Conformity assessment Requirements for certification bodies certifying products, processes and services

Transcription

1 ISO/IEC 2009 All rights reserved ISO/IEC TC /SC N Date: ISO/IEC CD ISO/IEC TC /SC /WG Secretariat: Conformity assessment Requirements for certification bodies certifying products, processes and services Evaluation de la conformité Warning This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. Document type: International Standard Document subtype: Document stage: (30) Committee Document language: E

2 Copyright notice This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO. Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO's member body in the country of the requester: [Indicate the full address, telephone number, fax number, telex number, and electronic mail address, as appropriate, of the Copyright Manager of the ISO member body responsible for the secretariat of the TC or SC within the framework of which the working document has been prepared.] Reproduction for sales purposes may be subject to royalty payments or a licensing agreement. Violators may be prosecuted. ii ISO/IEC 2009 All rights reserved

3 Contents Page Foreword...v Introduction...vi 1 Scope Normative references Terms and definitions Client Consultancy Evaluation Product Process Service Certification requirement Product requirement Certification decision Certification system Certification scheme Organizational control Justification Scope of certification Certification scheme owner Principles General Impartiality Competence Confidentiality and openness Confidentiality Openness Access to information Responsiveness to complaints and appeals Responsibility General requirements Legal and contractual matters Legal responsibility Certification agreement Responsibility for certification decisions (9.5) Use of license, certificates and marks of conformity Management of impartiality Liability and financing Non-discriminatory conditions Structural requirements Organizational structure and top management Mechanism for safeguarding impartiality Resource requirements Certification body personnel General Management of competence for personnel involved the certification process Contract with the personnel Internal evaluation resources...13 ISO/IEC 2009 All rights reserved iii

4 7.3 Outsourcing Information requirements Publicly available information Standards and other normative documents Certification documentation Directory Confidentiality Process requirements (for operating of a certification scheme Application Application review Evaluation Review Certification decision Certification documentation Surveillance Changes affecting certification Termination, reduction, suspension or withdrawal of certification Records Appeals Complaints Management system requirements for certification bodies General Management system documentation Control of documents Control of records Management review General Review inputs Review outputs Internal audits Corrective actions Preventive actions Annex A (informative) Correlation of Section 9 Clauses with the Functional Approach to Conformity Assessment as Described in ISO/IEC Annex B (informative) Guidelines for product certification schemes Bibliography iv ISO/IEC 2009 All rights reserved

5 Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the development of International Standards and Guides. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. Draft International Standards are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. [Delete if patent rights are identified in the Introduction (see ISO/IEC Directives, Part 2, 2001, Annex H)] Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/IEC 17065:20XX, was prepared [jointly] by the ISO Committee on conformity assessment (CASCO) Where a project is developed jointly (i.e. with the aid of more than one committee and/or an external organization), include the information here, as appropriate. and CASCO WG 29 It was circulated for voting to the national bodies of both ISO and IEC, and was approved by both organizations. [Delete/fill in as applicable] This International Standard cancels and replaces the first edition of ISO/IEC Guide 65:1996 which has been periodically reviewed. ISO/IEC 2009 All rights reserved v

6 Introduction Certification of a product, process or service is a means of providing assurance that it complies with specified standards and other normative documents. Some product, process or service certification systems may include initial testing and assessment of its suppliers' quality systems, followed by surveillance that takes into account the factory quality system and the testing of samples from the factory and the open market. Other systems rely on initial testing and surveillance testing, while still others comprise type testing only. This International Standard specifies requirements, the observance of which is intended to ensure that certification bodies operate third-party certification systems in a competent, consistent and impartial, manner, thereby facilitating their acceptance on a national and international basis and so furthering international trade. The requirements contained in this International Standard are written, above all, to be considered as general criteria for certification bodies operating product, process or service certification systems; they may have to be amplified when specific industrial or other sectors make use of them, or when particular requirements such as health and safety have to be taken into account. This International Standard does not set requirements for schemes and how they are developed and is not intended to restrict the role or choice of scheme owners. Assertion of conformity to the appropriate standards or other normative documents will be in the form of certificates or marks of conformity. Systems for certifying particular products or product groups to specified standards or other normative documents will, in many cases, require their own explanatory documentation. While this International Standard is concerned with third-parties providing product, process or service certification, many of its provisions may also be useful in first- and second-party product conformity assessment procedures. vi ISO/IEC 2009 All rights reserved

