ISO 17021

ISO 17021 Conformity Assessment — Requirements for Bodies Providing Audit and Certification of Management Systems

Introduction & Core Purpose

ISO/IEC 17021 is a fundamental international standard that specifies the requirements for organizations (Certification Bodies or CBs) that perform audits and issue certifications for management systems. It is not a standard for the management systems themselves (like ISO 9001 or ISO 14001), but rather the “rulebook” for the credibility and integrity of the certification process.

Its primary purpose is to ensure that when a company receives a certificate (e.g., “ISO 9001 Certified”), it is the result of a competent, consistent, and impartial audit conducted by a reputable body. This builds trust in certificates across global markets, reduces risks for organizations that rely on certified suppliers, and prevents the devaluation of management system standards through poor certification practices.

Key Principles & Structure

The standard is built on several critical principles that certification bodies must embed in their operations:

Impartiality: The single most important principle. The CB must be structurally, financially, and operationally independent from its clients. It must identify, analyze, document, and mitigate all potential conflicts of interest to ensure audit conclusions are objective and unbiased.
Competence: The CB must have a robust process to ensure that all personnel involved in the certification process (auditors, technical experts, decision-makers) possess the necessary education, experience, industry knowledge, and audit skills.
Responsibility: The CB is accountable for its audit decisions, certifications, and the actions of all its personnel and subcontractors.
Openness & Transparency: Information about certification processes, rules, fees, and rights of appeal must be publicly available.
Confidentiality: The CB has a legally enforceable duty to safeguard all client information obtained during the certification process.
Risk-Based Approach: The CB must manage its own risks (to impartiality, competence, etc.) and also apply a risk-based thinking to its audit planning, focusing on areas of higher risk within the client’s management system.

The standard is structured around requirements for the CB’s management system and the specific process it must follow for certification.

Major Requirements for the Certification Body

A. Management Requirements:

Legal & Contractual: Must be a legal entity, define its certification scope, and have enforceable agreements with clients.
Impartiality Management: Must have a top-level committee (Impartiality Committee) independent of its management to oversee neutrality. Must analyze and mitigate threats (self-interest, familiarity, intimidation, etc.).
Structural & Operational Safeguards: Cannot provide consultancy to its certification clients. Must have clear procedures for handling complaints and appeals.
Liability & Financing: Must address liability arrangements and ensure financial stability to operate effectively.

B. Resource Requirements:

Personnel Competence: Must define competence criteria for all roles, particularly for specific technical sectors (e.g., aerospace, food safety, healthcare). Must have processes for initial evaluation, ongoing monitoring, and training of auditors.
Use of External Experts & Subcontractors: Must maintain control and ensure the competence and impartiality of any external resources used.

C. Process Requirements (The Certification Cycle):
This is the heart of the standard, detailing every stage from application to certification:

Application Review: Assessing the client’s readiness, defining the audit scope, and determining audit duration based on factors like company size and complexity.
Audit Planning: Preparing a detailed audit plan, assigning a competent audit team (with a designated team leader), and ensuring no conflict of interest.
Stage 1 Audit (Documentation Review): Conducted on-site or remotely to review the client’s management system documentation, evaluate readiness, and gather information for Stage 2 planning.
Stage 2 Audit (On-Site Evaluation): The main audit to evaluate the implementation, effectiveness, and ability of the management system to meet the standard’s requirements. Includes interviews, observation, and document sampling.
Audit Reporting & Decision: The audit team reports findings (nonconformities, observations). A separate, impartial individual or committee within the CB (not the auditors) makes the final certification decision based on the audit evidence.
Surveillance Audits: Conducted annually (or over a prescribed cycle) after initial certification to ensure the management system continues to function and conforms. Surveillance is less extensive but must cover key processes and address any previous nonconformities.
Recertification Audit: Conducted before the certificate expires (typically every 3 years) to renew certification. It is a full-system audit similar in scope to Stage 2.
Managing Changes & Suspensions/Withdrawals: Procedures for handling changes to the client’s system or scope, and for suspending or withdrawing certificates in cases of serious nonconformity.

