*ISO/IEC 17021:2011Presented to by

*ISO/IEC 17021Developed by ISO/CASCO Working Group 21

Co-convenersAlister Dalrymple, France-AFNOR AFAQ, a management system certification bodyRandy Dougherty, US-ANSI ANAB, an accreditation body for management system certification bodies

Note: CASCO is the Conformity Assessment Committee

*ISO/IEC 17021Intent of WG21 for 17021To replace Guides 62 and 66To be applicable to any management systemsTo incorporate IAF guidanceTo incorporate latest technologyTo be consistent with the common elements (WG23)Principles-based performance requirements (where possible)

*ISO/IEC 17021:2006ISO/IEC 17021:2006 Conformity assessmentRequirements for bodies providing audit and certification of management systems

Published 15 September 2006

*ISO/IEC 17021 Part 2To replace references to ISO 19011 guidelines with requirements applicable to any third party MS auditAudit processCB management of competence, including the competence of audit teamsTemplate for specific auditing requirements that can be applied to other ISO TCsTC 176 for ISO 9001, TC 207 for ISO 14001, TC 34 for ISO 22000, etc.

*Generic Requirements for 3rd Party Auditing & Management of Competence(based on 19011)QMS Specific Competence RequirementsFramework for Developing Specific Requirements for 3rd Party Auditing & Management of CompetenceIncluded in 17021 Part 2, developed by WG 21 with input from competent bodiesEMS Specific Competence RequirementsFSMS Specific Competence RequirementsISMS Specific Competence RequirementsxMS Specific Competence RequirementsDeveloped by a competent body using the 17021 Part 2 framework, in consultation with CASCO, and published as separate sector documentsQMS Competent Body, e.g. ISO/TC176EMS Competent Body, e.g. ISO/TC207FSMS Competent Body, e.g. ISO/TC34ISMS Competent Body e.g. ISO/TC178xMS Competent Body ISO/IEC 17021 Part 2

WG 21 meetings on Part 2:December 2006, February and June 2007: WD1October 2007: WD2January 2008: DC1 for five-month commentOctober 2008: CD2 comment ballot passedApril and June 2009: DIS1 ballot passedJune 2010: FDISFebruary 2011: Published as ISO/IEC 17021:2011*ISO/IEC 17021 Part 2

*ISO/IEC 17021:2011ISO/IEC 17021:2011 Conformity assessmentRequirements for bodies providing audit and certification of management systems

Published 1 February 2011

*ISO/IEC 17021:2011with part 2 new text integrated in existing standard and shown with a grey background, and

As decided by ISO/CASCO prior to the ballot, there will be a systematic review of entire document 12 months after publication*ISO/IEC 17021:2011

*ISO/IEC 17021:2011Contents1 Scope2 Normative references3 Terms and definitions4 Principles5 General requirements6 Structural requirements7 Resource requirements8 Information requirements9 Process requirements10 Management system requirements for CBs

*ISO/IEC 17021:2011ContentsAnnex A (normative) Required knowledge and skillsAnnex B (informative) Possible evaluation methodsAnnex C (informative) Example of a process flow for determining and maintaining competenceAnnex D (informative) Desired personal behaviorsAnnex E (informative) Third-party audit and certification processAnnex F (informative) Considerations for the audit programme, scope or planBibliography

ChangesDeleted all normative references to ISO 19011Section 2 Normative referencesreference and noteSection 77.2.5, 7.2.11Section 99.1.2, 9.1.3, 9.1.9, 9.1.10Section 1010.2.5

*

ChangesReplaced most normative references to ISO 19011 with specific requirements related to competence and third party certification audits*

ChangesSection 3 Terms and definitionsAdded 7 new definitions3.4 third party certification audit3.5 client3.6 auditor3.7 competence3.8 guide3.9 observer3.10 technical area*

ChangesSection 4 PrinciplesEdited 4.3 to delete one sentence that was no longer consistent with the new definition (3.7) of competence *

