Changes to ISO/IEC17021:2011 & ISO/IEC 19011:2011 AOQ Queensland 18 July 2012 Geoff Brundle


Page 1: Changes to ISO/IEC 17021:2011 & ISO/IEC 19011:2011
AOQ Queensland, 18 July 2012
Geoff Brundle

Page 2: Changes to ISO/IEC 17021:2011

Page 3: ISO/IEC 17021:2011 – Key Changes

– ISO 19011 references deleted and included directly in 17021.
– Personal attributes (19011) replaced with personal behaviours.
– Larger focus on competencies.
– 6 annexes added: one normative and five informative.
  • The one normative annex (Annex A) and 3 of the 5 informative annexes (B, C and D) all relate to the competence and performance of CB personnel.
  • The other 2 informative annexes (E and F) relate to the audit and certification processes.

Page 4: ISO/IEC 17021:2011 – Key Changes: Annexes A – F

• Annex A (normative) Required knowledge and skills
• Annex B (informative) Possible evaluation methods
• Annex C (informative) Example of a process flow for determining and maintaining competence
• Annex D (informative) Desired personal behaviours
• Annex E (informative) Third-party audit and certification process
• Annex F (informative) Considerations for the audit programme, scope or plan

Page 5: ISO/IEC 17021:2011 – Key Changes

– ISO/IEC 17021:2006 was for QMS & EMS only.
– New: 17021:2011 includes any accredited management system, e.g. FSMS, ISMS etc.

Page 6: Why a new revision of ISO/IEC 17021:2011?

This means…
– It becomes a generic requirements document for the third-party auditing of (all) management systems.
– Guidance in ISO 19011 is transformed into requirements.
– It covers third-party auditing and the management of competence related to third-party auditing.
– It provides a template for other bodies of knowledge (e.g. ISO TCs) to develop specific criteria for third-party auditing and management of competence for different types of management systems or sector applications.

Page 7: ISO/IEC 17021 – Clause 3 Additional Definitions

3.4 Third-party certification audit – carried out by an auditing organization independent of the client and the user, for the purpose of certifying the client's management system.
– Note 4: Joint audit (more than 2 auditing organisations cooperate to audit a single client)
– Note 5: Combined audit (audit against 2 or more management system standards)
– Note 6: Integrated audit (integrated application of 2 or more management systems)

Page 8: ISO/IEC 17021 – Clause 3 Additional Definitions (cont'd)

3.5 Client – organization whose management system is being audited for certification purposes
3.6 Auditor – person who conducts an audit
3.7 Competence – ability to apply knowledge and skills to achieve intended results
3.8 Guide – person appointed to assist the audit team
3.9 Observer – person who accompanies the audit team but does not audit
3.10 Technical area – area characterized by commonalities of processes relevant to a specific type of management system

Page 9: ISO/IEC 17021 – Clause 4 Principles

Clause 4 – The six principles remain:
- Impartiality
- Competence
- Responsibility
- Openness
- Confidentiality, and
- Responsiveness to complaints

Page 10: ISO/IEC 17021:2011 – Clauses 5 and 6

Clause 5 – General requirements; and Clause 6 – Structural requirements remain unchanged.

Page 11: ISO/IEC 17021 – Clause 7 Resource requirements, 7.1 Competence of management and personnel

• Some changes to numbering
• Some clauses given titles

7.1.2 Determination of competence criteria – NEW
– Competence for a management system, technical area or certification function.
– Focus on knowledge and skills rather than qualifications, i.e. output.
– Annex A specifies the knowledge and skills for contract reviewer, certification decision maker, auditing and lead auditor.
– Scheme-specific competency requirements shall still apply (e.g. ISO/TS 22003) in addition to the 17021 requirements.
– The interpretation of "technical area" depends on the type of management system.

Page 12: ISO/IEC 17021 – Normative Annex A

• Knowledge and skills shall be defined for specific certification functions:
– Conducting the application review to determine the audit team competence required, to select the audit team members, and to determine the audit time
– Reviewing audit reports and making certification decisions
– Auditing
– Leading the audit team
• X means the certification body shall define the criteria and depth of knowledge and skills.
• X+ indicates a need for deeper knowledge and skills.

Page 13: ISO/IEC 17021 – Normative Annex A (cont'd): Knowledge & Skills
(Annex A knowledge and skills table not reproduced in the transcript.)

Page 14: ISO/IEC 17021 – Normative Annex A (cont'd)

• For knowledge of client products, processes and organization, where a team is performing the task:
– The expertise needs to exist within the team or could be provided by a technical expert.
– Where any audit is conducted by a team, the level of skills required should be held within the team as a whole and not by every individual member of the team.
– The team leader of a combined or integrated audit should have in-depth knowledge of at least one of the standards and is required to have awareness of the other standards used for that particular audit.
• Risk and complexity are to be considered when deciding the level of expertise needed for any of the functions.

