The creators of isology®

One of the most crucial steps to gaining your ISO certification is the completion of a Stage 1 and Stage 2 assessment, conducted by an accredited Certification Body. A quick reminder – your certification doesn’t mean much if you haven’t received certification from an accredited Certification Body – so make sure you do your research!

Businesses going through their final Assessments to gain ISO certification may see any decisions made by Certification Body Assessors as infallible, however there’s still a very human aspect which can lead to some common pitfalls.

Last week we dived into the requirements of ISO 17021 – the Conformity Assessment Standard designed for Certification Bodies, and more specifically the requirements in relation to you as a client.

In this weeks’ episode, Steve Mason joins Mel once again to share some issues raised by Blackmores’ clients against Certification Bodies, and explains the related rules in ISO 17021 which Certification Bodies should abide by.  

You’ll learn

• What is ISO 17021?
• Key issues raised by Blackmores’ clients in relation to Certification Bodies
• Related ISO 17021 requirements

Resources

• isologyhub
• ISO 17021

In this episode, we talk about:

[00:24] What is ISO 17021? It’s the Conformity Assessment Standard designed for Certification Bodies. In effect, it acts as a service level agreement. These are the rules that these certification bodies need to comply with if they are accredited by an accreditation body like UKAS. Listen to the previous episode to learn more.

[01:10] What are we focusing on in this episode? There have been some issues raised by some of our clients time and time again over the last 6 – 8 months.  We want to break some of these issues down, and help listeners to understand what are the actual rules around these areas in relation to ISO 17021.

[01:40] Issue #1: Cancellations – Sometimes a cancellation is unavoidable, however there are still rules that any Certification Body needs to follow – most importantly they should notify the client.

Steve shares his experience with an Assessor who was due to show up on the 5^th September 2023, and never turned up! it turned out that whilst the date was in the previous report, it had been removed from his diary, but it hadn’t then been put into somebody else’s diary, and because it hadn’t been put into somebody else’s diary, there was no flag to anybody to let the client know that the visits should take place. Now that visit had to be pushed back into January next year, which is the only time we can make it.

[02:50] Balancing Expectations –  There’s an expectation from certification bodies that clients should not cancel a month or less than a month before they visit. Steve recommends that should apply to certification bodies cancelling for clients too.

There are many considerations to Certification Body visits, including:- cost, scheduling the right people to be present, setting time aside for the audit ect.

[04:30] One-sided penalties – Penalties seem to be very one-sided. For example: if the client cancelled two or three weeks beforehand because they had personal circumstances which meant that they couldn’t attend, they would be penalised and would have to pay in full for that visit. Yet the certification body can not show up on a day, and there’s no compensation whatsoever.

[05:10] This is not the norm for Certification Bodies – A reminder that the issues were raising are not the norm for Certification Bodies – however we are seeing an increase of complaints raised by our clients. This may have been exacerbated due to the recent shortage of Assessors.

[05:50] Issue #2: Planning Audits – Another issue that’s been cropping up is about planning audits – not just surveillance audits, but also stage 1 and stage 2 Assessments.

In regards to ISO 17021, Certification Bodies should be providing an Stage 1 Audit plan to the client to detail what will happen during the visit.

That plan is often not happening, or there’s a generic plan that gets sent out by the certification body which bears no relevance to what the assessor ends up doing. So that’s as useful as a chocolate teapot.

It should be sent a month ahead of the visit, not 2 -3 days before the visit takes place. Companies need time to organise the right people and Certification Bodies need to be considerate of that fact.

[07:35] Steve’s experience with a poor Audit plan from a Certification Body – Steve had an occasion where he had to write a plan on behalf of the Certification Body Assessor for the client as they’d neglected to even send one!

Steve used to be an Assessor, so is familiar with how these plans should be structured. The designated Assessor ended up using his plan – but this should not have been the case.

[07:58] Poor planning –  There have been instances where the planning has been so poor that they send the wrong Assessor to a client site. We’ve had experiences where an ISO 27001 Audit was due to take place and the Assessor turned up expecting to Audit against ISO 9001.

[08:50] What should Certification Bodies be providing following a Stage 1 Assessment visit? –  After your Stage 1, you should have another plan come out of that stage, after what’s known as the Programme Management Day.  The reason for that is because the assessor sometimes needs to go away, look at what they’ve written up, and take into account what they’ve heard from the client, and put a reasonable plan in place.

The assessor should then sit down with the client to discuss the plan and what sites are going to be visited during the Stage 2 Assessment.

