To Be Filled in During Pre-Assessment (Onsite Visit) by PNAC Assessor

/ Documents Review & Pre-assessment report
for Certification Bodies
(ISO/IEC 17021) / F-02/29
Issue Date:19/08/16
Rev No: 00
Instructions on filling this document
The lab personnel should fill it completely and send it to PNAC while submitting the application form and quality system and give cross references to its clauses in the quality manual/ procedures/ forms etc. Please note that only giving reference to a particular procedure may not be sufficient in most of the cases.
PNAC’s Assessors Verification & remarks column will be filled in by the concerned officer in PNAC
Name of the Certification Body (CB): / Name of PNAC’s assessor
Address
CLAUSE No. of ISO 17021-1: 2015
Requirements / CB’s Reference to its QSD / PNAC’s Assessor verification & remarks
5 Generalrequirements
5.1 Legaland contractualmatters
5.1.1 Legalresponsibility
Isthecertificationbodyalegalentity, ora defined partofa legalentity,that canbeheld legally responsibleforallitscertificationactivities? (A governmentalcertificationbodyisdeemedtobea legalentityonthebasisof itsgovernmental
status)
5.1.2 Certificationagreement
Doesthecertification bodyhavealegally enforceable agreementwitheachclientforthe provisionofcertificationactivities inaccordance withtherelevantrequirements ofthispartof ISO/IEC 17021-1?
Wheretherearemultipleofficesofa certification bodyormultiplesitesofa client,does thecertificationbodyensurethatthereisalegally enforceableagreementbetweenthecertification bodygrantingcertification,andtheclientthat coversallthesiteswithinthescopeof the
certification?Does theCB applyIAF MD1:2007
MD19:2016requirementsappropriately?
5.1.3 Responsibilityforcertificationdecisions
Isthecertificationbodyresponsiblefor,anddoes itretainauthorityfor,itsdecisionsrelatingto certification,includingthegranting,refusing, maintainingofcertification,expandingor reducing thescopeof certification,renewing, suspendingorrestoringfollowingsuspension,or
withdrawingof certification?
5.2 Managementof impartiality
5.2.1 Isthecertificationbodyresponsibleforthe impartialityofitsconformityassessment
activities?Doesthe certificationbodyallow commercial,financialorotherpressuresto compromiseimpartialityorensurethat conformity assessmentactivitiesareundertakenimpartially?
5.2.2 Doesthecertification bodyhaveapolicy demonstrating thatitunderstandstheimportance ofimpartiality incarryingoutitsmanagement system certification activitiesandmanaging conflictsofinterestthusensuringtheobjectivity of itsmanagementsystemcertificationactivities?
5.2.3 Doesthecertificationbodyhaveaprocesstoidentify,analyse,evaluate,treat, monitor anddocument therisksrelatedtoconflictof interests arisingfromtheprovision ofcertification including anyconflicts arisingfromitsrelationships onan ongoingbasis?
Intheeventwhereanythreatstoimpartiality are identified, doesthecertification bodydocument anddemonstrate howiteliminatessuchthreats and documentanyresidualrisk
Does thedemonstrationcoverallpotentialthreats thatareidentified,whethertheyarisefromwithinthecertificationbodyorfromtheactivitiesof other persons,bodiesororganisations?
Does the top management of the certification bodyreviewtheresidualrisktodetermineiftheriskiswithinthelevelofacceptablerisk?
Does theriskassessmentprocessincludethe identificationof andconsultationwithappropriateinterestedpartiestoadviseonmattersaffecting
impartialityincludingopennessand public perception?
Istheconsultationcomprisedof appropriate interestedparties whichare balancedwithnosingleinterestpredominating?
5.2.4 Is there anyevidenceof the certificationbody certifyinganothercertificationbodyforitsqualitymanagementsystem?
5.2.5 Does the certificationbody or any part of the same legal entity and any entity under theorganizationalcontrolofthecertificationbody
(9.5.1.2b)offerorprovidemanagement system consultancy? Thisalsoappliestothatpartof governmentidentifiedas the certificationbody?
5.2.6 Doesthecertificationbodyoranypartofthe
same legal entityand any entityunder the organisationalcontrolof thecertificationbody (9.5.1.2b)offerorprovide internalauditstoits certifiedclients?The carryingout of internal auditsbythecertificationbodyandanypart ofthesamelegalentitytoitscertifiedclients isasignificant threat toimpartially.Doesthe certificationbodycertifyamanagementsystem onwhichthecertification bodycompleted the internalauditslessthantwo yearsago?
5.2.7 Hasthecertificationbody certifiedamanagement systemwherethereisarelationshipbetweentheconsultancy organization engaged by the
managementsystemandthecertificationbody? Inthiscase,doesthecertificationbodycertifyamanagement system less than two years followingtheend of theconsultancy?
