FAQs

ANSWER

All course materials, including activities, slides, help documents, and workbooks, will be provided to the learner in digital format before the Virtual Classroom course. You will receive digital course materials via the email address you used to enroll.

ANSWER

Upon registration learners will receive an email with instructions detailing how to log into your course, what tools and equipment you might need during your course, and other helpful information. Be sure that the email you use to register is one you have quick access to, as this is where you will receive your instructions, login info, and course materials.

ANSWER

Yes, learners will get the same valuable educational experience whether they take a course in person or virtually. The only difference is that some activities vary in format, depending on the delivery method.

ANSWER

Yes. Should any registrant find themselves unable to attend due to COVID-19 pandemic-related restrictions, the registrant may transfer to a future class or request a full refund.

ANSWER

ANSWER

Course locations vary by class and are listed on each individual course page under the specific training date.

Courses may be offered virtually (instructor-led, live online) or in person at a designated venue. Virtual classes include login details and time zone information in the course listing.  In-person classes include the full venue name and address.

Please refer to the specific course date for format and location details. If you have questions, please contact us at 301.644.3235 or training@A2LAWPT.org.

ANSWER

Attendees are responsible for arranging their own travel and lodging accommodations. When applicable, the course venue (including hotel name, if relevant) will be listed on the course page. Participants are welcome to stay at the venue hotel but are not required to do so.  Lodging and travel costs are not included in the registration fee. For courses held at A2LA WorkPlace Training Headquarters, please contact us, at 301.644.3235 or via training@a2lawpt.org for nearby hotel information

ANSWER

Meals are not included with registration, and participants are responsible for their own breakfast, lunch, and dinner.  A lunch break will be scheduled each day.  From time to time, light refreshments may be offered; however, they are not guaranteed.

ANSWER

Participants are responsible for arranging their own transportation to and from the training venue. Rental cars, shuttle services, and other transportation options vary by location and should be arranged directly with the appropriate provider.

For courses held at A2LA WorkPlace Training Headquarters, the venue is approximately 45 minutes from local airports.

ANSWER

All required course materials will be provided.  Materials are delivered electronically prior to the course.  For in-person courses, printed materials will also be provided at the start of class.

NOTE:  All Measurement Uncertainty Courses require access to a laptop.

ANSWER

No. Most people dress in business casual attire for A2LA WorkPlace Training courses.

ANSWER

No, licensed copies of ISO standards are not provided for courses.

ANSWER

Yes, we are able to customize our courses to best align with your organization’s needs. There can be additional charges for customizing a course.  Please contact the A2LA WorkPlace Training team for additional information.

ANSWER

Payment is due 30 days from invoice unless prior arrangements have been made.  A2LA WorkPlace Training accepts wire transfers, checks, and all major credit cards.

ANSWER

A2LA WorkPlace Training will only bill for the actual costs incurred. The estimate is simply a general idea of total expenses that could be incurred.

ANSWER

You will receive a certificate of attendance following the course.  For virtually delivered courses, your certificate will be sent electronically.  For in-person courses, a hard copy certificate will be provided. 

ANSWER

Estimated expenses are our good faith estimate of all travel-related expenses incurred by the instructor. The final invoice will reflect actual costs.

ANSWER

Of course!

ANSWER

There is no minimum enrollment requirement.  Our course pricing includes up to 15 participants. If your organization would like to register additional attendees, added fees will apply. Please note that certain courses may have enrollment limits.

ANSWER

Instructor assignments are determined based on course content and expertise.  We strive to accommodate requests whenever possible, while ensuring the most qualitied instructor is assigned to each course. For more information, please contact us at info@a2lawpt.org.

ANSWER

We are committed to providing a positive experience and take all concerns seriously. If you would like to submit a complaint, please share as much detail as possible so we can properly review and address the matter. Including relevant dates, names, and any supporting documentation will help us respond efficiently.

There are three convenient ways to submit your written concern to A2LA WorkPlace Training:

1. Send an email directly to training@a2lawpt.org
2. File a complaint online here
3. Speak directly to an A2LA WorkPlace Training team member by calling 301-644-3235

ANSWER

To help A2LA WorkPlace Training review and address your concern, please provide as much detail as possible about the issue or incident, including the following:

• A written description of the nature of your concern.
• The names of individuals involved and relevant dates.
• Copies of supporting documentation, if available

Providing complete information will help us respond as efficiently and thoroughly as possible.

