By Jasmin Dhakaan Accreditation Expert | The Conformity Edge – ISO/IEC 17000 Weekly Series
Why This Flow Matters
Every ISO certificate you have ever seen on a wall, on a product label, or on a website is a public promise. But what makes that promise credible? The answer lies in how a certification body operates behind the scenes.
A certificate may seem like a single outcome, but behind that certificate is a highly structured system. And at the center of it all is ISO/IEC 17021-1:2015, the standard that sets the rules of the game for management system certification bodies.
When followed correctly, it creates a robust, impartial, and globally recognized certification process.
When misapplied or fragmented, it results in nonconformities, loss of credibility, and in the worst cases, withdrawal of accreditation.
So, let us take a deep dive into what this process actually looks like from start to finish.
Step 1: Enquiry and Application – The First Formal Contact
The certification process begins the moment a potential client expresses interest in certification. This stage may seem administrative, but it lays the groundwork for everything that follows.
Key actions:
- The client submits a formal application or request for quote
- The certification body (CB) collects details including:
This stage helps determine whether the CB has the competence and resources to undertake the audit impartially and effectively.
Step 2: Application Review and Contract Agreement – A Risk-Based Decision
This is the point where the CB must thoroughly analyze the application and decide whether to accept the client.
A proper application review involves:
- Evaluating the client’s scope against the CB’s accreditation
- Assessing technical complexity (using IAF MD5 and MD17)
- Identifying potential conflicts of interest
- Determining audit duration and resource needs
- Reviewing exclusions and legal obligations
Once all risks are assessed, a contract is drafted and shared with the client. This contract must define responsibilities, payment terms, confidentiality, the conditions for surveillance and recertification audits, and the conditions for certification issuance, suspension, and withdrawal.
Why this matters: Many nonconformities observed by accreditation bodies begin at this step due to poor risk assessment or unclear scopes.
Step 3: Audit Program Design – Building the 3-Year Plan
After contract signing, the certification body develops a 3-year audit program that includes:
- The Initial Certification Audit (Stage 1 Document Review and Stage 2 Onsite/Remote Audit)
- Two Surveillance Audits (Year 1 and Year 2)
- A Recertification Audit in Year 3
This plan must be:
- Risk-based
- Customized to the client’s size, complexity, and performance history
- Justified in line with IAF MD5
Considerations:
- Are the sites similar in operation?
- Does the client operate in a high-risk industry?
- Have there been changes to processes, ownership, or legal status?
The audit program is shared with the client and regularly updated to reflect organizational or operational changes.
Step 4: Stage 1 Audit – Readiness Review
This is often misunderstood as a document check. In reality, it is a strategic step to determine whether the client is ready for a full system audit.
The auditor must:
- Review documented policies, procedures, and records
- Confirm that internal audits and management reviews have been completed
- Evaluate legal and regulatory compliance
- Understand the client’s processes and site-specific conditions
- Finalize the Stage 2 audit plan
This audit may be conducted remotely or on-site, depending on the risk level and nature of the organization.
Deliverable: A detailed Stage 1 report, identifying any concerns that could affect Stage 2, along with a confirmed audit plan and scope.
Step 5: Stage 2 Audit – On-Site System Evaluation
Stage 2 is the comprehensive audit where the CB verifies implementation and effectiveness of the client’s management system.
This audit is conducted on-site and involves:
- Interviews with leadership and process owners
- Observation of day-to-day operations
- Examination of records and logs
- Evaluation of performance indicators and process metrics
- Verification of legal, customer, and standard-specific compliance
The auditor uses a process-based approach, as per ISO 19011, focusing on:
- Inputs and outputs of each process
- Controls in place
- Monitoring, measurement, and improvement mechanisms
This audit concludes with an audit report and classification of any findings (nonconformities, observations, opportunities for improvement).
Step 6: Nonconformity Management – Root Cause, Not Excuses
If nonconformities are identified, the client must respond with a corrective action plan.
The CB must:
- Clearly classify each nonconformity as major or minor
- Link the issue to a specific clause in the standard
- Request a root cause analysis
- Review and verify the effectiveness of corrective action
Major NCs must be fully closed and verified before certification. For minor NCs, the corrective action plan may be accepted, with follow-up verification at the next surveillance audit.
This step reinforces the principle that certification is evidence-based, not relationship-based.
Step 7: Technical Review – Impartiality in Practice
Before a certification decision is made, the entire audit package undergoes technical review by an authorized reviewer who was not involved in the audit.
Their role:
- Ensure completeness of audit records
- Confirm correct classification and handling of NCs
- Validate that the audit team was competent
- Check for impartiality and objectivity throughout the process
This step is mandatory under ISO/IEC 17021 and ensures that no personal bias influences certification outcomes.
Step 8: Certification Decision – Evidence Over Assumption
The final decision to certify (or not) must be taken by a Certification Decision Maker who:
- Has documented competence
- Is independent from the audit and review
- Reviews all records objectively
The decision is:
- Recorded with justification
- Documented in the client file
- Used to trigger certificate generation
This final step is not just a procedural tick-box. It is a legal and reputational commitment by the certification body.
Step 9: Certificate Issuance and Communication
Once certification is approved:
- A formal certificate is issued with clear scope, date, and validity
- Rules on logo usage and conditions of certification are communicated
- The certificate is logged in the CB’s master register
- Surveillance dates and future activities are scheduled
The client is now considered certified, but the CB’s responsibility continues.
Step 10: Surveillance and Recertification – Ongoing Oversight
Certification doesn’t end at issuance. To maintain the value of the certificate, the CB must conduct:
- Surveillance audits in Year 1 and Year 2
- A recertification audit in Year 3, which evaluates continued conformity and improvement
Surveillance audits must:
- Sample operational and support processes
- Verify previous NC closure
- Review changes to organization or risks
- Evaluate continual improvement
This ongoing monitoring is what separates real certification from one-time auditing.
A certificate is more than a logo or a printed document. It is a statement backed by:
- An impartial application review
- A risk-based audit program
- Evidence-based audits
- Independent technical oversight
- Competent, documented decision-making
When these steps are followed as defined in ISO/IEC 17021-1, certification becomes meaningful. It builds trust not just in the client, but in the certification body itself.
As accreditation bodies will tell you: It’s not the audit report that gets questioned. It’s the system behind it.
Want to Build or Improve Your ISO/IEC 17021 System?
I help certification bodies worldwide to:
- Prepare for ISO 17021 accreditation
- Train auditors, reviewers, and decision makers
- Design risk-based audit programs and flows
- Improve impartiality, reporting, and audit outcomes
Reach out at support@iticglobal.org