SADCASF40(a)IssueNo:1 Page1of41
Date:20130118CHECKLISTISO/IEC17021:2011ConformityAssessmentRequirementsforBodiesProvidingAuditandCertificationofManagementSystemsDate(s)ofEvaluation:
Assessor(s)&Observer(s): Organization: Area/FieldofOperation:
OrganizationsRepresentative:
Thereportcoversthefollowing:DocumentReviewonly
ImplementationonSiteVisitonlyDocumentReviewandSiteVisitAssessmentofCompanyFilesISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5
Generalrequirements5.1 Legalandcontractualmatters5.1.1
Legalresponsibility Legal entity or a defined part of a legalentity
can be held legally responsible. (Pty)Ltd,CCorother? Verify
registration with Registers ofCompanies
GovernmentalCBisalegalentitybasedonits governmental status.
Identitydepartment.5.1.2 Certificationagreement Legally enforceable
agreement (contract)for provision of certification activities
tocustomer? AremultipleofficesofaCBormultiplesitesof a certified
customer covered by theagreement?
Areallthesitescoveredbythescopeofthecertification? 5.1.3
Responsibilityforcertificationdecisions Does CB retain authority
and responsibilityfor its decisions relating to certification?e.g.
granting, maintaining, renewing,extending, reducing, suspending
andwithdrawing. SADCASRef.No: SADCASF40(a)IssueNo:1 Page2of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5.2
Managementofimpartiality 5.2.1 Is CB top management commitment
toimpartiality? Isthereapubliclyaccessiblestatement?
Doesitcover:ImportanceofimpartialityConflictofinterestandObjectivityofitsmanagementsystemcertificationactivities?
5.2.2
Areconflictofinterestsidentified,nalyzedanddocumentedandmanagedthroughthesystem?
Are relationships posing a threat toimpartialitydocumented? How
does the CB demonstrate that iteliminatesorminimizessuchthreats?
Information made available to
theimpartialityCommittee?(see6.2)Note: A relationship that
threatens the impartialityof the CB can be based on ownership,
governance,management,personnel,sharedresources,finances,contracts,
marketing and payment of a salescommission or other inducement for
the referral ofnewclients,etc. 5.2.3 Not offering certification
whenrelationships that threaten
impartialitycannotbeeliminatedorminimized.SeeNote5.2.2 5.2.4 Does
the CB certify another CB for itsmanagement system
certificationactivities?SeeNote5.2.2 5.2.5 Does the CB and any part
of the samelegal entity offer or provide
managementsystemconsultancy? This applies also to that part
ofgovernmentidentifiedastheCB.SeeNote5.2.2 5.2.6
DoestheCBprovideinternalauditstoitscertifiedcustomers?DoestheCBcertifyamanagementsystemonwhichitprovidedinternalauditswithin2
years following the end of the internalaudits? This applies also to
that part ofgovernmentidentifiedasCB.SeeNote5.2.2 5.2.7 Does the CB
certify a customer when theCBs relationship with a managementsystem
consultancy or internal audits,poses an unacceptable threat to
theimpartialityoftheCB?SeeNotes. SADCASF40(a)IssueNo:1 Page3of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5.2.8
Does the CB outsource audits to amanagement system
consultancyorganization? (Unacceptable threat
toimpartiality.See7.5). This clause does not apply to
individualscontractedasauditorscoveredin7.3 5.2.9 Are the CBs
activities marketed or linkedwithmanagementsystemconsultancy? CB
takes action to correct
inappropriateclaimsbyanyconsultancyorganization? Are there any
implications by CB thatcertification would be simpler,
easier,faster or less expensive if a
specifiedconsultancyorganizationisused? 5.2.10 Does CB ensure no
conflict of interest ofpersonnel? 2 Years rule applied, how
effective is theprocess? 5.2.11 Is action taken to respond to any
threatsto CBs impartiality arising from theactions of other
persons, bodies ororganizations?
5.2.12DoesallCBpersonnel,internal,externalorcommittees act
impartially and does theCB allow commercial, financial or
otherpressuretocompromiseimpartiality?
5.2.13DoestheCBrequireallpersonneltorevealanyconflictofinterestsituations?
Information used as input to identifyingthreatstoimpartiality?
5.3LiabilityandFinancing 5.3.1 Is the CB able to demonstrate that
it hasevaluated risks arising from its certificationactivities and
that it has adequatearrangements (e.g. insurance or reserves)
tocover liabilities arising from its operations ineach of its field
of activities and thegeographicareasinwhichitoperates?
5.3.2DoestheCBevaluateitsfinancesandsourcesofincomeanddemonstratetothecommitteespecified
in 6.2 that initially and on an ongoing basis, commercial,
financial or otherpressuresdonotcompromiseitsimpartiality?
SADCASF40(a)IssueNo:1 Page4of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR6.
Structuralrequirements6.1 Organizationalstructureandtopmanagement
6.1.1 Organizational structure documentedincluding duties,
responsibilities
andauthoritiesforpersonnelandcommittees;andrelationshipstootherpartswithinthesamelegalentity?
6.1.2 DoestheCBidentifythetopmanagement(board, group of persons, or
person)having overall authority and
responsibilityforeachofthefollowing:a) development of policies
relating to theoperationofthebody?b) supervision of the
implementation ofpoliciesandprocedures?c)
supervisionofthefinancesofthebody?d) development of management
systemcertificationservicesandschemes?e) performance of audits and
certificationandresponsivenesstocomplaints?f)
decisionsoncertification?g)
delegationofauthoritytocommitteesorindividuals,asrequired,toundertakedefinedactivitiesonitsbehalf?h)
contractualarrangements?i)providingadequateresourcesforcertificationactivities?
6.1.3 Formal rules for the appointment, termsof reference and
operation of anycommittees involved in the certificationactivities?
6.2 Committeeforsafeguardingimpartiality 6.2.1
DoesthestructureoftheCBsafeguardtheimpartiality of the activities
of the CB
anddoesitprovideforacommitteeto:a)assistindevelopingthepoliciesrelatingtoimpartialityofitscertificationactivities?b)
counteract any tendency on the part of aCB to allow commercial or
otherconsiderations to present the consistentobjective provision of
certificationactivities?c) advise on matters affecting
confidenceincludingopennessandpublicperception?d) conduct an annual
review of theimpartiality of the audit, certification
anddecisionmakingprocessesoftheCB? SADCASF40(a)IssueNo:1 Page5of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR6.2.2
Is the composition, terms of reference,duties, authorities,
competence ofmembers and responsibilities of thiscommittee formally
documented andauthorized by top management of the CBtoensure:a)
representationofabalanceofinterests?b) access to all the
information (see also5.2.2&5.3.2)c) the right to take
independent action,where the top management of the CBdoes not
respect the advice of thecommittee (e.g. informing
authorities,ABs,stakeholders)?Isconfidentialitymaintainedwhentakingindependentactions?See8.5
6.2.3 Arekeyinterestsidentifiedandinvitedtothiscommittee? 7
Resourcerequirements7.1 Competenceofmanagementandpersonnel 7.1.1
Does a CB have a process to ensure thatpersonnel have appropriate
knowledgerelevant to the types of
managementsystemsandgeographicalareasinwhichitoperates?
