A22: Yes, If it is not possible to perform evaluation activities to effectively close the nonconformities (physically or as per IAF MD4: 2018), and if the conditions recommended by IAF ID3: 2011 are satisfied, closure of nonconformities could be prolonged. However, the postponement of any conformity assessment activity (e.g. surveillances, recertification) can only be postponed for up to 6 months in accordance with FAQ 10.
A18: yes, the off-site review of the documentation provided by the company is needed to plan and accomplish a complete and effective audit of the client organization’s management system. This time is to be considered as “audit time” according to IAF MD 5:2019. Audit duration may be reduced due to such off-site documentation review.
A14: No, considering the specific circumstances, and that the applicability of IAF MD5:2019 has been extended from 7 May 2020 to 7 November 2020 (see Q24), the restriction placed on remote audit activities by IAF MD 5 shall not apply. This means that process control and OH&S risk control can be audited using remote audit techniques until the end of the COVID-19 emergency.
Posted 1st of April and updated the 26th of April
A13: No. In cases where CABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF MD 4, then normal scheduled conformity assessment activities (e.g. surveillances, recertification) should be performed. Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of any output of the conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months.
A12: No, Although the scope of IAF MD4:2018 is for the auditing /assessment of management systems, persons, and product (see IAF MD4:2018 Section 1-Scope), it can also be used for other types of conformity assessment activities under the IAF MLA, e.g. validation or verification, as referenced in Section 2 – para. 2 of MD4.
A10: In consideration of this extraordinary period, for schemes of management system certification, product certification and certification of persons under IAF MLA, if it is not possible to perform evaluation activities (physically or as per IAF MD4: 2018), such as audits or exams, and if the conditions recommended by IAF ID3: 2011 are satisfied, all the conformity assessment activities (e.g. surveillances, recertification) may be postponed for up to 6 months, and the validity of any output of any conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months. In this last instance, in order to document this to the client, if applicable, it is strongly suggested to issue an extension letter, which ratifies this extended validity and its period. This is essential to guarantee transparency and a correct communication to the external market. Appropriate records should also be updated. However, this could change for specific schemes. For validation and verification, particularly the greenhouse gas (GHG) validation and verification at project or organizational level, they are normally one-off conformity activities, therefore the IAF ID3 guidelines related to surveillance, recertification, extension of certification and recertification cycle etc. may not be applicable. However, for the assessment and accreditation of validation and verification bodies (VVBs), IAF ID3 can be used (see A11), and the remote approaches as per IAF MD4:2018 can be used by both ABs and VVBs (see A12).
Updated on 23/03/2020 to include all IAF MLA main scopes.
The deadline remains the original one. However, it could happen that in specific circumstances the timeline of surveillance could be modified accordingly.
ISO/IEC 27006 was published in 2015, while IAF MD4 was published in 2018 (Issue 2, Issued 04 July 2018, application from 04 July 2019). So, considering the specific circumstances, for ISO/IEC 27006 the relevant rules of IAF MD4 also are applicable. This means that it is possible to adopt to ISO/IEC 27006 the MD4 approach, that is to exceed 30% “off-site” and allow a 100% off-site, during this COVID-19 period. Also during the COVID-19 period, where remote auditing exceeds 30% due to the COVID provisions, there is no need for the Certification Body to obtain approval as required by ISO/IEC 27006: B.3.2.
(Updated 13 June 2020)
Yes, in theory it is possible, if for the specific scheme all the requirements can be evaluated remotely, including observation of activities. However, this could change for specific schemes.
A4. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:
Yes. The IAF Statement on COVID-19 referenced the use of remote assessments and the mandatory document to be used by ABs and CBs, IAF MD4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing and Assessment Purposes. In addition, there is also informative document on principles for remote assessments – IAF ID12:2015 Principles on Remote Assessment that can be used in this instance. It is necessary to bear in mind however, that regulatory bodies, scheme owners and purchasers may have specific requirements that may need to be adhered to, and which may take precedence. IAF ID3 may also assist readers.