Importance & Impact

For Certified Organizations: Provides confidence that their certification is globally recognized and adds real value. It levels the playing field by ensuring all CBs operate to the same high standards.
For Customers & Regulators: Reduces the need for “second-party” audits by providing reliable, independent assurance about a supplier’s management system. Many governments reference ISO/IEC 17021 in regulations.
For Certification Bodies: It is the benchmark for their accreditation. To demonstrate compliance, CBs are typically accredited by a national accreditation body (like UKAS in the UK, ANAB in the USA, or DAkkS in Germany). Accreditation is an independent attestation that the CB meets all the requirements of ISO/IEC 17021.
For the Overall System: Protects the integrity and reputation of management system standards (ISO 9001, ISO 14001, etc.) by preventing “certificate mills” and ensuring audits are meaningful assessments.

Evolution & Relationship with Other Standards

ISO/IEC 17021 is part of the broader ISO/IEC 17000 series of conformity assessment standards. It is periodically revised. A significant evolution is its integration with ISO/IEC 17021-1 (general requirements) and companion standards like ISO/IEC 17021-2 for environmental management systems and ISO/IEC 17021-3 for quality management systems, which add sector-specific competence requirements for auditors.

In essence, ISO/IEC 17021 is the quality standard for the certification industry itself. It is the critical linchpin that transforms a management system standard from a document of good intentions into a tool for verified, trusted, and continuous improvement within organizations worldwide. Without it, the value and recognition of management system certifications would be significantly diminished.

What is Required ISO 17021

ISO/IEC 17021 sets the foundational requirements for bodies that audit and certify management systems (e.g., for ISO 9001 or ISO 14001). Its goal is to ensure the competence, consistency, and impartiality of certification worldwide. The requirements fall into two main categories: the Certification Body’s (CB) management system and the certification process.

1. Management & Governance Requirements

Impartiality: The paramount requirement. The CB must be structurally and financially independent. It must establish an Impartiality Committee (independent of management) to oversee conflicts of interest. It cannot provide internal audits or consultancy to its certification clients.
Competence: The CB must define and maintain rigorous competence criteria for all personnel—especially auditors and technical experts. This includes evaluating their education, work experience, sector-specific knowledge, and audit skills, then ensuring their ongoing competence.
Responsibility & Liability: The CB is a legal entity fully responsible for all certification decisions and activities, including those performed by subcontractors. It must have adequate arrangements to cover liabilities arising from its operations.
Confidentiality & Transparency: The CB must legally safeguard all client information. Simultaneously, it must publicly provide clear information on its processes, fees, and appeal procedures.

2. Certification Process Requirements

The standard mandates a rigorous, multi-stage audit cycle:

Application & Review: The CB formally reviews the client’s application to define the audit scope, complexity, and required resources (including audit time).
Audit Planning: A competent audit team is assigned, with a clear plan and no conflicts of interest.
Two-Stage Audit:
- Stage 1 reviews the client’s management system documentation and readiness.
- Stage 2 is the on-site evaluation of implementation, effectiveness, and conformity.
Certification Decision: A critical requirement is that the final decision to grant certification must be made by impartial individuals or a committee separate from the auditors who conducted the assessment.
Surveillance & Recertification: Certificates are valid for three years, subject to annual surveillance audits. A full recertification audit is required before expiry to renew the certificate for another cycle.
Managing Nonconformities & Appeals: The CB must have documented procedures for handling client nonconformities, complaints, and appeals against its decisions.

The Role of Accreditation

A key outcome of ISO/IEC 17021 is that it provides the benchmark for accreditation. Independent national accreditation bodies (like UKAS or ANAB) assess certification bodies against ISO/IEC 17021. When a CB is “accredited,” it provides formal recognition that it operates to the standard’s stringent requirements, thereby lending ultimate credibility to the certificates it issues.

In summary, ISO/IEC 17021 is the essential “rulebook” that transforms a management system certificate from a simple paper into a globally trusted mark of assurance. It requires certification bodies to operate with structured integrity, impartiality, and technical rigor at every stage of the certification lifecycle.

Who is Required ISO 17021

ISO/IEC 17021 is not a requirement for general organizations or manufacturers. Instead, its requirements are mandated for a specific entity: Management System Certification Bodies (CBs).

