
Changes to

ISO/IEC 17021:2011 &
ISO/IEC 19011:2011
AOQ Queensland
18 July 2012

Geoff Brundle
Changes
to
ISO/IEC 17021:2011
ISO/IEC 17021:2011
Key Changes

– ISO 19011 references deleted & included directly in 17021.
– Personal attributes (19011) replaced with
personal behaviours.
– Larger focus on competencies.
– 6 annexes added: one normative and five
informative
• The one normative annex (Annex A) and 3 of the 5
informative annexes, (B, C, and D), all relate to the
competence and performance of CB personnel.
• The other 2 informative annexes, (E and F), relate to the
audit and certification processes.
ISO/IEC 17021:2011
Key Changes

Annexes A – F
• Annex A (normative) Required knowledge and skills
• Annex B (informative) Possible evaluation methods
• Annex C (informative) Example of a process flow for
determining and maintaining competence
• Annex D (informative) Desired personal behaviors
• Annex E (informative) Third-party audit and
certification process
• Annex F (informative) Considerations for the audit
programme, scope or plan
ISO/IEC 17021:2011
Key Changes

– ISO/IEC 17021:2006 was for QMS & EMS only.
– New: 17021:2011 includes any accredited
management systems, e.g. FSMS, ISMS, etc.
Why new revision of ISO/IEC 17021:2011?

This means…
– It becomes a generic requirements document for the
3rd party auditing of (all) management systems.
– Guidance in ISO 19011 is transformed into
requirements.
– It covers third party auditing and the management of
competence related to third party auditing.
– It provides a template for other bodies of knowledge
(e.g. ISO TCs) to develop specific criteria for third
party auditing and management of competence for
different types of management systems or sector
applications.
ISO/IEC 17021- Clause 3
Additional Definitions

3.4 Third party certification audit – carried out by an
auditing organization independent of the client
and the user, for the purpose of certifying the
client's management system
– Note 4: Joint audit (two or more auditing organisations
cooperate to audit a single client)
– Note 5: Combined audit (audit against 2 or more
management system standards)
– Note 6: Integrated audit (integrated application of 2 or
more management systems)
ISO/IEC 17021- Clause 3
Additional Definitions (cont’d)

3.5 Client – organization whose management system is
being audited for certification purposes
3.6 Auditor – person who conducts an audit
3.7 Competence – ability to apply knowledge and
skills to achieve intended results
3.8 Guide – person appointed to assist the audit team
3.9 Observer – person who accompanies the audit
team but does not audit
3.10 Technical area – area characterized by
commonalities of processes relevant to a specific
type of management system
ISO/IEC 17021- Clause 4
Principles

Clause 4 – The six principles remain:-
- Impartiality
- Competence
- Responsibility
- Openness
- Confidentiality, and
- Responsiveness to complaints
ISO/IEC 17021:2011

Clause 5 – General requirements; and
Clause 6 – Structural requirements
remain unchanged.
ISO/IEC 17021 – Clause 7
Resource requirements
7.1 Competence of management and personnel

• Some changes to numbering
• Some clauses given titles

7.1.2 Determination of competence criteria – NEW
– Competence for a management system, technical area or
certification function
– Focus on knowledge and skills rather than qualifications, i.e. output.
– Annex A specifies the knowledge and skills for contract reviewer,
certification decision maker, auditing & lead auditor.
– Scheme-specific competency requirements shall still apply, e.g.
ISO/TS 22003 in addition to the 17021 requirements.
– The interpretation of “technical area” is dependent upon the type of
management system.
ISO/IEC 17021
Normative Annex A

• Knowledge and skills shall be defined for specific
certification functions:
– Conducting the application review to determine the audit team competence
required, to select the audit team members, to determine the audit time
– Reviewing audit reports and making certification decisions
– Auditing
– Leading the audit team
• X means the certification body shall define the
criteria and depth of knowledge and skills
• X+ indicates a need for deeper knowledge and
skills.
ISO/IEC 17021
Normative Annex A (cont’d)
Knowledge & Skills
ISO/IEC 17021
Normative Annex A (cont’d)