ChangesSection 7 Resource requirementsAdded 2 new requirements7.1.2 Determination of competence criteria with reference to normative Annex A7.1.3 Evaluation processes with reference to informative Annex BRevised 7.2.4Deleted applicable personal attributesAdded a note making reference desired personal behaviors in an informative Annex D *

ChangesSection 9 Process requirements9.1 General requirements9.2 Initial audit and certification9.3 Surveillance activities9.4 Recertification9.5 Special audits9.6 Suspending, withdrawing or reducing the scope of certification9.7 Appeals9.8 Complaints9.9 Records of applicants and clients

*

*Changes9.1 general requirements9.1.1 Audit programme9.1.2 Audit plan9.1.3 Audit team selection and assignments9.1.4 Determining audit time9.1.5 Multi-site sampling9.1.6 Communication of audit team tasks9.1.7 Communication concerning audit team members9.1.8 Communication of audit plan9.1.9 Conducting on-site audits9.1.10 Audit report9.1.11 Cause analysis of nonconformities9.1.12 Effectiveness of corrections and corrective actions9.1.13 Additional audits9.1.14 Certification decision9.1.15 Actions prior to making a decision

9.2 initial audit and certification

*Changes9.2 initial audit and certificationAdded 1 new requirement9.2.2.2 record of reasons for declining an application

An IAF Technical Committee task force to recommended the transition period of 24 months following publication, which was agreed by the IAF TC, IAF General Assembly, and IAF-ILAC-ISO Joint Working GroupJoint IAF-ISO CommuniquDeadline of 1 February 2013 for the transition *Transition

IAF ID2:2011Information on the Transition of Management System Accreditation to ISO/IEC 17021:2011 from ISO/IEC 17021:2006Published 1 February 2011

*Transition

*ISO/IEC 17021:2006 Transition Suspensions and Withdrawals Globally19 of 52 IAF member ABs suspended or withdrew accreditation of 68 CBsUKAS (12)RENAR (8)CAI (7)EMA (6)ENAC (5)ANAB, SINCERT, SAS (4 each)NAT, RVA (3 each)OAA, COFRAC, IPAC (2 each)CGRE/INMETRO, JAS-ANZ, BAS ESYD, INAB, LA (1 each)

IAAR-ANAB project to identify and agree on technical areas and how to apply them to QMS, EMS, and OHSMS to fulfill new ISO/IEC 17021 part 2 requirements on competencewww.anab.org*CB auditor competence

IAF Technical Committee task force to harmonize AB assessments of CBs for competence to ISO/IEC 17021:2011*AB assessment of CB competence

Joint program by RABQSA and IRCA based on ISO/IEC 17021:2011Plan to offer competence-based certification of auditors for specific technical areas. Tools to be made available to ABs and CBs*auditor competence

How to seek clarificationCASCO to ask a questionCASCO for an interpretationSean MacCurtain (maccurtain@iso.org)

IAF regarding the applicationNorbert Borzek (norbert.borzek@dakks.de)

*

*This is a train-the-trainer program developed by Randy Dougherty, one of the co-conveners of WG 21, which was reviewed and includes input by other members of WG21. This presentation is an overview of the standard and changes, as well as additional information about accreditation . Another presentation addresses the changes related to the audit process, and a third presentation addresses the changes related to competence.*When this project was initiated, the convener of WG21 was Lars Waldner of Swedac, appointed by the then chair of CASCO chair, John McDonald.

When Lars was unable to continue as convener, CASCO chair Mario Wittner appointed Dalrymple and Dougherty as co-conveners. This was the first time a CASCO WG had co-conveners. This has been a successful team effort lead by individuals working for CBs and ABs.

The standard was completed under the leadership of Mario Wittner as the CASCO chair. Graeme Drake, then Peter Dennehy, served as secretary of CASCO during the period of development of this standard when the Dalrymple and Dougherty were co-conveners.

