Q32: According to ISO/IEC 17021-1:2015, § 9.1.3.3, “Surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date”. Is this clause still valid?

A32: Yes. However, given the specific circumstances, all the time limits indicated in the standard have to be reconsidered according to the IAF FAQ Q10 that allows the postponements of any conformity assessment activities. This means that:

  • it is not necessary to conducted a surveillance audit at least once a calendar year;
  • the date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date plus the postponement allowed by the IAF FAQ Q10.

In the case it is not possible to perform any surveillance activity within the timeframe of 12+6 months (see above second bullet point), the accredited CB shall inform the customer and suspend the accredited certificate.

In these specific circumstances, the suspension could exceed six months (see the note of ISO/IEC 17021-1:2015, § 9.6.5.4).

In order to lift the suspension and continue with the accredited certificate validity, at least a Stage 2 shall be conducted.

Q31: According to ISO/IEC 17021-1:2015 Clause 9.6.3.1.1, planning for recertification shall conducted in due time to enable for timely renewal before the certificate expiry date. Is this clause still valid?

A31: IAF FAQ 10 allows the recertification date to be extended up to six months, which would allow the planning to be extended accordingly. If that six months may not provide sufficient opportunities for CBs to conclude recertification audits, the decision on recertification must be made within 3 months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this time-frame, from the certification date exceeds 12 months, the CB should complete the reassessment as possible using remote means for witnessing the certified processes during their execution (real-time video of production and workplaces remotely guided by the auditor and/or review by the auditor of recorded videos in those areas where no direct connection is available, with a possible request of specific new partial video, when deemed necessary). In all those cases where the processes cannot be remotely assessed in an effective way to the satisfaction of the team leader, the certification scope shall be partially reduced consequently or the certificate shall be completely withdrawn, and a new initial audit will be required. In any case, a decision shall be made taking also into consideration the updated risk associated with the operational control capability of the organization in the COVID 19 emergency conditions and the type of certification scheme.

Q30: The pandemic emergency is very different between the various locations in the world. Do the rules defined in this FAQ apply in all the locations subject to Covid-19 restrictions, and until when?

A30: Yes. The validity  of the FAQ published on www.iaffaq.com website are confirmed, until a different official communication from IAF.

In all locations which do not have Covid-19 access restrictions, activity such as on-site audits shall continue according to usual procedures

Q29: Where can I find a list of IAF Accreditation Bodies recognized for the IAF MLA Medical Devices Management Systems (MDMS) sub-scope, and a link to the Certification Bodies accredited by each?


A29:  See below the list of the recognized ABs under the IAF MLA Medical Devices Management Systems (MDMS) sub-scope and the links to their accredited bodies databases where you can find the certification bodies accredited to provide ISO 13485 certification.

You can also check the IAF Certsearch database which, although incomplete at this time, currently includes  2593 ISO 13485 certificates worldwide from 150 accredited certification bodies for ISO 13485 scopes. 

