ISO/IEC 17021 Requirements for Certification Bodies

ISO/IEC 17021 establishes the requirements that certification bodies must satisfy to demonstrate competence, consistency, and impartiality when auditing and certifying management systems. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard functions as the foundational competence benchmark against which accreditation bodies evaluate certification body operations. Understanding these requirements is essential for organizations evaluating the credibility of a certification body, and for certification bodies seeking or maintaining accreditation from recognized national accreditation bodies such as ANAB or A2LA.


Definition and scope

ISO/IEC 17021-1:2015 (the current primary part of the series) specifies principles and requirements for the competence, consistency, and impartiality of bodies conducting audit and certification of management systems. The standard applies to third-party certification activities — situations where an independent certification body evaluates an organization's management system against a specified management system standard, such as ISO 9001 (quality), ISO 14001 (environment), or ISO 45001 (occupational health and safety).

The scope of ISO/IEC 17021 is explicitly limited to management system certification. It does not govern product certification, personnel certification, or inspection body operations, which fall under ISO/IEC 17065, ISO/IEC 17024, and ISO/IEC 17020, respectively. The difference between accreditation and certification is a foundational concept under this standard: a certification body certifies organizations, while an accreditation body — such as ANAB (ANSI National Accreditation Board) or A2LA (American Association for Laboratory Accreditation) — assesses and accredits certification bodies against ISO/IEC 17021.

The standard is structured around 8 principle-based clauses covering impartiality, competence, responsibility, openness, confidentiality, responsiveness to complaints, risk-based thinking, and process orientation. These principles underpin every procedural and structural requirement in the normative text (ISO/IEC 17021-1:2015, ISO Store).


Core mechanics or structure

The structural architecture of ISO/IEC 17021-1 maps to four operational pillars: organizational requirements, resource requirements, information requirements, and process requirements.

Organizational requirements mandate that a certification body maintain a legal entity structure capable of bearing legal responsibility for its certification decisions. The body must establish an impartiality committee — a function responsible for monitoring and safeguarding impartiality across all certification activities. Committee membership must include representatives of parties that have an interest in certification but must exclude a majority from any single interest group.

Resource requirements address personnel competence. Auditors, technical experts, and certification decision-makers must be evaluated against defined competence criteria specific to the technical domains and management system standards they cover. ISO/IEC 17021-1 Clause 7 requires certification bodies to maintain a documented competence evaluation process for each auditor, covering education, work experience, auditor training, and demonstrated audit skills.

Information requirements obligate certification bodies to make publicly available information about the certification process, scope of accreditation, and a list of certified clients and their certification status. This transparency requirement supports market confidence and enables end-users of certificates to verify status independently.

Process requirements govern the full certification audit lifecycle — from application review and audit planning through audit execution, certification decision, surveillance, recertification, and suspension or withdrawal. The standard specifies that certification decisions must be made by a person or persons who did not conduct the audit, enforcing a structural separation between evidence gathering and decision authority. This separation is one of the most operationally significant requirements in the standard.


Causal relationships or drivers

The requirements in ISO/IEC 17021 exist because management system certification operates in a trust-dependent market. If a certification body's auditors lack domain competence, or if the body allows financial relationships with clients to influence audit outcomes, certificates lose credibility as market signals. ISO/IEC 17021 addresses this by tying accreditation — and therefore market recognition — to demonstrated structural safeguards.

Regulatory uptake amplifies these requirements in the United States. Federal acquisition and procurement frameworks increasingly reference accredited third-party certification. The Occupational Safety and Health Administration (OSHA) references ISO 45001-based management systems in voluntary protection program guidance. The Environmental Protection Agency (EPA) recognizes ISO 14001 certification under certain voluntary environmental program structures. When regulatory recognition depends on accredited certification, failures in certification body competence can propagate into regulatory compliance misrepresentation — a failure mode that ISO/IEC 17021's structural requirements are designed to prevent.

