Thursday, March 23, 2017

ISO 9001: Quality Management System

1. The International Organization for Standardization 
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). ISO technical bodies prepare the International Standards. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The ISO 9000 series was released in 1987 (1st edition). It had 4 variants:
ISO 9000: Vocabulary
ISO 9001: Model Quality Assurance with Design and Development and Production
ISO 9002: Model for Quality Assurance in Production, Installation and Servicing, and
ISO 9003: Model for Quality Assurance in Final Inspection and Test.

1.1 Revisions of ISO 9000 Series
The ISO 9000 series standards were revised in 1994 (2nd edition), retaining a similar structure, i.e. ISO 9001:1994 – Manufacturing with Design & Development; ISO 9002:1994 – Production and Installation (No Design); and ISO 9003:1994 – Final Inspection and Test.
However, the 3rd revision, i.e. ISO 9001:2000, “Quality Management Systems – Requirements”, prepared by Technical Committee ISO/TC 176, ‘Quality Management and Quality Assurance’, Subcommittee SC 2, ‘Quality Systems’, saw a major change. It replaced the three standards with one (ISO 9001:2000), along with a change in title. In this standard, the term ‘quality assurance’ is no longer used. The revision allowed exceptions to design and development procedures if a company does not in fact engage in the creation of new products, and introduced a few concepts. This version of the standard adopted:
a)    Process Approach replacing an inspection mentality.
b)    A focus on Management Commitment instead of only relying upon quality personnel.
c)    Performance metrics
d)    Continual Improvement
e)    Customer Satisfaction

The fourth edition is ISO 9001:2008. Clause-wise, there is no change between ISO 9001:2000 and ISO 9001:2008. ISO 9001 is applicable to any industry, including software companies.
No new requirements were included; some requirements were clarified. It was also better aligned with ISO 14001:2004.
The fifth edition in 2015 cancels and replaces the fourth edition (ISO 9001:2008), which has been technically revised through the adoption of a revised clause sequence and the adaptation of the revised quality management principles and of new concepts. It also cancels and replaces the Technical Corrigendum ISO 9001:2008/Cor.1:2009 issued on 29.07.2009 (which replaces the correlation between ISO 9001:2000 and ISO 14001:1996 with a correlation matrix between ISO 9001:2008 and ISO 14001:2004).

2. ISO 9001 Standards
ISO 9001 is the world’s most popular and commonly used standard for quality management systems across all industries. A standard is not a law, but an agreement or best practice that an organisation can apply voluntarily. A standard reflects a good level of professionalism. A quality management system is a tool with which an organisation can determine how it can meet the requirements of its customers and the other interested parties that are involved in its activities.
By conforming to the ISO 9001 quality management system, a company can show that:
a)    The organization provides products and services of consistent quality;
b)    The organization provides products and services that meet the customer’s requirements, comply with the law and legislation, and meet the organisation’s own requirements;
c)    The organization can streamline its business processes and continuously improve them.
Further, ISO 9001 helps the organization to increase customer satisfaction and improve its image by showing that the organization complies with internationally recognized quality standards. This is often a requirement for customers and suppliers to do business in many national and international domains.

2.1  Quality Management Principles of ISO 9001
ISO 9001:2000 and ISO 9001:2008 are both based on the 8 quality management principles shown below. ISO 9000 describes each principle as:
a)    Principle 1: Customer Focus – Organisations depend on their customers; therefore they should understand current and future customer needs, meet customer requirements and strive to exceed customer expectations.
b)    Principle 2: Leadership – Leaders must establish unity of purpose and set the direction the organisation should take.
c)    Principle 3: Involvement of people – Full involvement of people at all levels.
d)    Principle 4: Process approach – Process approach to manage activities and related resources. 
e)    Principle 5: System approach to management – Interrelated processes make a system. Organisation must use a system approach to manage interrelated processes.
f)     Principle 6: Continual improvement – Organisations must make a permanent commitment to continually improve their overall performance.
g)    Principle 7: Factual approach to decision making – Organisations must base decisions on the analysis of factual information and data.  
h)    Principle 8: Mutually beneficial supplier relationships – An organisation and its suppliers are interdependent, and a mutually beneficial relationship between both will enhance their value.

