A32: Yes. However, given the specific circumstances, all the time limits indicated in the standard have to be reconsidered according to the IAF FAQ Q10 that allows the postponements of any conformity assessment activities. This means that:
it is not necessary to conducted a surveillance audit at least once a calendar year;
the date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date plus the postponement allowed by the IAF FAQ Q10.
In the case it is not possible to perform any surveillance activity within the timeframe of 12+6 months (see above second bullet point), the accredited CB shall inform the customer and suspend the accredited certificate.
In these specific circumstances, the suspension could exceed six months (see the note of ISO/IEC 17021-1:2015, § 22.214.171.124).
In order to lift the suspension and continue with the accredited certificate validity, at least a Stage 2 shall be conducted.
A31: IAF FAQ 10 allows the recertification date to be extended up to six months, which would allow the planning to be extended accordingly. If that six months may not provide sufficient opportunities for CBs to conclude recertification audits, the decision on recertification must be made within 3 months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this time-frame, from the certification date exceeds 12 months, the CB should complete the reassessment as possible using remote means for witnessing the certified processes during their execution (real-time video of production and workplaces remotely guided by the auditor and/or review by the auditor of recorded videos in those areas where no direct connection is available, with a possible request of specific new partial video, when deemed necessary). In all those cases where the processes cannot be remotely assessed in an effective way to the satisfaction of the team leader, the certification scope shall be partially reduced consequently or the certificate shall be completely withdrawn, and a new initial audit will be required. In any case, a decision shall be made taking also into consideration the updated risk associated with the operational control capability of the organization in the COVID 19 emergency conditions and the type of certification scheme.
A29: See below the list of the recognized ABs under the IAF MLA Medical Devices Management Systems (MDMS) sub-scope and the links to their accredited bodies databases where you can find the certification bodies accredited to provide ISO 13485 certification.
You can also check the IAF Certsearch database which, although incomplete at this time, currently includes 2593 ISO 13485 certificates worldwide from 150 accredited certification bodies for ISO 13485 scopes.
A27: No. In cases that ABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF ID 12, normal scheduled conformity assessment activities (e.g. surveillances, reassessment) should be performed.
Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of all output of the conformity assessment activity (e.g. a certificate) may be extended for a corresponding period of up to 6 months.
This means that an accreditation certificate would be valid for a maximum for 5 years (see ISO/IEC 17011, § 7.9.1) plus 6 months.
If there is a postponement of 6 months in the deadline of a certificate, according to Q8, the next accreditation cycle starts from the original one and not from the new accreditation decision.
If the CAB is not able to perform evaluation activities physically or when these cannot fully be replaced with evaluation activities as per IAF MD 4, then the normal scheduled recertification activities may be postponed for up to 6 months (see Q13)
A certificate can only be renewed if the CAB is able to evaluate all the applicable requirements of ISO/IEC 17021-1 (126.96.36.199) through a complete and effective audit of the client’s management system, followed by a successful review and decision making activities
A22: Yes, If it is not possible to perform evaluation activities to effectively close the nonconformities (physically or as per IAF MD4: 2018), and if the conditions recommended by IAF ID3: 2011 are satisfied, closure of nonconformities could be prolonged. However, the postponement of any conformity assessment activity (e.g. surveillances, recertification) can only be postponed for up to 6 months in accordance with FAQ 10.
A18: yes, the off-site review of the documentation provided by the company is needed to plan and accomplish a complete and effective audit of the client organization’s management system. This time is to be considered as “audit time” according to IAF MD 5:2019. Audit duration may be reduced due to such off-site documentation review.
A17: No, a certificate can only be issued if the CAB is able to evaluate all the applicable requirements of ISO/IEC 17021-1 (188.8.131.52 Stage 1 and 184.108.40.206 Stage 2) through a complete and effective audit of the client’s management system, followed by a successful review and decision making activities. However, this could change for specific schemes.
A16: Yes, if all the points listed in § 2.2.4 of IAF MD2:2017 and any issues arising from the document review, for example major nonconformities (2.2.2) can be evaluated remotely. However, this could change for specific schemes.
A15: OHSAS 18001 certification can be extended by up to six months as detailed in FAQ 10. This means that transition period for migrating accredited certifications from OHSAS 18001:2007 to ISO 45001:2018 is extended to: 30 September 2021.
The audit for migration can be done with remote auditing techniques, following what was already clarified in Q5.
(Answer published on 3 April and updated 11/04/2020 with blue text)
A14: No, considering the specific circumstances, and that the applicability of IAF MD5:2019has been extended from7 May 2020 to 7 November 2020 (see Q24), the restriction placed on remote audit activities by IAF MD 5 shall not apply. This means that process control and OH&S risk control can be audited using remote audit techniques until the end of the COVID-19 emergency.