[09:30] Using the right language –  Often we see plans come out with language in the plans that is alright for certification body, but the client has no idea what the assessor is going on about. Steve always used to sit down with his clients and say right, ‘what language do you want me to use?’ And then would use their language and would also put the clause from the related standard next to that and say ‘that’s the bit I’m going to audit’. You’re writing the plan for the customer, not for yourself.

It also acts as assurance for a potential replacement Assessor if the first Assessor is off sick and can’t make the next visit.

[11:33] What does ISO 17021 say? –  In clause 9, ISO 17021 states that: the certification should ensure that the audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.

If they fail to put a plan in place, they are not meeting a requirement.

ISO 17021 also says that if you’ve got an organisation that’s got different sites, then the plan should take into account the different sites and whether the visit is going to be on site off site – as remote audits have become more common place post-pandemic.

[12:35] Steve’s experience with a flimsy plan provided by a Certification Body –  ‘I came across an audit plan which was just a list of all the requirements a standard. It was across 5 days. But there was no indication as to which day those requirements were going to be assessed. There’s no indication as to how long each of those requirements are going to be assessed? So what could the client do to prepare for that?’

Steve did say to client send it back and get a proper plan, but they have absolutely no joy with the certification body.

[13:50] Issue #3: Unnecessary charges –  Mel recounts a recent incident where a Certification Body cancelled 2 site visits, and due to the long delay between rebooking, the client had moved office. However, they only relocated a few doors down in one instance and across the road in another. The client then received a quote for an extension to scope – amounting to 3 extra days due to the address change!

Mel checked ISO 17021 and confirmed that an extension to scope is only applicable if changing what you’re doing or you’re adding a new location to the scope – however if you’re using the exact same scope and are only moving your business from one location to the next – it is not an extension to scope, it’s just a change of address.

Steve recounts a similar instance where a client was charged £160 for the address to be changed on their certificate! Which is a ridiculous and unnecessary admin fee which only serves to upset the client.

[17:50] Issue #4: No disclosure of the appeals process –  if client a company isn’t happy with their nonconformities, there is an appeals process, which is a requirement of ISO 17021.

Steve highlights an incident where an Assessor told a client ‘don’t bother with the appeals process because it’ll only delay the delivery your certificate’ – Which was highly unprofessional of that particular Assessor to say.

The appeals process there is there to help clients if they disagree with their assessor, and allow them to go to a sort of third party that’s within the certification body and say, look, I don’t agree with this. Can you explain why it’s a nonconformity?

Top tip: If you do get a non-conformity that you’re confused about – Ask the Assessor to show you where in the standard it requires you to do that. If an assessor cannot show you that, then it is not a nonconformity.

[20:30] The complaints process –  The complaints process really is not about appealing against a nonconformity, but complaining against perhaps not getting your plans in your reports and all that sort of thing.

[21:20] These issues are not the norm – don’t be put off ISO certification! –  While we have noticed an increase in complaints in the last year, we also want to highlight that these have mostly been for 1 or 2 select Certification Bodies.

On the whole, Certification Bodies provide a wonderful service to their clients. We just wanted to bring their code of practice to your attention, that you can check ISO 17021 to verify that the Certification Body is being fair to you and fulfilling their own requirements in relation to customer service.

[23:35] Receiving reports –  Lastly a reminder that reports to clients following visits should not take months to get to them. Clients should expect reports from Assessors in 2 – 3 days – not months!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes’:

Stitcher | Spotify | YouTube | iTunes | Soundcloud |

If you are going for certification, or currently manage a certified ISO Management System, then you should also be aware of ISO 17021 ahead of any Assessments or Surveillance audits conducted by an accredited Certification Body.

ISO 17021 sets out requirements for bodies providing audit and certification of management systems. It ensures that Certification Bodies provide a reliable assessment of compliance with the applicable requirements, carried out by a competent impartial audit team, to achieve a consistent result for all clients.

So, why should you be aware of this Standard in particular? ISO 17021 also establishes what you as a client should expect from your Certification Body.

Steve Mason, Managing Consultant at Blackmores, joins Mel to discuss what ISO 17021 is, why you should be aware of it and the requirements related to expected service delivery from Certification Bodies.

You’ll learn

• What is ISO 17021
• The difference between accredited and non-accredited certification bodies
• A brief overview of the Standard and client related requirements

Resources

• isologyhub
• International Accreditation Forum
• ISO 17021

In this episode, we talk about:

[01:40] Why are we talking about ISO 17021 now? In our internal Team Meetings, Certification Bodies are an established talking point. Highlighting the good and the bad, but in recent months it’s been more on the negative side. Steve had highlighted ISO 17021 as the Standard to look at in regard to expected service delivery requirements from Certification Bodies – so here we are!