Only a fully responsive QMS will include the totality of the eight principles and offer the organization the maximum return against these principles. However, this potential for enhanced marketability, productivity, and profitability is dependent upon the supplier’s desire to fully comply with the Standard, write the documented system in a user-friendly manner for a very wide range of readers, make a total management commitment to this effort, and establish a QMS that can be maintained in a cost-effective manner.

The goal is to improve organizational effectiveness, not just get certified. Most importantly, a unified, strategic, business-and-quality policy signals to all employees that the main purpose of the ISO 9000 certification is to improve the effectiveness of the operation, not just achieve certification.

2.1.1 Quality Management Principles of ISO 9001:2015
The most recent ISO 9001:2015 standard is constructed around seven quality management principles:
1. Customer focus;
2. Leadership;
3. Engagement of people;
4. Process approach;
5. Improvement;
6. Evidence-based decision making;
7. Relationship management.
ISO 9001:2015 describes for each part which requirements your products, services and organisation have to meet in order to enjoy the above benefits.

2.2 Process Approach
ISO 9001 adopts a process approach to improve the effectiveness of a quality management system and to enhance customer satisfaction by meeting customer requirements. A process is defined as any interrelated activity or activities through which a given set of inputs can be converted to a useful output of product or service. The output of one process can be input to a subsequent process.
The application of process approach in a quality management system enables:
a)    Understanding and consistency in meeting requirements;
b)    The consideration of processes in terms of added value;
c)    The achievement of effective process performance;
d)    Improvement of processes based on evaluation of data and information.

A functional representation of any process approach is shown in Figure 1.



Figure 1 — Schematic representation of the elements of a single process

For an organisation to function effectively, it has to determine and manage numerous linked activities. These interrelated processes, together with their management to produce the desired results, can be referred to as the ‘process approach’.

2.3 PDCA Cycle
The process approach involves the systematic definition and management of processes, and their interactions, so as to achieve the intended results in accordance with the quality policy and strategic direction of the organization. Management of the processes and the system as a whole can be achieved using the PDCA cycle (Deming Circle) with an overall focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
The PDCA cycle, or Deming circle, has four stages:

1.    Plan – Establish the objectives of the system and its processes, and the resources needed to deliver results in accordance with the customer’s requirements and the organisation’s policies, and identify and address risks and opportunities.
2.    Do – Try the plan on a test basis.
3.    Check – Evaluate the plan to see if it works.
4.    Act – Permanently implement the plan.

The PDCA cycle of ISO 9001:2015 is shown in Figure 2.


(Figures in brackets indicate the applicable clause numbers as per ISO 9001:2015)
Figure 2: PDCA Cycle as per ISO 9001:2015

2.4 Risk Based Approach
The concept of risk-based thinking has been implicit in ISO 9001:2008 through requirements for planning, review and improvement. ISO 9001:2015, on the other hand, requires the organization to understand its context (clause 4.1), determine the associated risks and opportunities, and make these the basis for planning (see clause 6.1). This represents the application of risk-based thinking to planning and implementing the QMS processes (see clause 4.4). This will also assist in determining the extent of documented information.
The risk-based thinking applied in this version has enabled some reduction in prescriptive requirements and their replacement by performance-based requirements. There is greater flexibility than in ISO 9001:2008 in the requirements for processes, documented information and organizational responsibilities.
One of the key purposes of a QMS is to act as a preventive tool. Consequently, the 2015 version does not have a separate clause or sub-clause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating QMS requirements.
Although clause 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

3. ISO 9001:2015 CLAUSES

3.1 Clause 1: Scope

3.2 Clause 2: Normative References
ISO 9000:2015: QMS – Fundamentals and Vocabulary.

3.3 Clause 3: Terms and Definitions
The terms and definitions given in ISO 9000:2015 apply.

3.4 Clause 4: Context of the Organisation
1)    Understand your organization and its unique context.
2)    Clarify the needs and expectations of interested parties (customers, suppliers and competitors).
3)    Define the scope of your quality management system – Scope and boundaries may be defined in the Quality Manual. Also define other documentation.
4)    Develop a QMS and establish documented information – Establish the processes required, documentation and records.

