SADCASF40(a)

SADCASRef.No:

CHECKLISTISO/IEC17021:2011
ConformityAssessmentRequirementsforBodiesProvidingAudit
andCertificationofManagementSystems

Date(s)ofEvaluation:

Assessor(s)&Observer(s):

Organization:

Area/FieldofOperation:

OrganizationsRepresentative:

Thereportcoversthefollowing:
DocumentReviewonly

5
5.1
5.1.1

Implementationon
SiteVisitonly

ISO/IEC17021REQUIREMENTS

Generalrequirements
Legalandcontractualmatters

DocumentReviewand
SiteVisit

CBS
REFERENCES

Assessmentof
CompanyFiles

COMMENTBYASSESSOR

Legalresponsibility

Legal entity or a defined part of a legal

entitycanbeheldlegallyresponsible.(Pty)
Ltd,CCorother?
Verify registration with Registers of
Companies
GovernmentalCBisalegalentitybasedon
its
governmental
status.
Identity
department.

5.1.2 Certificationagreement

Legally enforceable agreement (contract)

for provision of certification activities to
customer?

AremultipleofficesofaCBormultiplesites
of a certified customer covered by the
agreement?

Areallthesitescoveredbythescopeofthe
certification?

5.1.3

Responsibilityforcertificationdecisions
DoesCBretainauthorityandresponsibility
for its decisions relating to certification?
e.g. granting, maintaining, renewing,
extending, reducing, suspending and
withdrawing.

IssueNo:1

Page1of41

Date:20130118

SADCASF40(a)

5.2
5.2.1

ISO/IEC17021REQUIREMENTS

Managementofimpartiality

CBS
REFERENCES

COMMENTBYASSESSOR

Is CB top management commitment to

impartiality?
Isthereapubliclyaccessiblestatement?
Doesitcover:

Importanceofimpartiality

Conflictofinterestand

Objectivityofitsmanagementsystem
certificationactivities?

5.2.2

Areconflictofinterestsidentified,nalyzed
anddocumentedandmanagedthrough
thesystem?

Are relationships posing a threat to

impartialitydocumented?

How does the CB demonstrate that it

eliminatesorminimizessuchthreats?

Information made available to the

impartialityCommittee?(see6.2)
Note: A relationship that threatens the impartiality
of the CB can be based on ownership, governance,
management,personnel,sharedresources,finances,
contracts, marketing and payment of a sales
commission or other inducement for the referral of
newclients,etc.

5.2.3

Not
offering
certification
when
relationships that threaten impartiality
cannotbeeliminatedorminimized.
SeeNote5.2.2

5.2.4 Does the CB certify another CB for its

management
system
certification
activities?
SeeNote5.2.2

5.2.5

Does the CB and any part of the same

legal entity offer or provide management
systemconsultancy?

This applies also to that part of

governmentidentifiedastheCB.
SeeNote5.2.2

5.2.6

DoestheCBprovideinternalauditstoits

certifiedcustomers?
DoestheCBcertifyamanagementsystem
onwhichitprovidedinternalauditswithin
2 years following the end of the internal
audits?
This applies also to that part of
governmentidentifiedasCB.
SeeNote5.2.2

5.2.7

Does the CB certify a customer when the

CBs relationship with a management
system consultancy or internal audits,
poses an unacceptable threat to the
impartialityoftheCB?SeeNotes.

IssueNo:1

Page2of41

Date:20130118

SADCASF40(a)

5.2.8

5.2.9

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Does the CB outsource audits to a
management
system
consultancy
organization? (Unacceptable threat to
impartiality.See7.5).
This clause does not apply to individuals
contractedasauditorscoveredin7.3
Are the CBs activities marketed or linked
withmanagementsystemconsultancy?
CB takes action to correct inappropriate
claimsbyanyconsultancyorganization?
Are there any implications by CB that
certification would be simpler, easier,
faster or less expensive if a specified
consultancyorganizationisused?

5.2.10 Does CB ensure no conflict of interest of

personnel?
2 Years rule applied, how effective is the
process?

5.2.11

COMMENTBYASSESSOR

Is action taken to respond to any threats

to CBs impartiality arising from the
actions of other persons, bodies or
organizations?

5.2.12DoesallCBpersonnel,internal,externalor
committees act impartially and does the
CB allow commercial, financial or other
pressuretocompromiseimpartiality?

5.2.13DoestheCBrequireallpersonneltoreveal
anyconflictofinterestsituations?

Information used as input to identifying

threatstoimpartiality?

5.3LiabilityandFinancing

5.3.1 Is the CB able to demonstrate that it has

evaluated risks arising from its certification
activities and that it has adequate
arrangements (e.g. insurance or reserves) to
cover liabilities arising from its operations in
each of its field of activities and the
geographicareasinwhichitoperates?

5.3.2DoestheCBevaluateitsfinancesandsources
ofincomeanddemonstratetothecommittee
specified in 6.2 that initially and on an on
going basis, commercial, financial or other
pressuresdonotcompromiseitsimpartiality?

IssueNo:1

Page3of41

Date:20130118

SADCASF40(a)

6.
6.1
6.1.1

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Structuralrequirements

Organizationalstructureandtop
management
Organizational structure documented
including duties, responsibilities and
authoritiesforpersonnelandcommittees;
andrelationshipstootherpartswithinthe
samelegalentity?

6.1.2

DoestheCBidentifythetopmanagement
(board, group of persons, or person)
havingoverallauthorityandresponsibility
foreachofthefollowing:
a) development of policies relating to the
operationofthebody?
b) supervision of the implementation of
policiesandprocedures?
c) supervisionofthefinancesofthebody?
d) development of management system
certificationservicesandschemes?
e) performance of audits and certification
andresponsivenesstocomplaints?
f) decisionsoncertification?
g) delegationofauthoritytocommitteesor
individuals,asrequired,toundertake
definedactivitiesonitsbehalf?
h) contractualarrangements?
i)providingadequateresourcesfor
certificationactivities?

COMMENTBYASSESSOR

6.1.3 Formal rules for the appointment, terms

of reference and operation of any
committees involved in the certification
activities?

6.2
Committeeforsafeguardingimpartiality

6.2.1

DoesthestructureoftheCBsafeguardthe
impartialityoftheactivitiesoftheCBand
doesitprovideforacommitteeto:
a)assistindevelopingthepoliciesrelatingto
impartialityofitscertificationactivities?
b) counteract any tendency on the part of a
CB to allow commercial or other
considerations to present the consistent
objective provision of certification
activities?
c) advise on matters affecting confidence
includingopennessandpublicperception?
d) conduct an annual review of the
impartiality of the audit, certification and
decisionmakingprocessesoftheCB?

IssueNo:1

Page4of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
6.2.2
Is the composition, terms of reference,
duties, authorities, competence of
members and responsibilities of this
committee formally documented and
authorized by top management of the CB
toensure:
a) representationofabalanceofinterests?
b) access to all the information (see also
5.2.2&5.3.2)
c) the right to take independent action,
where the top management of the CB
does not respect the advice of the
committee (e.g. informing authorities,
ABs,stakeholders)?
Isconfidentialitymaintainedwhentaking
independentactions?See8.5
6.2.3

7
7.1
7.1.1

7.1.2

COMMENTBYASSESSOR

Arekeyinterestsidentifiedandinvitedto
thiscommittee?

Resourcerequirements
Competenceofmanagementand
personnel

Does a CB have a process to ensure that

personnel have appropriate knowledge
relevant to the types of management
systemsandgeographicalareasinwhichit
operates?
Iscompetencerequiredforeachtechnical
area and for each function in the
certification activity determined for each
technicalarea?
Is the means for the demonstration of
competencedetermined?

