Q32: According to ISO/IEC 17021-1:2015, § 9.1.3.3, “Surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date”. Is this clause still valid?

A32: Yes. However, given the specific circumstances, all the time limits indicated in the standard have to be reconsidered according to the IAF FAQ Q10 that allows the postponements of any conformity assessment activities. This means that:

  • it is not necessary to conduct a surveillance audit at least once a calendar year;
  • the date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date plus the postponement allowed by the IAF FAQ Q10.

In the case it is not possible to perform any surveillance activity within the timeframe of 12+6 months (see above second bullet point), the accredited CB shall inform the customer and suspend the accredited certificate.

In these specific circumstances, the suspension could exceed six months (see the note of ISO/IEC 17021-1:2015, § 9.6.5.4).

In order to lift the suspension and continue with the accredited certificate validity, at least a Stage 2 shall be conducted.

Q31: According to ISO/IEC 17021-1:2015 Clause 9.6.3.1.1, planning for recertification shall conducted in due time to enable for timely renewal before the certificate expiry date. Is this clause still valid?

A31: IAF FAQ 10 allows the recertification date to be extended up to six months, which would allow the planning to be extended accordingly. If that six months may not provide sufficient opportunities for CBs to conclude recertification audits, the decision on recertification must be made within 3 months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this time-frame, from the certification date exceeds 12 months, the CB should complete the reassessment as possible using remote means for witnessing the certified processes during their execution (real-time video of production and workplaces remotely guided by the auditor and/or review by the auditor of recorded videos in those areas where no direct connection is available, with a possible request of specific new partial video, when deemed necessary). In all those cases where the processes cannot be remotely assessed in an effective way to the satisfaction of the team leader, the certification scope shall be partially reduced consequently or the certificate shall be completely withdrawn, and a new initial audit will be required. In any case, a decision shall be made taking also into consideration the updated risk associated with the operational control capability of the organization in the COVID 19 emergency conditions and the type of certification scheme.

Q22: Could time duration for closure of Non Conformities be prolonged taken into consideration the COVID-19 outbreak? If so, what will be the mechanism / procedure and who is responsible for decision making?

A22: Yes, If it is not possible to perform evaluation activities to effectively close the nonconformities (physically or as per IAF MD4: 2018), and if the conditions recommended by IAF ID3: 2011 are satisfied, closure of nonconformities could be prolonged. However, the postponement of any conformity assessment activity (e.g. surveillances, recertification) can only be postponed for up to 6 months in accordance with FAQ 10.

Q18: IAF ID 3:2011 §3 says that “If the risk of continuing certification is low, and based on the collected information the CAB may need to consider alternative short-term methods of assessment to verify continuing system effectiveness for the organization. This may include requesting relevant documentation (for example, management review meeting minutes, corrective action records, results of internal audits, test/inspection reports, etc.) to be reviewed off site by the CAB to determine continuing suitability of the certification (on a short-term basis only)”. Is this time, used to off-site review the documentation provided by the company, to be considered as “audit time” according to IAF MD 5:2019?

A18: yes, the off-site review of the documentation provided by the company is needed to plan and accomplish a complete and effective audit of the client organization’s management system. This time is to be considered as “audit time” according to IAF MD 5:2019. Audit duration may be reduced due to such off-site documentation review.

Q14: For OH&SMS, according to IAF MD5:2019 (applicable from 7 May 2020), remote auditing techniques shall be limited to reviewing documents/records and to interviewing staff and workers. In addition for OH&SMS, process control and OH&S risk control cannot be audited using remote audit techniques. Considering the specific circumstances, is this valid?

A14: No, considering the specific circumstances, and that the applicability of IAF MD5:2019 has been extended from 7 May 2020 to 7 November 2020 (see Q24), the restriction placed on remote audit activities by IAF MD 5 shall not apply. This means that process control and OH&S risk control can be audited using remote audit techniques until the end of the COVID-19 emergency.

Posted 1st of April and updated the 26th of April

A13: No. In cases where CABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF MD 4, then normal scheduled conformity assessment activities (e.g. surveillances, recertification) should be performed. Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of any output of the conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months.

Q12: Is IAF MD4:2018 exclusively applicable for management systems, persons, and product?

A12: No, Although the scope of IAF MD4:2018 is for the auditing /assessment of management systems, persons, and product (see IAF MD4:2018 Section 1-Scope), it can also be used for other types of conformity assessment activities under the IAF MLA, e.g. validation or verification, as referenced in Section 2 – para. 2 of MD4.

This image has an empty alt attribute; its file name is md4.png

Q10: For schemes under IAF MLA (Management system certification, Product certification, Certification of persons, Validation and Verification), how are conformity assessment activities to be managed in this extraordinary period?

A10: In consideration of this extraordinary period, for schemes of management system certification, product certification and certification of persons under IAF MLA, if it is not possible to perform evaluation activities (physically or as per IAF MD4: 2018), such as  audits or exams, and if the conditions recommended by IAF ID3: 2011 are satisfied, all the conformity assessment activities (e.g. surveillances, recertification) may be postponed for up to 6 months, and the validity of any output of any conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months. In this last instance, in order to document this to the client, if applicable, it is strongly suggested to issue an extension letter, which ratifies this extended validity and its period. This is essential to guarantee transparency and a correct communication to the external market. Appropriate records should also be updated. However, this could change for specific schemes. For validation and verification, particularly the greenhouse gas (GHG) validation and verification at project or organizational level, they are normally one-off conformity activities, therefore the IAF ID3 guidelines related to surveillance, recertification, extension of certification and recertification cycle etc. may not be applicable. However, for the assessment and accreditation of validation and verification bodies (VVBs), IAF ID3 can be used (see A11), and the remote approaches as per IAF MD4:2018 can be used by both ABs and VVBs (see A12).

Updated on 23/03/2020 to include all IAF MLA main scopes.

Q6: Is the limit imposed by ISO/IEC 27006 (maximum 30% of remote audit) still valid?

ISO/IEC 27006 was published in 2015, while IAF MD4 was published in 2018 (Issue 2, Issued 04 July 2018, application from 04 July 2019). So, considering the specific circumstances, for ISO/IEC 27006 the relevant rules of IAF MD4 also are applicable. This means that it is possible to adopt to ISO/IEC 27006 the MD4 approach, that is to exceed 30% “off-site” and allow a 100% off-site, during this COVID-19 period. Also during the COVID-19 period, where remote auditing exceeds 30% due to the COVID provisions, there is no need for the Certification Body to obtain approval as required by ISO/IEC 27006: B.3.2.

(Updated 13 June 2020)

Q4: Will the Nov. 2020 deadline for implementation of the new version of ISO/IEC 17011 still hold?

A4. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:

Q2: Is it permissible to use remote assessments and audits to maintain the validity of accredited certifications during the COVID-19 crisis?

Yes.  The IAF Statement on COVID-19 referenced the use of remote assessments and the mandatory document to be used by ABs and CBs, IAF MD4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing and Assessment Purposes. In addition, there is also informative document on principles for remote assessments – IAF ID12:2015 Principles on Remote Assessment that can be used in this instance.  It is necessary to bear in mind however, that regulatory bodies, scheme owners and purchasers may have specific requirements that may need to be adhered to, and which may take precedence. IAF ID3 may also assist readers.