Accreditation bodies enforce these requirements through periodic assessments. ANAB and A2LA conduct both document reviews and witnessed audits, where an assessor accompanies a certification body's audit team to observe conformance to ISO/IEC 17021 in practice. This oversight chain creates accountability that extends from the international standard down to individual audit interactions with certified organizations. The role of ANAB and A2LA as accreditation bodies is integral to understanding how ISO/IEC 17021 is operationalized in the US market.


Classification boundaries

ISO/IEC 17021 covers all management system certification disciplines, but supplementary sector-specific documents extend its requirements for particular domains:
- ISO/IEC TS 17021-2 — competence requirements for auditing and certification of environmental management systems
- ISO/IEC TS 17021-3 — competence requirements for auditing and certification of quality management systems
- ISO/IEC TS 17021-10 — competence requirements for auditing and certification of occupational health and safety management systems

These technical specifications do not replace ISO/IEC 17021-1; they extend it. A certification body offering ISO 45001 certification must conform to both ISO/IEC 17021-1 and ISO/IEC TS 17021-10. Accreditation bodies assess conformance to the full applicable document set.

The standard explicitly does not apply to:
- Second-party audits (supplier audits conducted by a customer)
- Internal audits
- Product or service certification (governed by ISO/IEC 17065)
- Personnel certification (governed by ISO/IEC 17024)

Understanding these classification lines is essential when determining whether a given management system program falls within the scope of ISO/IEC 17021 or under one of the neighbouring conformity assessment standards.


Tradeoffs and tensions

Impartiality versus commercial viability. Certification bodies operate as commercial entities that generate revenue from certification fees. ISO/IEC 17021 Clause 5 requires that commercial pressure not compromise impartiality, but the business model inherently creates tension: a body that aggressively certifies clients retains revenue, while a body that issues nonconformities or withholds certificates may lose clients to competitors. The impartiality committee structure is the standard's primary countermeasure, but its effectiveness depends on committee composition and organizational culture, which assessors evaluate qualitatively.

Competence depth versus scope breadth. Certification bodies offering certification across dozens of industry sectors must maintain auditor competence across all covered sectors. Clause 7.1 requires that auditors have relevant work experience in the technical areas they audit. Maintaining genuine depth across wide scope creates resource strain, and certification bodies sometimes operate near the margin of defensible competence in niche sectors. Accreditation bodies address this through scope-of-accreditation limitations, but the tension between market coverage and authentic competence is persistent.

Audit duration versus audit thoroughness. ISO/IEC 17021-1 Annex B provides guidance on determining audit time, but the calculation method (based on employee count, site complexity, and processes) produces minimum estimates, not guaranteed sufficiency thresholds. Certification bodies competing on price may schedule audits at or near minimums. Shorter audits reduce the probability of identifying significant nonconformities, which undermines the signal value of the certificate — a structural tension the standard acknowledges but cannot fully resolve through normative requirements alone.


Common misconceptions

Misconception: ISO/IEC 17021 accreditation is the same as ISO certification.
Correction: ISO/IEC 17021 accreditation applies to the certification body itself, not to the organizations it certifies. An organization receives an ISO 9001 certificate from a certification body, not from ISO or from an accreditation body. ISO as an organization does not audit or certify any entity.

Misconception: Any certification body can legally issue ISO management system certificates.
Correction: There is no universal legal prohibition on unaccredited certification bodies issuing certificates. However, accreditation against ISO/IEC 17021 by a recognized accreditation body (such as ANAB or A2LA) is required for certificates to be recognized in regulated procurement, international mutual recognition frameworks, and industry-sector programs. Unaccredited certificates carry no recognized third-party assurance backing.

Misconception: A certification decision can be made by the lead auditor who conducted the audit.
Correction: ISO/IEC 17021-1 Clause 9.5 explicitly requires that the certification decision be made by a person different from those who carried out the audit. This separation is normative — it is not optional or subject to a risk-based exception.