Are competence requirements deter

mined for all CB personnel and is this as
per documented process? Is the
documentedprocessasperAnnexureAor
aspercertificationscheme?

7.1.3 Evaluationprocesses
DoestheCBhavedocumentedprocesses
fortheinitialcompetenceevaluationand
ongoingmonitoringofcompetenceand
performanceofallpersonnelinvolvedin
themanagementandperformanceof
auditsandcertification?
Arethesemethodseffective?

IssueNo:1

Page5of41

Date:20130118

SADCASF40(a)

CBS
ISO/IEC17021REQUIREMENTS
REFERENCES

7.1.4 Otherconsiderations

7.1.4.1 Does the CB address the functions

undertaken by management and
administrative
personnel
while
determining
the
competence
requirements?

7.1.4.2 Does the CB have access to the necessary

technical expertise for technical areas,
types of management system and
geographicareasinwhichitoperates?

COMMENTBYASSESSOR

7.2

Personnelinvolvedinthecertification
activities

7.2.1

Does the CB as part of its own

organization have personnel with
sufficient competence for managing the
type and range of audit programmes and
othercertificationworkperformed?

Does the CB employ or have access to a

sufficient number of auditors including
audit team leaders and technical experts
tocoverallactivitiesandvolumeofwork?

7.2.2

7.2.3 Does the CB make clear to each person

concerned duties, responsibilities and
authorities?

7.2.4 DoestheCBhavedefinedprocessesfor:

Selecting

Training

Formallyauthorizingauditorsand

Selectingtechnicalexperts?

Doestheinitialcompetenceevaluationof
an auditor include the ability to apply
required knowledge and skill during
audits, as determined by a competent
evaluator observing (witnessing) the
auditorconductinganaudit?

7.2.5 DoestheCBhaveaprocesstoachieveand
demonstrate effective auditing, including
theuseofauditorsandauditteamleaders
possessing generic auditing skills and
knowledgeaswellasskillsandknowledge
appropriate for auditing in specific
technicalareas?

IssueNo:1

Page6of41

Date:20130118

SADCASF40(a)

7.2.6

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Does the CB define the knowledge and
skills for specific certification functions as
perAnnexureAofISO/IEC17021:2011?
Are auditors and technical experts
knowledgeable of the CBs audit
processes, certification scheme and its
requirements and other relevant
requirements?
Does the CB give auditors and technical
experts access to an uptodate set of
documented procedures giving audit
instructions and all relevant information
onthecertificationactivities?

COMMENTBYASSESSOR

7.2.7 Are auditors and technical experts used in

these activities where they have
demonstratedcompetence?
SeeNote9.1.3

7.2.8 Aretrainingneedsidentifiedforfunctions
performed?

Wherethereisneed,istrainingofferedor
provided?

7.2.9

Are person(s) taking the certification

decisionsknowledgeableonthe:

applicablestandard;

certificationrequirements;

have demonstrated competence to

evaluate the audit processes; and
related recommendations of the
auditteam?

7.2.10 Does documented proceduresand criteria

for monitoring and measurement of
performanceofallpersonnelexist?

Competence reviewed to identify training

needs?

7.2.11 Do procedures include a combination of

onsite observation, review of audit
reports and feedback from customers or
fromthemarket?

7.2.12 Does the CB periodically observe the

performanceofeachauditoronsite?

Is the frequency of onsite observations

based on need determined from all
monitoringinformationavailable?

IssueNo:1

Page7of41

Date:20130118

SADCASF40(a)

7.3

ISO/IEC17021REQUIREMENTS

Useofindividualexternalauditorsand
externaltechnicalexperts

CBS
REFERENCES

COMMENTBYASSESSOR

DoesaCBhaveawrittenagreementwith
external auditors and external technical
experts in place by which they commit
themselves to comply with applicable
policiesandproceduresasdefined?
Does the agreement address all relevant
aspects?

7.4

Personnelrecords

7.4

DoestheCBmaintainuptodate
personnelrecordsincluding:

Relevantqualifications;

Training;

Experience;

Affiliations;

Professionalstatus;

Competence;and

Anyrelevantconsultancyservices?
Doesthisincludemanagementand
administrativepersonnelinadditionto
thoseperformingcertificationactivities?

Personnelrecords(cont.)

7.5

Outsourcing

Does the CB have a process in which it

describes the conditions under which
outsourcingmaytakeplace?

Legally enforceable agreement with each

bodythatprovidesoutsourcedservices?
SeeNotes

7.5.2 Is the CB outsourcing certification

decisions?

7.5.3 DoestheCB:

a) take responsibilities for all activities

outsourced?
b) ensure that the body that provides
outsourcesactivities:
conformstotheCBsrequirements
conformstotheapplicableprovisions
of this international standard
including competence, impartiality
andconfidentiality?
c) ensure that the outsourced services are
not involved in any way that impartiality
couldbecompromised?

7.5.1

IssueNo:1

Page8of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
7.5.4 Documented procedures for the
qualification and monitoring of all
outsourced services used for certification
activities?

Records of the competence of auditors

andtechnicalexpertsmaintained?

8
Informationrequirements

8.1
Publiclyaccessibleinformation
8.1.1

COMMENTBYASSESSOR

Does the CB maintains and make publicly

accessible or provide upon request
informationdescribingitsauditprocesses,
certification processes and about the
certification
activities,
types
of
management systems and geographical
areasinwhichitoperates?
Is the information provided by the CB to
anyclientortothemarketplaceincluding
advertisingaccurateandnotmisleading?

8.1.3 Does the CB make publicly accessible

information about certifications granted,
suspendedorwithdrawn?

8.1.4 Does the CB on request from any party

providemeanstoconfirmthevalidityofa
givencertification:
SeeNotes

8.2
Certificationdocuments

8.2.1

8.1.2

Does the CB provide certification

documents to the certified client by any
meansitchooses?

8.2.2 Is the effective date on a certification

document the date before the
certificationdecision?

8.2.3 Doesthecertificationdocument(s)

identifythefollowing:
a)thenameandgeographiclocationofeach
client and any sites within the scope of a
multisitecertification?
b) the dates of granting, extending or
renewingcertification?
c)theexpirydateorrecertificationduedate
consistentwiththerecertificationcycle?
d)auniqueidentificationcode?
e) the standard and/or other normative
document including issue number and/or
revisionusedforthecertifiedcustomer?

IssueNo:1

Page9of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
8.2.3
cont.

f) the scope of certification with respect to

product (including service), process, etc,
asapplicableateachsite?
g) the name, address and certification mark
of the CB; other marks (e.g. accreditation
symbol)?
h) any other information required by the
standard and/or other normative
documentusedforcertification?
i) in the event of issuing any revised
certification documents, a means to
distinguish the revised documents from
anypriorobsoletedocuments?

8.3
Directoryofcertifiedcustomers

Does the CB maintain and make publicly

accessibleorprovideuponrequest,byany
means it chooses, a directory of valid
certifications? See 8.3 for directory
detail.

Referencetocertificationanduseof
marks

8.4.1 Does the CB have a policy governing any

markthatitauthorizescertifiedcustomers
to use? See 8.4.1 and ISO/IEC 17030 for
detail.

Isthemarkusedonaproductorproduct
packagingseenbytheconsumer?

