Third-Party Certification Process Explained
Third-party certification is a formal conformity assessment mechanism in which an independent body — neither the organization seeking certification nor the customer relying on it — evaluates whether a product, management system, service, or person meets defined requirements. This page covers the full structure of the process: how certification bodies operate, the sequential phases from application to certificate issuance, the scenarios where third-party certification is required or advantageous, and the boundaries that determine when it applies versus other conformity assessment approaches. Understanding this process is essential for organizations subject to federal procurement mandates, sector-specific regulations, or international trade requirements that demand documented, impartial verification.
Definition and scope
Third-party certification sits at the center of the international conformity assessment framework defined by ISO/IEC 17000:2020, the vocabulary standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Under that framework, first-party assessment is performed by the organization itself (supplier's declaration of conformity), second-party assessment is performed by a customer or regulator, and third-party assessment is performed by an independent, accredited conformity assessment body (CAB).
The scope of third-party certification spans three primary object categories:
- Products and components — evaluated against a technical standard or regulation (e.g., UL marks, FCC equipment authorization)
- Management systems — evaluated against a process standard such as ISO 9001, ISO 14001, or ISO/IEC 27001
- Personnel — evaluated against competency frameworks through bodies such as those accredited under ISO/IEC 17024
For a detailed comparison of these categories, see Product Certification vs Management System Certification.
The distinction between accreditation and certification is critical here. Accreditation is the process by which a national accreditation body — in the United States, primarily ANAB (ANSI National Accreditation Board) or A2LA (American Association for Laboratory Accreditation) — formally recognizes that a certification body is competent to perform certification in a defined scope. Certification is what that recognized body then issues to its clients.
How it works
The third-party certification process follows a structured sequence governed by ISO/IEC 17021-1:2015 for management system certification bodies and parallel standards for product and personnel schemes. The major phases are:
- Application and contract review — The organization submits an application defining the scope, site locations, and relevant standard. The certification body reviews for completeness, identifies any conflicts of interest under impartiality requirements, and issues a formal agreement.
- Document review (Stage 1 audit) — The audit team examines the organization's documented management system or technical file against the normative requirements of the target standard. This stage identifies gaps before the on-site assessment and determines audit readiness.
- On-site assessment (Stage 2 audit) — Auditors conduct interviews, observe processes, and sample objective evidence at the facility or facilities within scope. Findings are classified as major nonconformities, minor nonconformities, or observations.
- Nonconformity resolution — The organization submits corrective action evidence within a time window specified by the scheme (typically 30–90 days). The certification body verifies root cause analysis and corrective action effectiveness before proceeding.
- Certification decision — A qualified individual not involved in the audit makes the certification decision — a governance separation required by ISO/IEC 17021-1, §9.5. For more on this decision gate, see Certification Decision Process.
- Certificate issuance — A certificate is issued with defined scope language, issue date, and expiry date (typically a 3-year certification cycle for management system schemes).
- Surveillance and recertification — Surveillance audits (commonly at 12-month intervals) verify ongoing conformance. A full recertification audit occurs before the 3-year certificate expires.
Common scenarios
Third-party certification arises across regulatory, contractual, and voluntary contexts in the United States.
Federal procurement and regulatory mandates: The Federal Acquisition Regulation (FAR) references third-party certification for quality management in defense and aerospace supply chains. The FDA's Quality System Regulation (21 CFR Part 820) is supported by third-party audit programs such as the Medical Device Single Audit Program (MDSAP), administered by a consortium including the FDA, Health Canada, and regulatory bodies in Brazil, Australia, and Japan.
Occupational health and safety: OSHA's recognition of Nationally Recognized Testing Laboratories (NRTLs) under 29 CFR 1910.7 constitutes a formal federal third-party product certification program. NRTLs must demonstrate competence to OSHA, which publishes the NRTL list on OSHA's NRTL Program page.
Food safety: The FDA Food Safety Modernization Act (FSMA) established a third-party certification program for foreign food facilities under 21 CFR Part 1, Subpart M, requiring accredited certification bodies to assess facilities against FDA food safety standards before certain imports may enter the US market.
International trade: Organizations exporting to the European Union frequently require third-party certification to EN-harmonized standards under CE marking schemes. Mutual recognition arrangements (MRAs) between accreditation bodies — coordinated through the International Accreditation Forum (IAF) and the International Laboratory Accreditation Cooperation (ILAC) — allow certificates issued in one jurisdiction to be accepted in another.
Decision boundaries
Not every conformity claim requires third-party certification, and selecting the appropriate level of assessment involves examining regulatory mandates, contractual specifications, and risk profile.
Regulatory requirement vs. voluntary scheme: When a statute or federal regulation explicitly requires third-party certification (NRTL listing under OSHA, MDSAP under FDA), there is no substitute. When no mandate exists, organizations choose third-party certification to signal credibility to customers, satisfy supply chain requirements, or participate in procurement programs. See Regulatory vs Voluntary Certification for a structured comparison.
Management system vs. product certification: Management system certification (ISO 9001, ISO 45001) demonstrates that a process framework is in place; it does not certify individual products. Product certification evaluates a specific product design or production lot against a technical specification. Purchasing organizations often require both independently.
Scope limitations: A third-party certificate is valid only for the scope language written on the certificate. Operations, sites, or product lines outside that language are not covered, regardless of organizational proximity. The Scope of Certification Boundaries page addresses how CABs define and audit scope exclusions.
Transfer between bodies: If an organization transfers its certificate to a different certification body before expiry, the receiving body must conduct its own assessment. Acceptance of prior audit evidence is governed by the receiving body's policies and relevant accreditation requirements, not by the original certificate. See Certification Transfer Between Bodies.
References
- ISO/IEC 17000:2020 — Conformity assessment vocabulary and general principles
- ISO/IEC 17021-1:2015 — Requirements for bodies providing audit and certification of management systems
- ISO/IEC 17024 — Requirements for bodies operating certification of persons
- OSHA Nationally Recognized Testing Laboratory (NRTL) Program — 29 CFR 1910.7
- FDA FSMA Third-Party Certification Program — 21 CFR Part 1, Subpart M
- International Accreditation Forum (IAF)
- ANSI National Accreditation Board (ANAB)
- American Association for Laboratory Accreditation (A2LA)