ANSWER

The standard does not state a frequency, nor mandate one be documented by the lab. However, the Standard expects the laboratory to be constantly aware and prepared to identify and manage risks to impartiality.

ANSWER

There are always risks to impartiality (see clause 4.1.3 and Note to this clause 4.1.4 for some examples) and the laboratory is required to identify them, be structured and managed to safeguard impartiality (4.1.1.) However, the Standard does not specify which risks require mitigating action. At a minimum, the laboratory must clearly include a statement in the management review input documentation (see 8.9.2.m) stating that no new risks were identified requiring action. If previous actions were put in place, this is also where the laboratory is expected to discuss the status of effectiveness of those actions (see 8.5.2.b, bullet 2, and 8.9.3.a)

ANSWER

The Standard does not include expectations on timeliness of records demonstrating mitigation actions.

At a minimum, the risk that was identified must be recorded in the laboratory’s next management review (see 8.9.2.m), and the laboratory must also be prepared to discuss what plan(s) of action are being readied to address the risk (see 8.5.2).

ANSWER

‘Legally enforceable agreements” are records of understanding between two or more parties regarding services provided or received. For purposes of this clause, the Accrediting Body (A2LA as an example) determines a “legally enforceable agreement” to be a record which indicates responsibilities for maintaining confidentiality and repercussions for breaches of that responsibility.

ANSWER

If the laboratory were to obtain information about the customer other than from the customer itself, the laboratory shall not reveal this information to any other party other than the customer. The laboratory shall also protect the source of the information if the information about the customer is shared with the customer.

ANSWER

The laboratory may be a public, governmental or private entity, an established business or corporation, or an identifiable division or in-house activity of a business or corporation, which meets the applicable legal requirements of the jurisdiction in which it conducts business.

ANSWER

The range of laboratory activities, as defined by the Standard, are those tests, calibrations and sampling activities (with subsequent testing or calibration) a laboratory claims as enveloped under their ISO/IEC 17025:2017 conformant management system. These may be as generic as testing, calibration and/or sampling activities (with subsequent testing or calibration), as specific as particular activities, methods, measurement ranges, etc., or anything in between. This does not explicitly or implicitly reference or require the scope of accreditation. This Standard was not specifically written for accrediting bodies or accreditation.

ANSWER

If a laboratory has or has access to all of the resources and processes necessary to perform a test, then the laboratory may claim it as part of the range of activities a laboratory can perform. The laboratory must demonstrate it retains the proficiency necessary to perform the test through an interlaboratory comparison, proficiency test, or demonstrate proficiency during an assessment.

ANSWER

The reason for the statement, “which excludes externally provided laboratory activities on an ongoing basis” was for laboratories that do not maintain the competence and resources to perform the laboratory activity. If the laboratory demonstrates competency and have the resources necessary to perform the activity during the assessment, then this meets the intent of the Standard. In addition to the verification of competency during the assessment, the laboratory may also demonstrate competency through proficiency testing and/or interlaboratory comparisons.

ANSWER

The Standard does not require a document for this clause. However, if the laboratory does document the organization and management structure then clause 8.2.4 applies. Clause 8.2.4 states, “All documentation . . . related to the fulfillment of the requirements of this document shall be included in, referenced from or linked to the management system.”

ANSWER

The Standard does not require a job description and, therefore, does not require the responsibilities and authorities to be documented in a job description. See section 6.2 on Personnel for more information on the documentary requirements of responsibilities and authorities.

ANSWER

“Consistent application” means that when a procedure is written it must be detailed enough so that when it is performed by competent and authorized personnel, that undocumented steps or variances in its implementation do not adversely impact the validity of the laboratory activities and the validity of results.

ANSWER

Under this clause, records are not required for specific authorizations. This clause focuses on personnel having the authority to carry out their duties. Authorizations and records thereof are covered in clause 6.2.5.

ANSWER

Job descriptions are not required in the Standard. Competence requirements shall be documented and controlled within the laboratory’s management system.  The Standard allows the laboratory to document its competency requirements in any manner it deems appropriate.

ANSWER

No, this clause in the Standard does not explicitly require the laboratory to document this authorization. The Standard states, “The laboratory shall ensure that the personnel have the competence . . . to evaluate the significance of deviations.” However, a record would be required, as per 6.2.5 e), for authorizing personnel.

ANSWER

No, the standard does not explicitly call out a record of communication for this requirement since communication may occur in a variety of ways, although many laboratories will keep track of this information communication via “job descriptions,” performance reviews, etc.