Iscompetencerequiredforeachtechnicalarea and for each function in
thecertification activity determined for eachtechnicalarea? Is the
means for the demonstration ofcompetencedetermined? 7.1.2 Are
competence requirements determined for all CB personnel and is this
asper documented process? Is
thedocumentedprocessasperAnnexureAoraspercertificationscheme? 7.1.3
Evaluationprocesses
DoestheCBhavedocumentedprocessesfortheinitialcompetenceevaluationandongoingmonitoringofcompetenceandperformanceofallpersonnelinvolvedinthemanagementandperformanceofauditsandcertification?
Arethesemethodseffective? SADCASF40(a)IssueNo:1 Page6of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.1.4
Otherconsiderations7.1.4.1 Does the CB address the
functionsundertaken by management andadministrative personnel
whiledetermining the competencerequirements?7.1.4.2 Does the CB
have access to the necessarytechnical expertise for technical
areas,types of management system
andgeographicareasinwhichitoperates? 7.2
Personnelinvolvedinthecertificationactivities 7.2.1 Does the CB as
part of its ownorganization have personnel withsufficient
competence for managing thetype and range of audit programmes
andothercertificationworkperformed? 7.2.2 Does the CB employ or
have access to asufficient number of auditors includingaudit team
leaders and technical expertstocoverallactivitiesandvolumeofwork?
7.2.3 Does the CB make clear to each personconcerned duties,
responsibilities andauthorities? 7.2.4
DoestheCBhavedefinedprocessesfor:SelectingTrainingFormallyauthorizingauditorsandSelectingtechnicalexperts?
Does the initial competence evaluation ofan auditor include the
ability to applyrequired knowledge and skill duringaudits, as
determined by a competentevaluator observing (witnessing)
theauditorconductinganaudit? 7.2.5
DoestheCBhaveaprocesstoachieveanddemonstrate effective auditing,
includingtheuseofauditorsandauditteamleaderspossessing generic
auditing skills andknowledgeaswellasskillsandknowledgeappropriate
for auditing in specifictechnicalareas? SADCASF40(a)IssueNo:1
Page7of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR
Does the CB define the knowledge andskills for specific
certification functions asperAnnexureAofISO/IEC17021:2011? 7.2.6
Are auditors and technical expertsknowledgeable of the CBs
auditprocesses, certification scheme and itsrequirements and other
relevantrequirements? Does the CB give auditors and
technicalexperts access to an uptodate set ofdocumented procedures
giving auditinstructions and all relevant
informationonthecertificationactivities? 7.2.7 Are auditors and
technical experts used inthese activities where they
havedemonstratedcompetence?SeeNote9.1.3 7.2.8 Are training needs
identified for functionsperformed?
Wherethereisneed,istrainingofferedorprovided? 7.2.9 Are person(s)
taking the
certificationdecisionsknowledgeableonthe:applicablestandard;certificationrequirements;have
demonstrated competence toevaluate the audit processes; andrelated
recommendations of theauditteam? 7.2.10 Does documented procedures
and criteriafor monitoring and measurement
ofperformanceofallpersonnelexist? Competence reviewed to identify
trainingneeds? 7.2.11 Do procedures include a combination ofonsite
observation, review of auditreports and feedback from customers
orfromthemarket? 7.2.12 Does the CB periodically observe
theperformanceofeachauditoronsite? Is the frequency of onsite
observationsbased on need determined from
allmonitoringinformationavailable? SADCASF40(a)IssueNo:1 Page8of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.3
Useofindividualexternalauditorsandexternaltechnicalexperts Does a
CB have a written agreement withexternal auditors and external
technicalexperts in place by which they committhemselves to comply
with applicablepoliciesandproceduresasdefined? Does the agreement
address all relevantaspects? 7.4 Personnelrecords
DoestheCBmaintainuptodatepersonnelrecordsincluding:Relevantqualifications;Training;Experience;Affiliations;Professionalstatus;Competence;andAnyrelevantconsultancyservices?
Doesthisincludemanagementandadministrativepersonnelinadditiontothoseperformingcertificationactivities?
7.4 Personnelrecords(cont.) 7.5 Outsourcing 7.5.1 Does the CB have
a process in which itdescribes the conditions under
whichoutsourcingmaytakeplace? Legally enforceable agreement with
eachbodythatprovidesoutsourcedservices?SeeNotes 7.5.2 Is the CB
outsourcing certificationdecisions? 7.5.3 DoestheCB:a) take
responsibilities for all activitiesoutsourced?b) ensure that the
body that
providesoutsourcesactivities:conformstotheCBsrequirementsconformstotheapplicableprovisionsof
this international standardincluding competence,
impartialityandconfidentiality?c) ensure that the outsourced
services arenot involved in any way that
impartialitycouldbecompromised? SADCASF40(a)IssueNo:1 Page9of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.5.4
Documented procedures for thequalification and monitoring of
alloutsourced services used for certificationactivities? Records of
the competence of auditorsandtechnicalexpertsmaintained? 8
Informationrequirements8.1 Publiclyaccessibleinformation 8.1.1 Does
the CB maintains and make publiclyaccessible or provide upon
requestinformationdescribingitsauditprocesses,certification
processes and about thecertification activities, types ofmanagement
systems and geographicalareasinwhichitoperates? 8.1.2 Is the
information provided by the CB
toanyclientortothemarketplaceincludingadvertisingaccurateandnotmisleading?
8.1.3 Does the CB make publicly accessibleinformation about
certifications granted,suspendedorwithdrawn? 8.1.4 Does the CB on
request from any
partyprovidemeanstoconfirmthevalidityofagivencertification:SeeNotes
8.2 Certificationdocuments 8.2.1 Does the CB provide
certificationdocuments to the certified client by
anymeansitchooses? 8.2.2 Is the effective date on a
certificationdocument the date before thecertificationdecision?
8.2.3
Doesthecertificationdocument(s)identifythefollowing:a)thenameandgeographiclocationofeachclient
and any sites within the scope of amultisitecertification?b) the
dates of granting, extending
orrenewingcertification?c)theexpirydateorrecertificationduedateconsistentwiththerecertificationcycle?d)auniqueidentificationcode?e)
the standard and/or other normativedocument including issue number
and/orrevisionusedforthecertifiedcustomer? SADCASF40(a)IssueNo:1
Page10of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.2.3
cont.f) the scope of certification with respect toproduct
(including service), process, etc,asapplicableateachsite?g) the
name, address and certification markof the CB; other marks (e.g.
accreditationsymbol)?h) any other information required by
thestandard and/or other normativedocumentusedforcertification?i)
in the event of issuing any revisedcertification documents, a means
todistinguish the revised documents fromanypriorobsoletedocuments?
8.3 Directoryofcertifiedcustomers Does the CB maintain and make
publiclyaccessibleorprovideuponrequest,byanymeans it chooses, a
directory of validcertifications? See 8.3 for directorydetail. 8.4
Referencetocertificationanduseofmarks 8.4.1 Does the CB have a
policy governing anymarkthatitauthorizescertifiedcustomersto use?
