competence of existing auditors. As part of their process for
evaluating the continued competence of auditors they may, for
example, take into account proven ability, based on results from
evaluating the outputs from the certification activity.

Other IRCA certificated auditors, for example those offering
consultancy services, may be required by their employers to adopt an
evidence-based approach to demonstrating competence.

Auditors carrying out certification audits will need to be aware of, and
implement, requirements for taking account of the risks associated
with the products, processes or activities of the organization when
planning audits.
Will there be changes to the IRCA auditor certification
criteria?

Currently we require applicants to have successfully completed an
IRCA certificated training course, have completed a minimum number
of years of relevant workplace experience and completed a minimum
number of audits, at least one of which must have been under the
direction and guidance of an auditor currently certified as a lead
auditor. At this time IRCA intends to continue with the current
system. However, we will keep this under review.