3.5 Clause 5: Leadership
1)  Provide leadership – main focus on quality and customers. Top management shall provide leadership by focusing on quality and the customer.
2)  Provide leadership by establishing an appropriate Quality Policy and implementing it.
3)  Provide leadership by defining and assigning QMS roles, responsibilities and authorities, and communicating them.

3.6 Clause 6: Planning
1)  Define actions to manage risks and address opportunities – Consider risks and opportunities while developing the QMS. Plan how to address risks and opportunities.
2)  Set quality objectives and develop plans to achieve them – Establish quality objectives for all relevant areas, develop plans to achieve the objectives and evaluate results.
3)  Plan the procedure for changes (when required) to the QMS and evaluate the impact of change.

3.7 Clause 7: Support
1)  Provide Resources - Support your QMS by providing necessary resources (internal/external, people, infrastructure, environment and monitoring & measuring resources). Necessary traceability records for monitoring and measuring (M&M) are to be provided. The organization shall determine and provide knowledge to facilitate process operation.
2)  Competence - Support your QMS by ensuring that people are competent. Determine competency requirements, evaluate and train if necessary. Keep records.
3)  Awareness - Support your QMS by explaining to people the quality policy, the quality objectives and the requirements of the QMS, and how people can help the QMS.
4)  Communication - Support your QMS by managing your communications (how to handle internal/external communication).
5)  Documented Information - Support your QMS by controlling documented information. Determine the documented information that your QMS needs. Manage the creation and revision of documented information. Control how retained documented information (records) is protected from unintended alterations.

3.8 Clause 8: Operations
1)  Operational Planning and Control - Develop, implement, and control your operational processes (internal as well as external/outsourced).
2)  Requirements for Product and Services - Determine and document product and service requirements.
3)  Design and Development - Establish a process to design and develop products and services. This will include D&D planning, determination of inputs, control of the D&D process, and ensuring that D&D outputs are adequate for subsequent processes. The organization shall review and control D&D changes and retain documented information for D&D outputs.
4)  Monitor and control external processes, products, and services (Purchase) - Confirm that external products and services meet requirements. For this, develop controls for externally provided products and services. Discuss your organization’s requirements with external providers.
5)  Production and Service - Manage and control production and service provision activities. Establish controls for production and service provision, identify your outputs and control their unique identity (traceability). Protect property owned by customers and external providers. Preserve outputs during production and service provision. Clarify and comply with all post-delivery requirements. Control changes for production and service provision.
6)  Release of Product & Services - Implement arrangements to control product through verification at appropriate stages. Release of products and services to the customer is to be done only after all planned arrangements have been appropriately met.
7)  Control nonconforming outputs and document actions taken - Identify outputs that do not conform to their requirements. Take actions so that nonconforming product does not reach the customer. If rectified, check that the rectification meets requirements. Retain documented information.

3.9 Clause 9: Performance Evaluation
1) Monitor, measure, analyze, and evaluate QMS performance – Plan how and what to monitor. Find out how well customer needs and expectations are being met. Evaluate QMS performance, effectiveness, conformity, and satisfaction.
2) Internal Audit - Use internal audits to examine conformance and performance. Audit your quality management system at planned intervals.
3) Management Review - Carry out management reviews and document your results. Management review inputs are to be decided so that the review output identifies opportunities for improvement, the resources needed and whether any change in the QMS is desirable.

3.10 Clause 10: Improvement
1) Determine improvement opportunities and make improvements – The improvements can include correction, corrective action, continual improvement, breakthrough change, innovation and reorganization.
2) Nonconformities and Corrective Actions - Control nonconformities and address causes and consequences. Document your nonconformities and the actions that are taken. Update the risks and opportunities determined during planning if necessary.
3) Continual Improvements - Enhance the suitability, adequacy, and effectiveness of your QMS.