See 8.4.1 and ISO/IEC 17030 fordetail. Is the mark used on a
product or productpackagingseenbytheconsumer? 8.4.2
DoestheCBpermititsmarktobeappliedto laboratory test, calibration
orinspectionreports? 8.4.3 Does the CB require that the
clientorganization:a) conforms to the requirements of the CBwhen
making reference to its certificationstatusincommunicationmedia?b)
does not make or permit any
misleadingstatementregardingitscertification?c) does not use or
permit the use of
acertificationdocumentoranypartthereofinamisleadingmanner?d) upon
suspension or withdrawal of itscertification discontinues its use
of alladvertising matter that contains areference to certification,
as directed bytheCB?(See9.6.3and9.6.6)e) amends all advertising
matter when thescopeofcertificationhasbeenreduced?
SADCASF40(a)IssueNo:1 Page11of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.4.3
cont..f) does not allow reference to itsmanagement system
certification to beused to imply that the CB certifies
aproduct(includingservice)orprocess?g) does not imply that the
certificationapplies to activities that are outside
thescopeofcertification?andh) does not use its certification in
such amanner that would bring the CB and/orcertification system
into disrepute andlosepublictrust? 8.4.4 Does the CB exercise
proper control ofownership and take action to deal withincorrect
references to certification
statusormisleadinguseofcertificationmarksorauditreports?SeeNote 8.5
Confidentiality 8.5.1/8.5.5 Does the CB through legally
enforceableagreements have a policy andarrangements to safeguard
theconfidentiality of the information at alllevels of its
structure, includingcommittees and external bodies
orindividualsactingonitsbehalf? 8.5.2 Client informed by the CB of
theconfidential information it intends toplaceinthepublicdomain?
8.5.3 Except as required in this
internationalstandard,isinformationaboutaparticularclient or
individual disclosed to a thirdparty without the written consent of
theclientorindividualconcerned?
WheretheCBisrequiredbylawtoreleaseconfidentialinformationtoathirdparty,isthe
customer or individual concerned,unless regulated by law, notified
inadvanceoftheinformationprovided? 8.5.4
Isinformationabouttheclienttreatedasconfidential,consistentwiththeCBspolicy?
SADCASF40(a)IssueNo:1 Page12of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.5.5
Do all personnel acting on the CBs behalfkeep confidential all
information obtainedor created during the performance of
theCBsactivities? 8.5.6 Does the CB have available and useequipment
and facilities that ensure thesecure handling of
confidentialinformation(e.g.documents,records)? 8.5.7 When
confidential information is madeavailable to other bodies (e.g.
AB,agreement group of a peer assessmentscheme) does the CB inform
its client ofthisaction? 8.6
InformationexchangebetweenaCBanditscustomers 8.6.1
Informationonthecertificationactivityandrequirements
DoestheCBprovideandupdateclientsonthefollowing:a)a detailed
description of the initial andcontinuing certification activity
includingthe application, initial audits, surveillanceaudits and
the process for granting,maintaining, reducing,
extending,suspending, withdrawing certification
andrecertification?b)The normative requirements
forcertification?c)Informationaboutthefeesforapplication,initial
certification and
continuingcertification?d)TheCBsrequirementsfortheprospectivecustomer:1To
comply with certificationrequirements?2To make all necessary
arrangementsfortheconductoftheauditsincludingprovision for
examiningdocumentation and the access to allprocesses and areas,
records andpersonnel for the purposes of initialcertification,
surveillance, recertification and resolution ofcomplaints,and?3To
make provisions where applicableto accommodate the presence
ofobservers (e.g. accreditation auditorsortraineeauditors)?
SADCASF40(a)IssueNo:1 Page13of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSORe)Documents
describing the rights andduties of certified clients
includingrequirements when making reference toits certification in
communication of
anykindinlinewiththerequirementsin8.4?f)Information on procedures
for handlingcomplaintsandappeals? 8.6.2 NoticeofchangesbyaCB Does
the CB give its certified clients duenotice of any changes to its
requirementsforcertification? Does the CB verify that each
certifiedclient complies with the newrequirements?SeeNote 8.6.3
Noticeofchangesbyaclient
LegallyenforceablearrangementstoensurethatthecertifiedcustomerinformstheCBofmattersthatmayaffectthemanagementsystemsabilitytocontinuetofulfilltherequirementsofthestandardusedforcertification?Seeexamplesa)toe)inthestandard
9 Processrequirements9.1 Generalrequirements 9.1.1
Auditprogramme9.1.1.1 Is the audit programme for the
fullcertification cycle developed and does itclearly identify the
audit activity(ies)required for certification to the
selectedstandard(s) or other normativedocuments?9.1.1.2 Does the
audit programme include a twostage initial audit, surveillance
audits inthe 1st and 2nd years and a recertificationaudit in the
3rd year prior to expiration ofcertification? (The 3year
certificationcycle begins with the certification or
recertificationdecision).9.1.1.3 Where a CB is taking account
ofcertification or other audits alreadygranted to the customer,
does it collectsufficient, verifiable information to justifyand
record any adjustments to the auditprogramme?
9.1.2Auditplan9.1.2.1General Is an audit plan established for each
auditto provide the basis for agreementregarding the conduct and
scheduling oftheauditactivities? SADCASF40(a)IssueNo:1 Page14of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSORIs
the audit plan based on
documentedrequirementsofthecertificationbody?9.1.2.2 Determining
audit objectives, scope andcriteria9.1.2.2.1 Does the CB determine
the auditobjectives? Is the audit scope and criteria
includingchanges established by the CB
afterdiscussionswiththeclient?9.1.2.2.2 Are audit objectives
describe what is to beaccomplished by the audit and does
itincludethefollowing: a) determination of the conformity of
theclients management system, or parts of it,withtheauditcriteria
b) evaluation of the ability of themanagement system to ensure the
clientorganization meets applicable
statutory,regulatoryandcontractualrequirementsSeeNote c) evaluation
of the effectiveness of themanagement system to ensure the
clientorganization is continually meeting itsspecifiedobjectives d)
as applicable, identification of areas
ofpotentialimprovementofthemanagementsystem9.1.2.2.3 Does the audit
scope describe the extentand boundaries of the audit? Where
theinitial or recertification process consists ofmore than one
audit, are total auditsconsistent with the scope in
thecertification?9.1.2.2.4Is the audit criteria used as a
referenceagainstwhichconformityisdeterminedanddoesitinclude:The
requirements of a defined normativedocumentonmanagementsystemsThe
defined processes and documentationof the management system
developed bytheclient9.1.2.3 Preparingtheauditplan Is the audit
plan appropriate to theobjectivesandthescopeoftheauditand
SADCASF40(a)IssueNo:1 Page15of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.2.3
Preparingtheauditplan(cont.) Does it at least include or refer to
thefollowing:a)Theauditobjectivesb)Theauditcriteriac)The audit
scope including identification ofthe organizational and functional
units
orprocessestobeauditedd)Thedatesandsiteswheretheonsiteauditactivities
are to be conducted
includingvisitstotemporarysites,asappropriatee)The expected time
and duration of onsiteauditactivitiesf)The roles and
responsibilities of the
auditteammembersandaccompanyingpersonsSeeNotes1and2 9.1.3
Auditteamselectionandassignments9.1.3.1 Process in place for
selecting andappointing the audit team taking
intoaccountthecompetenceneededtoachievetheobjectivesoftheaudit?