A13: No. In cases where CABs are still able to perform evaluation activities physically or when these can be fully replaced with evaluation activities as per IAF MD 4, then normal scheduled conformity assessment activities (e.g. surveillances, recertification) should be performed. Otherwise, if the conditions recommended by IAF ID 3: 2011 are satisfied, the normal scheduled conformity assessment activities may be postponed for up to 6 months, and the validity of any output of the conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months.
A12: No, Although the scope of IAF MD4:2018 is for the auditing /assessment of management systems, persons, and product (see IAF MD4:2018 Section 1-Scope), it can also be used for other types of conformity assessment activities under the IAF MLA, e.g. validation or verification, as referenced in Section 2 – para. 2 of MD4.
A11: No, IAF ID3:2011 is primarily applicable for management systems certification, but it can be applied to all the accreditation and conformity assessment activities under the IAF MLA (see IAF ID3:2011 para. 1):
A10: In consideration of this extraordinary period, for schemes of management system certification, product certification and certification of persons under IAF MLA, if it is not possible to perform evaluation activities (physically or as per IAF MD4: 2018), such as audits or exams, and if the conditions recommended by IAF ID3: 2011 are satisfied, all the conformity assessment activities (e.g. surveillances, recertification) may be postponed for up to 6 months, and the validity of any output of any conformity assessment activity (e.g. a certificate or report) may be extended for a corresponding period of up to 6 months. In this last instance, in order to document this to the client, if applicable, it is strongly suggested to issue an extension letter, which ratifies this extended validity and its period. This is essential to guarantee transparency and a correct communication to the external market. Appropriate records should also be updated. However, this could change for specific schemes. For validation and verification, particularly the greenhouse gas (GHG) validation and verification at project or organizational level, they are normally one-off conformity activities, therefore the IAF ID3 guidelines related to surveillance, recertification, extension of certification and recertification cycle etc. may not be applicable. However, for the assessment and accreditation of validation and verification bodies (VVBs), IAF ID3 can be used (see A11), and the remote approaches as per IAF MD4:2018 can be used by both ABs and VVBs (see A12).
Updated on 23/03/2020 to include all IAF MLA main scopes.
A9: Yes. It is applicable. IAF General Assembly Resolution 2015–15 was taken to confirm this. For the maintenance of IAF Technical Committee documents it states: “The General Assembly, acting on the recommendation of the Technical Committee, resolved that references to ISO/IEC 17021 in IAF documents shall be understood to refer to ISO/IEC 17021-1:2015 in relation to CABs that have completed the transition and after the transition period. However, ABs and CABs will need to take account of the changes in ISO/IEC 17021-1 when using IAF documents which may not be revised until after the transition period to reference ISO/IEC 17021-1.”
IAF ID3 allows, in extraordinary events or circumstances like this, postponement of the assessment / audits.
Moreover, according to IAF MD17:2015 Witnessing Activities for the Accreditation of Management System Certification Bodies and/or relevant timeline modified accordingly, it is justifiable and understandable in this situation that a CB or its client refuses a witness assessment by the AB. It is important to make audits only when there is agreement of all the parties involved (client, CB and AB). See MD17, 2.2.2 and 2.4.2. It is also possible to perform partial witnessing (2.4.10).
ISO/IEC 27006 was published in 2015, while IAF MD4 was published in 2018 (Issue 2, Issued 04 July 2018, application from 04 July 2019). So, considering the specific circumstances, for ISO/IEC 27006 the relevant rules of IAF MD4 also are applicable. This means that it is possible to adopt to ISO/IEC 27006 the MD4 approach, that is to exceed 30% “off-site” and allow a 100% off-site, during this COVID-19 period. Also during the COVID-19 period, where remote auditing exceeds 30% due to the COVID provisions, there is no need for the Certification Body to obtain approval as required by ISO/IEC 27006: B.3.2.
A4. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:
A3. The joint committee with ILAC that looks after all peer evaluations has developed a related document. The document has the agreement of the Regional MLA Chairs and is available on the IAF Website under:
Yes. The IAF Statement on COVID-19 referenced the use of remote assessments and the mandatory document to be used by ABs and CBs, IAF MD4:2018 IAF Mandatory Document for the Use of Information and Communication Technology (ICT) for Auditing and Assessment Purposes. In addition, there is also informative document on principles for remote assessments – IAF ID12:2015 Principles on Remote Assessment that can be used in this instance. It is necessary to bear in mind however, that regulatory bodies, scheme owners and purchasers may have specific requirements that may need to be adhered to, and which may take precedence. IAF ID3 may also assist readers.