ANSWER

No, the Standard does not require “monitoring” to be a “defined” frequency.  Frequencies might be defined and/or adjusted by the laboratory or required as part of a contract (7.1), regulatory requirement (5.4), or included as a means of mitigating a perceived risk in this process.

ANSWER

No, the Standard does not require, in this clause, that a laboratory keep records of monitoring or checking facility controls.

ANSWER

There is no requirement to document the review but any adjustments must be identifiable (8.3.2 c.)

ANSWER

No, there is not an expected frequency or time-period for re-evaluating external service providers per the Standard. However, including a frequency or time-period as a means of mitigating a perceived risk in this process may be considered.

ANSWER

My laboratory performs tests which historically do not require measurement uncertainty estimates (such as those called out under note 1 for clause 7.6.3). If a customer contract requests a statement of conformity for such a test, what must my laboratory do to conform with the requirements related to decision rules? If the method defines the decision rule and the laboratory follows the method, then the laboratory meets the intent of the Standard. Methods, in many cases, control the measurement process well enough to manage measurement precision and bias, but might not evaluate measurement uncertainty or define a decision rule for conformity statements. At this point, the Standard does not provide examples of decision rules other than Note (ISO/IEC Guide 98-4) but does require that one be selected and shall be communicated to and agreed with the customer. If the laboratory deviates from the method in 7.6.3 (under note 1), the laboratory is required to validate the method (section 7.2) and evaluate the impact on the decision rule as it pertains to making statements of conformance and the decision rule shall be communicated to and agreed with the customer.

ANSWER

The Standard is silent on the “transfer” of original observations in 7.5 and 8.4. However, in clause 7.11.6 it states that “calculations and data transfers be checked . . .” The form of the original recording need not be maintained in the record system after transfer, i.e., the original form of the record may be disposed if the requirements of 7.5 and 8.4 are met in the system receiving the transferred result.

ANSWER

According to the words of the Standard, the monitoring shall include all the activities, that are appropriate to ensure the validity of the tests. Appropriateness is determined by the laboratory and may result in the laboratory choosing to only perform one activity despite the availability and seeming appropriateness of other options.

ANSWER

There are no commercially available proficiency testing programs offered for the tests on my scope of accreditation. How can my laboratory meet the requirement (7.7.2.b) for participating in interlaboratory comparisons other than proficiency testing if we are concerned with confidentiality and do not have a corporate branch structure of laboratories in place?

There may be reasons for which a laboratory is not able to assemble or participate in ILCs.  In the event the laboratory can justify the position that relevant and available interlaboratory comparison programs do not exist, the laboratory must still perform intra-laboratory comparisons (see 7.7.1). For example, if it is not appropriate for a laboratory to share artifacts with their competitors due to intellectual property or proprietary reasons or if the test method is proprietary, then the laboratory shall employ the means it used to validate the method, see 7.7.1.

ANSWER

Yes. It is important to remember, however, clause 7.8.1.3 states, “Any information listed in 7.8.2 to 7.8.7 that is not reported to the customer shall be readily available.”

ANSWER

No, the Standard does not require the “complaint handling process” be “made publicly available.” The Standard requires that it “be available to any interested party on request.”

ANSWER

No, this clause does not require a record of acknowledgement. Communication of policies and objectives may occur through many avenues and so follows the acknowledgement by the recipients of the communication.

ANSWER

No, the laboratory is not required to record that it periodically reviewed controlled documents. The Standard only requires the laboratory to “ensure” they are periodically reviewed (see 8.9.2 c) and records regarding the suitability of policies and procedures).

ANSWER

Yes, the records might appear in any number of areas but, as a minimum, are required as part of the management review (8.9.2 and 8.9.3).

ANSWER

In some cases there may be contractual obligations which detail the minimum amount of coverage or there may be requirements imposed by the regulators for which the inspections are being performed or by the inspection scheme owners.

In the absence of such requirements, the inspection body is responsible for determining what “adequate” levels are with respect to having liability coverage arrangements. As exemplified in this clause, such arrangements can include insurance or cash reserves. A2LA assessors may raise questions about the adequacy of the coverage and how the organization arrived at the decision this was adequate coverage. Additionally, A2LA assessors may raise questions about coverage for certain aspects of the inspection activities which are normally excluded from insurance policies and write a deficiency if the policy will not cover accredited activities; an example of this would be a policy that did not cover data breaches for an organization that provide cyber security assessments.