5.2.8 Doesthecertificationbodyoutsourceauditstoa managementsystemconsultancyorganization?
This clause does not apply to individualscontractedas auditorscoveredin7.3
5.2.9 Isthecertificationbody'sactivitiesmarketedor offeredasbeinglinkedwiththeactivitiesofanorganizationthatprovidesmanagementsystem consultancy?
Doesthecertification bodytakeactiontocorrect inappropriate links or statements by anyconsultancy organizationstatingorimplyingthat certificationwouldbe simpler,easier,faster or less expensive if the certification body were used?
Does the certification body state or imply that certification would be simpler, easier, faster orless expensive if a specified consultancy
organizationwereused?
5.2.10 Doesthecertificationbodyensure personnelwho haveprovidedmanagement systemconsultancy, includingthoseactinginamanagerialcapacity, donottakepartinanauditorothercertificationactivitiesiftheyhavebeeninvolved in management systemconsultancy towardsthe client in order to ensure that there is no conflictof interest?
Arecognised mitigationofthisthreatisthat personnel shallnotbeusedforaminimum oftwo yearsfollowingtheendoftheconsultancy.
5.2.11 Doesthecertificationbody takeactiontorespond toanythreatstoitsimpartiality arisingfromthe actionsof otherpersons,bodiesororganizations?
5.2.12 Howdoesthecertificationbodyensurethatall personnel, eitherinternal orexternal,or committees, whocouldinfluencethecertification activities, act impartially and not allow commercial, financialorotherpressuresto compromiseimpartiality?
5.2.13 Does the certification body require personnel, bothinternal andexternal,torevealany situation known tothemthatcanpresent themorthe certificationbodywitha conflictof interests?
Doesthecertificationbodyrecordandusethisinformation asinputtoidentifyingthreatsto impartiality raisedbytheactivitiesofsuch personnelorbytheorganizations thatemploy them?
Doesthecertificationbodyusesuchpersonnel, either internal or external, that cannotdemonstratethatthereisnoconflictof interests?
5.3 Liabilityand financing
5.3.1 Canthecertification bodydemonstrate thatithas evaluated therisksarisingfromitscertification activities?
Doesthecertification bodyhaveadequate arrangements (e.g. insurance or reserves) tocoverliabilitiesarisingfromitsoperations ineach ofitsfieldsofactivitiesandthegeographic areas in whichit operates?
5.3.2 Doesthecertificationbodyevaluateitsfinances andsourcesofincome anddemonstrate that initially,andonan ongoingbasis,commercial, financialorotherpressuresdonot compromiseits impartiality
6 Structuralrequirements
6.1 Organisationalstructureand top management
6.1.1 Hasthecertificationbodydocumentedits organizationalstructure,duties,responsibilities and authoritiesof managementandother personnelinvolvedincertificationand any committees?
When thecertificationbodyisa definedpartof a legalentity,does thestructureincludethelineof authorityandtherelationshipto otherpartswithin
the samelegalentity?
6.1.2 Are the certification activities structured and managedsoas to safeguardimpartiality?
6.1.3 Hasthecertificationbodyidentifiedthetop management (board, group of persons, or
person)having overall authorityandresponsibility foreachof thefollowing:
a) developmentofpoliciesandestablishment
of processesandproceduresrelating to itsoperations;
b) supervision of the implementation of the policies,processesandprocedures
c) ensuringimpartiality;
d) supervisionof thefinancesof thebody;
e) development of management system certificationservicesandschemes
f) performanceofauditsandcertification,and responsivenesstocomplaints;
g) decisionsoncertification;
h) delegation of authority to committees or individuals, asrequired,toundertake defined
activitiesonitsbehalf;
i) contractualarrangements;
j) Provision of adequate resources for certificationactivities
6.1.4 Doesthecertificationbodyhaveformalrulesfor the appointment,terms of reference and operation ofcommittees involved inthe certificationactivities?
6.2 Committeeforsafeguardingimpartiality
6.2.1 Doesthecertificationbodyhaveaprocessfor effectivecontrolofcertificationactivitiesdeliveredby branch offices, partnerships, agents,franchisees,etc.,irrespectiveoftheirlegalstatus, relationshiporgeographicallocation?
Doesthecertificationbodyconsidertheriskthat thecertificationactivitiesposetothecompetence,consistency and impartiality of the certification body?
6.2.2 Does the certification body consider the appropriate level and method of control ofactivities undertaken including its processes,
technicalareasofcertification bodies’operations, competenceofpersonnel,linesofmanagementcontrol, reporting and remote access to operations including records?
7 Resourcerequirements
7.1 Competenceofmanagementand personnel
7.1.1 Does the certificationbodyhaveprocessesto ensurethatpersonnelhaveappropriate knowledgeandskillsrelevantto thetypesof managementsystems(e.g.environmental managementsystems,qualitymanagement systems,informationsecuritymanagement systems)and geographicareasin whichit operates?