Monday, March 6, 2017

Certification of Quality Management System (Against International Standards)



1.  QUALITY MANAGEMENT SYSTEM
A Management System (MS) is a set of policies, processes and procedures required for planning and execution of products and services in the core business area of the organization. The business activities may include manufacture (production), design and development, or providing any service to the customer. The organisation may be involved in any one or all of the above activities. The main aim of a Quality Management System (QMS) is to impact the organization's ability to meet customer requirements.
Some of the common types of management system are the Environmental Management System (EMS), the Information Security Management System (ISMS) and the Quality Management System (QMS).

2.  STANDARDS

A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

2.1   National Standards
Standards published by a national body for country-wide use are national standards. The Bureau of Indian Standards (BIS) is the national Standards Body of India, working under the aegis of the Ministry of Consumer Affairs, Food & Public Distribution, Government of India. It is established by the Bureau of Indian Standards Act, 1986, which came into effect on 23 December 1986. The organisation was formerly the Indian Standards Institution (ISI), set up under the Resolution of the then Department of Industries and Supplies No. 1 Std.(4)/45, dated 3 September 1946. BIS is responsible for issuing national standards (e.g. IS 456: 2005: Indian Standard Plain and Reinforced Concrete – Code of Practice).
Similarly, British Standards (BS) are the standards produced by the BSI Group (British Standards Institute), which is incorporated under a Royal Charter (and which is formally designated as the National Standards Body (NSB) for the UK). The American National Standards Institute (ANSI) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide.

2.2 International Standards
ISO (the International Organization for Standardization) is a network of the national standards institutes of its member countries (one member per country; present strength 157), with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization: its members are not, as is the case in the United Nations system, delegations of national governments. Nevertheless, ISO occupies a special position between the public and private sectors. This is because, on the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.
Because "International Organization for Standardization" would have different abbreviations in different languages ("IOS" in English, "OIN" in French for Organisation Internationale de Normalisation), it was decided at the outset to use a word derived from the Greek isos, meaning "equal". Therefore, whatever the country, whatever the language, the short form of the organization's name is always ISO.
Three very important management system standards are: ISO 9001:2015, “Quality Management Systems – Requirements”; ISO 14001:2015, “Environmental Management System – Requirements with Guidelines for Use”; and ISO 27001:2013, “Information Security Management System – Requirements”.

3.  QUALITY CERTIFICATION
3.1 Certification and Certification Bodies
By definition, “certification” means the action of an independent third party (auditors belonging to Certification Bodies, which may be governmental or non-governmental) that verifies that the product, process or service in question fulfils all the specified requirements of the relevant standards, technical regulations or other normative acts in force. Management system audits are performed according to ISO 19011: “Guidelines for Auditing Management Systems”.

            Certification = Confirmation that prescribed requirements are fulfilled.

Organizations that recognize the benefits of implementing management systems often seek independent verification of conformance to standards by an independent third party. The independent bodies that take up third-party certification of organizations are known as Certification Bodies (CBs). Third-party organizations that wish to undertake QMS certification must get themselves accredited by a recognized and respected body, known as an “Accreditation Body”; this ensures the impartiality and competence of the CB and fosters confidence in and acceptance of the CB's certifications by end users in the public and private sectors. The CBs for all types of management systems are required to conform to the most recent version of ISO/IEC 17021-1:2015, ‘Conformity assessment - Requirements for bodies providing audit and certification of management systems’.