ANSWER

For all types of inspection bodies, top management is considered to be those individuals who have the authority and can provide the resources necessary to make changes to any aspect regarding the inspection activities. Although it is up to the organization to identify top management, it is important that these individuals lead the management review and that it be clear in the records.

ANSWER

For either independent or in-house inspection bodies of larger organizations, top management is considered to be those individuals who have authority and can provide the resources necessary to make changes to any aspect within the inspection body. It is, therefore, important that these individuals participate in the management review, stress the importance of meeting customer requirements and ensure integrity of the management system. Evidence that proper resources are allocated to the performance of appropriate and effective internal audits, management reviews, etc. could also be considered evidence of top management’s commitment to its management system. As a result, records demonstrating top management’s participation in these functions could be considered evidence of compliance with this particular section of the standard.

ANSWER

For the purposes of A2LA accreditation, accredited Inspection Bodies are required to own or have direct access to, and have under their document control system, current versions of the normative documents that are vital to maintaining their accreditation and to perform their inspection activities.

These documents include all relevant regulations, standards and/or technical methods, etc. related to the inspection activities. Additionally, ISO/IEC 17020:2012, general A2LA policy documents, and the specific A2LA program requirement documents relating directly to their field of accreditation. A2LA does not consider “terminology documents”, such as ISO/IEC 17000 and the VIM, to be normative documents that an organization must control within their system.

For inspection bodies the A2LA normative documents are as follows:

• R301 – General Requirements: Accreditation of ISO/IEC 17020 Inspection Bodies
• R102 – Conditions for Accreditation
• R105 – Requirements When Making Reference to A2LA Accredited Status
• P102 – A2LA Policy on Metrological Traceability (only when inspections require the use of traceable measuring equipment) or
• P113 – A2LA Policy on Measurement Traceability for Life Sciences Testing and Forensic Conformity Assessment Bodies (CABs)(for Forensic organizations)
• ILAC P15-Application of ISO/IEC 17020:2012 for the Accreditation of Inspection Bodies (This document can be found at ILAC.org)

Specific program requirements (examples):

• R310 – Specific Requirements: Special Inspection Agencies Inspection Body Accreditation Program (only for special inspection agencies)
• R311 – Specific Requirements: Federal Risk and Authorization Management Program (only for FedRAMP)
• R318 – Specific Requirements: Forensic Examination Accreditation Program (only for forensic inspection)
• R332 – Specific Requirements: NFPA Field Evaluation Bodies (only for NFPA field evaluation bodies)

ANSWER

In some instances external requirements, standards and specifications provide specific requirements for the retention of records. If there are no specifics provided then per A2LA requirement document R102-Conditions for Accreditation, item 4 states, “Retain all quality records and technical records supporting reported results throughout the period between A2LA full assessments bearing in mind that adequate records must be available to demonstrate full compliance with the requirements for accreditation.” Therefore, at minimum records shall be retained for the period of time from one full assessment to the next.

ANSWER

No. ISO/IEC section 8.6.3 requires that the inspection body conduct internal audits. With the understanding that it is the inspection body’s responsibility to conduct their own internal audit, third party audits of the organization are not acceptable for meeting any portion of this requirement of the standard. Only internal audits completed by the inspection body staff or contracted consultants of the organization are acceptable.

ANSWER

Not necessarily – The standard calls for the inspection body to “verify that it fulfills the requirements of this International Standard, and that the management system is effectively implemented and maintained.” An inspection body must provide evidence that their internal audit consists of at least the following:

• Determination of compliance with all ISO/IEC 17020 requirements
• Determination of compliance with all policies, procedures, inspection processes, instructions, etc. that form your management system
• Determination of compliance with all relevant A2LA policies and requirements.

This can be done on the C301 checklist by confirming compliance and providing detailed notes on the objective evidence reviewed in making that determination. Where such detailed information on the C301 is not provided, the inspection body must maintain additional evidence that all requirements noted above were audited.

ANSWER

Determining the cause of nonconformity is deemed equivalent to root cause analysis. Root cause analysis can be the most challenging part of the corrective action process and should be used as a tool for continuous improvement, which may reduce or eliminate the likelihood of future deficiencies. Understanding why an event occurred is the key to developing effective corrective actions. In some cases, the root cause is singular and easily discerned; in most cases it is not, and there may be multiple root causes. Because of this, there is no single ‘recipe’ that can be followed. While it is impossible to create a procedure that would apply to all scenarios, there are some guiding principles which can be employed, the most important of which is that the root cause should address the question: “Why did this deficiency occur?”.  Other point to consider:

• Statements of root cause which are essentially a restatement of the nonconformity provide no new information beyond the facts of what was found and are not considered to be an acceptable response.
• Each non-conformance should be evaluated independently.
• While each non-conformance and its associated root cause should be approached individually, trends in the identified root causes for a group of non-conformances is a strong indicator that further investigation is needed. For example, upon conclusion of an assessment during which 8 non-conformances were cited, it is determined that the root cause of 6 of the 8 non-conformances pertain to employee training. In this example, additional investigation into the employee training program would be prudent and should be evident in a response.