Page 15: ISO/IEC 17021 – Clause 7 Resource requirements, 7.1 Competence of management and personnel

7.1.3 Evaluation processes – NEW
– CB shall have documented processes for initial competence evaluation and on-going monitoring of competence and performance.
– All personnel: management and performance of audits and certification.
– Applying the determined competence criteria.

Page 16: ISO/IEC 17021 – Clause 7 Resource requirements, 7.1 Competence of management and personnel

7.1.3 Evaluation processes (cont'd)
– CB shall demonstrate that its evaluation methods are effective.
– Output shall be to identify personnel who have demonstrated the level of competence required.
– Note: informative Annex B lists possible evaluation methods.
– Note: informative Annex C provides an example of a process flow for determining and maintaining competence using the methods in Annex B.

Page 17: ISO/IEC 17021 – Informative Annex B: Possible Evaluation Methods

– Review of records
– Feedback
– Interviews
– Observations
– Examinations

Page 18: ISO/IEC 17021 – Informative Annex C

– Example of a process flow for determining and maintaining competence

Page 19: ISO/IEC 17021 – Clause 7 Resource requirements, 7.1 Competence of management and personnel

7.1.4 Other considerations (new heading)
• 7.1.4.1 – previously 7.1.2
• 7.1.4.2 – previously 7.1.3

Page 20: ISO/IEC 17021 – Clause 7 Resource requirements, 7.2 Personnel involved in the certification activities

The following note has been added after 7.2.4. (7.2.4 refers to the certification body having defined processes for selecting, training and formally authorizing auditors and for selecting technical experts.)

NOTE During the selection and training process described above, desired personal behaviours can be considered. These are characteristics that affect an individual's ability to perform specific functions. Therefore, knowledge about the behaviours of individuals enables a certification body to take advantage of their strengths and to minimize the impact of their weaknesses. Desired personal behaviours that are important for personnel involved in certification activities are described in Annex D.

Page 21: ISO/IEC 17021:2011 – Remainder of Clause 7 and Clause 8

The remainder of clause 7:
• 7.3 Use of individual external auditors and technical experts
• 7.4 Personnel records
• 7.5 Outsourcing; and
Clause 8 – Information requirements
"Remain unchanged."

Page 22: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.1 Audit programme – NEW
• 9.1.1.1 An audit programme for the full certification cycle shall be developed to clearly identify the audit activity(ies) required to demonstrate that the client's management system fulfils the requirements for certification to the selected standard(s) or other normative document(s).
• 9.1.1.2 Clause numbered, and notes referencing Annexes E & F have been added.

Page 23: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.1 Audit plan (minor changes)
• Audit plan now required for "each audit identified in the audit programme."

Page 24: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.2 Determining audit objectives, scope & criteria (New)
9.1.2.2.1 The audit objectives shall be determined by the CB; the audit scope and criteria, and any changes to them, shall be established after discussion with the client.
9.1.2.2.2 The audit objectives shall describe what is to be accomplished by the audit and shall include the following:
a) determination of the conformity of the client's management system, or parts of it, with the audit criteria;
b) evaluation of the ability of the management system to ensure the client organization meets applicable statutory, regulatory and contractual requirements;
NOTE: A management system certification audit is not a legal compliance audit.

Page 25: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.2.2 (cont.)
c) evaluation of the effectiveness of the management system to ensure the client organization is continually meeting its specified objectives;
d) as applicable, identification of areas for potential improvement of the management system.

Page 26: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.2.3
• The audit scope shall describe the extent and boundaries of the audit, such as physical locations, organizational units, activities and processes to be audited.
• Where the initial or re-certification process consists of more than one audit (e.g. covering different locations), the scope of an individual audit may not cover the full certification scope, but the totality of audits shall be consistent with the scope in the certification document.
• Annex F lists additional items that can be considered when preparing or revising the audit scope.

Page 27: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.2.4 The audit criteria shall be used as a reference against which conformity is determined, and shall include:
• the requirements of a defined normative document on management systems;
• the defined processes and documentation of the management system developed by the client.

Page 28: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.2.3 Preparing the audit plan (New)
The audit plan shall be appropriate to the objectives and the scope of the audit and shall at least include:
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional units or processes to be audited;
d) the dates and sites where the on-site audit activities are to be conducted, including visits to temporary sites, as appropriate;
e) the expected time and duration of on-site audit activities;
f) the roles and responsibilities of the audit team members and accompanying persons.
NOTE: The audit plan information can be contained in more than one document.
NOTE: Annex F lists additional items that can be considered when preparing or revising the audit plan.