[03:00] What is ISO 17021? The reason for the standard is that it ensures that all certification bodies are delivering the same level of service to all customers. Certification Bodies don’t need to be certified to other standards such as ISO 9001, as ISO 17021 was specifically designed for the purpose of delivering certifications.

It’s also the standard where you can find out what’s expected of Certification Bodies – like a Terms and Conditions or service level agreement.

[05:00] The difference between accredited and non-accredited Certification Bodies – Go back and watch episode 19 to learn more.

[06:10] Why is it important that the Certification Body is accredited? –  Accreditation proves that the Certification Body is being checked by another body. Accreditation is also recognised worldwide – it’s trusted as a gold standard of performance. There are many different accreditation bodies around the world, here in the UK it’s UKAS, but there are others such as ANAB in the US. Check out the International Accreditation Forum website to confirm the accreditation body for your country.

[08:10] Ultimately, a Certification Body can’t offer accredited certification services unless they’ve actually been assessed by the applicable accreditation body to ISO 17021, and they need to do that on an ongoing basis like any other certification.

They also may not be accredited to deliver every standard they offer – so make sure you verify with the certification body that they are in fact accredited to ISO 9001, ISO 27001 ect.

[09:15] A brief overview of what’s included in ISO 17021 – A lot of the clauses before this are really about the management of certification body, but when it comes to clause 9, this is where the customer becomes a lot more involved in the requirements. It covers topics such as planning audits, conducting audits, certification decision making, maintaining certification, the appeals process, the complaints process and then keeping client records.

Clause 9 in particular is where you, as a client, should focus.

[11:00] What core principles are described in ISO 17021? – Impartiality, competence, responsibility, openness, confidentiality, responsiveness to complaints, risk based approach and legal responsibilities.

[12:20] What personal behaviors should you expect from your assessor? – In Steve’s experience, he’s seen more and more assessors not living up to the requirements of ISO 17021. This could be for a number of reasons, i.e. they could have an uncooperative client, they may not have had adequate training, perhaps there’s a break down between clients and client managers. Either way, these are a few of the qualities that Assessors should embody: ethical, fair, truthful, sincere, honest, discrete and open-minded.

[14:00] A lack of open mindedness –  Steve had encountered an Assessor that stated ‘This must be wrong because I’ve never seen it done that way’ – which is not open minded in the least. This resulted in a non-conformity which should have never been raised.

ISO 17021, clause 9.4.5 states that any non-conformity raised shall be recorded against a specific requirement in the Standard being audited. Assessors need to take heed not to assess to their preference.

[15:15] Top Tip –  If you get asked a question, then give an answer and they raise that as a non-conformity that you’re unsure as to why it’s being raised – it’s always worth asking the Assessor to show you where in the standard they’re raising the non-conformity against.

It’s a case of clarifying the question and verifying what they’re raising a non-conformity against, and if there’s a justification for it. If there is, then great, they’re doing a great job! If not, it may be the Assessor’s personal bias, and there’s a chance you can get that non-conformity down to an opportunity for improvement.

[17:05] Other expected traits for Assessors to be aware of –  Collaborative: It should be a partnership between the client and Assessor – they want what’s best for you.

Tenacious: This can sometimes be taken too far. For example, if your Assessor it still assessing past 5pm, tell them to go home. If they need more time, then it’s up to the certification body to work that one out.

Other basic traits include: Observational, being perceptive and versatile.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes’

Stitcher | Spotify | YouTube | iTunes | Soundcloud

So this is for our ISO Show listeners that are already certified to ISO Standards, in some cases – not that often, some companies can get really fed up or frustrated with their certification body provider.

Now on the whole, accredited CB’s are great – however over the last 14 years we’ve come across the good, the bad and the ugly too!

So, this podcast is for those companies that maybe looking to switch, so we’ll cover…….

Why companies decide to change CB’s

• Can’t get hold of anyone to help them – inform them of change in business and the CB is not adaptable.

• Frustrated with lack of organisation – not keeping client informed, assessor showing up to audit the wrong standard.

• Their CB is not listening to them

• Not happy with the assessor – No really a hard reason – Just request a different Assessor

• Lack of value – assessor shows up later and leaves at 2.00pm and you don’t get the report for another 2 -3 weeks after chasing.