7 COMMITTEE DRAFT ISO/IEC CD Conformity assessment Requirements for certification bodies certifying products, processes and services 1 Scope 1.1 This International Standard contains principles and requirements for the competence, consistency and impartiality of the certification bodies evaluating and certifying products processes and. services. Certification bodies operating to this International Standard need not offer all types of products, processes and services certification. 1.2 Certification of products, processes and services is a third party conformity assessment activity (see clause 5.5 of ISO/IEC 17000:2004). Bodies performing this activity are therefore third party conformity assessment bodies, (named in this standard certification body/bodies ). NOTE 1 A certification body can be non-governmental or governmental (with or without regulatory authority). NOTE 2 This International Standard can be used as a criteria document for accreditation or peer assessment or designation by governmental authorities and others. NOTE 3 Interested parties can expect or require the certification body to meet all the requirements of this document as well as when relevant, those of the certification system and/or certification scheme. NOTE 4 The criteria for the rules, procedures and management for implementing product, process and service certification are stipulated by the certification system and/or the certification scheme. The certification system and/or the certification scheme is owned either by the certification body or another organization (3.15). NOTE 5 ISO/IEC Guide 67 gives guidance on product certification systems. 1.3 To apply this standard to the certification of processes the following terms shall be changed: Replace product with processes(es) Replace production with operation Replace produced with operated 1.4 To apply this standard to the certification of services the following terms shall be changed: Replace product(s)" with service(s)" Replace production with provision Replace produced with provided 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 2009 All rights reserved 1

8 ISO/IEC 17000:2004, Conformity assessment Vocabulary and general principles. 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 17000:2004 and the following apply. NOTE service. The term and definition of product given in ISO/IEC 17000:2004 is reproduced to aid understanding the term 3.1 Client The organization that is responsible for ensuring that products meet and, if applicable, continue to meet, the requirements on which the certification is based. 3.2 Consultancy Participation in: a) designing, manufacturing, installing, maintaining or distributing of a product to be certified; b) designing, implementing, providing or maintaining of a service to be certified; c) designing, implementing, operating or maintaining of a process to be certified. 3.3 Evaluation Selection and determination function activities in the certification process as described in ISO/IEC 17000:2004 (clause 4 and A.2 and A.3). 3.4 Product Result of a process. NOTE 1 Four generic product categories are noted in ISO 9000:2005: services (e.g. transport) (see definition in 3.6); software (e.g. computer program, dictionary); hardware (e.g. engine, mechanical part); processed materials (e.g. lubricant). Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware or processed material depends on the dominant element. NOTE 2 resources. Products include results of natural processes such as growth of plants and formation of other natural 3.5 Process Set of interrelated or interacting activities which transforms inputs into outputs. NOTE 1 Any process where a specific standard or other normative documents exist for the process can be certified against the present International Standard. Examples of such standards are: Process of tempering for steel cylinders ISO :1999, Gas cylinders Refillable seamless steel gas cylinders Design, construction and testing Part 1: Quenched and tempered steel cylinders with tensile strength less than 1100 MPa Process of Sterilization of health care products (various ISO standards): ISO/DIS 11135, Sterilization of health care products Ethylene oxide Requirements for development, validation and routine control of a sterilization process for medical devices 2 ISO/IEC 2009 All rights reserved