8.4.2 DoestheCBpermititsmarktobeapplied
to laboratory test, calibration or
inspectionreports?

8.4.3 Does the CB require that the client

organization:
a) conforms to the requirements of the CB
whenmakingreferencetoitscertification
statusincommunicationmedia?
b) does not make or permit any misleading
statementregardingitscertification?
c) does not use or permit the use of a
certificationdocumentoranypartthereof
inamisleadingmanner?
d) upon suspension or withdrawal of its
certification discontinues its use of all
advertising matter that contains a
reference to certification, as directed by
theCB?(See9.6.3and9.6.6)
e) amends all advertising matter when the
scopeofcertificationhasbeenreduced?

8.4

IssueNo:1

COMMENTBYASSESSOR

Page10of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

cont..

CBS
REFERENCES

8.4.3

f) does not allow reference to its

management system certification to be
used to imply that the CB certifies a
product(includingservice)orprocess?
g) does not imply that the certification
applies to activities that are outside the
scopeofcertification?and
h) does not use its certification in such a
manner that would bring the CB and/or
certification system into disrepute and
losepublictrust?

8.4.4 Does the CB exercise proper control of

ownership and take action to deal with
incorrectreferencestocertificationstatus
ormisleadinguseofcertificationmarksor
auditreports?
SeeNote

8.5

Confidentiality

8.5.1/8.5.5

Does the CB through legally enforceable

agreements have a policy and
arrangements
to
safeguard
the
confidentiality of the information at all
levels of its structure, including
committees and external bodies or
individualsactingonitsbehalf?

8.5.2 Client informed by the CB of the

confidential information it intends to
placeinthepublicdomain?

8.5.3 Except as required in this international

standard,isinformationaboutaparticular
client or individual disclosed to a third
party without the written consent of the
clientorindividualconcerned?

WheretheCBisrequiredbylawtorelease
confidentialinformationtoathirdparty,is
the customer or individual concerned,
unless regulated by law, notified in
advanceoftheinformationprovided?

8.5.4 Isinformationabouttheclienttreatedas
confidential,consistentwiththeCBs
policy?

IssueNo:1

COMMENTBYASSESSOR

Page11of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
8.5.5 DoallpersonnelactingontheCBsbehalf
keepconfidentialallinformationobtained
or created during the performance of the
CBsactivities?

8.5.6 Does the CB have available and use

equipment and facilities that ensure the
secure
handling
of
confidential
information(e.g.documents,records)?

8.5.7 When confidential information is made

available to other bodies (e.g. AB,
agreement group of a peer assessment
scheme) does the CB inform its client of
thisaction?

8.6
InformationexchangebetweenaCBand
itscustomers
8.6.1

a)

b)
c)

d)

Informationonthecertificationactivity
andrequirements

COMMENTBYASSESSOR

DoestheCBprovideandupdateclientson
thefollowing:
a detailed description of the initial and
continuing certification activity including
the application, initial audits, surveillance
audits and the process for granting,
maintaining,
reducing,
extending,
suspending, withdrawing certification and
recertification?
The normative requirements for
certification?
Informationaboutthefeesforapplication,
initial certification and continuing
certification?
TheCBsrequirementsfortheprospective
customer:
1 To
comply
with
certification
requirements?
2 To make all necessary arrangements
fortheconductoftheauditsincluding
provision
for
examining
documentation and the access to all
processes and areas, records and
personnel for the purposes of initial
certification,
surveillance,
re
certification and resolution of
complaints,and?
3 To make provisions where applicable
to accommodate the presence of
observers (e.g. accreditation auditors
ortraineeauditors)?

IssueNo:1

Page12of41

Date:20130118

SADCASF40(a)

e)

f)
8.6.2

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Documents describing the rights and
duties of certified clients including
requirements when making reference to
its certification in communication of any
kindinlinewiththerequirementsin8.4?
Information on procedures for handling
complaintsandappeals?
NoticeofchangesbyaCB

Does the CB give its certified clients due

noticeofanychangestoitsrequirements
forcertification?
Does the CB verify that each certified
client complies with the new
requirements?

COMMENTBYASSESSOR

SeeNote
8.6.3

Noticeofchangesbyaclient
Legallyenforceablearrangementsto
ensurethatthecertifiedcustomerinforms
theCBofmattersthatmayaffectthe
managementsystemsabilitytocontinue
tofulfilltherequirementsofthestandard
usedforcertification?
Seeexamplesa)toe)inthestandard

9.1.1
Auditprogramme

9.1.1.1 Is the audit programme for the full

certification cycle developed and does it
clearly identify the audit activity(ies)
required for certification to the selected
standard(s)
or
other
normative
documents?

9
9.1

Processrequirements
Generalrequirements

9.1.1.2 Doestheauditprogrammeincludeatwo
stage initial audit, surveillance audits in
the1stand2ndyearsandarecertification
auditinthe3rdyearpriortoexpirationof
certification? (The 3year certification
cycle begins with the certification or re
certificationdecision).

9.1.1.3 Where a CB is taking account of

certification or other audits already
granted to the customer, does it collect
sufficient, verifiable information to justify
and record any adjustments to the audit
programme?
9.1.2Auditplan

9.1.2.1General
Isanauditplanestablishedforeachaudit
to provide the basis for agreement
regarding the conduct and scheduling of
theauditactivities?

IssueNo:1

Page13of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Is the audit plan based on documented
requirementsofthecertificationbody?

COMMENTBYASSESSOR

9.1.2.2 Determining audit objectives, scope and

criteria

9.1.2.2.1 Does the CB determine the audit

objectives?
Is the audit scope and criteria including
changes established by the CB after
discussionswiththeclient?

9.1.2.2.2 Are audit objectives describe what is to be

accomplished by the audit and does it
includethefollowing:

a) determination of the conformity of the

clientsmanagementsystem,orpartsofit,
withtheauditcriteria

b) evaluation of the ability of the

management system to ensure the client
organization meets applicable statutory,
regulatoryandcontractualrequirements
SeeNote

c) evaluation of the effectiveness of the

management system to ensure the client
organization is continually meeting its
specifiedobjectives
d) as applicable, identification of areas of
potentialimprovementofthemanagement
system

9.1.2.2.3 Does the audit scope describe the extent

and boundaries of the audit? Where the
initialorrecertificationprocessconsistsof
more than one audit, are total audits
consistent with the scope in the
certification?

9.1.2.2.4Is the audit criteria used as a reference

againstwhichconformityisdeterminedand
doesitinclude:

The requirements of a defined normative

documentonmanagementsystems

The defined processes and documentation

of the management system developed by
theclient

9.1.2.3 Preparingtheauditplan
Is the audit plan appropriate to the
objectivesandthescopeoftheauditand

IssueNo:1

Page14of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.2.3 Preparingtheauditplan(cont.)

Does it at least include or refer to the

following:
a) Theauditobjectives
b) Theauditcriteria
c) The audit scope including identification of
the organizational and functional units or
processestobeaudited
d) Thedatesandsiteswheretheonsiteaudit
activities are to be conducted including
visitstotemporarysites,asappropriate
e) The expected time and duration of onsite
auditactivities
f) The roles and responsibilities of the audit
teammembersandaccompanyingpersons

SeeNotes1and2

9.1.3 Auditteamselectionandassignments

9.1.3.1 Process in place for selecting and

appointing the audit team taking into
accountthecompetenceneededtoachieve
theobjectivesoftheaudit?

Where there is only one auditor, is the

auditorcompetenttoperform?