7.1.2 Doesthecertificationbodyhaveaprocessfor determiningthecompetencecriteriafor personnel involvedinthemanagement andperformanceof auditsand othercertificationactivities?
Hasthecertification body determined the competencecriteriafor each type ofmanagementsystemstandardorspecification, foreach technical area,andforeachfunctioninthe certificationprocess?
Istheoutput oftheprocess ‘thedocumented criteria of required knowledge and skills necessary toeffectivelyperformauditand certificationtasks to be fulfilledto achievetheintendedresults?
Doesthecertificationbodyapplytheknowledge andskillsforspecificfunctionsdefinedinAnnexA?
Does the certificationbodyapplyanyadditional specificcompetencecriteriawheretheyhave beenestablishedforaspecificstandardor certificationscheme?Forexample:
- ISO/IEC TS 17021-2(EMS),
- ISO/IEC TS 17021-3(QMS),
- ISO/TS 22003(FSMS)
7.1.3 Evaluationprocesses
Doesthecertification bodyhavedocumented processesfortheinitialcompetence evaluation, andon-goingmonitoring ofcompetence and performance ofallpersonnelinvolvedinthe management and performance of audits and othercertification activities, applying the determinedcompetencecriteria?
Isthecertificationbodyabletodemonstratethat its evaluationmethodsareeffective?
Is the output from these processes being to identify personnel who have demonstratedthe
level of competence required for the different functionsoftheaudit andcertificationprocess?
Iscompetence demonstrated bytheindividual priortotakinguptheresponsibility forthe performance oftheiractivitieswithinthe certificationbody?
7.1.4 Otherconsiderations
Doesthecertification bodyhaveaccesstothe necessary technicalexpertiseforadviceon matters directly relating to certification for technical areas, types of management system andgeographic areasinwhichthecertification bodyoperates?
7.2 Personnelinvolvedinthecertification
activities
7.2.1 Doesthecertification bodyhavesufficient, competent personnel for managing and supporting the type and range of audit
programmes and other certification work performed?
7.2.2 Does the certification body employ, or have access to, a sufficient number of auditors,
including audit team leaders, and technical
expertstocoverallofitsactivitiesandtohandle the volumeof auditwork performed?
7.2.3 Doesthecertificationbodymakecleartoeach person concerned their duties, responsibilities
and authorities?
7.2.4 Doesthecertificationbodyhaveprocessesfor selecting, training, formally authorizing auditors
and for selecting and familiarizing technical
expertsusedinthecertificationactivity?
Doestheinitialcompetence evaluationofan auditorincludetheability toapplyrequired knowledgeandskillsduringaudits,asdetermined
byacompetent evaluator observingtheauditor conductinganaudit?
7.2.5 Does the certificationbody have a process to achieve and demonstrate effective auditing,
including the use of auditors and audit team
leaders possessing generic auditing skills and knowledge, as well as skills and knowledge
appropriate for auditing in specific technical areas?
7.2.6 Doesthecertificationbodyensurethatauditors (and,whereneeded,technicalexperts) are knowledgeableofitsauditprocesses,certification requirementsandotherrelevantrequirements?
Does the certification body give auditors and technicalexpert’saccesstoanup-to-datesetof
documentedproceduresgivingauditinstructions
andall relevantinformationon thecertification activities?
7.2.7 Doesthecertificationbodyidentifytrainingneeds andofferorprovideaccesstospecifictrainingto
ensureitsauditors,technical expertsandother personnelinvolved in certificationactivities are competentforthefunctionstheyperform?
7.2.8 Does the group or individual that takes the decision ongranting,refusing,maintaining, renewing, suspending,restoring,or withdrawingcertification,oronexpandingor
reducingthescopeofcertification shall understand theapplicable standardand certification requirements, and have demonstrated competence to evaluate the
outcomes of the audit processes including
relatedrecommendationsof theaudit team?
7.2.9 Doesthecertificationbodyensurethe satisfactory performanceofallpersonnelinvolvedintheaudit
andothercertificationactivities?
Isthereadocumentedprocessformonitoring
competence and performance of all persons
involved,basedonthefrequencyoftheirusage andthelevelof risklinkedto their activities?
Does thecertificationbody reviewandrecord the
competenceofitspersonnelinthelightoftheir performancein ordertoidentifytrainingneeds?
7.2.10 Doesthecertificationbodymonitoreachauditor considering eachtypeofmanagement systemto whichtheauditorisdeemedcompetent?
Is there a documented monitoring process for auditors?
Does the monitoring process include a combinationofon-siteobservation,reviewofaudit reportsandfeedback fromclients orfromthe market?
Isthemonitoring designed insuchawayasto minimize disturbancetothenormalprocessesof certification,especiallyfromtheclient'sviewpoint?
7.2.11 Doesthecertificationbodyperiodicallyevaluate
theperformanceofeachauditoron-site?