Misconception: Surveillance audits are optional between recertification cycles.
Correction: For 3-year certification cycles (the most common structure), ISO/IEC 17021-1 requires surveillance audits at least once in the first year and at least once in the second year following initial certification or recertification. Certification bodies that fail to conduct mandatory surveillance must have documented procedures for handling this as a potential suspension trigger. Surveillance audits and recertification requirements are normative, not discretionary.


Checklist or steps (non-advisory)

The following sequence reflects the normative process requirements of ISO/IEC 17021-1 for initial management system certification:

  1. Application review — Certification body reviews the client's application to confirm scope, geographic coverage, applicable normative documents, and absence of disqualifying conflicts of interest.
  2. Audit program planning — Certification body calculates audit time in accordance with Annex B criteria, assigns qualified audit team, and confirms team competence against the technical scope.
  3. Stage 1 audit — On-site or remote audit focuses on the organization's readiness: management system documentation, understanding of requirements, and identification of significant aspects. Stage 1 findings inform Stage 2 planning.
  4. Stage 2 audit — On-site audit evaluates effective implementation and maintenance of the management system. Auditors gather objective evidence against all applicable clauses of the management system standard.
  5. Nonconformity classification — Auditors classify findings as major nonconformities (systemic failures or absence of required elements) or minor nonconformities (isolated lapses). Nonconformity handling in certification follows defined resolution timelines.
  6. Corrective action review — Client submits corrective action evidence for identified nonconformities. Certification body reviews and accepts or rejects evidence before proceeding.
  7. Certification decision — A designated decision-maker independent of the audit team reviews the complete audit record and approves or denies certification.
  8. Certificate issuance — Certificate specifies scope, applicable standard, certification body identity, accreditation body identity, certificate number, and validity period (typically 3 years).
  9. Surveillance audit 1 — Conducted no later than 12 months after certification decision date.
  10. Surveillance audit 2 — Conducted no later than 24 months after certification decision date.
  11. Recertification audit — Conducted prior to the 3-year certificate expiry, covers the full scope, and resets the cycle upon successful completion.

Reference table or matrix

| Requirement Area | ISO/IEC 17021-1 Clause | Key Obligation | Enforcement Mechanism |
|---|---|---|---|
| Impartiality | Clause 5 | Impartiality committee; identification and management of conflicts | Accreditation body assessment |
| Legal and contractual matters | Clause 6 | Legal entity; liability coverage; client agreements | Document review at accreditation |
| Personnel competence | Clause 7 | Documented competence criteria; evaluation records per auditor | Witnessed audits; file review |
| Outsourcing | Clause 8.4 | Contracted auditors subject to same competence and impartiality rules | Contract review; personnel records |
| Audit planning | Clause 9.1 | Audit time calculation; team assignment; conflict screening | Audit program records |
| Stage 1 and Stage 2 audits | Clause 9.3 | Two-stage initial certification process | Audit reports and records |
| Certification decision | Clause 9.5 | Decision-maker independent of audit team | Organizational chart; decision records |
| Surveillance | Clause 9.6.2 | Minimum 2 surveillance audits per 3-year cycle | Certification schedule tracking |
| Recertification | Clause 9.6.3 | Full-scope recertification audit before expiry | Certificate validity monitoring |
| Suspension/withdrawal | Clause 9.7 | Defined criteria and timelines for action | Client status records |
| Public information | Clause 9.8 | Certified client directory publicly accessible | Website and database review |
| Complaints and appeals | Clause 9.9 | Documented process; independence in resolution | Process documentation; case records |

ISO/IEC TS 17021-2, 17021-3, and 17021-10 extend Clause 7 competence requirements for environmental, quality, and occupational health and safety auditors, respectively. Certification bodies must maintain separate competence matrices aligned to each sector-specific technical specification for which they hold accreditation scope.