9.1.3.2 Indecidingthesizeandcompositionofthe
auditteamwasthefollowingconsidered:

a) audit objectives, scope, criteria and

estimatedtimeoftheaudit
b)whethertheauditisacombined,integrated
orjointaudit
c) the overall competence of the audit team
needed to achieve the objectives of the
audit
d) certification requirements (including any
applicable statutory, regulatory or
contractualrequirements?
e)Languageandculture
f) Whether the members of the audit team
have previously audited the clients
managementsystem.

9.1.3.3Wherethenecessaryknowledgeandskillof
the audit team leader and auditors was
supplemented by technical experts,
translators and interpreters, were they
selected such that they do not unduly
influencetheaudit?

IssueNo:1

COMMENTBYASSESSOR

Page15of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.3.4 Where auditorsintraining are included in
the audit team as participants, was an
evaluatorappointed?

Wastheevaluatorcompetenttotakeover
thedutiesandhavefinalresponsibilityfor
theactivitiesandfindingsoftheauditorin
training?

COMMENTBYASSESSOR

9.1.3.5Doestheauditteamleader,inconsultation
with the audit team assign to each team
member responsibility for specific
processes, functions, sites, areas or
activities and are such assignments taking
intoaccounttheneedforcompetence?

Were changes to assignments made to

ensure achievement of the audit
objectives?

9.1.4 Determiningaudittime

9.1.4.1 Does the CB have documented procedures

fordeterminingaudittimeneedtoplanand
accomplishacompleteandeffectiveaudit?

Does the procedure include or make

referencetotherelevantannexesintheIAF
GD2andGD6documents?

Indeterminingtheaudittime,doestheCB
consider among other things the following
aspects:

a) The requirements of the management

systemstandard?
b) Sizeandcomplexity?
c) Technologicalandregulatorycontext?
d)Anyoutsourcing?
e)Theresultsofanyprioraudits?
f)Numberofsitesandmultisite
considerations?
g) The risks associated with the product,
processesoractivitiesoftheorganization?
h) When audits are combined, joint or
integrated?
i) Specific criteria for specific certification
schemewhereestablished?

9.1.4.2 Does the CB include time spent by any

team member that is not assigned as an
auditor?

IssueNo:1

Page16of41

Date:20130118

SADCASF40(a)

9.1.5

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Multisitesampling

Where multisite sampling is utilized, did

the CB develop an adequate sampling
programme to ensure proper audit of the
managementsystem?
Is the rationale for the sampling plan
documented?(IAFguidanceapplies)

COMMENTBYASSESSOR

9.1.6 Communicationofauditteamtasks

Are the tasks given to the audit team

defined and make known to the client?
Doestheauditteam:

a) Examine and verify the structure, policies,

processes, procedures, recordsand related
documents of the customer organization
relevanttothemanagementsystem?
b) Determine that these meet all the
requirements relevant to the intended
scopeofcertification?
c) Determine that the processes and
procedures are established, implemented
and maintained effectively, to provide a
basis for confidence in the client
managementsystem?and
d) Communicate to the customer, for its
action, any inconsistencies between the
customers policy, objectives and targets
andtheresults?

9.1.7 Communication concerning audit team

members

Does the CB provide the name and, when

requested, make available background
information of each member of the audit
team with sufficient time for the client
organization to object to the appointment
ofanyparticularauditorortechnicalexpert
and for the CB to reconstitute the team in
responsetoanyvalidobjection?

9.1.8

Communicationofauditplan

Is the audit plan communicated and the

datesoftheauditagreedupon,inadvance,
withtheclientorganization?

9.1.9 Conductingonsiteaudits
9.1.9.1 General

DoestheCBhaveaprocessforconducting

IssueNo:1

Page17of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.9.1 General(cont.)

Onsiteaudits?
Does the process include opening meeting
atthestartoftheauditandclosingmeeting
attheconclusionoftheaudit?

9.1.9.2 Conductingtheopeningmeeting
Doestheauditteamhaveaformalopening
meetingwiththeclientsmanagementand
those responsible for the functions or
processestobeaudited?
Are the opening meeting conducted by the
Leadauditor?
Are audit activities explained including the
following:

a) Introduction of the participants including

anoutlineoftheirroles
b) Confirmationofthescopeofcertification
c) Confirmation of the audit plan (including
type and scope of audit, objectives and
criteria), any changes and other relevant
arrangements with the client such as the
date and time for the closing meeting,
interim meetings between the audit team
andclientsmanagement
d) Confirmation of formal communication
channels between the audit team and the
client
e) Confirmation that the resources and
facilitiesneededbyauditteamareavailable
f) Confirmation of matters relating to
confidentiality
g) Confirmation of relevant work safety,
emergencyandsecurityproceduresforthe
auditteam
h) Confirmation of the availability, roles and
identitiesofanyguidesandobservers
i) The method of reporting including any
gradingofauditfindings
j) Information about the conditions under
which the audit may be prematurely
terminated
k) Confirmation that the audit team leader
and audit team representing the CB is
responsible for the audit and shall be in
control of executing the audit plan
includingauditactivitiesandaudittrails

IssueNo:1

Page18of41

COMMENTBYASSESSOR

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.9.2(cont.)

l)confirmationofthestatusoffindingsofthe
previousrevieworaudit,ifapplicable
m) methods and procedures to be used to
conducttheauditbasedonsampling
n) confirmation of the language to be used
duringtheaudit
o confirmation that during the audit the
client will be kept informed of audit
progressandanyconcerns
p)opportunityfortheclienttoaskquestions

9.1.9.3 Communicationduringtheaudit

9.1.9.3.1 During the audit does the audit team

periodically assess audit progress and
exchange information and does the team
leader reassign work as needed between
the audit team members and periodically
communicatetheprogressoftheauditand
anyconcernstotheclient?

9.1.9.3.2 Does the audit team leader report to the

client and where possible to the CB
presence of an immediate and significant
risk(e.g.safety)?

Istheoutcomeoftheactiontakenreported
totheCB?

9.1.9.3.3 Doestheteamleaderreviewwiththeclient
any need for changes to the audit scope
which becomes apparent as onsite
auditing activities progress and report this
totheCB?

9.1.9.4 ObserversandGuides

COMMENTBYASSESSOR

9.1.9.4.1Observers

Prior to the conduct of the audit does the

client agree to the presence and
justification of observers during an audit
activity?

9.1.9.4.2Guides

Doeseachauditoraccompaniedbyaguide,
unless otherwise agreed to by the audit
teamleaderandtheclient?

Doestheauditteamensurethatguidesdo
not influence or interfere in the audit
processoroutcomeoftheaudit?

SeeNote

IssueNo:1

Page19of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES

9.1.9.5 Collectingandverifyinginformation

9.1.9.5.1 Is information relevant to the audit

objective, scope and criteria collected by
appropriate sampling and verified to
becomeauditevidence?

9.1.9.5.2 Are methods to collect information

included?
a)interviews
b)observationofprocessesandactivities
c)reviewofdocumentationandrecords

9.1.9.6 Identifyingandrecordingauditfindings

9.1.9.6.1 Are audit findings summarizing conformity

anddetailingnonconformityauditsandits
supporting evidence recorded and
reported?

9.1.9.6.2 Where opportunities for improvement are

not prohibited by the requirements of a
management system scheme, are they
identifiedandrecorded?

9.1.9.6.3 Is a finding of nonconformity recorded

against a specific requirement of the audit
criteria and does it contain a clear
statement of the nonconformity and
identify in detail the objective evidence on
whichthenonconformityisbased?

Are nonconformities discussed with the

client to ensure that the evidence is
accurateandthatthenonconformitiesare
understood?