3.2 Accreditation
Accreditation is the independent evaluation of certification bodies against the accreditation requirement standard ISO/IEC 17021-1: 2005, “Requirements for bodies providing audit and certification of management systems”, to ensure their impartiality, competence and consistency. The standard sets out the principles and requirements for the competence, consistency and impartiality of bodies providing audit and certification of management systems services. In many countries, accreditation is not mandatory. It should be noted that the fact that a certification body is not accredited does not, by itself, mean that it is not a reputable organization. However, many certification bodies choose to seek accreditation in order to be able to demonstrate an independent confirmation of their competence against the requirements of the standard.
By definition, “accreditation” means the procedure by which an authoritative body gives formal recognition that a conformity assessment body, in accordance with the standards and technical regulations, is competent to carry out specific tasks such as testing, calibration, certification and inspection. Accreditation is a third-party attestation of a certification body conveying formal demonstration of its competence to carry out a specific conformity assessment (QMS certification) task.

 Accreditation = Confirmation and recognition of technical competence

The difference between the two seemingly similar definitions of ‘Accreditation’ and ‘Certification’ lies in the fact that in the case of accreditation, the formal recognition of competence is based on proven technical knowledge and therefore requires the consultation of a technical expert for the scope to be accredited, while the second case of certification primarily involves ensuring conformity with a given norm, e.g. a management system or a product.
Accreditation therefore relates to specific technical tasks such as those of a testing or calibration laboratory, or of a certification or inspection body, for which specific norms set out the required degree of competence.

3.3 Accreditation Bodies
Quality Council of India (QCI) is the national accreditation body of India. It is an autonomous body jointly set up by the Ministry of Commerce, FICCI (Federation of Indian Chambers of Commerce and Industry), CII (Confederation of Indian Industries) and ASSOCHAM (Associated Chambers of Commerce and Industry of India). It was set up in 1997. The Chairman of QCI is appointed by the Prime Minister on recommendation of the industry.
QCI functions through executive boards in specific areas, i.e. accreditation. The various accreditation boards are NABCB (National Accreditation Board for Certification Bodies), NABET (National Accreditation Board for Education and Training), NABH (National Accreditation Board for Hospitals and Healthcare Providers) and NABL (National Accreditation Board for Testing and Calibration Laboratories).
The scope of accreditation of NABCB, however, does not include AQMS (Aerospace Quality Management Systems, i.e. the AS 9100 series).
ANSI-ASQ National Accreditation Board (ANAB) is a US-based non-governmental standards organization known for providing ISO accreditation services to manufacturers, laboratories and other public and privately held organizations/companies. ANAB is an underwriter for the International Accreditation Forum (IAF) and the International Laboratory Accreditation Cooperation (ILAC), providing documentation recognized by government agencies from a number of participating nations. The American National Standards Institute (ANSI) and the American Society for Quality (ASQ) jointly own ANAB.
UKAS (United Kingdom Accreditation Service) provides accreditation to ISO/IEC 17021, ISO/IEC 17065, ISO/IEC 17024, ISO 14065 and EMAS (EU Council Regulation (EC) No 1221/2009) to organisations providing certification of management systems, products, processes and services and persons.

3.4 International Accreditation Forum
The International Accreditation Forum, Inc. (IAF) is the world association of Conformity Assessment Accreditation bodies and other bodies interested in conformity assessment in the fields of management systems, products, services, personnel and other similar programs of conformity assessment. Its primary function is to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited. IAF members accredit certification or registration bodies that issue certificates attesting that an organization's management, products or personnel comply with a specified standard (called conformity assessment).
The primary purpose of IAF is two-fold.
a)    Firstly, to ensure that its accreditation body members only accredit bodies that are competent to do the work they undertake and are not subject to conflicts of interest.
b)    The second purpose of the IAF is to establish mutual recognition arrangements, known as Multilateral Recognition Arrangements (MLA), between its accreditation body members which reduce risk to business and its customers by ensuring that an accredited certificate may be relied upon anywhere in the world.
The MLA contributes to the freedom of world trade by eliminating technical barriers to trade. IAF works to find the most effective way of achieving a single system that will allow companies with an accredited conformity assessment certificate in one part of the world, to have that certificate recognized elsewhere in the world. The objective of the MLA is that it will cover all accreditation bodies in all countries in the world, thus eliminating the need for suppliers of products or services to be certified in each country where they sell their products or services. Certified once - accepted everywhere.
IAF Mandatory Document 5 (IAF MD 5, Issue 2: 2013) gives the audit duration (man days) required for QMS and EMS audits. IAF MD 11 gives an additional factor for integrated management system audits.