Where there is only one auditor, is
theauditorcompetenttoperform?9.1.3.2 In deciding the size and
composition of theauditteamwasthefollowingconsidered:a) audit
objectives, scope, criteria
andestimatedtimeoftheauditb)whethertheauditisacombined,integratedorjointauditc)
the overall competence of the audit teamneeded to achieve the
objectives of theauditd) certification requirements (including any
applicable statutory, regulatory
orcontractualrequirements?e)Languageandculturef) Whether the
members of the audit teamhave previously audited the
clientsmanagementsystem.9.1.3.3Where
thenecessaryknowledgeandskillofthe audit team leader and auditors
wassupplemented by technical experts,translators and interpreters,
were theyselected such that they do not undulyinfluencetheaudit?
SADCASF40(a)IssueNo:1 Page16of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.3.4
Where auditorsintraining are included inthe audit team as
participants, was anevaluatorappointed?
Wastheevaluatorcompetenttotakeoverthedutiesandhavefinalresponsibilityfortheactivitiesandfindingsoftheauditorintraining?9.1.3.5Doestheauditteamleader,inconsultationwith
the audit team assign to each teammember responsibility for
specificprocesses, functions, sites, areas oractivities and are
such assignments takingintoaccounttheneedforcompetence? Were
changes to assignments made toensure achievement of the
auditobjectives? 9.1.4 Determiningaudittime 9.1.4.1 Does the CB
have documented
proceduresfordeterminingaudittimeneedtoplanandaccomplishacompleteandeffectiveaudit?
Does the procedure include or
makereferencetotherelevantannexesintheIAFGD2andGD6documents? In
determining the audit time, does the CBconsider among other things
the followingaspects:a)The requirements of the
managementsystemstandard?b)Sizeandcomplexity?c)Technologicalandregulatorycontext?
d)Anyoutsourcing?e)Theresultsofanyprioraudits?f)Numberofsitesandmultisiteconsiderations?g)
The risks associated with the
product,processesoractivitiesoftheorganization?h) When audits are
combined, joint orintegrated?i) Specific criteria for specific
certificationschemewhereestablished?9.1.4.2 Does the CB include
time spent by anyteam member that is not assigned as anauditor?
SADCASF40(a)IssueNo:1 Page17of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.5
Multisitesampling Where multisite sampling is utilized, didthe CB
develop an adequate samplingprogramme to ensure proper audit of
themanagementsystem? Is the rationale for the sampling
plandocumented?(IAFguidanceapplies) 9.1.6
Communicationofauditteamtasks Are the tasks given to the audit
teamdefined and make known to the client?Doestheauditteam:a)Examine
and verify the structure, policies,processes, procedures, records
and relateddocuments of the customer
organizationrelevanttothemanagementsystem?b)Determine that these
meet all therequirements relevant to the
intendedscopeofcertification?c)Determine that the processes
andprocedures are established, implementedand maintained
effectively, to provide abasis for confidence in the
clientmanagementsystem?andd)Communicate to the customer, for
itsaction, any inconsistencies between thecustomers policy,
objectives and targetsandtheresults? 9.1.7 Communication concerning
audit teammembers Does the CB provide the name and, whenrequested,
make available backgroundinformation of each member of the
auditteam with sufficient time for the clientorganization to object
to the appointmentofanyparticularauditorortechnicalexpertand for
the CB to reconstitute the team inresponsetoanyvalidobjection?
9.1.8 Communicationofauditplan Is the audit plan communicated and
thedatesoftheauditagreedupon,inadvance,withtheclientorganization?
9.1.9 Conductingonsiteaudits9.1.9.1 General
DoestheCBhaveaprocessforconducting SADCASF40(a)IssueNo:1 Page18of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.1
General(cont.)Onsiteaudits?Does the process include opening
meetingatthestartoftheauditandclosingmeetingattheconclusionoftheaudit?9.1.9.2
ConductingtheopeningmeetingDoestheauditteamhaveaformalopeningmeeting
with the clients management andthose responsible for the functions
orprocessestobeaudited?Are the opening meeting conducted by
theLeadauditor?Are audit activities explained including
thefollowing:a)Introduction of the participants
includinganoutlineoftheirrolesb)Confirmationofthescopeofcertificationc)Confirmation
of the audit plan (includingtype and scope of audit, objectives
andcriteria), any changes and other relevantarrangements with the
client such as thedate and time for the closing meeting,interim
meetings between the audit teamandclientsmanagementd)Confirmation
of formal communicationchannels between the audit team and
thecliente)Confirmation that the resources
andfacilitiesneededbyauditteamareavailablef)Confirmation of matters
relating toconfidentialityg)Confirmation of relevant work
safety,emergency and security procedures for
theauditteamh)Confirmation of the availability, roles
andidentitiesofanyguidesandobserversi)The method of reporting
including anygradingofauditfindingsj)Information about the
conditions underwhich the audit may be
prematurelyterminatedk)Confirmation that the audit team leaderand
audit team representing the CB isresponsible for the audit and
shall be incontrol of executing the audit
planincludingauditactivitiesandaudittrails SADCASF40(a)IssueNo:1
Page19of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.2(cont.)l)confirmationofthestatusoffindingsofthepreviousrevieworaudit,ifapplicablem)
methods and procedures to be used
toconducttheauditbasedonsamplingn) confirmation of the language to
be usedduringtheaudito confirmation that during the audit theclient
will be kept informed of
auditprogressandanyconcernsp)opportunityfortheclienttoaskquestions9.1.9.3
Communicationduringtheaudit9.1.9.3.1 During the audit does the
audit teamperiodically assess audit progress andexchange
information and does the teamleader reassign work as needed
betweenthe audit team members and
periodicallycommunicatetheprogressoftheauditandanyconcernstotheclient?9.1.9.3.2
Does the audit team leader report to theclient and where possible
to the CBpresence of an immediate and significantrisk(e.g.safety)?
IstheoutcomeoftheactiontakenreportedtotheCB?9.1.9.3.3
Doestheteamleaderreviewwiththeclientany need for changes to the
audit scopewhich becomes apparent as onsiteauditing activities
progress and report thistotheCB?9.1.9.4
ObserversandGuides9.1.9.4.1Observers Prior to the conduct of the
audit does theclient agree to the presence andjustification of
observers during an auditactivity?9.1.9.4.2Guides
Doeseachauditoraccompaniedbyaguide,unless otherwise agreed to by
the auditteamleaderandtheclient? Does the audit team ensure that
guides donot influence or interfere in the
auditprocessoroutcomeoftheaudit?SeeNote SADCASF40(a)IssueNo:1
Page20of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.5
Collectingandverifyinginformation9.1.9.5.1 Is information relevant
to the auditobjective, scope and criteria collected byappropriate
sampling and verified tobecomeauditevidence?9.1.9.5.2 Are methods
to collect
informationincluded?a)interviewsb)observationofprocessesandactivitiesc)reviewofdocumentationandrecords9.1.9.6
Identifyingandrecordingauditfindings9.1.9.6.1 Are audit findings
summarizing conformityand detailing nonconformity audits and
itssupporting evidence recorded andreported?9.1.9.6.2 Where
opportunities for improvement arenot prohibited by the requirements
of amanagement system scheme, are
theyidentifiedandrecorded?9.1.9.6.3 Is a finding of nonconformity
recordedagainst a specific requirement of the auditcriteria and
does it contain a clearstatement of the nonconformity andidentify
in detail the objective evidence onwhichthenonconformityisbased?