9.1.9.6.4 Does the audit team leader attempt to

resolveanydivergingopinionsbetweenthe
audit team and the client concerning audit
evidence on findings and are unresolved
pointsrecorded?

9.1.9.7 Preparingauditconclusions

Priortotheclosingmeetingdoestheaudit
team:

a)

review the audit findings and any other

appropriate information collected during
theauditagainsttheauditobjectives
agree upon the audit conclusions taking
intoaccounttheuncertaintyinherentinthe
auditprocess

COMMENTBYASSESSOR

b)

IssueNo:1

Page20of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.9.7 (cont.)

c) identifyanynecessaryfollowupactions
d) confirm the appropriateness of the audit
programme or identify any modification
required (e.g. scope, audit time or dates,
surveillancefrequency,competence)

9.1.9.8 Conducttheclosingmeeting

9.1.9.8.1 Does the team hold a formal closing

meeting with management and are non
conformities presented in such a manner
that they are understood, and are
timeframesforrespondingagreed?

Isattendancerecorded?

9.1.9.8.2 Does the closing meeting include the

following:
a) advising the client that the audit evidence
collected was based on sample of the
information; thereby introducing an
elementofuncertainty
b) the method and timeframe of reporting
includinganygradingofauditfindings
c) thecertificationbodysprocessforhandling
nonconformities
including
any
consequences relating to the status of the
clientscertification
d) the timeframe for the client to present a
planforcorrectionandcorrectiveactionfor
any nonconformities identified during the
audit
e) theCBspostauditactivities
f) information about the complaint handling
andappealprocesses

9.1.9.8.3 Is the client given opportunity for

questions?

Are diverging opinions regarding the audit

findings or conclusions discussed, resolved
wherepossible?

Areunresolveddivergingopinionsrecorded
andreferredtotheCB?

9.1.10 Auditreport

9.1.10.1 Does the CB provide a written report for

each audit and is ownership of the report
maintainedbytheCB?

If the audit team identifies opportunities

for improvement, do they recommend
specificsolutions?

IssueNo:1

COMMENTBYASSESSOR

Page21of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.10.2 Does the team leader ensure that the
report is prepared and takes responsibility
ofthecontentofthereport?

Does the report provide accurate, concise

and clear record of the audit and does it
includethefollowing:

a) identificationofthecertificationbody
b) name and address of the clients
managementrepresentative
c) type of audit (e.g. initial, surveillance or
recertification)
d) auditcriteria
e) auditobjectives
f) audit scope, particularly identification of
the organizational of functional units or
processesauditedandthetimeoftheaudit
g) identification of the audit team leader,
audit team members and any
accompanyingpersons
h) dates andplaces where the audit activities
(onsiteofoffsite)wereconducted
i) audit findings, evidence and conclusions,
consistent with the requirements of the
typeofaudit
j) anyunresolvedissues,ifidentified

9.1.11 Causeanalysisofnonconformities

Does the CB require the client to analyze
the cause and describe the specific
correction and corrective actions taken or
planned to be taken to eliminate detected
nonconformitieswithinadefinetimeline?

9.1.12 Effectivenessofcorrectionsandcorrective
actions

Does the CB review the corrections,

identified causes and corrective actions
submittedbythecustomertodetermineif
theseareacceptable?

DoestheCBverifytheeffectivenessofany
correctionandcorrectiveactiontaken?

Is the evidence obtained to support the

resolutionofnonconformitiesrecorded?

Doestheclientgetinformedoftheresultof
thereviewandverification?

SeeNote

IssueNo:1

Page22of41

COMMENTBYASSESSOR

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.1.13 Certificationdecision

Is the client informed if an additional full

audit, an additional limited audit or
documented evidence (to be confirmed
during future surveillance audits) will be
needed to verify effective correction and
correctiveactions?

9.1.14 Does the CB ensure that the persons or

committees that make the certification or
recertification decisions are different from
thosewhocarriedouttheaudits?

9.1.15 Actionspriortomakingadecision

Does the CB confirm, prior to making a

decisionthat:

a)

Theinformationprovidedbytheauditteam
issufficient?
It has reviewed, accepted and verified the
effectiveness of corrections and corrective
actions for all nonconformities that
represent:
failure to fulfill one or more requirements
ofthemanagementsystemstandard?or
a situation that raises significant doubt
about the ability of the customers
management system to achieve its
intendedoutputs
It has reviewed and accepted the clients
planned correction and corrective action
foranyothernonconformity?

COMMENTBYASSESSOR

b)

1
2

c)

9.2

Initialauditandcertification

9.2.1

Application
Does the CB require an authorized
representativeoftheapplicantorganization
to provide the necessary information to
enableittoestablish:

a)
b)

c)

Thedesiredscopeofthecertification?
The general features of the applicant
organization including its name and the
address(es) of its physical location(s),
significant aspects of its process and
operations and any relevant legal
obligations?
General information relevant for the field
of certification applied for, concerning the
applicantorganization,suchasitsactivities,
human and technical resources, functions
and relationship in a larger corporation, if
any?

IssueNo:1

Page23of41

Date:20130118

SADCASF40(a)

9.2.1

d)

ISO/IEC17021REQUIREMENTS

(cont.)

CBS
REFERENCES

COMMENTBYASSESSOR

9.2.2 Applicationreview

9.2.2.1 Before proceeding with the audit does the

CBconductareviewoftheapplicationand
supplementaryinformationforcertification
toensurethat:

a)Theinformationabouttheapplicantandits
management system is sufficient for the
conductoftheaudit?
b) The requirements for certification are
clearly defined and documented and have
been provided to the applicant
organization?
c) Any known difference in understanding
between the CB and the applicant
organizationisresolved?
d) The CB has the competence and ability to
performthecertificationactivity?
e) The scope of certification sought, the
location(s) of the applicants organizations
operations, time required to complete
auditsandanyotherpointsinfluencingthe
certificationactivityaretakenintoaccount
(language, safety conditions, threats to
impartiality,etc)?
f) Recordsofthejustificationforthedecision
toundertaketheauditshallbemaintained?

9.2.2.2 Following the review of the application

does the CB accept or decline an
applicationorcertification?

When declined, are reasons for declining

documentedmadecleartotheclient?

SeeNote

e)

f)

Information concerning all outsourced

processesusedbytheorganizationthatwill
affectconformitytorequirements?
The standards or other requirements for
whichtheapplicantorganizationisseeking
certification?
Information concerning the use of
consultancy relating to the management
system?

IssueNo:1

Page24of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.2.2.3 Based on this review does the CB
determine the competences it needs to
includeinitsauditteam(see7.2.7)andfor
thecertificationdecision(see7.2.9)?

9.2.2.4 Is the audit team appointed and do they

have the totality of the competences
identifiedbytheCBassetoutin9.2.2.3for
the certification of the applicant
organization?

Is selection of the team performed with

reference to the designations of
competence of auditors and technical
expertsmadeunder7.2.5?

9.2.2.5 Is the individual(s) who will be conducting

the certification decision appointed to
ensure appropriate competence is
available?(See7.2.9and9.2.2.3)

9.2.3

Initialcertificationaudit

Is the initial certification audit of a

management system conducted in two
stagesStage1andStage2

COMMENTBYASSESSOR

9.2.3.1Stage1audit

9.2.3.1.1 Isthestage1auditperformed:

a) to audit the clients management system

documentation;
b) to evaluate the clients location and site
specific conditions and to undertake
discussions with the clients personnel to
determine to the preparedness for the
Stage2audit;
c) to review the clients status and
understanding regarding requirements of
the standard, in particular with respect to
the identification of key performance or
significant aspects, processes, objectives
andoperationofthemanagementsystem?
d) to collect necessary information regarding
the scope of the management, processes
and location(s) of the client, and related
statutory and regulatory aspects and
compliance (e.g. quality, environmental,
legal aspects of the clients operation,
associatedrisks,etc.)?