• For knowledge of client products, processes and
organization, where a team is performing the task:
– The expertise needs to exist within the team or could be provided by a
technical expert.
– Where any audit is conducted by a team, the level of skills required
should be held within the team as a whole and not by every individual
member of the team.
– The team leader of a combined or integrated audit should have an
in-depth knowledge of at least one of the standards and is required to have
awareness of the other standards used for that particular audit.
• Risk and complexity are to be considered when deciding
the level of expertise needed for any of the functions.
ISO/IEC 17021 – Clause 7
Resource requirements
7.1 Competence of management and personnel

7.1.3 Evaluation processes – NEW
– CB shall have documented processes for initial competence
evaluation and on-going monitoring of competence and
performance
– All personnel – management and performance of audits and
certification
– Applying the determined competence criteria


ISO/IEC 17021 – Clause 7
Resource requirements
7.1 Competence of management and personnel

7.1.3 Evaluation processes – (cont’d)

– CB shall demonstrate that its evaluation methods are effective
– Output shall be to identify personnel who have demonstrated the
level of competence required
– Note: informative Annex B for possible evaluation methods
– Note: Informative Annex C provides an example of a process flow
for determining and maintaining competence using the methods in
Annex B
ISO/IEC 17021
Informative Annex B
Possible Evaluation Methods

– Review of records
– Feedback
– Interviews
– Observations
– Examinations
ISO/IEC 17021
Informative Annex C

– Example of a process flow for determining and maintaining
competence
ISO/IEC 17021 – Clause 7
Resource requirements
7.1 Competence of management and personnel

7.1.4 Other considerations (New heading)
• 7.1.4.1 – previously 7.1.2
• 7.1.4.2 – previously 7.1.3
ISO/IEC 17021 – Clause 7
Resource requirements
7.2 Personnel involved in the certification activities

The following note has been added after 7.2.4.
7.2.4 refers to the certification body having defined
processes for the selection, training and formal authorization of
auditors and the selection of technical experts.

NOTE During the selection and training process described above,
desired personal behaviours can be considered. These are
characteristics that affect an individual's ability to perform specific
functions. Therefore, knowledge about the behaviours of individuals
enables a certification body to take advantage of their strengths and to
minimize the impact of their weaknesses. Desired personal behaviours
that are important for personnel involved in certification activities are
described in Annex D.
ISO/IEC 17021:2011

The remainder of clause 7:-
• 7.3 Use of individual external auditors and technical
experts
• 7.4 Personnel records
• 7.5 Outsourcing; and
Clause 8 – Information requirements

“Remain unchanged.”
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.1 Audit program – NEW