Isthefrequencyofon-siteobservationsbasedon the need determined from all monitoring
informationavailable?
7.3 Useofindividualexternalauditorsandexternal technicalexperts
Does the certification body require external auditorsandexternaltechnicalexpertstohavea
written agreement by which they commit
themselvestocomplywith applicablepoliciesand implement processes as defined by the
certificationbody?
Doestheagreementaddressaspectsrelatingto confidentialityandimpartiality?
Doestheagreement requiretheexternalauditors andexternaltechnical expertstonotifythe certification bodyofany existingorprior relationshipwithanyorganization theymaybe assignedtoaudit?
7.4 Personnelrecords
Does thecertificationbodymaintainup-to-date personnelrecords, including relevant qualifications, training, experience, affiliations,
professionalstatusandcompetence?
Doesthisincludemanagementand administrative personnel in addition to those performing
certificationactivities?
7.5 Outsourcing
7.5.1 Does the certification body have a process in which it describes the conditions under which
outsourcing(whichissubcontractingtoanother
organizationto provide part of the certification activitiesonbehalfofthecertificationbody)may
takeplace?
Does the certification body have a legally enforceable agreement covering the
arrangements, including confidentiality and
conflictofinterests,witheachbodythatprovides outsourcedservices?
7.5.2 Howdoesthecertificationbodyensurethatthe decisionsforgranting,refusing,maintaining of certification,expandingorreducingthescopeof
certification,renewing,suspendingorrestoringor withdrawingof certificationarenotoutsourced?
7.5.3 Does theCB:
a) Takeresponsibilityforallactivitiesoutsourcedto anotherbody?
b) Ensurethatthebodythatprovides outsourced services, andtheindividualsthatituses,conform torequirements ofthecertification bodyandalso to theapplicableprovisionsofthis partof ISO/IEC
17021, including competence, impartiality and confidentiality?
c) Ensurethatthebodythatprovidesoutsourced services,andtheindividualsthatituses,isnot
involved, eitherdirectly orthroughanyother employer,withanorganization tobeaudited,in suchawaythatimpartiality couldbe compromised?
7.5.4 Does thecertificationbodyhave aprocessforthe approvalandmonitoringofallbodiesthatprovide outsourced services used for certification
activities?
Doesthecertificationbodyensurethatrecordsof the competence of all personnel involved in
certificationactivitiesaremaintained?
8 Informationrequirements
8.1 Publiclyinformation
8.1.1 Does the certification body maintain (through
publications, electronic media or other means), andmakepublic,withoutrequest, inall thegeographical areasinwhichitoperates, informationabout?
a) auditprocesses;
b) processes forgranting,refusing, maintaining, renewing, suspending, restoringorwithdrawing certification, orexpandingorreducingthe scopeof certification;
c) typesofmanagementsystemsandcertification
schemesinwhich itoperates;
d) the use of the certification body’s name and certificationmarkorlogo;
e) processesforhandlingrequestsfor information, complaintsandappeals;
f) Policyonimpartiality
8.1.2 Doesthecertificationbodyuponrequestprovide informationabout?
a) geographicalareasin whichitoperates;
b) the statusofa givencertification;
c) thename,relatednormativedocument, scope andgeographical location(cityandcountry)fora specificcertifiedclient.
8.1.3 Doesthecertification bodyprovideinformation to anyclientortoanymarketplace, including advertising, which is accurate and not
misleading?
8.2 Certificationdocuments
8.2.1 Howdoesthecertificationbodyprovidebyany
meansitchoosescertificationdocumentstothe certifiedclient?
8.2.2 Do the certification document(s) identify the following?
a) the name and geographic location of each
certified client whose management system is
certified(orthegeographic locationofthe headquarters andanysiteswithinthescopeofa multi-sitecertification);
b) the effective dates of granting, expanding or reducing the scope of certification or renewing
certificationwhichshallnotbebeforethedateof therelevantcertificationdecision?
c) the expiry date or recertification due date consistentwith therecertificationcycle?
d) a uniqueidentificationcode;
e) Themanagementsystemstandardand/orother
normative document, including indication of issue status (e.g. revision date or number) usedforauditof thecertifiedclient;
f) Themanagementsystemstandardand/orother
normative document, including indication of issue status (e.g. revision date or number)
usedforauditof thecertifiedclient;
g) thename,addressandcertificationmarkofthe certificationbody;othermarks(e.g.accreditation
symbolclient’slogo)maybeusedprovidedthey
arenotmisleadingorambiguous;
h) any other informationrequired by the standard and/orothernormativedocument usedfor certification;
i) in theeventofissuinganyrevisedcertification documents,a meansto distinguishthe revised documentsfromanypriorobsoletedocuments
8.3 Directoryof certifiedcustomers
8.3.1 Doesthecertificationbodyhaverulesgoverning
any management system certification mark
thatit authorizescertifiedclientstouse?