Are nonconformities discussed with theclient to ensure that the
evidence isaccurate andthat the nonconformities
areunderstood?9.1.9.6.4 Does the audit team leader attempt
toresolveanydivergingopinionsbetweentheaudit team and the client
concerning auditevidence on findings and are
unresolvedpointsrecorded?9.1.9.7 Preparingauditconclusions Prior to
the closing meeting does the auditteam:a)review the audit findings
and any otherappropriate information collected
duringtheauditagainsttheauditobjectivesb)agree upon the audit
conclusions
takingintoaccounttheuncertaintyinherentintheauditprocess
SADCASF40(a)IssueNo:1 Page21of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.7
(cont.)c) identifyanynecessaryfollowupactionsd) confirm the
appropriateness of the auditprogramme or identify any
modificationrequired (e.g. scope, audit time or
dates,surveillancefrequency,competence)9.1.9.8
Conducttheclosingmeeting9.1.9.8.1 Does the team hold a formal
closingmeeting with management and are nonconformities presented in
such a mannerthat they are understood, and
aretimeframesforrespondingagreed? Isattendancerecorded?9.1.9.8.2
Does the closing meeting include thefollowing:a) advising the
client that the audit evidencecollected was based on sample of
theinformation; thereby introducing anelementofuncertaintyb) the
method and timeframe of
reportingincludinganygradingofauditfindingsc)
thecertificationbodysprocessforhandlingnonconformities including
anyconsequences relating to the status of theclientscertificationd)
the timeframe for the client to present
aplanforcorrectionandcorrectiveactionforany nonconformities
identified during theaudite) theCBspostauditactivitiesf)
information about the complaint handlingandappealprocesses9.1.9.8.3
Is the client given opportunity forquestions? Are diverging
opinions regarding the auditfindings or conclusions discussed,
resolvedwherepossible?
AreunresolveddivergingopinionsrecordedandreferredtotheCB? 9.1.10
Auditreport9.1.10.1 Does the CB provide a written report foreach
audit and is ownership of the reportmaintainedbytheCB? If the audit
team identifies opportunitiesfor improvement, do they
recommendspecificsolutions? SADCASF40(a)IssueNo:1 Page22of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.10.2
Does the team leader ensure that thereport is prepared and takes
responsibilityofthecontentofthereport? Does the report provide
accurate, conciseand clear record of the audit and does
itincludethefollowing:a)identificationofthecertificationbodyb)name
and address of the clientsmanagementrepresentativec)type of audit
(e.g. initial, surveillance
orrecertification)d)auditcriteriae)auditobjectivesf)audit scope,
particularly identification ofthe organizational of functional
units orprocessesauditedandthetimeoftheauditg)identification of the
audit team leader,audit team members and
anyaccompanyingpersonsh)dates and places where the audit
activities(onsiteofoffsite)wereconductedi)audit findings, evidence
and conclusions,consistent with the requirements of
thetypeofauditj)anyunresolvedissues,ifidentified 9.1.11
Causeanalysisofnonconformities Does the CB require the client to
analyzethe cause and describe the specificcorrection and corrective
actions taken orplanned to be taken to eliminate
detectednonconformitieswithinadefinetimeline? 9.1.12 Effectiveness
of corrections and correctiveactions Does the CB review the
corrections,identified causes and corrective actionssubmitted by
the customer to determine iftheseareacceptable? Does the CB verify
the effectiveness of anycorrectionandcorrectiveactiontaken? Is the
evidence obtained to support
theresolutionofnonconformitiesrecorded?
Doestheclientgetinformedoftheresultofthereviewandverification?SeeNote
SADCASF40(a)IssueNo:1 Page23of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.13
Certificationdecision Is the client informed if an additional
fullaudit, an additional limited audit ordocumented evidence (to be
confirmedduring future surveillance audits) will beneeded to verify
effective correction andcorrectiveactions? 9.1.14 Does the CB
ensure that the persons orcommittees that make the certification
orrecertification decisions are different
fromthosewhocarriedouttheaudits? 9.1.15
Actionspriortomakingadecision Does the CB confirm, prior to making
adecisionthat:a)Theinformationprovidedbytheauditteamissufficient?b)It
has reviewed, accepted and verified theeffectiveness of corrections
and correctiveactions for all nonconformities
thatrepresent:1failure to fulfill one or more
requirementsofthemanagementsystemstandard?or2a situation that
raises significant doubtabout the ability of the
customersmanagement system to achieve itsintendedoutputsc)It has
reviewed and accepted the clientsplanned correction and corrective
actionforanyothernonconformity? 9.2
Initialauditandcertification9.2.1 Application Does the CB require
an authorizedrepresentativeoftheapplicantorganizationto provide the
necessary information
toenableittoestablish:a)Thedesiredscopeofthecertification?b)The
general features of the applicantorganization including its name
and theaddress(es) of its physical location(s),significant aspects
of its process andoperations and any relevant
legalobligations?c)General information relevant for the fieldof
certification applied for, concerning
theapplicantorganization,suchasitsactivities,human and technical
resources, functionsand relationship in a larger corporation,
ifany? SADCASF40(a)IssueNo:1 Page24of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.1
(cont.)d)Information concerning all
outsourcedprocessesusedbytheorganizationthatwillaffectconformitytorequirements?e)The
standards or other requirements forwhich the applicant organization
is seekingcertification?f)Information concerning the use
ofconsultancy relating to the managementsystem? 9.2.2
Applicationreview9.2.2.1 Before proceeding with the audit does
theCB conduct a review of the application
andsupplementaryinformationfor certificationtoensurethat:a) The
information about theapplicant and itsmanagement system is
sufficient for theconductoftheaudit?b) The requirements for
certification areclearly defined and documented and havebeen
provided to the applicantorganization?c) Any known difference in
understandingbetween the CB and the
applicantorganizationisresolved?d) The CB has the competence and
ability toperformthecertificationactivity?e) The scope of
certification sought, thelocation(s) of the applicants
organizationsoperations, time required to completeaudits and any
other points influencing thecertification activity are taken into
account(language, safety conditions, threats toimpartiality,etc)?f)
Records of the justification for the
decisiontoundertaketheauditshallbemaintained?9.2.2.2 Following the
review of the applicationdoes the CB accept or decline
anapplicationorcertification? When declined, are reasons for
decliningdocumentedmadecleartotheclient?SeeNote
SADCASF40(a)IssueNo:1 Page25of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.2.3
Based on this review does the CBdetermine the competences it needs
toincludeinitsauditteam(see7.2.7)andforthecertificationdecision(see7.2.9)?9.2.2.4
Is the audit team appointed and do theyhave the totality of the
competencesidentifiedbytheCBassetoutin9.2.2.3forthe certification
of the applicantorganization? Is selection of the team performed
withreference to the designations ofcompetence of auditors and
technicalexpertsmadeunder7.2.5?9.2.2.5 Is the individual(s) who
will be conductingthe certification decision appointed toensure
appropriate competence isavailable?(See7.2.9and9.2.2.3) 9.2.3
Initialcertificationaudit Is the initial certification audit of
amanagement system conducted in
twostagesStage1andStage29.2.3.1Stage1audit9.2.3.1.1
Isthestage1auditperformed:a) to audit the clients management
systemdocumentation;b) to evaluate the clients location and
sitespecific conditions and to undertakediscussions with the
clients personnel todetermine to the preparedness for
theStage2audit;c) to review the clients status andunderstanding
regarding requirements ofthe standard, in particular with respect
tothe identification of key performance orsignificant aspects,
processes, objectivesandoperationofthemanagementsystem?d) to
collect necessary information regardingthe scope of the management,
processesand location(s) of the client, and relatedstatutory and
regulatory aspects andcompliance (e.g. quality, environmental,legal
aspects of the clients operation,associatedrisks,etc.)?