IssueNo:1

Page25of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.2.3.1.1 (cont.)

e) to review the allocation of resources for

Stage 2 audit and agree with the client on
thedetailsoftheStage2audit?
f) to provide a focus for planning the Stage 2
audit by gaining a sufficient understanding
oftheclientsmanagementsystemandsite
operations in the context of possible
significantaspects?
g) to evaluate if the initial audits and
managementreviewarebeingplannedand
performed and that the level of
implementation of the management
systemsubstantiatesthattheclientisready
fortheStage2audit?

For most management systems it is

recommended that at least part of the
Stage 1 audit be carried out at the clients
premisesinordertoachievetheobjectives
statedabove.

9.2.3.1.2 AreStage1auditfindingsdocumentedand
communicated to the client organization
including identification of any areas of
concern that could be classified as non
conformityduringStage2audit?

9.2.3.1.3 In determining the interval between Stage

1andStage2,isconsiderationgiventothe
needs of the client to resolve areas of
concernidentifiedduringtheStage1audit?

The CB may also need to revise its

arrangementforStage2

9.2.3.2 Stage2audit

9.2.3.2.1 The purpose of the Stage 2 audit is to

evaluate the implementation including
effectiveness
of
the
customers
managementsystem.

Is the Stage 2 audit taking place at the

site(s)oftheclient?

Doesitincludeatleastthefollowing:

a) Informationandevidenceaboutconformity
to all requirements of the applicable
management system standard or other
normativedocument?

IssueNo:1

Page26of41

COMMENTBYASSESSOR

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.2.3.2.1(cont.)

b) performance monitoring, measuring,

reporting and reviewing against key
performanceobjectivesandtargets?
c) the clients management system and
performanceasregardslegalcompliance?
d) operational control of the clients
processes?
e)internalauditingandmanagementreview?
f) management responsibility for the client
organizationspolicies?
g)linksbetweenthenormativerequirements,
policy,performanceobjectivesandtargets,
any applicable legal requirements,
responsibilities, competence of personnel,
operations, procedures, performance data
andinternalauditfindingsandconclusions?

9.2.4 Initialcertificationauditconclusions

Doestheauditteamanalyzeallinformation
and audit evidence gathered during the
Stage 1 and Stage 2 audits to review the
audit findings and agree on the audit
conclusions?

9.2.5 Informationforgrantinginitial

certification

9.2.5.1Doestheinformationprovidedbytheaudit
teamtotheCBforthecertificationdecision
includeasaminimum:

a) theauditreports?
b) comments on the nonconformities and,
where applicable, the correction and
correctiveactionstakenbytheclient?
c)confirmationontheinformationprovidedto
the certification body used in the
applicationreview?(See9.2.2)and
d) arecommendationwhetherornottogrant
certification together with any conditions
orobservations?

9.2.5.2 DoestheCBmakethecertificationdecision
on the basis of an evaluation of the audit
findings and conclusions and any other
relevant
information
(e.g.
public
information,commentsontheauditreport
fromthecustomer)?

IssueNo:1

Page27of41

COMMENTBYASSESSOR

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

Surveillanceactivities

CBS
REFERENCES

9.3

9.3.1 General

9.3.1.1 DidtheCBdevelopitssurveillanceactivities
so that representative areas and functions
covered by the scope of the management
system are monitored on a regular basis
and take into account changes to its
certified client and its management
system?

9.3.1.2 Do surveillance activities include onsite

audits assessing the certified clients
managementsystemfulfillmentofspecified
requirements with respect to the standard
towhichthecertificationisgranted?

Othersurveillanceactivitiesmayinclude:

a) Enquiries from the CB to the certified on

aspectsofcertification;
b) Reviewing any clients statements with
respect to its operations (e.g. promotional
material,website);
c) Requests to the client to provide
documents and records (on paper or
electronicmedia);and
d) Other means of monitoring the certified
clientsperformance.

9.3.2 Surveillanceaudit

9.3.2.1 Are onsite audits planned with other

surveillance activities, so that the CB can
maintain confidence that the certified
management
continues
to
fulfill
requirements in between recertification
audits?

Does the surveillance audit programme

includeatleast:

a) Internalauditsandmanagementreview?
b) Reviewofactiontakenonnonconformities
identifiedduringthepreviousaudits?
c) Treatmentofcomplaints?
d) Effectiveness of the management system
with regard to achieving the certified
clientsobjectives?
e) Progress of planned activities aimed at
continualimprovement?

IssueNo:1

COMMENTBYASSESSOR

Page28of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.3.2.1 (cont.)

f)continuingoperationalcost?
g)reviewofanychanges?and
h)useofmarksand/oranyotherreferenceto
certification?

9.3.2.2 Are surveillance audits conducted at least

onceayear?
st

Is the date of the 1 surveillance audit

followinginitialcertificationnotmorethan
12monthsfromthelastdayoftheStage2
audit?
9.3.3

Maintainingcertification

COMMENTBYASSESSOR

DoestheCBmaintaincertificationbasedon
demonstration that the client continues to
satisfy the requirements of the
managementsystemstandard?

Does the CB maintain an organizations

certification based on a positive
recommendation by the audit team leader
without further independent review
providedthat:

a)

For any nonconformity or other situation

thatmayleadtosuspensionorwithdrawal
of certification, the CB needs to initiate a
review by appropriately competent
personneldifferentfromthosewhocarried
out the audit to determine whether
certificationcanbemaintained?(See7.2.9)
and
CompetentpersonneloftheCBmonitorits
surveillance activities, including monitoring
the reporting by its auditors, to confirm
that the certification activity is operating
effectively?

b)

9.4

Recertification

9.4.1

Recertificationcycle

9.4.1.1 Is a recertification audit planned and

conducted to evaluate the continued
fulfillment of all the requirements of the
relevant management system standard or
othernormativedocument?

9.4.1.2Doestherecertificationauditconsiderthe
performance of the management system
overtheperiodofcertificationandinclude
the review of previous surveillance audit
reports?

IssueNo:1

Page29of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

CBS
REFERENCES

COMMENTBYASSESSOR

99.4.1.3 In situations where they have been

significant changes (e.g. changes to
legislation, management, processes, etc.)
do the recertification audit activities
includeaStage1audit?

9.4.1.4 Inthecaseofmultiplesitesorcertification
multiple management system standards
being provided by the CB, does the
planningfortheauditensureadequateon
siteauditcoveragetoprovideconfidencein
thecertification?

9.4.2 Recertificationaudit

9.4.2.1 Does the recertification audit include an

onsiteauditthataddressesthefollowing:

a) the effectiveness of the management

system?
b)demonstratedcommitmenttomaintainthe
effectivenessandimprovement?
c) whether the operation of the certified
management system contributes to the
achievement of the organizations policy
andobjectives?

9.4.2.2 When during a recertification audit

instances of nonconformity or lack of
evidenceofconformityareidentified,does
theCBdefinetimelimitsforcorrectionand
correctiveactionstobeimplementedprior
theexpiryofcertification?

9.4.3 Informationforgrantingrecertification

Does the CB make decisions on renewing

certificationbasedon:

Theresultsofrecertificationaudit?