Why switch?

Because you can – you have a choice

• You are the customer – if you raise your concerns and are not being heard, go to another CB that will look after your every need.
• You may get a more competitive service and costs – example clients grown through acquisition
• You are expanding internationally – need a CB with an international presence

How to switch

1. Here in the UK – If you are certified by a UKAS accredited certification body the switch is free of charge to another UKAS accredited CB.
2. Establish your scope of certification and requirements – sites, services, standards.
3. Review your timings – should it be before or after your next surveillance visit?
4. Get three quotes from accredited Certification bodies – explain you’d like a quote for the period of certification including the recertification costs.
5. Provide your requirements – also explain why you are looking to change CB’s as you want assurance that they will be able to provide you with the service you need.

• Consider –
  • Costs
  • number of assessors for your standards on the payrole,
  • Continuity of assessors
  • Location of assessors and your locations
  • Support
  • Key Account Manager / customer services
  • Experience/reputation in your sector / standards
  • Any value adds i.e. webinars, whitepapers, events.

How we can help? – Free service to send an RFQ to CB’s so you can get comparative quotes. We don’t have an exclusive relationship with any 1 Certification Body, but we can help you gain a quote as a free service we offer. If you need help getting a quote, contact us!

Look out for our directory of recommended CB’s in 2021.

We’d love to hear your views and comments about the ISO Show, here’s how:Share the ISO Show on twitter or Linkedin

Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Fail to prepare, then prepare to fail.  If you don’t want to fail an assessment before you’ve even begun, be prepared.

I’m just going to take you through the top 5 mistakes companies make that can lead to stress and failure – now this isn’t a definitive list – there are of course many things that could go wrong, I’m just going to share with you my 5 favourite blunders that you can very easily avoid.

1. Not informing employees

Yes – pretty obvious, but you’d be surprised to hear how many times a Management systems is just kept to one person and a communications plan has not been implemented to inform all employees.  The best informed employees make the best people to be assessed.

Imagine – you are an assessor and you rock up only to hear an employee when asked about their process say ‘What process? What Environmental Policy?

• Business Continuity Planning – What’s the point in having a BCP if no one know how to how to respond to an incident?
• By not informing employees – As it triggers bad vibes i.e nervous, wary, stressed
• Communication plan – CEO, Champions, agenda of meetings, launch, newsletter updates, online comms i.e. slack

• Not having access to the right people
• The assessor doesn’t need to see every single person.
• Does need to see the key process owners and some representatives from the leadership team.
• Quality – operations, HR, key process owners i.e. heads of functions
• Environment – Facilities Managers, an Environnemental Champion.
• Information Security – IT, back-ups, incident reporting, HR (starters/leavers) and physical security i.e. Office Manager or if you are in services offices – give the person on reception the heads up.
• Make sure you have the agenda for the visits well in advance – all reputable UKAS accredited certification bodies should send this to you weeks in advance – if they haven’t chase it.
• This helps you to ensure that the right people are available at the right time.

• Not having access to your management system

Sounds silly, but you’d be surprised.

• We’ve even come across cases of rogue consultants where the Management system is owned (IP and all) by the consultant – not the company. Scary!
• Make sure you have access to your policies, procedures, documents and templates
• These can be online, displayed, hard copy or audio/visual
• Nothing more embarrassing than missing a key document or you’ve got 3 versions of it, and no one know which is the right one.
• Accessiblity is key – Sharepoint/intranet/wiki’s/dropboc

• Not having access to your records.
• Stage 2 Assessment is a ‘Show and tell’ –make sure the right people and have access to the right records.
• Pre-empt any pitfalls  – a disorganised business will have records all over the place – because there is no structure.
• Also, make sure your supplier records are compliant – one of the main causes of non-conformities in Environmental management and Health and Safety is lack of accurate supplier records
• Waste records, Lift maintenance records, FGas records – most of these aren’t ISO Standards requirements – they are LEGAL requirements.
• Legal register/due diligence

And last but not least……

• Don’t make any assumptions

• Don’t make any assumptions that that your assessor will know your business inside out – they won’t understand your culture, vision, values and USP’s.
• Use this as an opportunity to showcase all the strengths of your business and how well managed it is.  With our clients we’ll always get the representative of the leadership in the room for the kick-off meeting –
• Don’t worry the assessor doesn’t need to be glued to the assessors hip all day every day, 30 mins attendance at the kick-off meeting max is suffice. This shows the business is serious about their ISO Commitment and demonstrates that there is full leadership support and that employees are onboard. 
• Likewise – don’t assume that your assessor knows nothing about your industry – in many cases, if you are in a sector, chances are that your assessor i.e. construction, engineering, manufacturing your assessor has seen the good, the bad and the ugly.
• Take notes, so you can refer back to these – as there can be some valuable observations that an assessor may make which you could take back to your continual improvement process.  Don’t assume that these will be captured in the report at the end of the assessment.