9 ISO/DIS 17665, Sterilization of health care products Moist heat Development, validation and routine control of a sterilization process for medical devices ISO 11137;1995, Sterilization of health care products Requirements for validation and routine control Radiation sterilization NOTE 2 Adapted from ISO 9000:2005 clause Service Result of at least one activity necessarily performed at the interface between the supplier and the customer and is generally intangible. NOTE 1 Provision of a service can involve, for example, the following: an activity performed on a customer-supplied tangible product (e.g. automobile to be repaired); an activity performed on a customer-supplied intangible product (e.g. the income statement needed to prepare a tax return); the delivery of an intangible product (e.g. the delivery of information in the context of knowledge transmission); the creation of ambience for the customer (e.g. in hotels and restaurants). NOTE 2 Adapted from ISO 9000:2005 clause Note Certification requirement Specified requirement (ISO/IEC 17000:2004, 3.1), including product requirement (3.8) that must be fulfilled by the client (3.1) as a condition of establishing or maintaining certification. NOTE 1 Certification requirements include requirements imposed on the client by the certification body (usually via the certification agreement, 5.1.2) to meet this International Standard, and can also include requirements imposed on the client by the certification scheme. Certification requirements as used in this International Standard do not include requirements imposed on the certification body by the certification scheme NOTE 2 Examples of certification requirements that are not product requirements are: Completing the certification agreement; Paying fees; Providing information about changes to the certified product; Providing access to certified products for surveillance activities. 3.8 Product requirement Certification requirement (3.7) directly or indirectly related to a product, specified in product standards and/or in other normative documents. 3.9 Certification decision Granting, continuing, expanding the scope of, reducing the scope of, suspending, restoring, withdrawing or refusing certification. NOTE A certification scheme can utilize some or all of these types of certification decisions. ISO/IEC 2009 All rights reserved 3

10 3.10 Certification system Rules, procedures, and management for carrying out certification. NOTE Adapted from ISO/IEC 17000:2004 clause Certification scheme Certification system related to specified products, to which the same specified requirements, specific rules and procedures apply. NOTE Adapted from ISO/IEC 17000:2004 clause Organizational control One of the following mechanisms by which a certification body ensures control: Majority participation on another legal entity s Board of Directors; or Majority ownership; or Documented authority over another legal entity within a network of legal entities (in which the certification body resides) linked by ownership or Board of Directors control; or Authority to appoint and withdraw the members of a committee or group Justification Rationale establishing that no adverse impact on the competence, consistency and impartiality of the certification body s operation of the certification scheme has resulted Scope of certification Range or characteristics of products, processes or services covered by certification. The scope of certification generally includes; the product(s), process(es) or service(s), the applicable certification system/scheme, and the standard(s) and other normative document(s) (including date of publication) to which the product(s), process(es) or service(s) has been judged to comply Certification scheme owner Individual or organization which is responsible for developing and maintaining a certification scheme. NOTE The certification scheme owner can be the certification body itself, a governmental authority or other. 4 Principles 4.1 General These principles are the basis for the subsequent specific performance and descriptive requirements in this International Standard. This International Standard does not give specific requirements for all situations 4 ISO/IEC 2009 All rights reserved

11 that can occur. These principles should be applied as guidance for the decisions that may need to be made for unanticipated situations. Principles are not requirements The overall aim of certification is to give confidence to all interested parties that a product fulfils specified requirements. The value of certification is the degree of public confidence and trust that is established by an impartial and competent evaluation by a third-party. Parties that have an interest in certification include, but are not limited to: a) the clients of the certification bodies; b) the customers of the organizations whose products are certified; c) governmental authorities; d) non-governmental organizations; and e) consumers and other members of the public The principles for inspiring confidence are those listed below (4.2 to 4.6). 4.2 Impartiality The use of the term impartiality in this standard is understood to be the actual and/or publicly perceived presence of objectivity. NOTE 1 Objectivity is understood to mean that conflicts of interest do not exist or are resolved so as not to adversely influence the activities of the certification body. NOTE 2 other terms that are useful in conveying the element of impartiality are: independence, neutrality, fairness, open-mindedness, even-handedness, detachment, balance, freedom from conflict of interests, freedom from bias, lack of prejudice It is necessary for certification bodies and their personnel to be, and be perceived as, impartial to give confidence in their activities and their outcomes Threats to impartiality include bias that may arise from: a) self-interest (e.g. overdependence on a contract for service or the fees, or fear of losing the client or fear of becoming unemployed, to an extent that adversely affects objectivity in carrying out conformity assessment activities); ISO/IEC 2009 All rights reserved 5