These are the independent, third-party organizations that audit companies against standards like ISO 9001 (quality) or ISO 14001 (environment) and issue the certificates. ISO/IEC 17021 defines the rules these CBs must follow to ensure their work is credible.

Primary “User”: The Certification Body

For a Certification Body, compliance with ISO/IEC 17021 is mandatory if it seeks accreditation. Accreditation is an independent, formal recognition by a national accreditation body (e.g., UKAS, ANAB, DAkkS) that the CB is competent. Since market trust and regulatory acceptance often depend on accreditation, virtually all reputable CBs are required to implement and adhere to ISO/IEC 17021 in full. It governs their entire management system and audit processes.

Indirect “Beneficiaries”:

While not required to comply, other parties rely on and demand its implementation:

Organizations seeking certification: They depend on CBs operating to ISO/IEC 17021 to ensure their audit is fair, competent, and that their resulting certificate has global credibility.
Accreditation Bodies: They use ISO/IEC 17021 as the strict benchmark against which they assess and accredit Certification Bodies.
Regulators & Industry Schemes: Many governments and industry programs (e.g., in automotive or aerospace) formally require that certificates be issued by CBs accredited to ISO/IEC 17021, making it a de facto regulatory requirement in those sectors.
Customers & Supply Chains: Companies sourcing suppliers use ISO/IEC 17021-compliant certification as a trusted filter, reducing the need for their own audits.

In essence, ISO/IEC 17021 is a required standard for the “referees” (the Certification Bodies) of the management system world, not the “players” (the certified companies). Its widespread adoption by CBs is what creates universal trust in the certificates they issue.

When is Required ISO 17021

Compliance with ISO/IEC 17021 is required at specific, defined points in the lifecycle of a Certification Body (CB) and in the context of market and regulatory demands.

1. For a Certification Body Seeking Accreditation (The Primary “When”)

The most critical point of requirement is when a CB seeks accreditation from a national accreditation body (like UKAS or ANAB). Accreditation is a formal, periodic evaluation. The CB must demonstrate full and ongoing compliance with ISO/IEC 17021 during:

The Initial Assessment: To achieve accreditation for the first time.
Surveillance Assessments: Typically annual audits by the accreditation body to ensure continued compliance.
Re-accreditation: The full re-evaluation cycle, usually every four years.

Without this compliance, accreditation—and thus, mainstream market credibility—is impossible.

2. During Every Single Certification Audit Process

For an accredited CB, ISO/IEC 17021 requirements are operationally required for every client engagement. This is not a one-time implementation but a continuous mandate. Key moments include:

When planning an audit: Ensuring auditor competence and impartiality is verified.
When making a certification decision: The requirement for an independent, impartial individual or committee to make the final grant/deny decision is applied for every certificate.
When conducting surveillance and recertification audits: The prescribed cycles and processes must be followed without exception.

3. When Specified by Regulators or Market Contractual Obligations

Compliance becomes a de facto legal or contractual requirement in many sectors. It is required:

When a regulated industry (e.g., medical devices, certain energy sectors) mandates that suppliers hold certificates from accredited CBs.
When a major corporation or tendering process specifies that suppliers must be certified by a CB accredited to ISO/IEC 17021. This is common in automotive, aerospace, and public procurement.

Summary of Timing

In essence, ISO/IEC 17021 is required continuously from the moment a CB decides to operate as a credible, accredited entity. Its requirements are applied pervasively across all the CB’s management and operational processes and are invoked repeatedly at every stage of each client’s certification cycle. The “when” is not a single date, but an ongoing condition of operation for the certification industry itself.

Where is Required ISO 17021

The requirement for ISO/IEC 17021 is geographically and contextually widespread, tied to the global infrastructure of conformity assessment.

1. Geographically: In Every Country with a Developed Certification Market

ISO/IEC 17021 is the internationally agreed benchmark. Its requirements are effectively mandated wherever credible, accredited certification is demanded. This includes:

All major industrial economies (North America, EU, UK, Japan, etc.), where national accreditation bodies enforce it.
Global supply chain hubs (e.g., China, Southeast Asia, Eastern Europe), where exporters must meet the accredited certification requirements of their international customers.
Any country where regulators reference the ISO/IEC 17000 series in national regulations or public procurement rules.