Theresultsofthereviewofthesystemover
theperiodofcertification?and

The complaints received from users of

certification?

IssueNo:1

Page30of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

Specialaudits

9.5

9.5.1 Extensionstoscope

CBS
REFERENCES

COMMENTBYASSESSOR

Suspending, withdrawing or reducing

scopeofcertification

DoestheCBhaveapolicyanddocumented
procedure(s)forsuspension,withdrawalor
reduction of the scope of certification and
does it specify the subsequent actions by
theCB?

Does the CB in response to an application

forextensiontothescopeofacertification
alreadygranted,undertakeareviewofthe
application and determine any audit
activities necessary to decide whether or
not the extension may be granted? (This
may be conducted in conjunction with a
surveillanceaudit)

9.5.2 Shortnoticeaudits

If it is necessary for the CB to conduct

auditsofcertifiedclientsatshortnoticeto
investigate complaints (see 9.8) or in
responsetochanges(see8.6.3)orasfollow
uponsuspendedcustomers(see9.6):

a)

Does the CB describe and make known in

advance to the certified clients (e.g. in
documents as described in 8.6 1) the
conditions under which these short notice
visitsaretobeconducted?And

DoestheCBexerciseadditionalcareinthe
assignment of the audit team because of
the lack of opportunity for the client to
auditteammembers?

b)
c)

9.6
9.6.1

9.6.2 Does the CB suspend certification in cases

whenforexample:

The customers certified management

system has persistently or seriously failed
to meet certification requirements
including
requirements
for
the
effectivenessofthemanagementsystem?

The certified client does not allow

surveillance or recertification audits to be
conductedattherequiredfrequencies?or

The certified client has voluntarily

requestedasuspension?

IssueNo:1

Page31of41

Date:20130118

SADCASF40(a)

9.6.3

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Under suspension the customers
management system certification is
temporarilyinvalid.

Does the CB have enforceable

arrangementswithitsclientstoensurethat
in case of suspension the client refrains
fromfurtherpromotionofitscertification?

DoestheCBmakethesuspendedstatusof
the certification publicly available (see
8.1.3) and take any other measures it
deemsappropriate?

9.6.4

Doesfailuretoresolvetheissuesthathave
resulted in the suspension in a time
established by CB result in withdrawal or
reductionofthescopeofcertification?

9.7
9.7.1

9.7.2

SeeNote

9.6.5
Does the CB reduce the customers scope
of certification to exclude the parts not
meeting the requirements when the client
has persistently or seriously failed to meet
the certification requirements for those
partsofthescopeofcertification?

9.6.6

COMMENTBYASSESSOR

Does the CB have enforceable

arrangements with the certified customer
concerning conditions of withdrawal (see
8.4.3d)ensuringuponnoticeofwithdrawal
of certification that the customer
discontinuesitsuseofalladvertisingmatter
that contains any reference to a certified
status?

Appeals

DoestheCBhaveadocumentedprocessto
receive, evaluate and make decisions on
appeals?

Is a description of the appeals handling

processpubliclyavailable?

IssueNo:1

Page32of41

Date:20130118

SADCASF40(a)

9.7.3

9.7.4

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
IstheCBresponsibleforalldecisionsatall
levelsoftheappealshandlingprocess?

Does the CB ensure that the persons

engaged in appeals handling process are
different from those who carried out the
auditsandmadethecertificationdecisions?

COMMENTBYASSESSOR

Do submission, investigation and decision

on appeals result in any discriminatory
actionsagainsttheappellant?

Doestheappealhandlingprocessincludeat
leastthefollowingelementsandmethods:

9.7.5

a) an outline of the process for receiving,

validating, investigating the appeal and for
deciding what actions are to be taken in
response to it, taking into account the
resultsofprevioussimilarappeals;
b) tracking and recording appeals including
actionsundertakentoresolvethem;
c) ensuring that any appropriate correction
andcorrectiveactionistaken.

9.7.6 Does the CB acknowledge receipt of the

appeal and provide the appellant with
progressreportsandtheoutcome?

9.7.7 Are the decision to be communicated to

the appellant made by, or reviewed and
approved by, individual(s) not previously
involvedinthesubjectoftheappeal?

9.7.8 Does the CB give formal notice of the end

of the appeal handling process to the
appellant?

9.8Complaints

9.8.1

Is a description of the complaints handling

processpubliclyaccessible?

9.8.2

Upon receipt of a complaint does the CB

confirm whether the complaint relates to
certificationactivitiesthatisresponsiblefor
and,ifso,dealswith?

Ifthecomplaintrelatestoacertifiedclient
does the examination of the complaint
consider the effectiveness of the certified
managementsystem?

IssueNo:1

Page33of41

Date:20130118

SADCASF40(a)

9.8.3

9.8.4

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Is a complaint about a certified client also
referredbytheCBtothecertifiedclientin
questionatanappropriatetime?
DoestheCBhaveadocumentedprocessto
receive, evaluate and make decisions on
complaints?

COMMENTBYASSESSOR

Is this process subject to requirements for

confidentiality as it relates to the
complainant and to the subject of the
complaint?

9.8.5 Does the complaints handling process

includeatleastthefollowingelementsand
methods:

a) an outline of the process for receiving,

validating,investigatingthecomplaintand
for deciding what actions are to be taken
inresponsetoit?

b) trackingandrecordingcomplaintsincluding
actionsundertakentoresolvethem?

c)ensuringthatanappropriatecorrectionand
correctiveactionsaretaken?

SeeNote

9.8.6 Is the CB receiving the complaint

responsible for gathering and verifying all
necessary information to validate the
complaint?

9.8.7 Whenever possible does the CB

acknowledge receipt of the complaint and
provide the complainant with progress
reportsandtheoutcome?

9.8.8 Is the decision to be communicated to the

complainant made by, or reviewed and
approved by, individual(s) not previously
involvedinthesubjectofthecomplaint?

9.8.9 WheneverpossibledoestheCBgiveformal
noticeoftheendofthecomplainthandling
processtothecomplainant?

IssueNo:1

Page34of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.8.10 Does the CB determine together with the
clientand thecomplainantwhetherand,if
so to what extent, the subject of the
complaint and its resolution shall be made
public?

9.9
Recordsofapplicantsandclients

COMMENTBYASSESSOR

9.9.1 Does the CBmaintain records on theaudit

andothercertificationactivityforallclients
including all organizations that submitted
applications and all organizations audited,
certifiedorwithcertificationwithdrawn?

9.9.2 Do the records on certified clients include

thefollowing:

a) application information and initial,

surveillance and recertification audit
reports?
b)certificationagreement?
c) justification of the methodology used for
sampling?
d) justification
for
auditor
time
determination?(See9.1.4)
e) verification of correction and corrective
actions?
f) records of complaints and appeals and any
subsequent correction and corrective
actions?
g) committee deliberations and decisions, if
applicable?
h) documentation of the certification
decisions?
i) certificationdocumentsincludingthescope
of certification with respect to product,
processorservicesasapplicable?
j) related records necessary to establish the
credibility of the certification such as
evidenceofthecompetenceofauditorand
technicalexpert?

SeeNote

9.9.3

DoestheCBkeeptherecordsonapplicants
and customers, secure to ensure that the
informationiskeptconfidential?

Are records transported, transmitted or

transferred in a way that ensures that
confidentialityismaintained?

IssueNo:1

Page35of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
9.9.4 DoestheCBhaveadocumentedpolicyand
documented procedures on retention of
records?

