Another question that we get asked a lot is “during surveillance audits, why does my certification body always seems to audit the same things?”
In the same way that your company is assessed against the requirements of ISO 9001, certification bodies* are assessed against the requirements of ISO 17021 – Requirements for bodies providing audit and certification of management systems. This means that certification bodies* must follow the specific requirements of ISO 17021 in order to maintain their status as a certification body (CB).
ISO 17021 clause 9.3.2.1 states that CBs must conduct on-site surveillance audits (not necessarily full system audits) covering at least:
a) internal audits and management review,
b) a review of actions taken on nonconformities identified during the previous audit,
c) treatment of complaints,
d) effectiveness of the management system with regard to achieving the certified client’s objectives,
e) progress of planned activities aimed at continual improvement,
f) continuing operational control,
g) review of any changes, and
h) use of marks and/or any other reference to certification.
Clause 9.3.2.2 also states that these audits must be conducted at least once per year and that there can be no longer than 12 months between two audits.
Those of you who know the ISO 9001 clauses inside out will quickly see which clauses of ISO 9001 the CBs will be looking at on a regular basis, but for those who don’t, let’s break it down:
a) internal audits and management review,
This should be an easy one – internal audits = ISO 9001 clause 8.2.2 and management review = clause 5.6.
b) a review of actions taken on nonconformities identified during the previous audit,
This is corrective action = clause 8.5.2.
c) treatment of complaints,
This is less obvious. Clause 8.2.1 states how you should monitor and measure customer satisfaction; and clause 8.5.2 (corrective action) requires you to review nonconformities – and specifically states customer complaints.
d) effectiveness of the management system with regard to achieving the certified client’s objectives,
How you audit the “effectiveness of the management system” is clause 5.4.1 (quality objectives), and by definition that leads you back to clause 5.3 (quality policy).
e) progress of planned activities aimed at continual improvement,
Another easy one – clause 8.5.1 (continual improvement).
f) continuing operational control,
This is a difficult one as there is no direct translation of it. However, clause 8.1 (measurement, analysis and improvement – general) requires the organization to plan and implement the monitoring, measurement, analysis and improvement processes needed to demonstrate that both product and management system requirements are met, and that you continually improve the effectiveness of the QMS. You could also look at clause 8.2.3 (monitoring and measurement of processes) and clause 8.4 (analysis of data).
g) review of any changes, and
The most obvious clause is 5.4.2 (quality management system planning), specifically 5.4.2 b: “the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented”. You could also look at clause 4.2.2 (quality manual).
h) use of marks and/or any other reference to certification.
Many companies are not aware of the rules regarding this, and there are a lot of them. Your CB should have guidance notes for you to use to ensure you are using the certification logos correctly, and there is also official guidance available on the iso.org website – https://www.iso.org/iso/publicizing_iso9001_iso14001_certification_2010.pdf
It is worth noting that CBs will include more than the mandatory clauses stated above as part of their annual surveillance visits, and also that they may have a slightly different take on ISO 17021 clause 9.3.2.1. If you are in any doubt you can always ask your CB for clarification; after all, they are just one of your suppliers.
* Certification bodies that are formally accredited by a national accreditation body such as UKAS.