2. Organizationally: Within Accredited Certification Bodies (CBs)

This is the primary “where.” The standard’s requirements must be embedded throughout the CB’s entire management system, including:

Governance & Structure: At the top level, in the Impartiality Committee and management policies.
Operational Processes: In every step of the audit cycle—from application review in the office to on-site audit execution at client locations.
Human Resources: In the competence evaluation and monitoring systems for all auditors and technical staff.
Client Management: Within contractual agreements, complaint handling systems, and certification decision records.

3. Sectorally: In Regulated and High-Risk Industries

Compliance is most strictly required where trust in certification is critical. This includes sectors like:

Aerospace (AS9100), Automotive (IATF 16949), and Medical Devices (ISO 13485): Where CBs must be accredited to sector-specific schemes that incorporate ISO/IEC 17021.
Food Safety (ISO 22000/FSSC), Information Security (ISO 27001), and Energy Management (ISO 50001): Where risk necessitates unquestionable audit rigor.
Public Sector & Regulated Utilities: Where procurement rules often mandate certification from accredited CBs.

4. In the Global Framework of Accreditation

The ultimate “where” is within the international accreditation network governed by the International Body. International Body members (national accreditation bodies) mutually recognize each other’s accreditations based on the consistent application of ISO/IEC 17021. This creates a global system where a certificate from an accredited CB in one country is trusted worldwide.

How is Required ISO 17021

Compliance with ISO/IEC 17021 is not a single act but a systematic, multi-layered process of implementation, verification, and oversight.

1. Implementation by the Certification Body (CB)

A CB achieves compliance by integrating the standard’s requirements into its entire management system. This involves:

Documenting Processes: Creating policies and procedures for every mandated activity (e.g., competence evaluation, audit planning, handling appeals).
Establishing Governance: Forming an independent Impartiality Committee and ensuring structural safeguards against conflicts of interest.
Managing Competence: Developing criteria for auditor selection, performing rigorous evaluations, and providing ongoing training and monitoring.
Operating the Certification Cycle: Faithfully executing the two-stage audit process, surveillance, and recertification as prescribed.

2. Verification through Accreditation (The Primary Enforcement Mechanism)

Compliance is formally verified and enforced via accreditation. This is a two-step oversight process:

Assessment by a National Accreditation Body (NAB): An NAB (e.g., UKAS, ANAB) conducts a detailed, on-site assessment of the CB against every clause of ISO/IEC 17021. This includes reviewing documents, interviewing staff, and witnessing live audits at client sites.
Ongoing Surveillance: The NAB performs regular surveillance audits (typically annual) and a full re-assessment every four years to ensure continuous compliance. Non-compliance can result in corrective actions, suspension, or withdrawal of accreditation.

3. Market & Regulatory Scrutiny

Compliance is further reinforced by external pressures:

Client & Market Demand: Sophisticated clients and tenders explicitly require certification from an accredited CB, creating a commercial imperative for compliance.
Peer Review within the International Body: The International Body conducts peer evaluations of its member NABs to ensure they are uniformly and rigorously applying ISO/IEC 17021 when assessing CBs, creating a global chain of oversight.

4. Maintaining a Conformity Assessment Ecosystem

Ultimately, compliance is maintained through a self-reinforcing system of checks and balances:
The Standard (ISO/IEC 17021) → guides the Certification Body → which is assessed by an Accreditation Body → which is peer-reviewed under the International Body Multilateral Recognition Arrangement (MLA). This creates a closed loop of requirement, implementation, verification, and global recognition, ensuring consistency and trust worldwide.

Case Study on ISO 17021

Ensuring Credibility in Automotive Supply Chain Certification

Background: “Global AutoParts Inc.,” a mid-sized manufacturer of brake components, invested significant resources to implement ISO 9001 and the stringent automotive-specific standard, IATF 16949. Their goal was to become an approved supplier to major automotive OEMs. After implementation, they sought certification.