So to recap – the 5 mistakes to avoid in an ISO assessment are……

1. Not informing employees
2. Not having access to the right people on the days of the assessment
3. Not having access to your management system
4. Not having access to your records.
5. Don’t make any assumptions

And don’t forget, these mistakes can easily be prevented if you prepare well before an assessment.

In the words of Benjamin Franklin, By failing to prepare, you are preparing to fail.

If you need any assistance with ISO standards, contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:Share the ISO Show on twitter or Linkedin

Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

You’ve worked hard on creating all the necessary policies and procedures, systemised your way of working, informed the workforce and carried out internal audits to verify compliance.  Well done!  The next, and final stage towards achieving ISO certification is the so-called ‘dreaded’ assessment.  However, with the right approach and preparation, you may even enjoy your assessment!  Hard to believe? Read on…….

So what should you expect to happen?

The assessment, regardless of which ISO Standard you are implementing is split into two stages.  The Stage 1 Assessment is quite simply a Document Review.  This is where the assessor will expect to see all the key documented information that the standard requires.  So where the standard states that you ‘shall provide documented procedure/policy for XXXX’, this is what you need to have available i.e. a documented Environmental Policy if your assessment is for ISO 14001.  Make sure you have all of this documentation easily accessible on the day of the assessment.  Otherwise, you will be wasting your time and the assessor’s time if the information isn’t readily available either online (electronic information available on your server/intranet/Sharepoint), or if it’s easier for you, a hard copy (paper version of a Policy document).  It doesn’t matter if it is a hard or soft copy, so long as it is available and meets the requirements of the ISO Standard, and most importantly, your own business requirements.  If you have a small business the Stage 1 Assessment for one ISO Standard is likely to be just the one day. If you have a micro business, some certification bodies offer a remote Stage 1 Assessment, whereby you submit the documentation electronically.

Typically, by mid-afternoon the assessor is likely to be writing up the findings of the assessment, so by the end of the visit you will be provided with a Stage 1 report, which will outline the scope of certification, and the key findings for all the clauses within the standard/s.  The report will highlight any positive aspects of the documentation and will also raise any minor or major non-conformities which you will need to address prior to the Stage 2 Assessment.  Do not be worried to ask questions if some of the terminology may seem rather technical (ISO gobbledegook), your assessor will be happy to explain their findings so that you are clear on the next steps.  You may feel like your question is a bit silly, but don’t worry about this, they are there to ensure that you fully understand the findings and will be happy to explain the findings and recommendations in a slightly different way so it makes sense for your business.

Most Certification Bodies also provide ‘opportunities for improvement’ which can be very helpful in terms of identifying further improvements that can be made within the business.

The Stage 2 Assessment can be carried out anytime up to 3 months after the Stage 1. We would normally recommend booking this approximately 4 – 6 weeks after the Stage 1 Assessment to ensure that you keep the momentum going on continual improvement, yet still have time to address any improvements to your management system that need to be made.

The Stage 2 Assessment is carried out to simply demonstrate compliance that you operate in the way that you say you do in your Management System! In effect it is a ‘show and tell’.

So, for example if you have a procedure for training, you need to prove that it’s working.  How? Show evidence of your records i.e.  your company Training and Skills Matrix or individual training records.   If you have a procedure for internal audits, simply show your Audit Schedule for the year, and the internal audit reports.  It is basically proving how you are running a successful business.  This is your opportunity to shine, enjoy and be proud of your company’s operations – from Leadership to operatives.

If you’ve got a brilliant way of working for sales or operations, great! show it off!  The assessor will be shadowing you and individual process owners to listen, observe and make notes on how you operate your business.  At the end of the visit, they will provide you with a report on their findings and all being well, you will be recommended for certification.  Worst case scenario if there are any major non-conformances at the end of Stage 2, you will be given time to provide a corrective action plan.

At Blackmores I’m proud to say we have a 100% success rate at helping our clients achieving certification, so if the thought of an assessment is still daunting, we can be there to give you a helping hand and act as your ISO ambassador to support the management team if needed.