Discussions about part 2 were initiated under Wittner and Drake, but concluded under the leadership of Olivier Peyrat as CASCO Chair and Sean MacCurtain as CASCO Secretary.*The original intent was to simply replace Guides 62 and 66 while also incorporating applicable IAF guidance. This was soon expanded to make it applicable to any MS standard. CB associations influenced the additional intent to incorporate latest technology, and to have principles-based requirements. WG21 developed 17021 during the same period that WG23 was developing the common elements, so work by WG21 influenced the work of WG23, and the work or WG23 influenced the work of WG 21, for the sections dealing with impartiality, complaints and appeals, confidentiality, and management systems.*The standard was published in September 2006 as ISO/IEC 17021:20XX entitled Conformity assessmentRequirements for bodies providing audit and certification of management systems*The primary goal is to replace in 17021 any reference to ISO 19011.

The secondary goal is to improve the understanding, and management, of competence.*This graphic was include in the NWIP for CASCO, and explains in graphic the scope of the NWIP. WG21 will be developing requirements generic to any management system----and not any requirements specific to specific management systems.

In other words, WG21 will not specify QMS o rEMS specific requirements.

However, it plans to develop a framework for others to add the specific requirements. The best current example is 22003, which adds specific requirements for food safety management systems under ISO 22000: for scoping, competence, audit duration and multi-site sampling.The development of part 2 was approved in September 2006, the same month that ISO/IEC 17021:2006 was published, and the entire process for developing part 2 took about 4.5 years.**The standard was published in 1 Febuary 2011 as ISO/IEC 17021:2011 with the same title, Conformity assessmentRequirements for bodies providing audit and certification of management systemsIt was published as a revision an expanded scope. The review and revision process was limited, though, to the scope of the NWIP. So it was limited to CB competence and replacing references to ISO 19011 with requirements specific to third party certification audits. So the document with show the new text and also show any deleted text.*It was decided that all other comments received about other requirements in the 2006 first edition will be held over and considered during the systematic review, which will begin in early 2012. So far Dalrymple and Dougherty have agreed to stay on as co-conveners of WG21 for the systematic review.**There were no changes to the 10 sections of the standard. However, of the 10 sections, 6 sections had changes. Some, such as Sections 2, 4 and 10, simply has some deletions. So the three sections with significant changes were Section 3 in which definitions had to be added, Section 7 of course to address competence requirements, and Section 9 for the audit processes adding detail that in the past was by reference to ISO 19011.*The new standard has 6 annexes: one normative and five informative.

The one normative annex and 3 of the 5 informative annexes (A, B, C, and D) all relate to the competence and performance of CB personnel.

The other 2 informative annexes, E and F) related to the audit and certification processes.There is one remaining reference to ISO 19011, in addition to the Bibliography, which is the note to 10.3.6.1, the requirement for the CB to conduct internal audits, but being in a note it is not a normative reference.**Many of the new definitions were necessary because we deleted reference to ISO 19011. However, we also had to define a third party certification audit because some members of ISO/TC176 (which is responsible for revising ISO 19011) feel that there are other kinds of third party audits.We also decided on a different definition of competence, deleting the word demonstrated from the definition. Competence still has to be demonstrated , but this is state in requirements in section 7.We also defined technical area and further elaborated with specific examples as notes in section 7.**There are only two new clauses added to Section 7 and a very slight revision to another clause, but the changes are quite significant. It takes our industry a few steps further down the road toward competence and away from qualifications.We are now focused on knowledge and skills, having remove personal attributes from the definition.The new requirements are process focused: determine and document competence criteria then evaluate personnel for conformance to the documented criteria. *Considering that ISO 19011 was focused on QMS and EMS management system audits, it makes sense that most of the changes are in Section 9, the audit and certification process requirements of the standard. And nearly all of the changes are an expansion of the general requirements in 9.1. There is only one slight change to the initial audit and certification process.**This is a list of the 15 general requirements of section 9.1 of ISO/IEC 17021:2006 except that each clause now has a title. With the exception of the title, the subject is the same. However, there are significant additions for each of the clauses shown in color to add in additional requirements based on what was in ISO 19011. And of these, 9.1.9 has been expanded the most. The other clauses have no changes or very minor changes.9.1.1 1 new requirement9.1.26 new requirements9.1.34 new requirements9.1.41 new requirement9.1.916 new requirements9.1.101 new requirement-content of report9.1.111 new requirement-records of verification of effectiveness