Additional resources that may be of help are found at:

• Presentation on Root Cause Analysis”, found under “A2LA Guidance Documents” in the Document Finder on the A2LA website.
• The February 2007 Issue of the A2LA Newsletter, found under the “Publications” tab, and “Newsletter Archive” menu item on the A2LA website.

ANSWER

CASCO, the ISO Committee responsible for issues relating to conformity assessment policies and standards, has indicated that it is permissible for a Certification Body to offer consulting services in certain situations so long as the risks to the CB’s impartiality are identified and shown to be eliminated or mitigated in such a manner as to show that the CB has erred on the side of caution.

Accrediting Body expectations on these scenarios are as follows:

1) In the case where the CB’s parent company offers consulting on the types of products being certified, two situations exist: 1.A) Offering of consultancy on the product types the CB certifies to NON-CERTIFICATION CLIENTS – Accrediting Bodies consider this to be a 100% risk to the CB’s impartiality which must be documented and eliminated, with supporting records of the identification, elimination, and ongoing monitoring of the risk. At a minimum, the Accrediting Body expects to see the CB document how it ensures that the consulting client does not become a certification client for the types of products certified by the CB. Additional elimination and mitigating actions are at the discretion of the CB, but due to the significant risk to impartiality such a scenario presents, this minimum threshold must be met for this situation.

1.B) Offering of consultancy on the product types the CB certifies to clients which are, or intend to be, certification clients – This situation is expressly prohibited under clause 4.2.6 of ISO/IEC 17065. It is inherent that the CB ensure that its parent company consulting division is aware of existing or likely certification clients to prevent this non-conforming situation from occurring.

2) In the case where the CB’s parent company offers consulting on product types that are NOT being certified, the CB must still document this clear risk to its impartiality and provide evidence of elimination / mitigating actions to ensure that the CB’s impartiality is not compromised.

The ISO/IEC 17021-1 (2015) standard (for Management System Certification Bodies) offers more information on the concepts and principles of impartiality (for example, see ISO/IEC 17021-1 section 4, and clauses 5.2.7, 7.3, and 9.1.1.e), as well as potential ideas for mitigating risks to impartiality, that a Product Certification Body may wish to consider implementing or augmenting.

Accrediting Body assessors will not expect that an ISO/IEC 17065 accredited Product Certification Body follow these 17021-1 requirements for mitigating risks, unless the certification scheme requires the CB to implement them. However, in all cases, the offering of consultancy of any kind by the CB and/or its parent company is an acknowledged risk to the certification body’s impartiality (however minimal that risk may be) and is expected to be identified and mitigated with supporting records. The Certification Body must err on the side of protecting its impartiality in all situations.

ANSWER

Note 2 of clause 6.2.2.1 states “Use of external personnel under contract is not outsourcing.”

If there exists a properly executed agreement (e.g. contract) between the department/personnel in question and the Certification Body which meets the requirements of clause 6.1.3, then no, the example given does not constitute “Outsourcing” of activities by the Certification Body. (This documentation also answers the question, “Is the resource under the direct control of the Certification Body?” for purposes of judging whether or not the entity in question is an Internal Resource of the Certification Body – see clause 6.2.1)

If the documentation linking the other department or its personnel to the Certification Body does not meet the requirements called out under clause 6.1.3, or if the Certification Body cannot provide evidence that the additional requirements stated under clause 6.1.2 are met for the personnel in question, then the actions taken by the Certification Body are considered “Outsourcing,” and the Certification Body must demonstrate that it complies with the requirements related to Outsourced activities.

ANSWER

The NOTE below clause 6.2.2.4 clarifies when a Certification Body may utilize accreditation as part of their qualification, assessment, and monitoring of an external resource.

In summary, A2LA, as an example, permits a Certification Body to reference an external resource’s accreditation (e.g. to ISO/IEC 17025) only if this is clearly allowed within the scheme(s) being operated, the resource’s scope of accreditation is applicable to the evaluation activity being performed (including appropriate test or inspection methods), and the Certification Body has a documented frequency and supporting records for verifying the accreditation status.