https://www.iafcertsearch.org/

CountryAccreditation BodyLink to database
AlbaniaDPA http://dpa.gov.al/en/accredited-bodies/
Australia & New ZealandJAS-ANZhttps://www.jas-anz.org/accredited-bodies/all
AustriaAA
https://www.bmdw.gv.at/Services/Akkreditierung/AkkreditiertePIZ-Stellen.html
BelarusBSCA
https://bsca.by/en/registry-certif-management/all
BelgiumBELAC
https://economie.fgov.be/en/themes/quality-and-safety/accreditation-belac/accredited-bodies/certification-bodies-quality
CanadaSCC
https://www.scc.ca/en/accreditation/programs/management-systems/directory
ColombiaONAChttps://onac.org.co/directorio-de-acreditados
Czech RepublicCAI
http://www.cai.cz/en/Subjects?ScopeId=T&DisableFilter=true
DenmarkDANAKhttp://published.danak.dk/searchregister.asp?cat=ms&lang=e
FinlandFINAShttps://www.finas.fi/sites/en/operators/Pages/default.aspx#Default=%7B%22k%22%3A%22%22%2C%22r%22%3A%5B%7B%22n%22%3A%22RefinableString03%22%2C%22t%22%3A%5B%22%5C%22ǂǂ53797374656d2063657274696669636174696f6e%5C%22%22%5D%2C%22o%22%3A%22and%22%2C%22k%22%3Afalse%2C%22m%22%3Anull%7D%5D%7D
FranceCOFRAChttp://www.cofrac.fr/en/easysearch/resultats_advanced.php?list-11203387
GermanyDAkkShttp://www.dakks.de/en/content/accredited-bodies-dakks?Regnr=d-ZM
GreeceESYD
http://www.esyd.gr/portal/p/esyd/en/bodysearch.jsp
HungaryNAH
http://nah.gov.hu/en/management-systems
IndiaNABCB
http://nabcb.qci.org.in/accreditation/reg_bod_mdqms.php
IrelandINAB
https://www.inab.ie/Directory-of-Accredited-Bodies/Certification-Bodies/Management-Systems-Certification/
ItalyACCREDIAhttps://services.accredia.it/ppsearch/accredia_orgmask.jsp?ID_LINK=1733&area=310&PPSEARCH_ORG_SEARCH_MASK_ORG=&PPSEARCH_ORG_SEARCH_MASK_SCHEMI=SGQ&PPSEARCH_ORG_SEARCH_MASK_SCHEMI_ALTRI=02&PPSEARCH_ODC_SEARCH_MASK_SETTORE_ACCR=&PPSEARCH_ORG_SEARCH_MASK_CITTA=&PPSEARCH_ORG_SEARCH_MASK_PROVINCIA=&PPSEARCH_ORG_SEARCH_MASK_REGIONE=&PPSEARCH_ORG_SEARCH_MASK_STATO=&orgtype=accredited&PPSEARCH_ORG_SEARCH_MASK_SCOPO=&PPSEARCH_ORG_SEARCH_MASK_PDFACCREDITAMENTO=&submitBtn=Search
LuxembourgOLAS
https://portail-qualite.public.lu/fr/accreditation-notification/organismes-accredites/certification/index.html
MalaysiaDSM
http://www.jsm.gov.my/accredited-organisation-directories?p_auth=ub1hH7UV&p_p_id=cabdirectoriessearch_WAR_CABDirectoriesSearchportlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=1&_cabdirectoriessearch_WAR_CABDirectoriesSearchportlet_javax.portlet.action=triggerIPC_usingTypeI&type=ACB
MexicoEMA
https://www.ema.org.mx/portal_v3/
NetherlandsRvA
https://www.rva.nl/en/accredited-organisations/all-accredited-bodies
NorwayNA
http://www.akkreditert.no/en/akkrediterte-organisasjoner/?scope=SysCert
PolandPCA
http://www.pca.gov.pl/en/accredited-organizations/accredited-organizations/management-systems-certification-bodies/
RomaniaRENAR
http://www.renar.ro/en/oec
SerbiaATS
http://www.registar.ats.rs/?q=&status=A&suspendovan=1&vrsta_akreditacije=13&datum_prve_akr_od=&datum_prve_akr_do=&datum_poslednje_akr_od=&datum_poslednje_akr_do=&datum_isticanja_akr_od=&datum_isticanja_akr_do=
SingaporeSAC
https://www.sac-accreditations.gov.sg/Pages/Homepage.aspx
SlovakiaSNAS
https://ais.snas.sk/ais/?restartApplication#!WebReports/12/list.accredited.subject.search.byfield/AccreditedSubjectsByFields
SloveniaSA
http://www.slo-akreditacija.si/?post_type=lpacreditation&s=&podrocja%5B0%5D=76&status%5B0%5D=70&order=Akreditacija_DESC
SpainENAC
https://www.enac.es/web/english/accredited-bodies/products-and-services-searchs?p_p_id=BuscadorProductoServicioUnificado_WAR_BuscadorProductoServicioUnificadoportlet&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_BuscadorProductoServicioUnificado_WAR_BuscadorProductoServicioUnificadoportlet_javax.portlet.action=irBusqueda&_BuscadorProductoServicioUnificado_WAR_BuscadorProductoServicioUnificadoportlet_idLista=46
SwedenSWEDAChttps://search.swedac.se/en/accreditations
SwitzerlandSAS
https://www.sas.admin.ch/sas/en/home/akkreditiertestellen/akkrstellensuchesas.html
TurkeyTURKAKhttps://secure.turkak.org.tr/kapsam/search
UkraineNAAU
http://naau.org.ua/reyestr-akreditovanix-oov/?lang=en
United KingdomUKAS
https://www.ukas.com/browse-accredited-organisations/?org_cat=4947&parent=Certification%20Bodies&type_id=11
United States of AmericaANAB
https://anabdirectory.remoteauditor.com/
United States of AmericaIAS
https://www.iasonline.org/search-accredited-organizations-2/
List as per the 6th of July 2020.