• 9.1.1.1 An audit program for the full certification cycle
shall be developed to clearly identify the audit
activity(ies) required to demonstrate that the client's
management system fulfils the requirements for
certification to the selected standard(s) or other
normative document(s).
• 9.1.1.2 Clause numbered and notes referencing
Annexes E & F have been added
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.2.1 Audit plan (Minor changes)
• Audit plan now required for “each audit identified in audit
programme.”
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements
9.1.2.2 Determining audit objectives, scope & criteria
(New)
9.1.2.2.1 The audit objectives shall be determined by the CB;
the audit scope & criteria, and any changes to them, shall be
established after discussion with the client.
9.1.2.2.2 The audit objectives shall describe what is to be
accomplished by the audit and shall include the following:
a) determination of the conformity of the client's management
system, or parts of it, with audit criteria;
b) evaluation of the ability of the management system to ensure the
client organization meets applicable statutory, regulatory and
contractual requirements;
NOTE: A management system certification audit is not a legal
compliance audit.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.2.2.2 (cont.)
• c) evaluation of the effectiveness of the management
system to ensure the client organization is continually
meeting its specified objectives;
• d) as applicable, identification of areas for potential
improvement of the management system.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements
9.1.2.2.3
• The audit scope shall describe the extent and boundaries
of the audit, such as physical locations, organizational
units, activities and processes to be audited.
• Where the initial or re-certification process consists of
more than one audit (e.g. covering different locations), the
scope of an individual audit may not cover the full
certification scope, but the totality of audits shall be
consistent with the scope in the certification document.
• Annex F lists additional items that can be considered
when preparing or revising the audit scope.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.2.2.4 The audit criteria shall be used as a reference
against which conformity is determined, and shall include:
• the requirements of a defined normative document on
management systems;
• the defined processes and documentation of the management
system developed by the client.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements
9.1.2.3 Preparing the audit plan (New)
The audit plan shall be appropriate to the objectives and the scope
of the audit and shall at least include:
a) the audit objectives;
b) the audit criteria;
c) the audit scope, including identification of the organizational and functional
units or processes to be audited;
d) the dates and sites where the on-site audit activities are to be conducted,
including visits to temporary sites, as appropriate;
e) the expected time and duration of on-site audit activities;
f) the roles and responsibilities of the audit team members and accompanying
persons.
NOTE: The audit plan information can be contained in more than one document.
NOTE: Annex F lists additional items that can be considered when preparing or
revising the audit plan.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.3 Audit team selection and assignments (New)
9.1.3.1 The following added:- If there is only one auditor, then that auditor shall
have the competencies of a team leader for that audit.

9.1.3.2 In deciding the size and composition of the audit team,
consideration shall be given to the following:
a) audit objectives, scope, criteria & estimated time of the audit;
b) whether the audit is a combined, integrated or joint audit;
c) the overall competence of the audit team;
d) certification requirements (incl. statutory, regulatory, contractual);
e) language and culture;
f) whether the members of the audit team have previously audited
the client's management system.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.3 Audit team selection and assignments
9.1.3.3 The necessary knowledge & skills of the audit team leader
& auditors may be supplemented by technical experts,
translators & interpreters, who shall operate under the direction
of an auditor. Where translators or interpreters are used, they
are to be selected such that they do not unduly influence the
audit.

NOTE: The criteria for the selection of technical experts are
determined on a case-by-case basis by the needs of the audit
team and scope of the audit.

9.1.3.4 Auditors-in-training may be included in the audit team as
participants, providing an auditor is appointed as an evaluator.
The evaluator shall be competent to take over the duties and
have final responsibility for the activities and findings of the
auditor-in-training.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.3 Audit team selection and assignments
9.1.3.5 The audit team leader, in consultation with the audit team,
shall assign to each team member responsibility for auditing
specific processes, functions, sites, areas or activities. Such
assignments shall take into account the need for competence,
and the effective and efficient use of the audit team, as well as
the different roles and responsibilities of auditors, auditors-in-training
and technical experts. Changes to the work
assignments may be made as the audit progresses to ensure
achievement of the audit objectives.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.4 Determining audit time
The following has been added in clause 9.1.4.1 to the list of aspects
for consideration when determining audit duration:

g) the risks associated with the products, processes or activities of
the organization;
h) when audits are combined, joint or integrated, e.g. ISO/TS
22003.

9.1.4.2 The time spent by any team member that is not assigned as
an auditor (i.e. technical experts, translators, interpreters,
observers and auditors-in-training) shall not count in the above
established audit time.

NOTE The use of translators or interpreters can necessitate
additional time.
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

Clauses now given titles
9.1.5 Multi-site sampling
9.1.6 Communication of audit team tasks
9.1.7 Communication concerning audit team members
9.1.8 Communication of audit plan
9.1.9 Conducting on-site audits
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

9.1.9 Conducting on-site audits
9.1.9.1 The following has been added:
“This process shall include an opening and closing meeting.”

