ISO 17021-2:
what will it mean?
gives an up-to-date insight into the controversial auditor competency standard
ISO/IEC 17021 took seven years to develop and brought together text from ISO Guide 62 (quality management systems), ISO Guide 66 (environmental management systems) and their associated International Accreditation Forum guidance documents. When it was published it brought together all the requirements for third-party certification for the first time. However, the standard was not restricted to quality and environmental management systems and has been widely used as the basis for third-party certification for other schemes.
The impact of its publication was profound and it introduced principles upon which requirements were built. It required certification bodies to refocus on the competence of their auditors and certification staff and the impartiality of their operations. Two years were allowed for transition to the standard; a period needed by both certification bodies and the bodies that accredited them.
A new work item for part 2 of ISO/IEC 17021 was proposed in June 2006. It sought to complement ISO/IEC 17021 with requirements based on guidance in ISO 19011 and to provide a framework for the development of specific criteria for sector applications. In spite of reservations from several countries, the project was given the go ahead and work started immediately.
Work was conducted in two streams working in parallel: one on processes and the other on competence. As the new text was effectively an extension of that already in ISO/IEC 17021, it was realized early on that it would be easier for users if the standard contained the full part 1 text in addition to any new requirements and that it would be preferable to publish the standard as a new combined document.
After two committee drafts, a draft international standard (DIS) was published for comment and voted to proceed to final draft standard (FDIS) in September 2009. This ballot succeeded and ISO/WG 21 completed the review of more than 400 comments to enable the FDIS to be published at their postponed meeting at the end of June 2010.
Structure and significant changes
The existing structure of ISO/IEC 17021 has been retained and the principles remain unchanged. Changes include the removal of all references to ISO 19011 and the incorporation of essential text. There are several new definitions, but the one that matters is ' ‘competence’. This is now defined as: ‘Ability to apply knowledge and skills to achieve intended results’.
Reference to ‘personal attributes’ has been removed as has the need to demonstrate the knowledge and skills which have been included in the process section. Sections 4, 5 and 6 are unchanged. Section 7 (resource requirements) has been expanded to include a section on the need for a certification body to determine and document competence criteria for its auditors and certification staff, and then to have a process for evaluating its personnel against those criteria. It is otherwise unchanged, as is section 8.
Section 9 (process requirements) has been developed to include requirements for a number of areas including the determination of audit objectives and scope, the audit plan, audit team selection, opening and closing meetings, audit findings, communication with the client and the audit report. The use of observers and guides is clarified as is the use of opportunities for improvement. The rest of section 9 (clause 9.2 onwards) and the whole of section 10 are unchanged.
There are, however, a number of new annexes. There is a one page normative annex and several informative annexes. Annex A (normative) simply lists the knowledge and skills required of key certification body personnel (application reviewers, report reviewers, auditors, lead auditors) and indicates a level of achievement (see figure 1).
For example, a lead auditor would be expected to have very good knowledge of a client’s business and technology and an audit report reviewer a little less and the application reviewer less again. The absolute requirements are not specified as these will vary according to standard or scheme and will be left to scheme owners or certification bodies to define.
Figure 1 – Simplified extract from annex A
| Knowledge and skills | Certification functions | ||||
| Application reviewers | Audit report reviewers and certification decision makers | Auditors | Audit team leaders | ||
| Specific management system standards/normative documents | X | XXX | XXX | XXX | |
| Client business techonology | X | XX | XXX | XXX | |
The informative annexes provide some guidance on possible competence evaluation methods, an example of how to determine competence, the personal behaviours expected of people involved in certification and additional areas that a certification body may need to consider when constructing an audit plan.
From DIS to FDIS
The DIS included complex informative annexes on examples of competence evaluation and determination. These gave many respondents difficulty and may not have translated well into other languages. With the simplification of annex A and incorporation of an indication of different levels, it was possible to remove these annexes.
Compared with the gestation of ISO/IEC 17021, this project has progressed quickly. If all goes well, the FDIS should be published in late 2010 and published as ISO/IEC 17021 in the spring of 2011.About the author
Roger Bennett is a member of the International Accreditation Forum (IAF) board and has been involved in the drafting of ISO/IEC 17021-2. He represents the Independent International Organisation for Certification at meetings of the IAF and ISO