Q28: Based on the answer to IAF COVID-19 FAQ Q20 which has extended the transition arrangements of such standards as ISO 50001: 2018 and ISO 22000:2018 by 6 months, can it be confirmed that the dates related to all intermediate requirements contained in these transition arrangements, for example the dates to stop auditing against the previous version of the standard, are also extended by 6 months?

A28: Yes, the extension to the transition arrangements applies to all dates quoted within these arrangements so all dates are extended by 6 months.

Ref: FAQ20

Q27: In consideration of this extraordinary period, may all assessments (e.g. surveillances, reassessment) be postponed for up to 6 months, and the validity of all output of accreditation activity (e.g. a certificate) be extended for a corresponding period of up to 6 months?

A27: No. In cases that ABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF ID 12,  normal scheduled conformity assessment activities (e.g. surveillances, reassessment) should be performed. 

Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of all output of the conformity assessment activity (e.g. a certificate) may be extended for a corresponding period of up to 6 months.

This means that an accreditation certificate would be valid for a maximum for 5 years (see ISO/IEC 17011, § 7.9.1) plus 6 months.

If there is a postponement of 6 months in the deadline of a certificate, according to Q8, the next accreditation cycle starts from the original one and not from the new accreditation decision.

Q26: If the certificate has already expired, can the period during which the certification body may restore certification (according to ISO/IEC 17021-1 § 9.6.3.2.5) be extended by a further 6 months (to a maximum of 12 months from certificate expiry) provided that the outstanding recertification activities are completed?

A26: Yes. Otherwise at least a stage 2 shall be conducted. (See Q8 for details of certificate validity and possible modifications to subsequent surveillance activities).    

Q25: During the COVID-19 crisis, if a CAB conducts a part of the recertification of a management system with remote audit activities and plans to complete the remainder of the audit onsite within six months, is it possible to reissue the certificate at the conclusion of the remote audit activities?

A25:

  • If the CAB is not able to perform evaluation activities physically or when these cannot fully be replaced with evaluation activities as per IAF MD 4, then the normal scheduled recertification activities may be postponed for up to 6 months (see Q13)
  • A certificate can only be renewed if the CAB is able to evaluate all the applicable requirements of ISO/IEC 17021-1 (9.6.3.2) through a complete and effective audit of the client’s management system, followed by a successful review and decision making activities

Updated 14/05/2020

Q23: In consideration of this extraordinary period, if a Management Systems Certification Body is not able to perform audits, physically or with remote audit technique, can an Accreditation Body replace a witness assessment, as required in IAF MD17, with a remote office assessment or with other assessment activities (IAF MD17, § 2.2.1)?


A23: If witnessing cannot be delayed, instead of observing a CAB carrying out conformity assessment services, an Accreditation Body may either :

  • use other mechanisms (office assessment activities or other assessment activities IAF MD17, § 2.2.1) to assess the scope of accreditation. 
  • or maintain the scope of accreditation providing that the witnessing assessment shall still be conducted immediately once it is possible.  

Q22: Could time duration for closure of Non Conformities be prolonged taken into consideration the COVID-19 outbreak? If so, what will be the mechanism / procedure and who is responsible for decision making?