Page 29: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.3 Audit team selection and assignments (New)
9.1.3.1 The following has been added: if there is only one auditor, then that auditor shall have the competencies of a team leader for that audit.
9.1.3.2 In deciding the size and composition of the audit team, consideration shall be given to the following:
a) audit objectives, scope, criteria and estimated time of the audit;
b) whether the audit is a combined, integrated or joint audit;
c) the overall competence of the audit team;
d) certification requirements (including statutory, regulatory and contractual);
e) language and culture;
f) whether the members of the audit team have previously audited the client's management system.

Page 30: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.3 Audit team selection and assignments (cont'd)
9.1.3.3 The necessary knowledge and skills of the audit team leader and auditors may be supplemented by technical experts, translators and interpreters, who shall operate under the direction of an auditor. Where translators or interpreters are used, they are to be selected such that they do not unduly influence the audit.
NOTE: The criteria for the selection of technical experts are determined on a case-by-case basis by the needs of the audit team and the scope of the audit.
9.1.3.4 Auditors-in-training may be included in the audit team as participants, provided an auditor is appointed as an evaluator. The evaluator shall be competent to take over the duties and have final responsibility for the activities and findings of the auditor-in-training.

Page 31: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.3 Audit team selection and assignments (cont'd)
9.1.3.5 The audit team leader, in consultation with the audit team, shall assign to each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignments shall take into account the need for competence, and the effective and efficient use of the audit team, as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses to ensure achievement of the audit objectives.

Page 32: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.4 Determining audit time
The following has been added in clause 9.1.4.1 to the list of aspects for consideration when determining audit duration:
g) the risks associated with the products, processes or activities of the organization;
h) when audits are combined, joint or integrated, e.g. ISO/TS 22003.
9.1.4.2 The time spent by any team member who is not assigned as an auditor (i.e. technical experts, translators, interpreters, observers and auditors-in-training) shall not count in the established audit time.
NOTE The use of translators or interpreters can necessitate additional time.

Page 33: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

Clauses now given titles:
9.1.5 Multi-site sampling
9.1.6 Communication of audit team tasks
9.1.7 Communication concerning audit team members
9.1.8 Communication of audit plan
9.1.9 Conducting on-site audits

Page 34: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

9.1.9 Conducting on-site audits
9.1.9.1 The following has been added: "This process shall include an opening and closing meeting."
The following clauses have been added from ISO/IEC 19011:
• 9.1.9.2 Conducting the opening meeting
• 9.1.9.3 Communication during the audit
• 9.1.9.4 Observers and guides
• 9.1.9.5 Collecting & verifying information
• 9.1.9.6 Identifying & recording audit findings
• 9.1.9.7 Preparing audit conclusions

Page 35: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

The following clauses have also been added from ISO/IEC 19011:
• 9.1.9.8 Conducting the closing meeting
  – A formal meeting where attendance shall be recorded
  – The audit conclusions are presented together with any recommendations
• 9.1.10 Audit report – the CB shall provide a written report for each audit.
  – 9.1.10.2 Audit team leader responsible for the audit report
  – Also defines the required content for inclusion

Page 36: ISO/IEC 17021 – Clause 9 Process requirements, 9.1 General requirements

Clauses now given titles:
• 9.1.11 Cause analysis of nonconformities
• 9.1.12 Effectiveness of corrections and corrective actions
  – The following has been added:
  "The certification body shall verify the effectiveness of any correction and corrective actions taken. The evidence obtained to support the resolution of nonconformities shall be recorded. The client shall be informed of the result of the review and verification.
  NOTE Verification of effectiveness of correction and corrective action can be carried out based on a review of documentation provided by the client, or where necessary, through verification on-site."
• 9.1.13 Additional audits
• 9.1.14 Certification decision
• 9.1.15 Actions prior to making a decision

Page 37: ISO/IEC 17021 – Clause 9 Process requirements, 9.2 Initial audit and certification

9.2.2 Application review – clause 9.2.2.2 added
9.2.2.2 Following the review of the application, the certification body shall either accept or decline an application for certification. When the certification body declines an application for certification as a result of the review of the application, the reasons for declining the application shall be documented and made clear to the client.
NOTE: When declining an application for certification, the CB should be careful not to act in conflict with the principles set out in Clause 4.

Page 38: ISO/IEC 17021 – Clause 10 Management system requirements for certification bodies

Remains unchanged, except that clause 10.2.5 Design and development has been deleted.