Dotheserulesensure,amongotherthings, traceabilitybackto the certificationbody?
Dotheserulesensure,amongotherthings, traceabilitybackto the certificationbody?
Isthereanyambiguity,inthemarkor accompanyingtext,as to whathasbeencertified andwhichcertificationbodyhasgrantedthe certification?
Isthe mark usedona productorproduct
packagingorinanyother waythat maybe
interpretedasdenotingproductconformity?
8.3.2 Doesthecertificationbodypermititsmarkstobe applied by certified clients to laboratory test,
calibrationorinspectionreportsorcertifications?
8.3.3 Doesthecertificationbodyhaverulesgoverning theuse ofanystatementonproductpackagingor
in accompanying information that the certified clienthasa certifiedmanagementsystem?
Productpackagingisconsideredasthatwhich can beremovedwithouttheproductdisintegrating
orbeingdamaged.Accompanying informationis considered asseparatelyavailableoreasily detachable. Type labels or identification plates areconsideredas partoftheproduct
Does the statement imply that the product, processor serviceiscertifiedbythismeans?
Does the statementincludereferenceto:
-identification (e.g. brand or name) of the certifiedclient;
-thetypeofmanagementsystem(e.g. quality, environment) andtheapplicable standard; and
- the certificationbodyissuingthe certificate.
8.3.4 Does the certification body require that the
certifiedclient?
a) conformstotherequirementsofthecertification bodywhenmakingreferencetoitscertification
statusincommunication mediasuchasthe internet,brochures oradvertising, orother documents;
b) does not make or permit any misleading statementregardingitscertification;
c) doesnotuseorpermittheuseofacertification document oranypartthereofinamisleading manner;
d) uponwithdrawalofitscertification,discontinues itsuseofalladvertisingmatterthatcontainsa
reference to certification, as directed by the certificationbody(see9.6.5);
e) amendsalladvertisingmatterwhenthescopeof certificationhasbeenreduced;
f) does not allow reference to its management systemcertificationtobeusedinsuchawayas
to imply that the certification body certifies a
product(includingservice)orprocess;
g) does not imply that the certificationapplies to activities that are outside the scope of certification;and
h) doesnotuseitscertificationinsuchamanner thatwouldbringthecertification bodyand/or certificationsystemintodisreputeandlosepublic
trust.
8.3.5 Does the certification body exercise proper controlofownershipandtakeactiontodealwith
incorrect references to certification status or
misleadinguseofcertificationdocuments,marks orauditreports?
8.4 Confidentiality
8.4.1 Does the certification body be responsible, throughlegallyenforceableagreements,forthe
management of all information obtained or
createdduringtheperformance ofcertification activitiesatall levelsofitsstructure,including committees andexternalbodiesorindividuals actingonits behalf?
8.4.2 Doesthecertificationbodyinformtheclient,in advance,oftheinformationitintendstoplacein
thepublicdomain?
Is allotherinformation,exceptforinformationthat ismadepubliclyaccessiblebytheclient,
consideredconfidential?
8.4.3 Isinformation aboutaparticularcertifiedclientor
individual disclosed toathirdpartywithoutthe written consent ofthecertifiedclientorindividual concerned?
8.4.4 Wherethecertificationbodyisrequiredbylawor authorizedbycontractualarrangement(such as withtheaccreditationbody)to release confidentialinformationtoa thirdparty,isthe clientorindividualconcerned,unlessprohibited bylaw,notifiedoftheinformationprovided?
8.4.5 Is informationabouttheclientfrom sourcesother than theclient(e.g.complainant,regulators)
treatedasconfidential?
Is this treatment consistent with the certification body's policy?
8.4.6 Dopersonnel,includinganycommitteemembers, contractors,personnelofexternalbodiesor individualsactingonthecertificationbody's
behalf,keepallinformationobtainedorcreated duringtheperformanceof thecertificationbody's activitiesconfidentialexceptasrequiredby law?
8.4.7 Doesthecertificationbodyhaveprocessesand
whereapplicableequipmentandfacilitiesthat
ensure the secure handling of confidential information?
8.5 Informationexchangebetweena CBand itsclient
8.5.1 Information on the certification activityand
Requirements
Doesthecertificationbodyprovideinformation
and updateclientsonthefollowing:
a) adetaileddescriptionoftheinitialandcontinuing certification activity, including the application,
initialaudits,surveillance audits,andtheprocess forgranting, refusing,maintainingofcertification,
expanding, or reducing the scope of
certification, renewing,suspendingor restoring,orwithdrawing ofcertificationand recertification;
b) thenormativerequirementsforcertification;
c) informationaboutthefeesforapplication,initial certificationandcontinuingcertification;
d) the certification body's requirements for prospectiveclients:
1) to complywithcertificationrequirements;
2) tomakeallnecessary arrangements forthe conduct oftheaudits,including provision for examiningdocumentation andtheaccessto allprocesses andareas,recordsand personnel forthepurposes ofinitial certification,surveillance, recertification and resolutionofcomplaints;and
3) tomakeprovisions, where applicable, to accommodate the presence of observers (e.g. accreditation auditors or trainee
auditors);
e) documents describing the rights and duties of certified clients, including requirements, when
making reference to its certification in
communication of any kind in line with the requirementsin 8.3;
f) information on procedures for handling complaintsandappeals.