A22: Yes, If it is not possible to perform evaluation activities to effectively close the nonconformities (physically or as per IAF MD4: 2018), and if the conditions recommended by IAF ID3: 2011 are satisfied, closure of nonconformities could be prolonged. However, the postponement of any conformity assessment activity (e.g. surveillances, recertification) can only be postponed for up to 6 months in accordance with FAQ 10.

Q19: According ISO/IEC 17021-1, § 7.2.4, “The initial competence evaluation of an auditor shall include the ability to apply required knowledge and skills during audits, as determined by a competent evaluator observing the auditor conducting an audit”. Is it possible to conduct this observation if the observer is using remote audit techniques?

A19: Yes, provided that the remote audit being observed can fully replace physical audit.

Q18: IAF ID 3:2011 §3 says that “If the risk of continuing certification is low, and based on the collected information the CAB may need to consider alternative short-term methods of assessment to verify continuing system effectiveness for the organization. This may include requesting relevant documentation (for example, management review meeting minutes, corrective action records, results of internal audits, test/inspection reports, etc.) to be reviewed off site by the CAB to determine continuing suitability of the certification (on a short-term basis only)”. Is this time, used to off-site review the documentation provided by the company, to be considered as “audit time” according to IAF MD 5:2019?

A18: yes, the off-site review of the documentation provided by the company is needed to plan and accomplish a complete and effective audit of the client organization’s management system. This time is to be considered as “audit time” according to IAF MD 5:2019. Audit duration may be reduced due to such off-site documentation review.

Q17: During the COVID-19 crisis, if a CAB conducts a part of the initial certification of a management system with remote audit activities and plans to complete the remainder of the audit onsite within six months, is it possible to issue the certificate at the conclusion of the remote audit activities?

A17: No, a certificate can only be issued if the CAB is able to evaluate all the applicable requirements of ISO/IEC 17021-1 (9.3.1.2 Stage 1 and 9.3.1.3 Stage 2) through a complete and effective audit of the client’s management system, followed by a successful review and decision making activities. However, this could change for specific schemes.

Q15: What will happen to the Migration period for ISO 45001; will it be extended?

A15: OHSAS 18001 certification can be extended by up to six months as detailed in FAQ 10. This means that transition period for migrating accredited certifications from OHSAS 18001:2007 to ISO 45001:2018 is extended to: 30 September 2021.

The audit for migration can be done with remote auditing techniques, following what was already clarified in Q5.

(Answer published on 3 April and updated 11/04/2020 with blue text)

Q14: For OH&SMS, according to IAF MD5:2019 (applicable from 7 May 2020), remote auditing techniques shall be limited to reviewing documents/records and to interviewing staff and workers. In addition for OH&SMS, process control and OH&S risk control cannot be audited using remote audit techniques. Considering the specific circumstances, is this valid?

A14: No, considering the specific circumstances, and that the applicability of IAF MD5:2019 has been extended from 7 May 2020 to 7 November 2020 (see Q24), the restriction placed on remote audit activities by IAF MD 5 shall not apply. This means that process control and OH&S risk control can be audited using remote audit techniques until the end of the COVID-19 emergency.

Posted 1st of April and updated the 26th of April

A13: No. In cases where CABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF MD 4, then normal scheduled conformity assessment activities (e.g. surveillances, recertification) should be performed. Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of any output of the conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months.

Q12: Is IAF MD4:2018 exclusively applicable for management systems, persons, and product?

A12: No, Although the scope of IAF MD4:2018 is for the auditing /assessment of management systems, persons, and product (see IAF MD4:2018 Section 1-Scope), it can also be used for other types of conformity assessment activities under the IAF MLA, e.g. validation or verification, as referenced in Section 2 – para. 2 of MD4.

This image has an empty alt attribute; its file name is md4.png

Q10: For schemes under IAF MLA (Management system certification, Product certification, Certification of persons, Validation and Verification), how are conformity assessment activities to be managed in this extraordinary period?