Page 39: Changes to ISO/IEC 19011:2011

Page 40: ISO/IEC 19011:2011 – Key Changes

— the scope has been broadened from the auditing of quality and environmental management systems to the auditing of any management systems;
— the relationship between ISO 19011 and ISO/IEC 17021 has been clarified;
— remote audit methods and the concept of risk have been introduced;
— confidentiality has been added as a new principle;
— Clauses 5, 6 and 7 have been reorganized;

Page 41: ISO/IEC 19011:2011 – Key Changes (cont'd)

— additional information has been included in a new Annex B, resulting in the removal of help boxes;
— the competence determination and evaluation process has been strengthened;
— illustrative examples of discipline-specific knowledge and skills have been included in a new Annex A;
— more information has been made available on an ISO public website (www.ISO.org/ISO19011Auditing).

Page 42: ISO/IEC 19011:2011 – Clause 1 Scope

This International Standard provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process, including the person managing the audit programme, auditors and audit teams.

"Focus now on the competence of all personnel, not just auditors."

Page 43: ISO/IEC 19011:2011 – Clause 1 Scope (cont'd)

This International Standard introduces the concept of risk to management systems auditing. The approach adopted relates both to the risk of the audit process not achieving its objectives and to the potential of the audit to interfere with the auditee's activities and processes.

Page 44: ISO/IEC 19011 – Clause 3 Additional Definitions

3.11 Observer – person who accompanies the audit team but does not audit
3.12 Guide – person appointed to assist the audit team
3.16 Risk – effect of uncertainty on objectives
3.18 Conformity – fulfilment of a requirement
3.19 Nonconformity – non-fulfilment of a requirement
3.20 Management system – system to establish policy and objectives and to achieve those objectives
Note: A management system of an organisation can include different management systems, such as a quality management system, a financial management system or an environmental management system.

Page 45: ISO/IEC 19011 – Clause 4 Principles of auditing

4.a – was "Ethical conduct: foundation of professionalism"; NOW is "Integrity: foundation of professionalism".
4.d Confidentiality: security of information (added)
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interest of the auditee. This concept includes the proper handling of sensitive or confidential information.

Page 46: ISO/IEC 19011:2011 – Clause 5.1 General

The top management should ensure that the audit programme objectives are established and assign one or more competent persons to manage the audit programme. The extent of an audit programme should be based on the size and nature of the organization being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited. Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control.

"More commonly known as risk-based auditing."

Page 47: ISO/IEC 19011:2011 – Clause 5.2 Establishing the audit programme objectives

Additional points added:
c) characteristics of processes, products and projects, and any changes to them;
h) auditee's level of performance, as reflected in the occurrence of failures or incidents or customer complaints;
j) results of previous audits;
k) level of maturity of the management system being audited.

Page 48: ISO/IEC 19011:2011 – Clause 5.3 Establishing the audit programme

Additional risk focus:
5.3.1 Roles and responsibilities of the person managing the audit programme
— identify and evaluate the risks for the audit programme;
5.3.4 Identifying and evaluating audit programme risks
Planning; resources; selection of the audit team; implementation; records and their controls; and monitoring, reviewing and improving the audit programme.

Page 49: ISO/IEC 19011:2011 – Clause 5.3.2 Competence of the person managing the audit programme

The person managing the audit programme should have the necessary competence to manage it and its associated risks effectively and efficiently, as well as knowledge and skills in the following areas:
− audit principles, procedures and methods;
− management system standards and reference documents;
− activities, products and processes of the auditee;
− applicable legal and other requirements relevant to the activities and products of the auditee;
− customers, suppliers and other interested parties of the auditee, where applicable.

Page 50: ISO/IEC 19011:2011 – Clause 5.4.3 Selecting the audit methods

The person managing the audit programme should select and determine the methods for an audit depending on the defined audit objectives, scope and criteria for effectively conducting the audit.
NOTE Guidance on how to determine audit methods is given in Annex B.
(e.g. on-site; remote; human interaction; no human interaction)

Page 51: ISO/IEC 19011:2011 – Clause 7 Competence and evaluation of auditors

• Still provides guidance relating to the competence and evaluation of auditors
• Now includes audit teams, i.e. audit team leader and auditors
• Personal attributes now personal behaviour
• Specific knowledge and skills requirements for quality and environmental auditors moved to Annex A

Page 52: ISO/IEC 19011:2011 – Annex A Guidance and illustrative examples of discipline-specific knowledge and skills of auditors

A.2 – transportation safety management
A.3 – environmental management
A.4 – quality management
A.5 – records management
A.6 – resilience, security, preparedness and continuity management
A.7 – information security management
A.8 – occupational health and safety management

Page 53: ISO/IEC 19011:2011 – Annex B Additional guidance for auditors for planning and conducting audits

B.1 – Applying audit methods
  • Includes on-site and remote
  • Human interaction and no human interaction
B.2 – Conducting document review
B.3 – Sampling
B.4 – Preparing work documents
B.5 – Selecting sources of information
B.6 – Guidance on visiting the auditee's location
B.7 – Conducting interviews
B.8 – Audit findings

Page 54: Thank you and ???????