A32: Yes. However, given the specific circumstances, all the time limits indicated in the standard have to be reconsidered according to the IAF FAQ Q10 that allows the postponements of any conformity assessment activities. This means that:
it is not necessary to conduct a surveillance audit at least once a calendar year;
the date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date plus the postponement allowed by the IAF FAQ Q10.
In the case it is not possible to perform any surveillance activity within the timeframe of 12+6 months (see above second bullet point), the accredited CB shall inform the customer and suspend the accredited certificate.
In these specific circumstances, the suspension could exceed six months (see the note of ISO/IEC 17021-1:2015, § 220.127.116.11).
In order to lift the suspension and continue with the accredited certificate validity, at least a Stage 2 shall be conducted.
A31: IAF FAQ 10 allows the recertification date to be extended up to six months, which would allow the planning to be extended accordingly. If that six months may not provide sufficient opportunities for CBs to conclude recertification audits, the decision on recertification must be made within 3 months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this time-frame, from the certification date exceeds 12 months, the CB should complete the reassessment as possible using remote means for witnessing the certified processes during their execution (real-time video of production and workplaces remotely guided by the auditor and/or review by the auditor of recorded videos in those areas where no direct connection is available, with a possible request of specific new partial video, when deemed necessary). In all those cases where the processes cannot be remotely assessed in an effective way to the satisfaction of the team leader, the certification scope shall be partially reduced consequently or the certificate shall be completely withdrawn, and a new initial audit will be required. In any case, a decision shall be made taking also into consideration the updated risk associated with the operational control capability of the organization in the COVID 19 emergency conditions and the type of certification scheme.
A22: Yes, If it is not possible to perform evaluation activities to effectively close the nonconformities (physically or as per IAF MD4: 2018), and if the conditions recommended by IAF ID3: 2011 are satisfied, closure of nonconformities could be prolonged. However, the postponement of any conformity assessment activity (e.g. surveillances, recertification) can only be postponed for up to 6 months in accordance with FAQ 10.
A18: yes, the off-site review of the documentation provided by the company is needed to plan and accomplish a complete and effective audit of the client organization’s management system. This time is to be considered as “audit time” according to IAF MD 5:2019. Audit duration may be reduced due to such off-site documentation review.
A14: No, considering the specific circumstances, and that the applicability of IAF MD5:2019has been extended from7 May 2020 to 7 November 2020 (see Q24), the restriction placed on remote audit activities by IAF MD 5 shall not apply. This means that process control and OH&S risk control can be audited using remote audit techniques until the end of the COVID-19 emergency.
A13: No. In cases where CABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF MD 4, then normal scheduled conformity assessment activities (e.g. surveillances, recertification) should be performed. Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of any output of the conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months.
A12: No, Although the scope of IAF MD4:2018 is for the auditing /assessment of management systems, persons, and product (see IAF MD4:2018 Section 1-Scope), it can also be used for other types of conformity assessment activities under the IAF MLA, e.g. validation or verification, as referenced in Section 2 – para. 2 of MD4.
A10: In consideration of this extraordinary period, for schemes of management system certification, product certification and certification of persons under IAF MLA, if it is not possible to perform evaluation activities (physically or as per IAF MD4: 2018), such as audits or exams, and if the conditions recommended by IAF ID3: 2011 are satisfied, all the conformity assessment activities (e.g. surveillances, recertification) may be postponed for up to 6 months, and the validity of any output of any conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months. In this last instance, in order to document this to the client, if applicable, it is strongly suggested to issue an extension letter, which ratifies this extended validity and its period. This is essential to guarantee transparency and a correct communication to the external market. Appropriate records should also be updated. However, this could change for specific schemes. For validation and verification, particularly the greenhouse gas (GHG) validation and verification at project or organizational level, they are normally one-off conformity activities, therefore the IAF ID3 guidelines related to surveillance, recertification, extension of certification and recertification cycle etc. may not be applicable. However, for the assessment and accreditation of validation and verification bodies (VVBs), IAF ID3 can be used (see A11), and the remote approaches as per IAF MD4:2018 can be used by both ABs and VVBs (see A12).
Updated on 23/03/2020 to include all IAF MLA main scopes.
ISO/IEC 27006 was published in 2015, while IAF MD4 was published in 2018 (Issue 2, Issued 04 July 2018, application from 04 July 2019). So, considering the specific circumstances, for ISO/IEC 27006 the relevant rules of IAF MD4 also are applicable. This means that it is possible to adopt to ISO/IEC 27006 the MD4 approach, that is to exceed 30% “off-site” and allow a 100% off-site, during this COVID-19 period. Also during the COVID-19 period, where remote auditing exceeds 30% due to the COVID provisions, there is no need for the Certification Body to obtain approval as required by ISO/IEC 27006: B.3.2.
A4. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:
Yes. The IAF Statement on COVID-19 referenced the use of remote assessments and the mandatory document to be used by ABs and CBs, IAF MD4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing and Assessment Purposes. In addition, there is also informative document on principles for remote assessments – IAF ID12:2015 Principles on Remote Assessment that can be used in this instance. It is necessary to bear in mind however, that regulatory bodies, scheme owners and purchasers may have specific requirements that may need to be adhered to, and which may take precedence. IAF ID3 may also assist readers.