8.5.2 Noticeofchangesbya certificationbody?
Doesthecertificationbodygive its certified clients duenoticeofanychanges toitsrequirements for certification?
Does the certification body verify that each certified client complies with the new
requirements?
8.5.3 Noticeofchangesbya certifiedclient
Doesthecertification bodyhavelegally enforceablearrangements toensurethatthe certified client informsthecertification body, without delay,ofmatters thatmayaffectthe capabilityofthemanagement systemtocontinue tofulfiltherequirements ofthestandardusedfor certification? Dotheseinclude,forexample, changesrelatingto:
a) the legal, commercial, organizational status or ownership;
b) organization and management (e.g. key managerial,decision-makingortechnicalstaff);
c) contactaddressandsites;
d) scope of operations under the certified managementsystem;and
e) majorchangestothemanagementsystemand processes
9 Processrequirements
NB.Clauses9.1.1to 9.6.4arecoveredin checklists,F146&F154
9.6.5 Suspending,withdrawingorreducingscope
of certification
9.6.5.1 Does the certification body have a policy and documented procedure(s) for suspension,
withdrawal or reduction of the scope of certification?
Does the certification body specify the subsequentactionsbythecertificationbody?
9.6.5.2 Doesthecertificationbodysuspendcertification in cases when,forexample:
-the client'scertifiedmanagementsystemhas persistentlyorseriouslyfailedto meet certificationrequirements,including
requirementsfortheeffectivenessof the managementsystem,
-the certifiedclientdoes notallowsurveillance orrecertificationauditsto be conductedat
therequiredfrequencies,or
-the certifiedclienthas voluntarilyrequesteda suspension.
9.6.5.3 Undersuspension,istheclient’smanagement systemcertificationtemporaryinvalid?
9.6.5.4 Does thecertificationbodyrestorethesuspended certificationiftheissuethathasresultedinthe
suspensionhasbeenresolved?
Doesfailuretoresolve theissuesthathave resultedinthesuspensioninatimeestablished bythecertificationbodyresultinwithdrawalor
reductionof thescopeof certification?
9.6.5.5 Does the certification body reduce the client's scope of certification to exclude the parts not
meetingtherequirements,whentheclienthas
persistently or seriously failed to meet the certificationrequirementsforthosepartsofthe
scopeofcertification?
Is any such reduction in line with the requirements of the standard used for
certification?
9.7 Appeals
9.7.1 Doesthecertificationbodyhaveadocumented processtoreceive,evaluateandmakedecisions
onappeals?
9.7.2 Is the certification body responsible for all decisions at all levels of the appeals-handling
process?
Doesthecertification body ensurethatthe personsengagedin theappeals-handlingprocess aredifferentfromthose whocarriedouttheaudits andmadethecertificationdecisions?
9.7.3 Does thecertificationbodyensuresubmission, investigation and decision on appeals do not resultinanydiscriminatoryactionsagainstthe
appellant?
9.7.4 Does the appeals-handling process include at leastthefollowingelementsandmethods:
a) anoutlineoftheprocessforreceiving,validating, investigatingtheappeal,andfordecidingwhat
actionsaretobetakeninresponsetoit,taking intoaccounttheresultsofprevious similar appeals;
b) trackingandrecordingappeals,includingactions undertakento resolvethem;
c) ensuring that any appropriate correction and correctiveactionistaken
9.7.5 Doesthecertificationbodyreceivingtheappeal responsible forgathering andverifyingall necessaryinformationto validatetheappeal?
9.7.6 Doesthecertificationbodyacknowledgereceipt of theappeal?
Doesthecertification bodyprovidetheappellant with progress reports and the result of the appeal?
9.7.7 Is the decision to be communicated to the appellantmade by,orreviewedandapprovedby, individual(s) notpreviouslyinvolvedinthesubject of theappeal?
9.7.8 Doesthecertificationbodygiveformalnoticeto theappellant oftheendoftheappeals-handling process?
9.8 Complaints
9.8.1 Is the certification body responsible for all decisions atalllevelsofthecomplaints-handling process?
9.8.2 Dothesubmission,investigationanddecisionon complaints result in any discriminatory actions
againstthecomplainant?
9.8.3 Uponreceiptofa complaint,does thecertification bodyconfirm whetherthe complaintrelatesto
certificationactivitiesthatitisresponsiblefor?
If so,does the certificationbodydealwithit?