SADCASF40(a)IssueNo:1 Page26of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.3.1.1
(cont.)e) to review the allocation of resources forStage 2 audit
and agree with the client onthedetailsoftheStage2audit?f) to
provide a focus for planning the Stage 2audit by gaining a
sufficient
understandingoftheclientsmanagementsystemandsiteoperations in the
context of possiblesignificantaspects?g) to evaluate if the initial
audits andmanagementreviewarebeingplannedandperformed and that the
level ofimplementation of the
managementsystemsubstantiatesthattheclientisreadyfortheStage2audit?
For most management systems it isrecommended that at least part of
theStage 1 audit be carried out at the clientspremises in order to
achieve the objectivesstatedabove.9.2.3.1.2
AreStage1auditfindingsdocumentedandcommunicated to the client
organizationincluding identification of any areas ofconcern that
could be classified as nonconformityduringStage2audit?9.2.3.1.3 In
determining the interval between
Stage1andStage2,isconsiderationgiventotheneeds of the client to
resolve areas ofconcernidentifiedduringtheStage1audit? The CB may
also need to revise itsarrangementforStage29.2.3.2
Stage2audit9.2.3.2.1 The purpose of the Stage 2 audit is toevaluate
the implementation includingeffectiveness of the
customersmanagementsystem. Is the Stage 2 audit taking place at
thesite(s)oftheclient?
Doesitincludeatleastthefollowing:a)Informationandevidenceaboutconformityto
all requirements of the applicablemanagement system standard or
othernormativedocument? SADCASF40(a)IssueNo:1 Page27of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.3.2.1(cont.)b)
performance monitoring, measuring,reporting and reviewing against
keyperformanceobjectivesandtargets?c) the clients management system
andperformanceasregardslegalcompliance?d) operational control of
the clientsprocesses?e)internalauditingandmanagementreview?f)
management responsibility for the
clientorganizationspolicies?g)linksbetweenthenormativerequirements,policy,
performance objectives and targets,any applicable legal
requirements,responsibilities, competence of personnel,operations,
procedures, performance dataandinternalauditfindingsandconclusions?
9.2.4 Initialcertificationauditconclusions
Doestheauditteamanalyzeallinformationand audit evidence gathered
during theStage 1 and Stage 2 audits to review theaudit findings
and agree on the auditconclusions? 9.2.5
Informationforgrantinginitialcertification9.2.5.1DoestheinformationprovidedbytheauditteamtotheCBforthecertificationdecisionincludeasaminimum:a)
theauditreports?b) comments on the nonconformities and,where
applicable, the correction
andcorrectiveactionstakenbytheclient?c)confirmationontheinformationprovidedtothe
certification body used in theapplicationreview?(See9.2.2)andd)
arecommendationwhetherornottograntcertification together with any
conditionsorobservations?9.2.5.2
DoestheCBmakethecertificationdecisionon the basis of an evaluation
of the auditfindings and conclusions and any otherrelevant
information (e.g. publicinformation,
commentsontheauditreportfromthecustomer)? SADCASF40(a)IssueNo:1
Page28of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.3
Surveillanceactivities9.3.1 General9.3.1.1
DidtheCBdevelopitssurveillanceactivitiesso that representative
areas and functionscovered by the scope of the managementsystem are
monitored on a regular basisand take into account changes to
itscertified client and its managementsystem?9.3.1.2 Do
surveillance activities include onsiteaudits assessing the
certified clientsmanagementsystemfulfillmentofspecifiedrequirements
with respect to the standardtowhichthecertificationisgranted?
Othersurveillanceactivitiesmayinclude:a)Enquiries from the CB to
the certified onaspectsofcertification;b)Reviewing any clients
statements withrespect to its operations (e.g.
promotionalmaterial,website);c)Requests to the client to
providedocuments and records (on paper
orelectronicmedia);andd)Other means of monitoring the
certifiedclientsperformance. 9.3.2 Surveillanceaudit9.3.2.1 Are
onsite audits planned with othersurveillance activities, so that
the CB canmaintain confidence that the certifiedmanagement
continues to fulfillrequirements in between recertificationaudits?
Does the surveillance audit
programmeincludeatleast:a)Internalauditsandmanagementreview?b)Reviewofactiontakenonnonconformitiesidentifiedduringthepreviousaudits?c)Treatmentofcomplaints?d)Effectiveness
of the management systemwith regard to achieving the
certifiedclientsobjectives?e)Progress of planned activities aimed
atcontinualimprovement? SADCASF40(a)IssueNo:1 Page29of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.3.2.1
(cont.)f)continuingoperationalcost?g)reviewofanychanges?andh) use
of marks and/orany other reference tocertification?9.3.2.2 Are
surveillance audits conducted at leastonceayear? Is the date of the
1st surveillance auditfollowing initial certification not more
than12 monthsfrom the lastday ofthe Stage 2audit? 9.3.3
Maintainingcertification
DoestheCBmaintaincertificationbasedondemonstration that the client
continues tosatisfy the requirements of
themanagementsystemstandard? Does the CB maintain an
organizationscertification based on a positiverecommendation by the
audit team leaderwithout further independent
reviewprovidedthat:a)For any nonconformity or other situationthat
may lead to suspension or withdrawalof certification, the CB needs
to initiate areview by appropriately
competentpersonneldifferentfromthosewhocarriedout the audit to
determine
whethercertificationcanbemaintained?(See7.2.9)andb)Competent
personnel of the CBmonitor itssurveillance activities, including
monitoringthe reporting by its auditors, to confirmthat the
certification activity is operatingeffectively? 9.4
Recertification9.4.1 Recertificationcycle9.4.1.1 Is a
recertification audit planned andconducted to evaluate the
continuedfulfillment of all the requirements of therelevant
management system standard orothernormativedocument?9.4.1.2 Does
the recertification audit consider theperformance of the management
systemover the period of certification and includethe review of
previous surveillance auditreports? SADCASF40(a)IssueNo:1
Page30of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR99.4.1.3
In situations where they have beensignificant changes (e.g. changes
tolegislation, management, processes, etc.)do the recertification
audit activitiesincludeaStage1audit?9.4.1.4 In the case of multiple
sites or certificationmultiple management system standardsbeing
provided by the CB, does theplanning for the audit ensure adequate
onsiteauditcoveragetoprovideconfidenceinthecertification? 9.4.2
Recertificationaudit9.4.2.1 Does the recertification audit include
anonsiteauditthataddressesthefollowing:a) the effectiveness of the
managementsystem?b) demonstrated commitment to maintain
theeffectivenessandimprovement?c) whether the operation of the
certifiedmanagement system contributes to theachievement of the
organizations policyandobjectives?9.4.2.2 When during a
recertification auditinstances of nonconformity or lack ofevidence
of conformity are identified,
doestheCBdefinetimelimitsforcorrectionandcorrective actions to be
implemented priortheexpiryofcertification? 9.4.3
Informationforgrantingrecertification Does the CB make decisions on
renewingcertificationbasedon:Theresultsofrecertificationaudit?Theresultsofthereviewofthesystemovertheperiodofcertification?andThe
complaints received from users ofcertification?