The following clauses have been added from ISO/IEC 19011:
• 9.1.9.2 Conducting the opening meeting
• 9.1.9.3 Communication during the audit
• 9.1.9.4 Observers and guides
• 9.1.9.5 Collecting & verifying information
• 9.1.9.6 Identifying & recording audit findings
• 9.1.9.7 Preparing audit conclusions
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements

The following clauses have also been added from ISO/IEC
19011:

• 9.1.9.8 Conducting the closing meeting
– A formal meeting where attendance shall be recorded
– The audit conclusions are presented together with any
recommendations

• 9.1.10 Audit report – the CB shall provide a written report for
each audit.
• 9.1.10.2 Audit team leader responsible for audit report
– Also defines required content for inclusion
ISO/IEC 17021 – Clause 9
Process requirements
9.1 General requirements
Clauses now given titles
• 9.1.11 Cause analysis of nonconformities
• 9.1.12 Effectiveness of corrections and corrective actions
– The following has been added:-
“The certification body shall verify the effectiveness of any correction and
corrective actions taken. The evidence obtained to support the resolution
of nonconformities shall be recorded. The client shall be informed of the
result of the review and verification.
NOTE Verification of effectiveness of correction and corrective action can
be carried out based on a review of documentation provided by the client,
or where necessary, through verification on-site.”
• 9.1.13 Additional audits
• 9.1.14 Certification decision
• 9.1.15 Actions prior to making a decision
ISO/IEC 17021 – Clause 9
Process requirements
9.2 Initial audit and certification

9.2.2 Application review
Clause 9.2.2.2 added:
9.2.2.2 Following the review of the application, the
certification body shall either accept or decline an
application for certification. When the certification body
declines an application for certification as a result of the
review of application, the reasons for declining an
application shall be documented and made clear to the
client.
NOTE: When declining an application for certification, the
CB should be careful not to act in conflict with the
principles set out in Clause 4.
ISO/IEC 17021 – Clause 10
Management system requirements for
certification bodies

Remains unchanged, except that clause 10.2.5 Design and
development has been deleted.
Changes
to
ISO/IEC 19011:2011
ISO/IEC 19011:2011
Key Changes
— the scope has been broadened from the auditing of
quality and environmental management systems to
the auditing of any management systems;
— the relationship between ISO 19011 and ISO/IEC
17021 has been clarified;
— remote audit methods and the concept of risk have
been introduced;
— confidentiality has been added as a new principle;
— Clauses 5, 6 and 7 have been reorganized;
ISO/IEC 19011:2011
Key Changes
— additional information has been included in a new
Annex B, resulting in the removal of help boxes;
— the competence determination and evaluation
process has been strengthened;
— illustrative examples of discipline-specific
knowledge and skills have been included in a new
Annex A;
— more information has been made available on an
ISO public website
(www.ISO.org/ISO19011Auditing).
ISO/IEC 19011:2011 – Clause 1
Scope

This International Standard provides guidance on auditing
management systems, including the principles of auditing,
managing an audit programme and conducting management
system audits, as well as guidance on the evaluation
of competence of individuals involved in the audit
process, including the person managing the audit
programme, auditors and audit teams.

“Focus now on the competence of all personnel, not
just auditors”
ISO/IEC 19011:2011 – Clause 1
Scope

This International Standard introduces the concept of risk to
management systems auditing. The approach adopted relates
both to the risk of the audit process not achieving its
objectives and to the potential of the audit to interfere with the
auditee’s activities and processes.
ISO/IEC 19011- Clause 3
Additional Definitions

3.11 Observer – person who accompanies the audit
team but does not audit
3.12 Guide – person appointed to assist the audit team
3.16 Risk – effect of uncertainty on objectives
3.18 Conformity – fulfilment of a requirement
3.19 Nonconformity – non-fulfilment of a requirement
3.20 Management system – system to establish policy
and objectives and to achieve those objectives
Note: A management system of an organisation can include different
management systems, such as a quality management system, a financial
management system or an environmental management system.
ISO/IEC 19011 - Clause 4
Principles of auditing