4.0 ISO – 19011: GUIDELINES FOR AUDITING MANAGEMENT SYSTEMS
As mentioned in section 3.1, certification audits are performed as per ISO 19011-2011. This International Standard does not state requirements, but provides guidance on the management of an audit programme, on the planning and conducting of an audit of the management system, as well as on the competence and evaluation of an auditor and an audit team. The guidance in this International Standard can also be used for the purpose of self-declaration, and can be useful to organizations involved in auditor training or personnel certification. The guidance is applicable to both combined audits (i.e. when two or more management systems are audited together) and joint audits (when two or more auditing organizations cooperate to audit a single auditee).

4.1 Principles of Auditing (§ 4 ISO 19011)
The “Principles of auditing” are defined in paragraph 4 of ISO 19011, and are based on:
a)    Integrity: the foundation of professionalism
b)    Fair presentation: the obligation to report truthfully and accurately
c)    Due professional care: the application of diligence and judgement in auditing
d)    Confidentiality: security of information
e)    Independence: the basis for the impartiality of the audit and objectivity of audit conclusions
f)    Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.

4.2 Managing Audit Programme (§ 5 ISO 19011)
The top management should ensure that the audit programme objectives are established and assign one or more competent persons to manage the audit programme. The extent of an audit programme should be based on the size and nature of the organization being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited. Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control. (This concept is commonly known as risk-based auditing).
The audit programme should include information and resources necessary to organize and conduct its audits effectively and efficiently within the specified time frames and can also include the following:
— objectives for the audit programme and individual audits;
— extent/number/types/duration/locations/schedule of the audits;
— audit programme procedures;
— audit criteria;
— audit methods;
— selection of audit teams;
— necessary resources, including travel and accommodation;
— processes for handling confidentiality, information security, health and safety, and other similar matters.
The implementation of the audit programme should be monitored and measured to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify possible improvements. Figure 1 illustrates the process flow for the management of an audit programme.

Figure 1 — Process flow for the management of an audit programme

4.3 Performing an audit (§ 6 ISO 19011)
ISO 19011 gives guidance on preparing and conducting audit activities as part of an audit programme. Figure 2 provides an overview of typical audit activities. The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit.
Figure 2 — Typical audit activities

4.4 Competence and Evaluation of Auditors (§ 7 ISO 19011)
Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in planning and conducting audits, including auditors and audit team leaders. Competence should be evaluated through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience.
This process should take into consideration the needs of the audit programme and its objectives. It is not necessary for each auditor in the audit team to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives. The evaluation of auditor competence should be planned, implemented and documented in accordance with the audit programme.

4.5 ISO 19011-2011: Appendices
a) Appendix A: Guidance and Illustrative Examples of Discipline-Specific Knowledge and Skills of Auditors.
b) Appendix B: Additional Guidance for Auditors for Planning and Conducting Audits.