Ifthecomplaintrelatesto acertifiedclient,does examinationof thecomplaintconsiderthe effectivenessof the certifiedmanagement system?
9.8.4 Isanycomplaintaboutacertifiedclientreferred bythecertificationbodytothecertifiedclientin
questionat anappropriatetime?
9.8.5 Doesthecertificationbodyhaveadocumented processtoreceive,evaluateandmakedecisions
on complaints?
Is this process subject to requirements for confidentiality,as itrelatesto thecomplainantand
to thesubjectofthecomplaint?
9.8.6 Doesthecomplaints-handlingprocessincludeat leastthefollowingelementsandmethods?
a) anoutlineoftheprocess forreceiving,validating, investigating thecomplaint, andfordecidingwhat actionsare to betakenin responseto it;
b) tracking and recording complaints, including actionsundertakenin responseto them;
c) Ensuring that any appropriate correction and correctiveactionaretaken?
9.8.7 Isthecertificationbodyreceivingthecomplaint responsible for gathering and verifying all
necessaryinformationto validatethe complaint?
9.8.8 Wheneverpossible,doesthe certificationbody acknowledgereceiptof the complaint?
Does the certification body provide the complainant with progress reports and the
outcome?
9.8.9 Is the decision to be communicated to the complainantmadeby,orreviewedandapproved
by, individual(s) not previously involved in the
subjectof thecomplaint?
9.8.10 Wheneverpossible,doesthe certificationbody giveformalnoticeoftheendofthecomplaints-
handlingprocessto thecomplainant?
9.8.11 Doesthecertificationbodydetermine,together with the certified client and the complainant,
whetherand,ifsotowhatextent,thesubjectof the complaintand itsresolutionmadepublic?
9.9 ClientRecords
9.9.1 Doesthecertificationbodymaintainrecordson theauditandother certification activitiesforall clients,includingallorganizations thatsubmitted applications, andallorganizations audited, certified,orwithcertificationsuspended or withdrawn?
9.9.2 Do records on certified clients include the following?
a) application information and initial, surveillance andrecertificationauditreports;
b) certificationagreement?
c) justificationofthemethodologyusedforsampling
of sites,asappropriate?
d) justification for auditor time determination (see
9.1.4)?
e) verificationofcorrectionandcorrectiveactions;
f) records of complaints and appeals, and any subsequentcorrectionorcorrectiveactions;
g) committee deliberations and decisions, if applicable;
h) documentationof thecertificationdecisions?
i) certification documents, including the scope of certificationwithrespecttoproduct,processor
service,as applicable;
j) Related records necessary to establish the credibilityofthecertification,suchasevidenceof
the competence of auditors and technical
experts?
k) Audit programmes?
9.9.3 Doesthecertificationbodykeeptherecordson applicantsandclientssecuretoensurethatthe
informationiskeptconfidential?
Are records transported, transmitted or transferred, in a way that ensures that
confidentialityis maintained?
9.9.4 Doesthecertificationbodyhaveadocumented policyanddocumented procedures onthe retentionof records?
Arerecordsofcertifiedclientsandpreviously
certifiedclientsretainedforthedurationofthe
currentcycleplusonefull certificationcycle?
10 Managementsystemrequirementsfor
certificationbodies
10.1Options
Doesthecertificationbodyestablish,document,
implementandmaintainamanagementsystem
thatiscapableofsupporting anddemonstrating the consistentachievementoftherequirementsof thispartof ISO/IEC 17021?
In additiontomeetingtherequirementsof Clause
5 to 9,does thecertificationbodyimplementa managementsystemin accordancewitheither:
a) generalmanagementsystemrequirements
(10.2)or
b) Managementsystemrequirementsin accordancewithISO 9001(see10.3)?
10.2 Option A:Managementsystemrequirements
10.2.1 General
Has the certification body's top management established and documented policies and
objectivesforitsactivities?
Does thetopmanagementprovideevidenceof its commitment to the development and
implementation of the management system in
accordance with the requirements of this
InternationalStandard?
Does the top management ensure that the policies are understood, implemented and
maintainedatalllevelsofthecertificationbody's organization?
Has the certification body's top management, assignedresponsibilityandauthorityfor:
a) ensuring that processes and procedures needed for the management system are
established, implemented and maintained,
and
b)Reportingtotopmanagement onthe performanceofthemanagementsystemand anyneedforimprovement?
10.2.2 Managementsystemmanual
Have all applicable requirements of this
InternationalStandard beenaddressedeither ina manualorinassociateddocuments?
Does the certification body ensure that the manualandrelevantassociateddocuments are accessibletoallrelevantpersonnel?
10.2.3 Controlof documents
Hasthecertificationbodyestablishedprocedures tocontrolthedocuments(internalandexternal)
thatrelatetothefulfilmentofthisInternational
Standard?