4.a – was Ethical conduct: foundation of
professionalism; NOW is Integrity: foundation of
professionalism;
4.d Confidentiality – security of information (added)
Auditors should exercise discretion in the use and protection of
information acquired in the course of their duties. Audit
information should not be used inappropriately for personal gain
by the auditor or the audit client, or in a manner detrimental to
the legitimate interest of the auditee. This concept includes the
proper handling of sensitive or confidential information.
ISO/IEC 19011:2011 – Clause 5.1
General

The top management should ensure that the audit programme
objectives are established and assign one or more competent
persons to manage the audit programme. The extent of an audit
programme should be based on the size and nature of the
organization being audited, as well as on the nature,
functionality, complexity and the level of maturity of the
management system to be audited. Priority should be given to
allocating the audit programme resources to audit those
matters of significance within the management system. These
may include the key characteristics of product quality or
hazards related to health and safety, or significant
environmental aspects and their control.
“More commonly known as risk-based auditing.”
ISO/IEC 19011:2011 – Clause 5.2
Establishing the audit programme objectives

Additional points added:-
c) characteristics of processes, products and projects, and
any changes to them;
h) auditee’s level of performance, as reflected in the
occurrence of failures or incidents or customer complaints;
j) results of previous audits;
k) level of maturity of the management system being audited.
ISO/IEC 19011:2011 – Clause 5.3
Establishing the audit programme

Additional risk focus:-
5.3.1 Roles and responsibilities of the person managing
the audit programme
— identify and evaluate the risks for the audit programme;
5.3.4 Identifying and evaluating audit programme risks
Planning; resources; selection of the audit team; implementation;
records and their controls; and monitoring, reviewing and improving
the audit programme.
ISO/IEC 19011:2011 – Clause 5.3.2
Competence of the person managing audit programme

The person managing the audit programme should have the
necessary competence to manage it and its associated risks
effectively and efficiently, as well as knowledge and skills in
the following areas:
− audit principles, procedures and methods;
− management system standards and reference documents;
− activities, products and processes of the auditee;
− applicable legal and other requirements relevant to the
activities and products of the auditee;
− customers, suppliers and other interested parties of the
auditee, where applicable.
ISO/IEC 19011:2011 – Clause 5.4.3
Selecting the audit methods

The person managing the audit programme should select
and determine the methods for an audit depending on the
defined audit objectives, scope and criteria for effectively
conducting the audit.

NOTE Guidance on how to determine audit methods is given
in Annex B.
(e.g. on-site; remote; human interaction; no human interaction)
ISO/IEC 19011:2011 – Clause 7
Competence and evaluation of auditors

• Still provides guidance relating to the competence and
evaluation of auditors
• Now includes audit teams, i.e. audit team leader and
auditors
• Personal attributes now Personal behaviour
• Specific knowledge and skills requirements for quality and
environmental auditors moved to Annex A
ISO/IEC 19011:2011 – Annex A
Guidance and illustrative examples of discipline-specific
knowledge and skills of auditors

A.2 – transportation safety management
A.3 – environmental management
A.4 – quality management
A.5 – records management
A.6 – resilience, security, preparedness and continuity
management
A.7 – information security management
A.8 – occupational health and safety management
ISO/IEC 19011:2011 – Annex B
Additional guidance for auditors for planning and
conducting audits

B.1 – Applying audit methods
• Includes on-site and remote
• Human interaction and no human interaction
B.2 – Conducting document review
B.3 – Sampling
B.4 – Preparing work documents
B.5 – Selecting sources of information
B.6 – Guidance on visiting the auditee’s location
B.7 – Conducting interviews
B.8 – Audit findings
Thank you
and
???????