*

As most of you may note, the length of the transition period, 24 months, is the same as we had when we first published ISO/IEC 17021:2006.Many CBs are already close to conformance with this revision. But we expect that some CBs (and perhaps some ABs) will struggle to truly understand competence as compared to qualifications. NOTE THAT THE DEADLINE FOR CONFORMANCE IS 24 MONTHS AFTER PUBLICATION.*Roger Bennett who lead the IAF TC TF that developed the IAF guidance on the transition to the 2006 standard also lead the TF that has developed the informative document on the transition to the 2011 standard.The document is informative which means CBs and ABs are not required to follow it.

*Many have asked if ISO/IEC 17021:2006 made any difference. These were results of the transition to the 2006 standard, as reported to IAF in October 2008. You can see that not all CBs made the transition.

What about the transition from ISO/IEC 17021:2006 to ISO/IEC 17021:2011? Will it make a difference?

Many certification bodies will need to re-visit their report formats and include more free text areas where the auditor indicates how audit objectives were evaluated and confirmed.

Auditors will require further training in the process approach to auditing (even after all this time), but better audit plans should help.

Auditors will be expected to understand the client processes better in order to effectively audit the system to ensure it meets/delivers against customer/contractual requirements, regulatory and statutory requirements.

Audit reports should indicate/justify why the audit team are confident to recommend certification,

Accreditation bodies will need to review and challenge audit reports more critically to ascertain if the information confirms all the audit objectives were met and sufficient information is available an informed decision.

Accreditation bodies will need to witness more critically to confirm the audit evaluates effectiveness.This said, we do not anticipate similar drop out due to the 2011 standard.

*Recognizing that identification of technical areas will be one of the more significant challenges, ANAB is working with the IAAR to document key processes related to the products or services identified for the NACE 2 revision of codes, then to document the significant environmental aspects and impacts associated with those processes, and the worker health and safety risks.Our plan it is to make this compendium of information publicly available. *Trevor Nash is leading an IAF TC TF to develop an IAF document on how ABs assess CBs to the competence requirements of the 2011 standard. The goal is to have consistent application by all ABs.*RABQSA and IRCA are working together to try to develop processes and services related to auditor competence. Their plans included evaluating competence for specific technical areas.Their processes and services will lead to a competence based auditor certification program, but they are planning to make some of the processes available to CBs (and ABs) that may help the CBs and ABs manage competence without necessarily having their auditor s and assessors certified.*Questions will arise about a requirement in the standard. Even though the standard was written to be unambiguous, on occasion two individuals will have a different understanding of what is stated, or sometimes upon translation into other languages the requirement may not be as clear. So how do you obtain clarification?The first step would be to contact the CASCO Secretary, probably by email. If Sean cannot answer the question directly, he will send it to the co-conveners, Alister and Randy. Although the response to a question will not be official, it will come from knowledgeable sources.If there is a question about what the words actually mean, there may be a need for an interpretation. CASCO has a documented process for making interpretations. This process takes about 3 months. Note, however, that the interpretations have no legal status in that no party is obliged to accept or use an interpretation until a standard is revised to take on such wording.If the question is about how the requirement is to be applied by a CB, the question can be put to the IAF Technical Committee for its decision. This is be means of a discussion paper to the IAF TC. This can be initiated by contacting the IAF TC Chair, Norbert Borzek of Dakks, who will send a form to be completed to initiate a discussion paper. Discussion papers are considered twice a year.*