Arerecordsretainedforthedurationofthe
current cycle plus one (1) full certification
cycle?

COMMENTBYASSESSOR

SeeNote

10
Management system requirements for
CBs

10.1 Options

Inadditiontomeetingtherequirementsof
Clauses 5 to 9 did the CB implement a
management system in accordance with
either:

a)

Management system requirements in

accordancewithISO9001(Option1)?or
Generalmanagementsystemrequirements
(Option2)?

b)

10.2

Option1:Managementsystem
requirementsinaccordancewithISO9001

10.2.2Scope

Doesthescopeofthemanagementsystem
include the design and development
requirementsforitscertificationservices?

10.2.3 CustomerFocus

10.2.1 General

Is the ISO 9001 system capable of

supporting and demonstrating the
consistent
achievement
of
the
requirementsofthisinternationalstandard,
amplifiedby10.2.2to10.2.4?

Does the CB consider the credibility of

certification and address the needs of all
parties (as set out in 4.1.2) that rely upon
its audit and certification services, not just
itsclients?

10.2.4Managementreview

Does the CB include as input for

management review information on
relevantappealsandcomplaintsfromusers
ofcertificationactivities?

IssueNo:1

Page36of41

Date:20130118

SADCASF40(a)

10.3

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Option 2: General management system
requirements

COMMENTBYASSESSOR

10.3.1General

Does the CB establish, document,

implement and maintain a management
system that is capable of supporting and
demonstrating the consistent achievement
of the requirements of this international
standard?
Does the CBs top management establish
anddocumentpoliciesandobjectivesforits
activities?
Doestopmanagementprovideevidenceof
its commitment to the development and
implementation of the management
system in accordance with the
requirements of this international
standard?
Does top management ensure that the
policies are understood, implemented and
maintained at all levels of the certification
bodysorganization?
Did the CBs top management appoint a
member of management who, irrespective
of other responsibilities, shall have
responsibilityandauthoritythatincludes:

a)

b)

Ensuring that processes and procedures

needed for the management system are
established,implementedandmaintained?
and
Reporting to top management on the
performance of the management system
andanyneedforimprovement?

10.3.2 Managementsystemmanual

Are all applicable requirements of this

internationalstandardaddressedeitherina
manualorinassociateddocuments?

Does the CB ensure that the manual and

relevant associated documents are
accessibletoitspersonnel?

10.3.3 Controlofdocuments

Did the CB establish procedures to control

the documents (internal and external) that
relatetothefulfillmentofthisinternational
standard?

IssueNo:1

Page37of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
Does the procedures define the control
needed:

COMMENTBYASSESSOR

a)
b)
c)
d)

e)
f)

g)

To approve documents for adequacy prior

toissue?
To review and update as necessary and
approvedocuments?
To ensure that changes and the current
revisionstatusofdocumentsareidentified?
To ensure that relevant versions of
applicable documents are available at
pointsofuse?
To ensure that documents remain legible
andreadilyidentifiable?
Toensurethatdocumentsofexternalorigin
are identified and their distribution
controlled?and
Topreventtheunintendeduseofobsolete
documents and to apply suitable
identification to them if they are retained
foranypurpose?

SeeNote

10.3.4Controlofrecords

DoestheCBestablishprocedurestodefine
the controls needed for the identification,
storage, protection, retrieval, retention
time and disposition of its records related
to the fulfillment of this international
standard?

Does the CB establish procedures for
retaining records for a period consistent
withitscontractualandlegalobligations?

Is access to these records consistent with
theconfidentialityarrangements?
SeeNote

10.3.5 Managementreview
10.3.5.1General

Did the CBs top management establish
procedures to review its management
system at planned intervals to ensure its
continuing suitability, adequacy and
effectiveness including the stated policies
and objectives related to the fulfillment of
thisinternationalstandard?

Arethesereviewsconductedatleastoncea
year?

IssueNo:1

Page38of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

10.3.5.2Reviewinputs

Does the input to management review

includeinformationrelatedto:

a)
b)

Resultsofinternalandexternalaudits?
Feedback from clients and interested
parties related to the fulfillment of this
internationalstandard?
Feedback from the committee for
safeguardingimpartiality?
Statusofpreventiveandcorrectiveactions?
Followup
actions
from
previous
managementreviews?
Fulfillmentofobjectives?
Changes that could affect the
management?and
Appealsandcomplaints?

CBS
REFERENCES

COMMENTBYASSESSOR

c)
d)
e)
f)
g)

h)

10.3.5.3 Reviewoutputs

Do the outputs from the management

review include decisions and actions
relatedto:

a)
b)

Improvement of the effectiveness of the

managementsystemanditsprocesses?
Improvement of the certification services
related to the fulfillment of this
internationalstandard?and
Resourceneeds?

c)

10.3.6 Internalaudits

10.3.6.1 Does the CB establish procedures for

internal audits to verify that it fulfills the
requirementsofthisinternationalstandard
and that the management system is
effectivelyimplementedandmaintained?
SeeNote

10.3.6.2 Is an audit programme planned taking into

consideration the importance of the
processes and areas to be audited as well
astheresultsofpreviousaudits?

10.3.6.3 Areinternalauditsperformedatleastonce
every12months?

10.3.6.4 DoestheCBensurethat:

a) Internal audits are conducted by qualified

personnel knowledgeable in certification,
auditing and the requirements of this
internationalstandard?
b) Auditorsshallnotaudittheirownwork?

IssueNo:1

Page39of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS

10.3.6.4(cont.)

CBS
REFERENCES

COMMENTBYASSESSOR

c) Personnel responsible for the area audited

areinformedoftheoutcomeoftheaudit?
c) Any actions resulting from internal audits
are taken in a timely and appropriate
manner?and
d) Any opportunities for improvement are
identified?

10.3.7 Correctiveactions

Dotheproceduresdefinerequirementsfor:

a)

Identifying nonconformities (e.g. from

complaintsandinternalaudits)?
Determiningthecausesofnonconformity?
Correctingnonconformities?
Evaluating the need for actions to ensure
thatnonconformitiesdonotrecur?
Determining and implementing in a timely
mannertheactionsneeded?
Recordingtheresultsofactionstaken?and
Reviewing the effectiveness of corrective
actions?

b)
c)
d)
e)
f)
g)

Does the CB establish procedures for

identification and management of non
conformitiesinitsoperations?
Does the CB also, where necessary, take
actions to eliminate the causes of non
conformities in order to prevent
recurrence?
Are corrective actions appropriate to the
impactoftheproblemencountered?

10.3.8Preventiveactions

DoestheCBestablishproceduresfortaking
preventive actions to eliminate the causes
ofpotentialnonconformities?
Arepreventiveactionstakenappropriateto
the probable impact of the potential
problems?

Do the procedures for preventive actions

definerequirementsfor:

a)

Identifying potential nonconformities and

theircauses?
Evaluating the need for action to prevent
NNtheoccurrenceofnonconformities?
Determining and implementing the action
needed?

b)

IssueNo:1

Page40of41

Date:20130118

SADCASF40(a)

ISO/IEC17021REQUIREMENTS
CBS

REFERENCES
10.3.8(cont.)

c) Recordingtheresultsofactionstaken?and
d) Reviewing the effectiveness of the
preventiveactions?

SeeNote

COMMENTBYASSESSOR

Additional/GeneralComments(Thisspacemaybeusedtoexpandoncommentsinspecificsections)

Signed
Lead/TechnicalAssessor:

Date:

IssueNo:1

Page41of41

Date:20130118