SADCASF40(a)IssueNo:1 Page31of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.5
Specialaudits9.5.1 Extensionstoscope Does the CB in response to an
applicationforextensiontothescopeofacertificationalready granted,
undertake a review of theapplication and determine any
auditactivities necessary to decide whether ornot the extension may
be granted? (Thismay be conducted in conjunction with
asurveillanceaudit)9.5.2 Shortnoticeaudits If it is necessary for
the CB to conductaudits of certified clients at short notice
toinvestigate complaints (see 9.8) or
inresponsetochanges(see8.6.3)orasfollowuponsuspendedcustomers(see9.6):a)Does
the CB describe and make known inadvance to the certified clients
(e.g. indocuments as described in 8.6 1) theconditions under which
these short noticevisitsaretobeconducted?Andb)c)Does the CB
exercise additional care in theassignment of the audit team because
ofthe lack of opportunity for the client toauditteammembers? 9.6
Suspending, withdrawing or reducingscopeofcertification 9.6.1
DoestheCBhaveapolicyanddocumentedprocedure(s) for suspension,
withdrawal orreduction of the scope of certification anddoes it
specify the subsequent actions bytheCB? 9.6.2 Does the CB suspend
certification in caseswhenforexample:The customers certified
managementsystem has persistently or seriously failedto meet
certification requirementsincluding requirements for
theeffectivenessofthemanagementsystem?The certified client does not
allowsurveillance or recertification audits to
beconductedattherequiredfrequencies?orThe certified client has
voluntarilyrequestedasuspension? SADCASF40(a)IssueNo:1 Page32of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.6.3
Under suspension the customersmanagement system certification
istemporarilyinvalid. Does the CB have
enforceablearrangementswithitsclientstoensurethatin case of
suspension the client
refrainsfromfurtherpromotionofitscertification? Does the CB make
the suspended status ofthe certification publicly available
(see8.1.3) and take any other measures itdeemsappropriate? 9.6.4
Does failure to resolve the issues that haveresulted in the
suspension in a timeestablished by CB result in withdrawal
orreductionofthescopeofcertification?SeeNote 9.6.5 Does the CB
reduce the customers scopeof certification to exclude the parts
notmeeting the requirements when the clienthas persistently or
seriously failed to meetthe certification requirements for
thosepartsofthescopeofcertification? 9.6.6 Does the CB have
enforceablearrangements with the certified customerconcerning
conditions of withdrawal
(see8.4.3d)ensuringuponnoticeofwithdrawalof certification that the
customerdiscontinuesitsuseofalladvertisingmatterthat contains any
reference to a certifiedstatus? 9.7 Appeals 9.7.1
DoestheCBhaveadocumentedprocesstoreceive, evaluate and make
decisions onappeals? 9.7.2 Is a description of the appeals
handlingprocesspubliclyavailable? SADCASF40(a)IssueNo:1 Page33of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.7.3
Is the CB responsible for all decisions at
alllevelsoftheappealshandlingprocess? Does the CB ensure that the
personsengaged in appeals handling process aredifferent from those
who carried out theauditsandmadethecertificationdecisions? 9.7.4 Do
submission, investigation and decisionon appeals result in any
discriminatoryactionsagainsttheappellant? 9.7.5
Doestheappealhandlingprocessincludeatleastthefollowingelementsandmethods:a)
an outline of the process for receiving,validating, investigating
the appeal and fordeciding what actions are to be taken inresponse
to it, taking into account theresultsofprevioussimilarappeals;b)
tracking and recording appeals
includingactionsundertakentoresolvethem;c) ensuring that any
appropriate correctionandcorrectiveactionistaken. 9.7.6 Does the CB
acknowledge receipt of theappeal and provide the appellant
withprogressreportsandtheoutcome? 9.7.7 Are the decision to be
communicated tothe appellant made by, or reviewed andapproved by,
individual(s) not previouslyinvolvedinthesubjectoftheappeal? 9.7.8
Does the CB give formal notice of the endof the appeal handling
process to theappellant? 9.8Complaints 9.8.1 Is a description of
the complaints handlingprocesspubliclyaccessible? 9.8.2 Upon
receipt of a complaint does the CBconfirm whether the complaint
relates
tocertificationactivitiesthatisresponsibleforand,ifso,dealswith? If
the complaint relates to a certified clientdoes the examination of
the complaintconsider the effectiveness of the
certifiedmanagementsystem? SADCASF40(a)IssueNo:1 Page34of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.8.3
Is a complaint about a certified client alsoreferred by the CB to
the certified client inquestionatanappropriatetime? 9.8.4
DoestheCBhaveadocumentedprocesstoreceive, evaluate and make
decisions oncomplaints? Is this process subject to requirements
forconfidentiality as it relates to thecomplainant and to the
subject of thecomplaint? 9.8.5 Does the complaints handling
processinclude at least the following elements andmethods:a)an
outline of the process for
receiving,validating,investigatingthecomplaintandfor deciding what
actions are to be
takeninresponsetoit?b)trackingandrecordingcomplaintsincludingactionsundertakentoresolvethem?c)ensuringthatanappropriatecorrectionandcorrectiveactionsaretaken?SeeNote
9.8.6 Is the CB receiving the complaintresponsible for gathering
and verifying allnecessary information to validate thecomplaint?
9.8.7 Whenever possible does the CBacknowledge receipt of the
complaint andprovide the complainant with
progressreportsandtheoutcome? 9.8.8 Is the decision to be
communicated to thecomplainant made by, or reviewed andapproved by,
individual(s) not previouslyinvolvedinthesubjectofthecomplaint?
9.8.9
WheneverpossibledoestheCBgiveformalnoticeoftheendofthecomplainthandlingprocesstothecomplainant?
SADCASF40(a)IssueNo:1 Page35of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.8.10
Does the CB determine together with theclient and the complainant
whether and, ifso to what extent, the subject of thecomplaint and
its resolution shall be madepublic? 9.9
Recordsofapplicantsandclients 9.9.1 Does the CB maintain records on
the auditandothercertificationactivityforallclientsincluding all
organizations that submittedapplications and all organizations
audited,certifiedorwithcertificationwithdrawn? 9.9.2 Do the records
on certified clients includethefollowing:a) application information
and initial,surveillance and recertification
auditreports?b)certificationagreement?c) justification of the
methodology used forsampling?d) justification for auditor
timedetermination?(See9.1.4)e) verification of correction and
correctiveactions?f) records of complaints and appeals and
anysubsequent correction and correctiveactions?g) committee
deliberations and decisions, ifapplicable?h) documentation of the
certificationdecisions?i) certificationdocumentsincludingthescopeof
certification with respect to
product,processorservicesasapplicable?j) related records necessary
to establish thecredibility of the certification such
asevidenceofthecompetenceofauditorandtechnicalexpert?SeeNote 9.9.3
DoestheCBkeeptherecordsonapplicantsand customers, secure to ensure
that theinformationiskeptconfidential? Are records transported,
transmitted ortransferred in a way that ensures
thatconfidentialityismaintained? SADCASF40(a)IssueNo:1 Page36of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.9.4
DoestheCBhaveadocumentedpolicyanddocumented procedures on retention
ofrecords? Arerecordsretainedforthedurationofthecurrent cycle plus
one (1) full certificationcycle?SeeNote 10 Management system
requirements forCBs10.1 Options In addition to meeting the
requirements ofClauses 5 to 9 did the CB implement amanagement
system in accordance witheither:a)Management system requirements
inaccordancewithISO9001(Option1)?orb)General management system
requirements(Option2)? 10.2
Option1:ManagementsystemrequirementsinaccordancewithISO900110.2.1
General Is the ISO 9001 system capable ofsupporting and
demonstrating theconsistent achievement of
therequirementsofthisinternationalstandard,amplifiedby10.2.2to10.2.4?