12 b) self-review (e.g. performing conformity assessment activity in which the certification body evaluates the results of other services it has already provided, such as design or consultancy services); c) advocacy (e.g. a certification body or its personnel acting in support of, or in opposition to, a given company, which is at the same time its client); d) over-familiarity, i.e. threats that arise from a certification body or its personnel being overly familiar or too trusting instead of seeking evidence of conformity (in the product certification context, this risk is more difficult to manage because the need for assessment personnel, with very specific expertise, often limits the availability of qualified individuals); e) intimidation (e.g. the certification body or its personnel can be deterred from acting objectively by threats from or fear of, a client or other interested party); f) competition (e.g. between the client and a contracted technical assessor). 4.3 Competence Competence of the personnel supported by the management system of the certification body is necessary to deliver certification that provides confidence. Competence is the demonstrated ability to apply knowledge and skills to achieve intended results. 4.4 Confidentiality and openness Managing the balance between confidentiality (4.4.1) and openness (4.4.2) related requirements affects stakeholders' trust and their perception of value in the conformity assessment activities being performed Confidentiality To gain access to the information needed to conduct effective conformity assessment activities, the certification body needs to provide confidence that confidential information will not be disclosed All organizations and individuals have the right to have protected any proprietary information that they provide unless required by law Openness A certification body needs to provide public access to, or disclosure of, appropriate and timely information about its evaluation and certification processes, and about the certification status (i.e. the granting, continuing, expanding the scope of, reducing the scope of, suspending, restoring, withdrawing or refusing certification) of any product, in order to gain confidence in the integrity and credibility of certification. Openness is a principle of access to, or disclosure of, appropriate information Access to information Any information held by the certification body on a product that is the subject of an evaluation and/or certification should, upon request, be made accessible to the person or organization which contracted the certification body to undertake the certification activity 4.5 Responsiveness to complaints and appeals The effective resolution of complaints and appeals is an important means of protection for the certification body, its clients and other users of conformity assessment against errors, omissions or unreasonable behavior. Confidence in conformity assessment activities is safeguarded when complaints and appeals are processed appropriately. 6 ISO/IEC 2009 All rights reserved

13 4.6 Responsibility The client, not the certification body, has the responsibility for fulfillment of the certification requirements The certification body has the responsibility to evaluate sufficient objective evidence upon which to base a certification decision. Based on evaluation conclusions, it makes a decision to grant certification if there is sufficient evidence of conformity, or a decision not to grant certification if there is not sufficient evidence of conformity, or a decision not to maintain certification 5 General requirements 5.1 Legal and contractual matters Legal responsibility The certification body shall be a legal entity, or a defined part of a legal entity, such that the legal entity can be held legally responsible for all its certification activities. Where a certification body is part of another legal entity it shall clearly identify which legal entity has responsibility for each certification. NOTE 1 A governmental certification body is deemed to be a legal entity on the basis of its governmental status. NOTE 2 A certification body, along with other certification bodies, can be owned by (or under other contractual relationship with) a larger legal entity wherein all bodies work under a common management structure and management system. In such a situation each certification can only be the responsibility of one certification body/legal entity Certification agreement The certification body shall have a legally enforceable agreement for the provision of certification activities to its clients. Contracts and agreements for certification shall take into account the responsibilities of the parties The certification body shall ensure their certification agreement requires that the client comply at least, with the following: a) always fulfils the certification requirements (3.7) including changes communicated by the certification body (9.8); b) the certified product always fulfils the product requirements (3.8); c) makes all necessary arrangements for the conduct of the evaluation (3.3), including provision for examining documentation and records, and access to the relevant location(s), area(s) and personnel and for investigation of complaints; d) makes claims regarding certification only in respect of the scope of certification (3.14); e) does not use its product certification in such a manner as to bring the certification body into disrepute and does not make any statement regarding its product certification which the certification body may consider misleading or unauthorized; f) upon suspension or withdrawal of certification, discontinues its use of all advertising matter that contains any reference thereto and returns as required by the certification scheme any certification documents and takes any other measure; g) endeavours to ensure that no certificate or report nor any part thereof is used in a misleading manner; ISO/IEC 2009 All rights reserved 7