If the scheme does not mention allowing the Certification Body to rely on accreditation without other qualification / assessing / monitoring activities of their own, A2LA, an example, requires the Certification Body to clearly state in their required policies and procedures how the qualification / assessing / monitoring activities are undertaken, and to keep records showing that those actions have been undertaken for all approved providers of outsourced services.

ANSWER

Clause 6.2.2.4(f) requires the certification body to notify the client in advance of subcontracting in order for the client to have the opportunity to object to that action. The 17065 Accrediting Body understands that certification bodies may not always immediately know what outside entity will be used to perform evaluation tasks when taking on an application.

At a minimum, the certification body may issue a blanket statement (or make known in some other clear manner) of possible subcontracting to its clients and potential clients. The client then has an opportunity to object to the use of external resources, or to request clarification on the matter. If clarification is requested, the certification body is expected to answer the clients’ question and identify the potential entity that would be used before the evaluation activity takes place in order to allow the customer the opportunity to object to the use of that particular external resource, while still accepting the possible use of a different external evaluation resource.

Records of correspondence are required to demonstrate that the CB has given adequate notice to the client and, if necessary, has identified the specific subcontractor if so requested.

The critical idea in this clause is that the CB has given the client a reasonable opportunity to object to the use of outside evaluation resources, whether that be objecting to a specific entity (such as a chosen test lab) or objecting to the entire concept of outsourcing. (Note that ISO/IEC 17065 does not explicitly require the certification body to receive a written approval from the client to initiate the subcontracting, but it may be beneficial for a certification body to attempt to obtain this documented approval.)

ANSWER

The Application Review stage of the certification process is a very fine line for Certification Bodies to walk when considering duties assigned to its personnel. The Application Review cannot be automatically assumed to be an Evaluation activity without further examination by an assessor. The assessor will sample certification records and will interview various persons within the Certification Process in order to collect evidence demonstrating whether or not the person taking part in the Application Review has performed activity which is considered Evaluation.

When the tasks performed by the Application Reviewer are found to be administrative in nature only (e.g. requesting missing pages from an evaluation report, requesting a missing signature on the certification agreement, or requesting a sample of the product to be certified), then no, the Application Reviewer is not considered as having performed any Evaluation tasks.

However, any work performed by the Application Reviewer which results in the selection of a product to be certified, or which results in data/information that is or could be used in determining whether or not a product meets certification requirements, is considered part of the Evaluation process. This work would then preclude the Application Reviewer from taking part in the formal certification Review (7.5) and Decision (7.6) phases of the certification process.

ANSWER

The Certification Body should compare the new product to be certified against those with which it has similar experience by examining the schemes (if different) used for performing the certifications, the technologies inherent in the products, the evaluation techniques which must be implemented to characterize the product to determine its compliance with the requirements in the certification scheme(s), and the technical knowledge of its own personnel in order to ensure that a knowledgeable review and decision on certification can ultimately be made.

The NOTE under this clause gives excellent guidance for the Certification Body to consider when comparing the new product(s) they are being asked to certify against products they have certified in the past. Similar comparisons should also be made when a new certification scheme or new normative document (such as a different evaluation specification) is introduced to the Certification Body by their client.

If the certification body determines that the new product is of the same type as ones with which it has previous experience, no records are needed, but the Certification Body may be asked to explain its rationale in determining that the new product is of the same type as ones that were previously certified. If the Certification Body cannot explain this rationale to an assessors satisfaction, a deficiency may be cited if the assessor can justify that a certification was not of the same type; as certifications previously granted by the Certification Body (for example, by showing that the new product has substantial differences in technical underpinnings from those the Certification Body used in its comparison).

The CB Accrediting body, such as A2LA may provide additional notes, such as: Performing certifications against schemes and underlying technical standards not shown on the Certification Body’s Scope of Accreditation cannot be claimed as Accredited work in accordance with A2LA R105 – Requirements When Making Reference to A2LA Accredited Status. A2LA does offer a “F330 – Request for Expansion of Scope of Accreditation – Product Certification” form for Certification Bodies wishing to expand their Scope of Accreditation for situations such as these. The Certification Body must fill out and have the Scope expansion request approved by A2LA and their most recent assessor before offering these certifications as Accredited.