5.  ISO/IEC 17021 – 1: 2015, “CONFORMITY ASSESSMENT – REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION OF MANAGEMENT SYSTEM”, PART-1: REQUIREMENT
ISO/IEC 17021 contains principles and specifies requirements for the competence, consistency and impartiality of the audit and certification of management systems (EMS, ISMS and QMS) and for the bodies providing these activities, i.e. the certification bodies (certification of a management system is sometimes also called "registration" and certification bodies are sometimes called "registrars"). The document uses the following verbal forms: "shall" indicates a requirement, "should" indicates a recommendation, "may" indicates a permission and "can" denotes a possibility or capability.
The audit activities normally include:
a)    Conducting opening meeting,
b)    Performing document review while conducting the audit
c)    Communicating during the audit
d)    Assigning roles and responsibilities of guides and observers
e)    Generating audit findings
f)     Preparing audit conclusion and
g)    Conducting closing meeting.
5.1 Audit Principles (§ 4 ISO/IEC17026-1: 2015)
The overall aim of certification is to give confidence to all parties that a management system fulfils specified requirements. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment, and is based on the following principles:
a)    Impartiality - certification is based on objective evidence of conformity (or nonconformity) and is not influenced by other interests or by other parties.
b)    Competence - Competence of the personnel & CB. Competence is the demonstrated ability to apply knowledge and skills.
c)    Confidentiality – It is essential for the CB not to disclose any confidential information of the client.
d)    Responsibility – CB is responsible for assessing sufficient objective evidence upon which to base a certification decision.
e)    Openness - A CB needs to provide public access to, or disclosure of, appropriate and timely information about its audit, certification process, and status.
f)     Responsiveness to complaints - Confidence in certification activities is safeguarded when complaints are processed appropriately.
g)    Risk based Approach – CB needs to take into account the risk associated with providing competent, consistent and impartial certification.

5.2 General Requirement of Audit (§ 5 ISO/IEC17026-1: 2015)
a)    Legal and Contractual Requirement – CB shall be a legal entity and held responsible for certification decisions. CB shall have a legally enforceable agreement with the client.
b)    Management impartiality – Top management shall be held responsible for impartiality. A CB shall not certify another CB.
c)    Liability and Financing – CB shall ensure that financial liability does not impair impartiality.

5.3 Structural Requirements (§ 6 ISO/IEC17026-1: 2015)
a)    Organizational Structure and Top Management – Organization structure, duties, authorities and responsibilities of management and other personnel shall be documented so as to safeguard impartiality. 
b)    Operational Control – the CB shall have a process for effective control of certification activities.

5.4 Resource Requirements (§ 7 ISO/IEC17026-1: 2015)
a)    Competency of Personnel – CB shall have process to determine competency and shall ensure that personnel have appropriate competency. CB shall have a documented procedure for initial competency evaluation, ongoing monitoring of competence and performance of all personnel. (App A to this ISO gives the details of the required knowledge and skills).
b)    Personnel Involved in the Certification Activities – The CB shall have sufficient competent personnel for managing and supporting certification activities. 
c)    Use of individual external auditors and external technical experts – If services of external auditors and external technical experts are used, there shall be a written agreement with them to comply with applicable policies and procedures as defined by the certification body.
d)    Personal Records – Up to date personal records of all personnel including management and administrative personnel shall be maintained.
e)    Outsourcing – Outsourcing procedure shall be defined. The CB shall have a legally enforceable agreement, however shall be responsible for all activities of the outsourced agency. Outsourcing and subcontracting are synonymous.

5.5 Information Requirements (§ 8 ISO/IEC17026-1: 2015)
1. Public Information – The CB shall maintain information (through publication/electronic media) about the geographical area of its operation and the scope of its audit and certification activities.
2. Certification Documents – The CB shall provide a certification document to the certified client. Each certificate shall have a unique identification and clearly specify the scope and the effective dates of granting as well as expiry.
3. Reference to Certification and use of Marks - A certification body shall have a policy governing any mark that it authorizes certified clients to use.
4. Confidentiality - The CB shall, through legally enforceable agreements, have a policy and arrangements to safeguard the confidentiality of the information obtained or created during the performance of certification activities.
5. Information Exchange between a certification – The information shall include certification activity requirement, continuing certification activity and notice of changes.