14 h) if the client provides copies of the certification documents to others, the documents shall be reproduced in their entirety; i) in making reference to its product certification in communication media such as documents, brochures or advertising, complies with the requirements of the certification body if applicable; j) uses the certification mark only on products it has found to comply with the requirements if applicable; NOTE See also ISO/IEC Guide 23 and ISO/IEC Guide 27. k) applies a mark to each certified product, or to product packaging, or on information accompanying each product, if applicable; l) keeps a record of all complaints made known to the client relating to the compliance with certification requirements and to make these records available to the certification body when requested; and 1) takes appropriate action with respect to such complaints and any deficiencies found in products, processes or services that affect compliance with the requirements for certification; 2) documents the actions taken. Verification by the certification body of (l) is optional unless mandated by the certification scheme. m) informs the certification body, without delay, of changes that may affect its ability to conform with the certification requirements. NOTE Example of changes that can be addressed include: the legal, commercial, organizational status or ownership, organization and management (e.g. key managerial, decision-making or technical staff), modifications to the product or manufacturing process contact address and sites, scope of operations in the production process, and major changes to the management system and processes Responsibility for certification decisions (9.5) The certification body shall be responsible for and shall retain authority for its decisions relating to certification. This includes the granting, continuing, expanding the scope of, reducing the scope of, suspending, restoring, withdrawing or refusing of certification. The certification body shall only grant authority to make a certification decision referenced in Section 9.5, or any decision in the handling of complaints and appeals only to: an individual(s) within its contractual or employment control; a group (e.g. committee) within its organizational control (3.12) but having delegation from the certification body (5.1.1); or personnel (employed or contracted) in an organization within its organizational control but having delegation from the certification body (5.1.1). Assignment to any other individual or group or delegation of the responsibility or authority for decisions relating to certification is prohibited. 8 ISO/IEC 2009 All rights reserved

15 The certification body shall only grant authority to make a certification decision, or any decision in the handling of complaints and appeals, to an individual or group that is impartial with respect to the product(s) Use of license, certificates and marks of conformity The certification body shall exercise proper control over ownership, use and display of licenses, certificates, marks of conformity, and any other mechanisms for indicating a product is certified. NOTE Guidance on the use of certificates and marks permitted by the certification body can be obtained from ISO/IEC Guide 23 and ISO/IEC Incorrect references to the certification system/scheme or misleading use of licenses, certificates, marks, or any other mechanism for indicating a product is certified, found in advertisement catalogues, etc. shall be dealt with by suitable action. NOTE Such actions are addressed in ISO/IEC Guide 27 and can include corrective actions, withdrawal of certificate, publication of the transgression and, if necessary, other legal action. 5.2 Management of impartiality The certification body shall have top management commitment to impartiality The certification body shall have and make available on request a statement that it understands the importance of impartiality in carrying out its certification activities, manages conflict of interests and ensures the objectivity of its certification activities The certification body shall identify risks to its impartiality on an ongoing basis. This shall include those risks that arise from its activities, or from its relationships, or from the relationships of its personnel (7.1). However, such relationships do not necessarily present a certification body with a risk to impartiality. NOTE A relationship that threatens the impartiality of the certification body can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing and payment of a sales commission or other inducement for the referral of new clients, etc If a risk to impartiality is identified, the certification body shall be able to demonstrate how it eliminates or minimizes such risk When a relationship poses an unacceptable threat to impartiality (such as a wholly owned subsidiary of the certification body requesting product certification from its parent or the same when the certification body belongs to a corporation or holding and other parts of it, manufacturers, etc. requests product certification to its related certification body), then certification shall not be provided Certification bodies shall document how they manage their certification business and any other activities so as to eliminate actual conflict of interests and minimize any identified risk to impartiality. This information shall be made available to the mechanism specified in 6.2. The documentation shall cover all potential sources of conflict of interests that are identified, whether they arise from within the certification body or from the activities of other persons, bodies or organizations The certification body and any group within its organizational control or personnel, employed or contracted in an organization within its organizational control, shall not offer or provide consultancy on the product that it certifies. This also applies to that part of government identified as the certification body The certification body shall not give prescriptive advice or consultancy as part of an evaluation. NOTE 1 This does not preclude normal exchange of information (including explaining its findings and/or clarify the requirements) with the clients and other interested parties The certification body (and any group within its organizational control or personnel, employed or contracted, in an organization within its organizational control) shall not offer or provide internal management ISO/IEC 2009 All rights reserved 9