The Challenge (The “Bad” Scenario): To save costs, Global AutoParts initially engaged “QuickCert,” a non-accredited certification body. The audit was brief, superficial, and conducted by an auditor with limited automotive experience. Major nonconformities were overlooked, and a certificate was issued quickly. However, when Global AutoParts submitted this certificate to a major OEM as part of a tender, it was rejected outright. The OEM’s procurement policy mandated that all IATF 16949 certificates be issued by a CB accredited to ISO/IEC 17021 (and the IATF rules). The certificate was deemed untrustworthy, resulting in a lost multimillion-dollar contract and reputational damage.

The Solution (The “ISO/IEC 17021” Scenario): Learning from this failure, Global AutoParts contracted “Accredited Assurance Group (AAG),” a CB accredited by a recognized national body (e.g., ANAB, UKAS).

How ISO/IEC 17021 Requirements Were Applied:

Impartiality & Competence: AAG’s systems, per Clause 5, ensured the audit team was led by a competent lead auditor with specific automotive sector experience (verified through documented competence records). Its Impartiality Committee confirmed no conflicts of interest.
Robust Two-Stage Audit Process: AAG followed the mandated process (Clause 9). Stage 1 identified gaps in Global AutoParts’ readiness, prompting necessary corrections. The comprehensive Stage 2 audit involved deep sampling of production processes, management review, and customer-specific requirements.
Independent Decision & Rigorous Findings: The audit identified several major nonconformities related to calibration and defect management. Per ISO/IEC 17021 requirements, the certification decision was made by a separate AAG technical review committee, not the auditing team. Certification was conditionally granted only after Global AutoParts provided robust evidence of corrective actions.
Oversight & Recognition: AAG’s own accreditation body conducted an unannounced witness audit during the Stage 2, verifying AAG’s compliance with ISO/IEC 17021 in real-time.

The Outcome: Global AutoParts received a credible, internationally recognized IATF 16949 certificate. The rigorous audit process genuinely improved their management system. They successfully qualified for the OEM’s supplier list and secured new business. The OEM trusted the certificate because it was backed by the chain of assurance: AAG’s compliance with ISO/IEC 17021, verified by its accreditation, which is part of the global International Body network.

Conclusion: This case demonstrates that ISO/IEC 17021 is not just bureaucratic overhead. It is the critical infrastructure that prevents worthless certifications, ensures audits add real value, and enables the trust that allows certified organizations to compete and succeed in regulated, high-stakes global markets.

White paper on ISO 17021

The Bedrock of Trust in Management System Certification

Executive Summary
In an era of complex global supply chains and heightened stakeholder expectations, management system certifications (e.g., ISO 9001, ISO 14001) are ubiquitous marks of assurance. Yet, the value of any certificate is intrinsically tied to the credibility of the organization that issued it. ISO/IEC 17021, Conformity assessment — Requirements for bodies providing audit and certification of management systems, is the international standard that establishes this credibility. This white paper outlines why ISO/IEC 17021 is not merely a technical guideline but the essential foundation for a trusted global certification ecosystem.

The Core Challenge: Variability and Risk
Without a universal benchmark, certification practices can vary wildly. Inconsistent audits, conflicts of interest, and auditor incompetence devalue certifications, creating significant risk for organizations that rely on them. This erosion of trust renders certifications meaningless as tools for risk management, supplier selection, and market access.

The ISO/IEC 17021 Solution: Standardizing Trust
ISO/IEC 17021 directly addresses this challenge by mandating rigorous requirements for Certification Bodies (CBs) in three pivotal areas:

Structural Integrity and Impartiality: The standard enforces absolute independence. CBs must have top-level governance (Impartiality Committees) to identify and mitigate conflicts of interest. They are prohibited from providing consultancy to their audit clients, eliminating a fundamental threat to objective auditing.
Operational Rigor and Competence: It mandates a robust, two-stage audit process (document review followed by on-site assessment) and a prescribed surveillance and recertification cycle. Crucially, it requires CBs to systematically ensure and document the competence of their auditors, particularly for high-risk or technical sectors.
Accountability and Transparency: The final certification decision must be made by impartial individuals separate from the audit team, adding a critical layer of oversight. CBs must also have transparent processes for handling complaints and appeals.

The Enforcement Mechanism: Accreditation
Compliance with ISO/IEC 17021 is verified through accreditation. Independent national Accreditation Bodies (ABs) rigorously assess CBs against the standard. An accredited CB operates under ongoing surveillance, creating a powerful chain of assurance: the CB audits the organization, and the AB audits the CB. This system is harmonized globally through the International Body, enabling mutual recognition of certificates across borders.