10.2.2 Scope Doesthescopeofthemanagementsysteminclude the design
and developmentrequirementsforitscertificationservices? 10.2.3
CustomerFocus Does the CB consider the credibility ofcertification
and address the needs of allparties (as set out in 4.1.2) that rely
uponits audit and certification services, not justitsclients?
10.2.4Managementreview Does the CB include as input formanagement
review information
onrelevantappealsandcomplaintsfromusersofcertificationactivities?
SADCASF40(a)IssueNo:1 Page37of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3
Option 2: General management systemrequirements10.3.1 General Does
the CB establish, document,implement and maintain a
managementsystem that is capable of supporting anddemonstrating the
consistent achievementof the requirements of this
internationalstandard? Does the CBs top management
establishanddocumentpoliciesandobjectivesforitsactivities? Does top
management provide evidence ofits commitment to the development
andimplementation of the managementsystem in accordance with
therequirements of this internationalstandard? Does top management
ensure that thepolicies are understood, implemented andmaintained
at all levels of the certificationbodysorganization? Did the CBs
top management appoint amember of management who, irrespectiveof
other responsibilities, shall
haveresponsibilityandauthoritythatincludes:a)Ensuring that
processes and proceduresneeded for the management system
areestablished, implemented and maintained?andb)Reporting to top
management on theperformance of the management
systemandanyneedforimprovement? 10.3.2 Managementsystemmanual Are
all applicable requirements of
thisinternationalstandardaddressedeitherinamanualorinassociateddocuments?
Does the CB ensure that the manual andrelevant associated documents
areaccessibletoitspersonnel? 10.3.3 Controlofdocuments Did the CB
establish procedures to controlthe documents (internal and
external) thatrelatetothefulfillmentofthisinternationalstandard?
SADCASF40(a)IssueNo:1 Page38of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR
Does the procedures define the controlneeded:a)To approve documents
for adequacy priortoissue?b)To review and update as necessary
andapprovedocuments?c)To ensure that changes and the
currentrevisionstatusofdocumentsareidentified?d)To ensure that
relevant versions ofapplicable documents are available
atpointsofuse?e)To ensure that documents remain
legibleandreadilyidentifiable?f)Toensurethatdocumentsofexternaloriginare
identified and their distributioncontrolled?andg)To prevent the
unintended use of obsoletedocuments and to apply
suitableidentification to them if they are
retainedforanypurpose?SeeNote 10.3.4Controlofrecords Does the CB
establish procedures to definethe controls needed for the
identification,storage, protection, retrieval, retentiontime and
disposition of its records relatedto the fulfillment of this
internationalstandard? Does the CB establish procedures
forretaining records for a period
consistentwithitscontractualandlegalobligations? Is access to these
records consistent withtheconfidentialityarrangements?SeeNote
10.3.5 Managementreview10.3.5.1General Did the CBs top management
establishprocedures to review its managementsystem at planned
intervals to ensure itscontinuing suitability, adequacy
andeffectiveness including the stated policiesand objectives
related to the fulfillment ofthisinternationalstandard?
Arethesereviewsconductedatleastonceayear? SADCASF40(a)IssueNo:1
Page39of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.5.2Reviewinputs
Does the input to management
reviewincludeinformationrelatedto:a)Resultsofinternalandexternalaudits?b)Feedback
from clients and interestedparties related to the fulfillment of
thisinternationalstandard?c)Feedback from the committee
forsafeguardingimpartiality?d)Statusofpreventiveandcorrectiveactions?e)Followup
actions from
previousmanagementreviews?f)Fulfillmentofobjectives?g)Changes that
could affect themanagement?andh)Appealsandcomplaints?10.3.5.3
Reviewoutputs Do the outputs from the managementreview include
decisions and actionsrelatedto:a)Improvement of the effectiveness
of themanagementsystemanditsprocesses?b)Improvement of the
certification servicesrelated to the fulfillment of
thisinternationalstandard?andc)Resourceneeds? 10.3.6
Internalaudits10.3.6.1 Does the CB establish procedures forinternal
audits to verify that it fulfills therequirements of this
international standardand that the management system
iseffectivelyimplementedandmaintained?SeeNote10.3.6.2 Is an audit
programme planned taking intoconsideration the importance of
theprocesses and areas to be audited as
wellastheresultsofpreviousaudits?10.3.6.3
Areinternalauditsperformedatleastonceevery12months?10.3.6.4
DoestheCBensurethat:a)Internal audits are conducted by
qualifiedpersonnel knowledgeable in certification,auditing and the
requirements of
thisinternationalstandard?b)Auditorsshallnotaudittheirownwork?
SADCASF40(a)IssueNo:1 Page40of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.6.4(cont.)c)
Personnel responsible for the area
auditedareinformedoftheoutcomeoftheaudit?c)Any actions resulting
from internal auditsare taken in a timely and
appropriatemanner?andd)Any opportunities for improvement
areidentified? 10.3.7 Correctiveactions Does the CB establish
procedures foridentification and management of
nonconformitiesinitsoperations? Does the CB also, where necessary,
takeactions to eliminate the causes of nonconformities in order to
preventrecurrence? Are corrective actions appropriate to
theimpactoftheproblemencountered?
Dotheproceduresdefinerequirementsfor:a)Identifying nonconformities
(e.g.
fromcomplaintsandinternalaudits)?b)Determiningthecausesofnonconformity?c)Correctingnonconformities?d)Evaluating
the need for actions to
ensurethatnonconformitiesdonotrecur?e)Determining and implementing
in a
timelymannertheactionsneeded?f)Recordingtheresultsofactionstaken?andg)Reviewing
the effectiveness of correctiveactions? 10.3.8Preventiveactions
DoestheCBestablishproceduresfortakingpreventive actions to
eliminate the causesofpotentialnonconformities?
Arepreventiveactionstakenappropriatetothe probable impact of the
potentialproblems? Do the procedures for preventive
actionsdefinerequirementsfor:a)Identifying potential
nonconformities andtheircauses?b)Evaluating the need for action to
preventNNtheoccurrenceofnonconformities?Determining and
implementing the actionneeded? SADCASF40(a)IssueNo:1 Page41of41
Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.8(cont.)
c)Recordingtheresultsofactionstaken?andd)Reviewing the
effectiveness of thepreventiveactions?SeeNote
Additional/GeneralComments(Thisspacemaybeusedtoexpandoncommentsinspecificsections)SignedLead/TechnicalAssessor:
Date: