One of the most crucial steps to gaining your ISO certification is the completion of a Stage 1 and Stage 2 assessment, conducted by an accredited Certification Body. A quick reminder – your certification doesn’t mean much if you haven’t received certification from an accredited Certification Body – so make sure you do your research!
Businesses going through their final Assessments to gain ISO certification may see any decisions made by Certification Body Assessors as infallible, however there’s still a very human aspect which can lead to some common pitfalls.
Last week we dived into the requirements of ISO 17021 – the Conformity Assessment Standard designed for Certification Bodies, and more specifically the requirements in relation to you as a client.
In this weeks’ episode, Steve Mason joins Mel once again to share some issues raised by Blackmores’ clients against Certification Bodies, and explains the related rules in ISO 17021 which Certification Bodies should abide by.
You’ll learn
- What is ISO 17021?
- Key issues raised by Blackmores’ clients in relation to Certification Bodies
- Related ISO 17021 requirements
Resources
In this episode, we talk about:
[00:24] What is ISO 17021? It’s the Conformity Assessment Standard designed for Certification Bodies. In effect, it acts as a service level agreement. These are the rules that these certification bodies need to comply with if they are accredited by an accreditation body like UKAS. Listen to the previous episode to learn more.
[01:10] What are we focusing on in this episode? There have been some issues raised by some of our clients time and time again over the last 6 – 8 months. We want to break some of these issues down, and help listeners to understand what are the actual rules around these areas in relation to ISO 17021.
[01:40] Issue #1: Cancellations – Sometimes a cancellation is unavoidable, however there are still rules that any Certification Body needs to follow – most importantly they should notify the client.
Steve shares his experience with an Assessor who was due to show up on the 5th September 2023, and never turned up! it turned out that whilst the date was in the previous report, it had been removed from his diary, but it hadn’t then been put into somebody else’s diary, and because it hadn’t been put into somebody else’s diary, there was no flag to anybody to let the client know that the visits should take place. Now that visit had to be pushed back into January next year, which is the only time we can make it.
[02:50] Balancing Expectations – There’s an expectation from certification bodies that clients should not cancel a month or less than a month before they visit. Steve recommends that should apply to certification bodies cancelling for clients too.
There are many considerations to Certification Body visits, including:- cost, scheduling the right people to be present, setting time aside for the audit ect.
[04:30] One-sided penalties – Penalties seem to be very one-sided. For example: if the client cancelled two or three weeks beforehand because they had personal circumstances which meant that they couldn’t attend, they would be penalised and would have to pay in full for that visit. Yet the certification body can not show up on a day, and there’s no compensation whatsoever.
[05:10] This is not the norm for Certification Bodies – A reminder that the issues were raising are not the norm for Certification Bodies – however we are seeing an increase of complaints raised by our clients. This may have been exacerbated due to the recent shortage of Assessors.
[05:50] Issue #2: Planning Audits – Another issue that’s been cropping up is about planning audits – not just surveillance audits, but also stage 1 and stage 2 Assessments.
In regards to ISO 17021, Certification Bodies should be providing an Stage 1 Audit plan to the client to detail what will happen during the visit.
That plan is often not happening, or there’s a generic plan that gets sent out by the certification body which bears no relevance to what the assessor ends up doing. So that’s as useful as a chocolate teapot.
It should be sent a month ahead of the visit, not 2 -3 days before the visit takes place. Companies need time to organise the right people and Certification Bodies need to be considerate of that fact.
[07:35] Steve’s experience with a poor Audit plan from a Certification Body – Steve had an occasion where he had to write a plan on behalf of the Certification Body Assessor for the client as they’d neglected to even send one!
Steve used to be an Assessor, so is familiar with how these plans should be structured. The designated Assessor ended up using his plan – but this should not have been the case.
[07:58] Poor planning – There have been instances where the planning has been so poor that they send the wrong Assessor to a client site. We’ve had experiences where an ISO 27001 Audit was due to take place and the Assessor turned up expecting to Audit against ISO 9001.
[08:50] What should Certification Bodies be providing following a Stage 1 Assessment visit? – After your Stage 1, you should have another plan come out of that stage, after what’s known as the Programme Management Day. The reason for that is because the assessor sometimes needs to go away, look at what they’ve written up, and take into account what they’ve heard from the client, and put a reasonable plan in place.
The assessor should then sit down with the client to discuss the plan and what sites are going to be visited during the Stage 2 Assessment.
[09:30] Using the right language – Often we see plans come out with language in the plans that is alright for certification body, but the client has no idea what the assessor is going on about. Steve always used to sit down with his clients and say right, ‘what language do you want me to use?’ And then would use their language and would also put the clause from the related standard next to that and say ‘that’s the bit I’m going to audit’. You’re writing the plan for the customer, not for yourself.
It also acts as assurance for a potential replacement Assessor if the first Assessor is off sick and can’t make the next visit.
[11:33] What does ISO 17021 say? – In clause 9, ISO 17021 states that: the certification should ensure that the audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.
If they fail to put a plan in place, they are not meeting a requirement.
ISO 17021 also says that if you’ve got an organisation that’s got different sites, then the plan should take into account the different sites and whether the visit is going to be on site off site – as remote audits have become more common place post-pandemic.
[12:35] Steve’s experience with a flimsy plan provided by a Certification Body – ‘I came across an audit plan which was just a list of all the requirements a standard. It was across 5 days. But there was no indication as to which day those requirements were going to be assessed. There’s no indication as to how long each of those requirements are going to be assessed? So what could the client do to prepare for that?’
Steve did say to client send it back and get a proper plan, but they have absolutely no joy with the certification body.
[13:50] Issue #3: Unnecessary charges – Mel recounts a recent incident where a Certification Body cancelled 2 site visits, and due to the long delay between rebooking, the client had moved office. However, they only relocated a few doors down in one instance and across the road in another. The client then received a quote for an extension to scope – amounting to 3 extra days due to the address change!
Mel checked ISO 17021 and confirmed that an extension to scope is only applicable if changing what you’re doing or you’re adding a new location to the scope – however if you’re using the exact same scope and are only moving your business from one location to the next – it is not an extension to scope, it’s just a change of address.
Steve recounts a similar instance where a client was charged £160 for the address to be changed on their certificate! Which is a ridiculous and unnecessary admin fee which only serves to upset the client.
[17:50] Issue #4: No disclosure of the appeals process – if client a company isn’t happy with their nonconformities, there is an appeals process, which is a requirement of ISO 17021.
Steve highlights an incident where an Assessor told a client ‘don’t bother with the appeals process because it’ll only delay the delivery your certificate’ – Which was highly unprofessional of that particular Assessor to say.
The appeals process there is there to help clients if they disagree with their assessor, and allow them to go to a sort of third party that’s within the certification body and say, look, I don’t agree with this. Can you explain why it’s a nonconformity?
Top tip: If you do get a non-conformity that you’re confused about – Ask the Assessor to show you where in the standard it requires you to do that. If an assessor cannot show you that, then it is not a nonconformity.
[20:30] The complaints process – The complaints process really is not about appealing against a nonconformity, but complaining against perhaps not getting your plans in your reports and all that sort of thing.
[21:20] These issues are not the norm – don’t be put off ISO certification! – While we have noticed an increase in complaints in the last year, we also want to highlight that these have mostly been for 1 or 2 select Certification Bodies.
On the whole, Certification Bodies provide a wonderful service to their clients. We just wanted to bring their code of practice to your attention, that you can check ISO 17021 to verify that the Certification Body is being fair to you and fulfilling their own requirements in relation to customer service.
[23:35] Receiving reports – Lastly a reminder that reports to clients following visits should not take months to get to them. Clients should expect reports from Assessors in 2 – 3 days – not months!
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes’:
Stitcher | Spotify | YouTube | iTunes | Soundcloud |
Download the ISO Standards Blueprint
A step-by-step checklist for getting ISO certified