ANSWER

The standard does not specify what form a record must take that would offer justification for undertaking a new type of certification. However, the records must show that the Certification Body has performed an analysis of the new certification to be performed, and compared the requirements of the new certification against the existing experiences and competencies of its resources to perform similar certifications, as well as verifying that the certification body is capable of performing the certification activities required by the new certification being undertaken.

The justification records should be sufficiently detailed such that the assessor can reach the same conclusions that the certification body reaches with respect to moving forward with the new certification. An assessor may cite a deficiency if there is, in his or her opinion, insufficient information in the justification records for undertaking the new certifications or supporting evidence that the certifications were improperly granted as a result of insufficient or improper justification.

The CB Accrediting body, such as A2LA may provide additional notes, such as: Performing certifications against schemes and underlying technical standards not shown on the Certification Body’s Scope of Accreditation cannot be claimed as Accredited work in accordance with A2LA R105 – Requirements When Making Reference to A2LA Accredited Status. A2LA does offer a “F330 – Request for Expansion of Scope of Accreditation – Product Certification” form for Certification Bodies wishing to expand their Scope of Accreditation for situations such as these. The Certification Body must fill out and have the Scope expansion request approved by A2LA and their most recent assessor before offering these certifications as Accredited.

ANSWER

The CB Accrediting Body may read clause 7.6.4 to be more of a definition of what Organizational Control IS, rather than something a Certification Body must exert. As such, there are many instances where Organizational Control will not come into play for a Certification Body. There are three clauses in the standard which reference Organizational Control of an outside entity by the Certification Body. Assessors are instructed to examine how each Certification Body implements the following clauses, and, if no related bodies are utilized in the implementation of these steps, then clause 7.6.4 is Not Applicable for the Certification Body.

7.6.3: The Certification Body is permitted to essentially “outsource” the certification decision, but only if the person/group of persons making the decision is employed by or contracted to the Certification Body itself, or an entity that the Certification Body holds more than 50% control in. If the person/group making the decision is not employed or contracted by the CB or an “organizationally controlled” entity, the CB cannot utilize that person or group to make the final certification decision. Note that committees are excluded from this clause by virtue of the requirements in clause 5.1.4 of the standard.

4.2.6: Any entity which the Certification Body has Organizational Control over is not permitted to design, manufacture, install, distribute, or maintain the product being certified. The Certification Body must be prepared to explain how they are ensuring that all related entities which are under Organizational Control are not performing any of these actions. Related entities NOT under Organization Control are not subject to these requirements but are instead subject to examination for risks to impartiality under clauses 4.2.3 and 4.2.7.

7.6.5: The Certification Body must be able to demonstrate (with supporting record evidence) how it ensures that personnel in entities under organizational control are fulfilling the ISO/IEC 17065 requirements. Fulfillment of these requirements includes (but may not be limited to) requiring the existence of a contract with those personnel which meets the requirements of clause 6.1.3.

ANSWER

There is a defined minimum amount of information required in clause 7.8 which must be published or made available upon request even if the scheme is silent on this subject. This minimum is “information … about the validity of a given certification,” as outlined in the final sentence of this clause (e.g. by answering “Yes, that is a valid certification”).

The certification body may certainly go above and beyond the scheme in making information publicly available, but must meet the requirements in section 4.5 of ISO/IEC 17065 (confidentiality) in those instances.

ANSWER

Note 2 under clause 7.9.1 indicates that criteria and processes for surveillance are to be defined by the certification scheme.

In the case of a certification scheme being silent on any of the requirements for surveillance (e.g. frequency of surveillance, actions to be taken, percentages of certified products to be reviewed, etc.), and assuming that the Scheme Owner does not respond with any objective instruction for the certification body, the CB Accrediting Body requires the certification body to clarify how the surveillance will be performed, using a process similar to that called out in clause 7.1.3 for creating explanations for certification requirements. This information is then also to be made publicly available (upon request) pursuant to clause 4.6.a, as it relates to the certification scheme(s) being operated by the certification body.

The certification body must, at a minimum, define the actions taken to establish appropriate surveillance activities related to the product (e.g. how many products will be included, how they are to be acquired/selected, etc.), define the frequency of surveillance activities (e.g. per calendar year, in the first quarter of every year, etc.), and define the requirements which the product must meet (e.g. the product must meet original certification requirements in order to continue certification). The examples given in this paragraph are not meant to be all-encompassing, but should be taken as guidance in considering how to address the needs of the certification body and the ISO/IEC 17065 standard.

Additional guidance can be found in ISO/IEC 17067 for surveillance activities. It is encouraged to use this international guidance document for Certification Bodies which need to define their own surveillance activities.