Dotheproceduresdefinethecontrolsneededto:
a) approve documents for adequacy prior to issue,
b) reviewandupdatewherenecessaryandre- approvedocuments,
c) ensurethatchangesandthecurrentrevision statusofdocumentsareidentified,
d) ensurethatrelevantversionsofapplicable documentsareavailableat points of use,
e) ensure that documentsremain legibleand readilyidentifiable,
f) ensurethatdocumentsofexternaloriginare identifiedandtheir distributioncontrolled,and
g) Preventtheunintended useofobsolete documents, and to apply suitable identification tothemiftheyareretainedfor anypurpose?
10.2.4 Controlof records
Hasthecertification bodyestablished procedures to definethecontrolsneededfortheidentification, storage,protection,retrieval,retentiontimeand
dispositionofitsrecordsrelatedtothefulfilment of this partofISO/IEC 17021?
Hasthecertificationbodyestablishedprocedures forretainingrecordsfora periodconsistentwith
itscontractualandlegalobligations?
Isaccessto theserecordsconsistentwith the confidentialityarrangements?
10.2.5 Managementreview
10.2.5.1General
Has the certification body's top management establishedprocedurestoreviewitsmanagement
system at planned intervals to ensure its
continuing suitability, adequacy and effectiveness,includingthe stated policies and
objectives related to the fulfilment of this
InternationalStandard?
Are thesereviewsconductedat leastoncea year?
10.2.5.2Reviewinputs
Does theinputto the managementreviewinclude informationrelatedto:
a) resultsof internalandexternalaudits;
b) feedbackfrom clientsandinterestedparties;
c) safeguardingimpartiality;
d) the statusofpreventiveandcorrective actions;
e) the statusofactionsto addressrisks;
f) follow-upactionsfrompreviousmanagement reviews;
g) thefulfilmentofobjectives;
h) changesthatcouldaffect themanagement system;and
i) Appeals andcomplaints?
10.2.5.3Reviewoutputs
Does theinputto the managementreviewinclude informationrelatedto:
a) improvementof theeffectivenessof the managementsystemanditsprocesses,
b) Improvementof the certificationservices relatedtothefulfilmentof thispartofISO/IEC
17021;
c) resourceneeds,and
d) Revisionof theorganisation’spolicyand objectives?
10.2.6Reviewoutputs
10.2.6.1Hasthecertificationbodyestablishedprocedures for internal audits to verify that it fulfils the
requirements ofthisInternationalStandardand thatthemanagement systemiseffectively implementedandmaintained?
10.2.6.2Istheauditprogramme planned,takinginto consideration the importance of the processes andareastobeaudited, aswellastheresultsof previousaudits?
10.2.6.3Areinternalauditsperformedatleast onceevery
12 months?
10.2.6.4Does thecertificationbodyensurethat:
a) internal audits are conducted by competentpersonnel knowledgeable in certification, auditingandtherequirementsofthisInternational Standard,
b) auditorsdonotaudittheirownwork,
c) personnelresponsiblefortheareaauditedare informedof theoutcomeof theaudit,
d) any actions resulting from internal audits are takenina timelyandappropriatemanner,and
e) Anyopportunitiesforimprovementareidentified?
10.2.7Correctiveaction
Hasthecertification bodyestablished procedures foridentification andmanagementof nonconformitiesinitsoperations?
Does the certification body also, where necessary,takeactionstoeliminatethecausesof
nonconformitiesinorderto preventrecurrence?
Arecorrectiveactionsappropriatetotheimpactof theproblemsencountered?
Dotheproceduresdefinerequirementsfor:
a) identifying nonconformities (e.g. from valid complaintsandinternalaudits);
b) determiningthecausesofnonconformity;
c) correctingnonconformities;
d) evaluatingthe need for actionsto ensurethat nonconformitiesdonotrecur;
e) determiningand implementingin a timelymanner, theactionsneeded;
f) recordingtheresultsof actionstaken;and
g) Reviewingtheeffectivenessofcorrectiveactions?
10.3 Option B:Generalmanagement
systemrequirements
10.3.1 General
Hasthecertification body established and maintainedamanagementsystem,in accordance
withtherequirementsofISO9001thatiscapable ofsupporting anddemonstrating theconsistent achievement oftherequirementsofthis International Standard, amplified by 10.3.2 to
10.3.4?
10.3.2 Scope
Does the scope of the management system includethedesignand developmentrequirements
foritscertificationservices?
10.3.3 Customerfocus
Whendevelopingits managementsystem,has thecertificationbodyconsideredthecredibilityof
certification?
Hasthecertificationbody addressed theneedsof allparties(assetoutin4.1.2)thatrelyuponits
auditandcertificationservices,notjustitsclients?
10.3.4 Managementreview
Doesthecertification bodyincludeasinputfor management review,information onrelevant appealsandcomplaintsfrom usersofcertification activities and a review of impartiality for applicationof therequirementsof ISO9001?

To be filled in during pre-assessment (onsite visit) by PNAC Assessor