16 system audits to the client (or other legal entities involved in the certification process), in those schemes that require the client (or other legal entities involved in the certification process), to perform internal management system audits. This also applies to that part of government identified as the certification body. NOTE See note to The certification body shall not certify a product on which a client has received consultancy or internal evaluations, where the relationship between the consultancy organization and the certification body poses an unacceptable threat to the impartiality of the certification body. NOTE 1 Allowing a minimum period of two years to elapse following the end of the product consultancy is one way of reducing the threat to impartiality to an acceptable level. NOTE 2 precluded. Using, installing and maintaining of a certified product needed for the operation of the certification body is not The certification body's activities shall not be marketed or offered as linked with the activities of an organization that provides product consultancy. The certification body shall take action to correct inappropriate claims by any consultancy organization stating or implying that certification would be simpler, easier, faster or less expensive if the certification body were used. A certification body shall not state or imply that certification would be simpler, easier, faster or less expensive if a specified consultancy organization were used To ensure that there is no conflict of interests, personnel who have provided consultancy for, or been employed by a client, including those acting in a managerial capacity, shall not be used by the certification body to make a certification decision nor resolution of a complaint or appeal for that client within two years following the end of the consultancy or employment. NOTE This requirement does not apply to an individual participating in a group/committee The certification body shall take action to respond to any threats to its impartiality arising from the actions of other persons, bodies or organizations All certification body personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality (7.1.3 c) The certification body shall manage the risk to impartiality arising from over-familiarity between its personnel and the client. 5.3 Liability and financing The certification body shall evaluate the risks arising from its certification activities and that it has adequate arrangements (e.g. insurance or reserves) to cover liabilities arising from its operations The certification body shall together with its top management and staff, be free from any commercial, financial and other pressures which might influence the results of the certification process The certification body shall have the financial stability and resources required for the operation of a certification system. 5.4 Non-discriminatory conditions The policies and procedures under which the certification body operates and their administration shall be non-discriminatory and shall be administered in a non-discriminatory manner. Procedures shall not be used to impede or inhibit access by applicants, other than as provided for in this International Standard Certification bodies shall not practice any form of discrimination such as hidden discrimination by speeding up or delaying the processing of applications. 10 ISO/IEC 2009 All rights reserved

17 5.4.3 The certification body shall make its services accessible to all applicants whose activities fall within its declared field of operation. There shall not be undue financial or other conditions Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued. NOTE However a certification body can deny certification to a client when fundamental/demonstrated reasons exist, such as illegal activities, history of repeated non compliances with the certification/product requirements and similar issues The certification body shall confine its requirements, evaluation (if the certification body is responsible for evaluation), review, decision, and surveillance (if any) to those matters specifically related to the scope of the certification. 6 Structural requirements 6.1 Organizational structure and top management The certification body shall document its organizational structure, showing duties, responsibilities and authorities of management and other certification personnel and any committees. When the certification body is a defined part of a legal entity, the structure shall include the line of authority and the relationship to other parts within the same legal entity The management of the certification body shall identify the board, group of persons, or person having overall authority and responsibility for each of the following: a) development of policies relating to the operation of the certification body; b) supervision of the implementation of the policies and procedures; c) supervision of the finances of the certification body; d) development of certification services; e) performance of evaluation and certification; f) decisions on certification (5.1.3); g) delegation of authority to committees or individuals, as required, to undertake defined activities on its behalf; h) contractual arrangements; i) provision of adequate resources for certification activities; j) responsiveness to complaints; k) certification requirements The certification body shall have formal rules for the appointment, terms of reference and operation of any committees that are involved in the certification process. Such committees shall be free from any commercial, financial and other pressures that might influence decisions. 6.2 Mechanism for safeguarding impartiality The certification body shall safeguard the impartiality of its activities and shall provide a mechanism through which significant interested parties, as indicated in 6.2.4, can provide input on: ISO/IEC 2009 All rights reserved 11