5.6 Process Requirements (§ 9 ISO/IEC17026-1: 2015)  
a)    Pre Certification activities – These shall include application, application review, audit program (full certification cycle for three years: two stage initial audit, surveillance audits and recertification), audit time (depending on single or multiple sites), multiple management system audits etc. ISO/IEC TS 17023 gives guidelines for determining management system audit. For a surveillance audit one third, and for recertification two thirds, of the audit time is normally allotted.
b)    Planning Audit – The audit objectives, scope and criteria shall be determined, the CB shall have a process for selecting the audit team, observer, technical experts and guides. The audit plan prepared shall be appropriate to the objectives and it shall be communicated to the audit team members.
c)    Initial Certification – Initial certification shall be conducted in two stages. The objective of the stage 1 audit is to review the client's management system documented information. The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client's management system. Stage 2 shall take place at the site of the client.
d)    Conducting Audits – The CB shall have a process for conducting on site audit. The process shall include an opening meeting at the start and a closing meeting at the conclusion of the audit. The CB shall provide a written audit report for each audit to the client.
e)    Certification Decision – The CB shall ensure that the persons or the committee that make decisions on certification (granting or refusing), (expanding or reducing the scope), (suspending/withdrawing or restoring/renewing) are different from those who carried out the audit.
f)     Maintaining Certification – The CB shall maintain certification based on demonstration, surveillance audit, recertification audit etc.
g)    Special Audit – CB shall undertake special audit to expand the scope, follow up audit at short notice or unannounced audits in order to investigate complaints. The CB shall have a policy and documented procedure for suspension, withdrawal or reduction of the scope of certification, and shall specify subsequent actions by the CB.
h)    Appeals – The CB shall have a documented process to receive, evaluate and make decisions on appeals.
i)     Complaints – The CB shall be responsible for all decisions at all levels of the complaints handling process.
j)      Client Record – The CB shall maintain records on the audit and other certification activities for all clients including all organisations that submitted applications, and all organisations audited, certified or with certification suspended or withdrawn.

5.7 Management System Requirements for CBs (§ 10 ISO/IEC17026-1: 2015)
The certification body shall establish and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard. In addition to meeting the requirements of Clauses 5 to 9, the certification body shall implement a management system in accordance with either
a)    General management system requirements (see below) or,
b)    Management system requirements in accordance with ISO 9001 

5.7.1     General Management System Requirement
a)    The certification body shall establish, document, implement and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard. The certification body's top management shall establish and document policies and objectives for its activities. The top management shall provide evidence of its commitment to the development and implementation of the management system in accordance with the requirements of this International Standard. The top management shall ensure that the policies are understood, implemented and maintained at all levels of the certification body's organization.
The certification body's top management shall assign responsibility for:
i) Ensuring that processes and procedures needed for the management system are established, implemented and maintained, and
ii) Reporting to top management on the performance of the management system and any need for improvement.

b) Management system manual - All applicable requirements of this International Standard shall be addressed in a manual or associated document which should be accessible to all relevant personnel.
c) Control of Documents – CB shall establish a procedure for control of documents.
d) Control of Record – The CB shall establish procedures to define the control needed for the identification, storage, protection, retrieval, retention time and disposition of records related to the fulfillment of this International Standard.
e) Management Review – The CB shall establish a procedure to review its management system at planned intervals. The review inputs and review outputs (defined in the standard) are related to management function.
f) Internal Audit – The CB shall establish a procedure for carrying out internal audits to verify that it fulfils the requirements of this standard.
g) Corrective Actions – The CB shall establish a procedure for identification and management of nonconformities in its operation.

5.7.2 Option 2: Management system requirements in accordance with ISO 9001
The certification body shall establish and maintain a management system, in accordance with the requirements of ISO 9001, that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard.
a)    Scope – for application of the requirements of ISO 9001, the scope of the management system shall include the design and development requirements for its certification services.
b)    Customer focus - For application of the requirements of ISO 9001, when developing its management system, the CB shall consider the credibility of certification and shall address the needs of all parties that rely upon its audit and certification services, not just its clients.
c)    Management review - For application of the requirements of ISO 9001, the CB shall include as input for management review, information on relevant appeals and complaints from users of certification activities and review of impartiality.

5.8 Appendices of ISO/IEC17026-1: 2015
a)    Appendix A: Required Knowledge and Skill
b)    Appendix B (Informative): Possible Evaluation Method
c)    Appendix C (Informative): Example of a Process flow for determining and maintaining Competence.
d)    Appendix D (Informative): Desired personal behaviour


--------------- x-x --------------