A10: In consideration of this extraordinary period, for schemes of management system certification, product certification and certification of persons under IAF MLA, if it is not possible to perform evaluation activities (physically or as per IAF MD4: 2018), such as  audits or exams, and if the conditions recommended by IAF ID3: 2011 are satisfied, all the conformity assessment activities (e.g. surveillances, recertification) may be postponed for up to 6 months, and the validity of any output of any conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months. In this last instance, in order to document this to the client, if applicable, it is strongly suggested to issue an extension letter, which ratifies this extended validity and its period. This is essential to guarantee transparency and a correct communication to the external market. Appropriate records should also be updated. However, this could change for specific schemes. For validation and verification, particularly the greenhouse gas (GHG) validation and verification at project or organizational level, they are normally one-off conformity activities, therefore the IAF ID3 guidelines related to surveillance, recertification, extension of certification and recertification cycle etc. may not be applicable. However, for the assessment and accreditation of validation and verification bodies (VVBs), IAF ID3 can be used (see A11), and the remote approaches as per IAF MD4:2018 can be used by both ABs and VVBs (see A12).

Updated on 23/03/2020 to include all IAF MLA main scopes.

Q9: Is IAF ID3:2011 still applicable even though ID3:2011 refers to an accreditation standard that is no longer valid (ISO/IEC 17021:2011)?

A9: Yes. It is applicable. IAF General Assembly Resolution 2015–15 was taken to confirm this. For the maintenance of IAF Technical Committee documents it states: “The General Assembly, acting on the recommendation of the Technical Committee, resolved that references to ISO/IEC 17021 in IAF documents shall be understood to refer to ISO/IEC 17021-1:2015 in relation to CABs that have completed the transition and after the transition period. However, ABs and CABs will need to take account of the changes in ISO/IEC 17021-1 when using IAF documents which may not be revised until after the transition period to reference ISO/IEC 17021-1.

Q7: What happens if a Company/CB is not comfortable in this period to give access to its location to the AB audit / assessment team for witnessing?

IAF ID3 allows, in extraordinary events or circumstances like this, postponement of the assessment / audits.

Moreover, according to IAF MD17:2015 Witnessing Activities for the Accreditation of Management System Certification Bodies and/or relevant timeline modified accordingly, it is justifiable and understandable in this situation that a CB or its client refuses a witness assessment by the AB. It is important to make audits only when there is agreement of all the parties involved (client, CB and AB). See MD17, 2.2.2 and 2.4.2. It is also possible to perform partial witnessing (2.4.10).

Q6: Is the limit imposed by ISO/IEC 27006 (maximum 30% of remote audit) still valid?

ISO/IEC 27006 was published in 2015, while IAF MD4 was published in 2018 (Issue 2, Issued 04 July 2018, application from 04 July 2019). So, considering the specific circumstances, for ISO/IEC 27006 the relevant rules of IAF MD4 also are applicable. This means that it is possible to adopt to ISO/IEC 27006 the MD4 approach, that is to exceed 30% “off-site” and allow a 100% off-site, during this COVID-19 period. Also during the COVID-19 period, where remote auditing exceeds 30% due to the COVID provisions, there is no need for the Certification Body to obtain approval as required by ISO/IEC 27006: B.3.2.

(Updated 13 June 2020)

Q4: Will the Nov. 2020 deadline for implementation of the new version of ISO/IEC 17011 still hold?

A4. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:

Q3: What is happening with IAF MLA peer evaluations during the outbreak?

A3. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:

Q2: Is it permissible to use remote assessments and audits to maintain the validity of accredited certifications during the COVID-19 crisis?

Yes.  The IAF Statement on COVID-19 referenced the use of remote assessments and the mandatory document to be used by ABs and CBs, IAF MD4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing and Assessment Purposes. In addition, there is also informative document on principles for remote assessments – IAF ID12:2015 Principles on Remote Assessment that can be used in this instance.  It is necessary to bear in mind however, that regulatory bodies, scheme owners and purchasers may have specific requirements that may need to be adhered to, and which may take precedence. IAF ID3 may also assist readers.