18 a) the policies and principles relating to the impartiality of its certification activities, b) counteracting any tendency on the part of a certification body to allow commercial or other considerations to prevent the consistent impartial provision of certification activities, c) matters affecting impartiality and confidence in certification, including openness and public perception NOTE 1 Other tasks or duties can be assigned to the mechanism provided these additional tasks or duties do not compromise its essential role of ensuring impartiality. NOTE 2 NOTE 3 A possible mechanism is a committee. A single mechanism for the certification body can satisfy this requirement The terms of reference, duties, authorities and responsibilities of the mechanism shall be formally documented to ensure: a) representation of a balance of interests such that no single interest predominates (internal or external personnel of the certification body are considered to be a single interest, and shall not predominate); b) access to all the information necessary to enable it to fulfill all its functions (5.2.6) If impartiality is not being achieved by the certification body, the mechanism will not be prohibited from taking appropriate action (e.g. informing authorities, accreditation bodies, stakeholders). In taking appropriate action, the confidentiality requirements of 8.5 relating to the client and certification body shall be respected Although every interest cannot be represented in the mechanism, a certification body shall identify and invite key interests. NOTE 1 Such interests can include: clients of the certification body, customers of organizations whose products are certified, manufacturers, suppliers, users, conformity assessment experts, representatives of industry trade associations, representatives of governmental regulatory bodies or other governmental services, or representatives of nongovernmental organizations, including consumer organizations. NOTE 2 If the certification body also provides management systems certification, the committee that fulfils clause 6.2 of ISO/IEC 17021:2006 can also fulfil clause 6.2 of ISO/IEC NOTE 3 These interests may be limited depending on the certification scheme. 7 Resource requirements 7.1 Certification body personnel General The personnel of the certification body (internal or external) shall be competent for the functions they perform, including making required technical judgments, framing policies and implementing them. NOTE External personnel includes individuals working under contract The certification body shall employ or have access to a sufficient number of personnel technically competent to cover the operations of the product certification system and schemes and the applicable standards. The certification body shall have access to the necessary technical expertise for advice on matters directly relating to certification for technical areas, types of product certification systems/schemes and, if relevant for the certification schemes, geographic areas in which the certification body operates. Such advice may be provided externally or by certification body personnel. 12 ISO/IEC 2009 All rights reserved

19 7.1.2 Management of competence for personnel involved the certification process The certification body shall establish, implement and maintain a procedure for personnel (internal and external) involved in the certification process (9). The procedure shall require the certification body to: a) determine required personnel competencies for each scheme; b) identify training needs and provide, as necessary, training programmes on certification processes, requirements, methodologies, activities and other relevant certification scheme requirements; c) recruit, select, assess and formally authorize and monitor certification body personnel; d) demonstrate that personnel have the required competencies in the duties and responsibilities they undertake Information on the relevant qualifications, training and experience of each member of the personnel (internal and external) involved in the certification process shall be maintained by the certification body. Records of competence shall be kept up to date, in particular the following: a) name and address; b) organization affiliation and position held; c) educational qualification and professional status; d) experience and training in each field of the certification body's competence; e) records of assessment of competence; f) date of most recent updating of records; g) performance appraisal Contract with the personnel The certification body shall require personnel (internal and external) involved in the certification process to sign a contract or other document by which they commit themselves to: a) comply with the rules defined by the certification body, including those relating to confidentiality (8.5.4) and independence from commercial and other interest; b) declare any prior and/or present association on their own part, or on the part of their employer, with a supplier or designer of products to the evaluation or certification of which they are to be assigned; and c) reveal any situation known to them that may present them or the certification body with a conflict of interests (5.2.14). Certification bodies shall use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them, and shall not use such personnel (internal or external) unless they can demonstrate that there is no conflict of interests. 7.2 Internal evaluation resources When a certification body performs evaluation using its own resources (including external individuals), it shall fulfill the relevant requirements as specified by the certification scheme. NOTE Requirements for testing, inspection and management system audit are contained in ISO/IEC 17025, ISO/IEC and ISO/IEC 17021, respectively. Certification schemes can specify all or some of the requirements of ISO/IEC 17025, ISO/IEC 17020, ISO/IEC or other relevant documents as being applicable. ISO/IEC 2009 All rights reserved 13