Business Impact and Value Proposition

For Certified Organizations: Their certificate carries global weight, facilitates market access (especially in regulated sectors), and represents a meaningful achievement validated by a competent audit.
For Specifiers and Regulators: Reliable, accredited certification reduces the cost and need for second-party supplier audits and provides a robust compliance tool.
For the Global Market: It levels the playing field, fosters fair competition based on demonstrated management system effectiveness, and protects the reputation of ISO management system standards.

Conclusion
ISO/IEC 17021 is the indispensable quality standard for the certification industry itself. It transforms certification from a potential commodity into a trusted assurance tool. By demanding impartiality, competence, and consistency, it safeguards the investment of all stakeholders and ensures that a management system certificate remains a reliable symbol of commitment to excellence and continuous improvement.

Industrial Application of ISO 17021

Enabling Sector-Specific Trust and Compliance

ISO/IEC 17021 provides the generic framework for credible certification, but its most critical industrial application is in high-stakes, regulated, and complex sectors where the consequences of audit failure are severe. Here, it acts as the foundational platform upon which industry-specific certification schemes are built.

1. Automotive Industry (IATF 16949)

Application: IATF 16949 is the global quality management standard for automotive production. Its certification scheme mandates that Certification Bodies (CBs) must be accredited to ISO/IEC 17021 plus additional automotive-specific requirements.
How ISO/IEC 17021 is Applied: The standard ensures CBs have the management system to conduct rigorous, consistent audits. It guarantees auditor independence (critical when auditing potential competitors) and a structured process for surveillance and recertification. The IATF Oversight office then audits the CBs against even stricter rules, using ISO/IEC 17021 as the essential baseline for CB competence. Without it, the global consistency of automotive supplier audits would collapse.

2. Aerospace Industry (AS/EN 9100, 9110, 9120)

Application: The International Aerospace Quality Group (IAQG) scheme requires CBs to be accredited to ISO/IEC 17021 and conform to additional aerospace requirements (e.g., specific auditor competency profiles, mandated audit days).
How ISO/IEC 17021 is Applied: It provides the enforceable requirements for managing impartiality and auditor competence—non-negotiable in a safety-critical industry. The scheme leverages ISO/IEC 17021’s infrastructure to ensure that audits are performed by CBs with robust management systems, whose work is then further validated by the IAQG’s own witness audit process. This layered oversight is vital for FAA/EASA regulatory acceptance.

3. Medical Devices (ISO 13485)

Application: Regulatory authorities in many jurisdictions (like Health Canada and the EU’s Medical Device Regulation) recognize or require audits against ISO 13485 to be performed by CBs accredited to ISO/IEC 17021.
How ISO/IEC 17021 is Applied: For medical device manufacturers, certification is often a gatekeeper to market access. ISO/IEC 17021 ensures the auditing CB has a documented process for employing auditors with relevant regulatory and technical expertise in medical technology. Its requirements for handling confidential information are also paramount when auditing proprietary device designs and clinical data.

4. Food Safety (FSSC 22000, BRCGS)

Application: Global Food Safety Initiative (GFSI)-benchmarked schemes require CBs to be accredited to ISO/IEC 17021 (and often ISO/IEC 17065 for product certification) as a condition for recognition.
How ISO/IEC 17021 is Applied: In food safety, audit credibility is directly linked to consumer safety. The standard ensures CBs can demonstrate the competence of auditors to assess Hazard Analysis and Critical Control Point (HACCP) systems and food fraud mitigation. Its requirements for consistent, evidence-based audit decisions are critical for maintaining the integrity of the entire food supply chain audit system.

Conclusion

In these industries, ISO/IEC 17021 is not merely applied—it is embedded and amplified. It provides the essential, trusted baseline of management system integrity for CBs, which sector-specific schemes then augment with stricter technical and competence rules. This hybrid model ensures that specialized industrial certifications are both technically rigorous (through sector rules) and administratively credible (through ISO/IEC 17021’s governance), creating the high level of assurance that regulators, OEMs, and consumers demand.

sanatanboards