20 7.3 Outsourcing The certification body shall only outsource evaluation activities to bodies that fulfil the relevant requirements as specified by the certification scheme. NOTE 1 Requirements for testing, inspection and management system audit are contained in ISO/IEC 17025, ISO/IEC and ISO/IEC 17021, respectively. Certification schemes can specify all or some of the requirements of ISO/IEC 17025, ISO/IEC 17020, ISO/IEC or other relevant document as being applicable. NOTE 2 This can include outsourcing to other certification bodies. Use of external personnel under contract is addressed in 7.1. NOTE 3 For the purposes of this International Standard, the terms outsourcing and subcontracting are considered to be synonyms Where the certification body utilizes non independent testing facilities (e.g. client testing facilities), it shall do so in accordance with the requirements of the certification scheme. NOTE The certification scheme can include assurance that specified controls are in place at the testing facilities, that they are managed in a manner which provides confidence in the results obtained from the tests, and that records are available to justify the confidence. In this case the requirements of 7.3 can also apply The certification body shall have a legally enforceable agreement with the body that provides the outsourced service, including confidentiality and conflict of interests The certification body a) shall take responsibility for all activities outsourced to another body; b) shall ensure that the body that provides outsourced services, and the individuals that it uses, conform to requirements of the certification body and also to the applicable provisions of this International Standard, including competence, impartiality and confidentiality; c) shall ensure that the body that provides outsourced services, and the individuals that it uses, are not involved, either directly or through any other employer, in such a way that the credibility of the results could be compromised; d) shall have documented policies and procedures for the qualification, assessing and monitoring of all bodies that provide outsourced services used for certification activities; e) shall maintain a list of approved outsourced services. f) The certification body shall ensure that neither bodies that perform outsourced services nor external personnel operate in breach of the undertakings that they have been given. It shall implement appropriate corrective action in the event that such a breach is identified. NOTE 1 If the qualification, assessing and monitoring of the bodies which provide outsourced services is performed by other organisations such as accreditation bodies, peer assessment bodies or governmental authorities, the certification body can take this qualification and monitoring into account provided that: the scope is applicable to the work being undertaken; and the validity of the qualification, assessing and monitoring arrangements is verified at a periodicity determined by the certification body. NOTE 2 Where work related to certification has been undertaken prior to the application for certification, the certification body can take account of it, provided it can take responsibility as detailed in a) and satisfy itself regarding the matters detailed in b) and c). This can include work carried out under recognition agreements between certification bodies. 14 ISO/IEC 2009 All rights reserved

21 8 Information requirements 8.1 Publicly available information The certification body shall maintain (through publications, electronic media or other means) and make available on request, the following: a) information about the authority under which the certification body operates; b) information about its product certification systems/schemes, including its rules and procedures for granting, continuing, expanding the scope of, reducing the scope of, suspending, restoring, withdrawing or refusing certification; c) information about the evaluation procedures and certification process related to each product certification system/schemes; d) a description of the means by which the organization obtains financial support and general information on the fees charged to applicants and to clients of certified products; e) a description of the rights and duties of applicants and clients of certified products, including requirements, restrictions or limitations on the use of the certification body's mark and on the ways of referring to the certification granted; f) information about procedures for handling complaints and appeals. 8.2 Standards and other normative documents The criteria against which the products of a client are evaluated shall be those outlined in specified standards and other normative documents. NOTE Guidance for developing standards suitable for this purpose is contained in lso/iec If explanation is required as to the application of these documents for a specific certification system/schemes, it shall be formulated by relevant and impartial committees or persons possessing the necessary technical competence, and made available upon request by the certification body. 8.3 Certification documentation The certification body shall provide to the client formal certification documentation that clearly conveys, or permits identification of: a) the name and address of the certification body; b) the identification to whom the certification has been granted and the date certification is granted; the date certification is granted shall not precede the date the certification decision was completed; c) the name and address of the client; d) the scope of certification (3.14); NOTE Where the standards or other normative document(s) to which conformity is being certified includes reference to other standards or normative documents, these others do not need to be included in the formal certification documentation; e) if certification expires after an established period of time, the term or expiration date of certification; f) a unique identification code for the certificate where used; ISO/IEC 2009 All rights reserved 15