ANSWER

Clause 7.10.1 is required to be implemented by all certification bodies, regardless of what changes and subsequent action (or inaction) is stated by the scheme.
In all cases of certification changes, it remains the responsibility of the accredited certification body to be aware of these changes, to gain assurance that the changes have been communicated to clients in some manner, and to take some action to verify that the changes have been implemented by its clients. If the scheme specifies any further actions, such as mandating immediate re-evaluation of any certified product, then the certification body has further tasks to undertake.

In the case of a scheme owner sending out email notifications, actions taken by the CB to assure themselves that the communication has taken place may be minimal (but caution should still be taken in the event that a client is not receiving those notifications). In other cases, such as the CB being the scheme owner, a notification blast (e.g., via email or letter) to all clients could be submitted as evidence of the steps the CB has taken to comply with this requirement.

With regard to actions taken to verify implementation, these will depend on the instructions included (or not included) by the scheme owner. This might include re-evaluation of certified products (as mentioned previously), a re-review of currently certified product documentation and evaluation results to verify that the product continues to comply with certification requirements, an audit of client facilities, or even a simple evaluation of products at the next scheduled certification renewal point without taking immediate action.

However, in the event that the scheme or scheme owner is silent on actions to be taken, the certification body is still required to take some action of their own choosing to verify implementation of the changes by the client. This could include (for example) an analysis of the changes to determine whether or not re-evaluation is necessary, with a record of this analysis being kept. If any action is necessary, as per clause 7.10.3, it shall be performed in accordance with the appropriate part of section 7 of the standard, with records kept of those activities as required by section 7.12.

ANSWER

Clause 8.4.2 of the standard indicates that the Certification Body’s procedures for record retention must be consistent with any contractual and legal obligations. Those legal and contractual obligations would take precedence over the shorter retention cycle given in the example above.

Above and beyond any legal or scheme obligations for record retention, CB Accrediting Bodies may have specific requirements for record retention. For example – A2LA requires, as one of the Conditions and Criteria for Accreditation (A2LA R102 – Conditions for Accreditation, clause 4), that the accredited (or applicant) organization must keep copies of records for the entire time period between on-site assessments. Legal and scheme obligations may require longer retention periods, but under no circumstances may the Certification Body dispose of records in any shorter time period.

ANSWER

In many instances, it may not be possible for a certification body to give a formal notice of complaint resolution to the complainant; one such example is if a complaint is received anonymously. Other examples where it may not be possible to formally notify a complainant could include the complainant not leaving any contact information for receiving feedback, or the complainant changing contact information either voluntarily (i.e. relocation) or involuntarily, (i.e. being dismissed from an employment position).

Possible evidence which would show that the certification body has performed their due diligence when the complainant is unreachable could include records of attempted emails with read receipts, phone logs, voicemails, certified postal mailings, or generalized resolution notices to alternate persons that are known to be related to the original complainant.

These examples, are not intended to be all-inclusive, nor are they mandatory actions that must be undertaken by the Certification Body.

Ultimately, the Certification Body must show evidence that they have done reasonable due diligence in attempting to contact or locate the original complainant, and these examples may be useful when considering what actions to undertake to notify the complainant of the outcome. In all cases, these attempts to contact the complainant must be part of the records associated with complaint resolution as required by clause 7.13.1.

ANSWER

For the purposes of A2LA accreditation, accredited Certification Bodies are required to own or have direct access to, and have under their document control system, current versions of the normative documents that are vital to maintaining their accreditation and to perform their certification activities. These documents include (in addition to relevant regulations, standards and/or technical methods, etc.) ISO/IEC 17065:2012, general A2LA policy documents, and the specific A2LA program requirement documents relating directly to their field of accreditation. A2LA does not consider “terminology documents”, such as ISO/IEC 17000 and the VIM, to be normative documents that an organization must control within their system. For example, a Telecommunications Certification Body (TCB) would be expected to possess (or have direct access to) and have under its document control system current versions of the following A2LA documents:

•  R307 – General Requirements – Accreditation of ISO/IEC 17065 Product Certification Bodies
•  R105 – Requirements When Making Reference to A2LA Accredited Status
•  R102 – Conditions for Accreditation
•  R308 – Specific Requirements – 17065 – Telecommunication Certification Body Accreditation Program

Furthermore, such a TCB would be expected to control copies of all test methods called out in the certification schemes being operated, as well as copies of the schemes themselves.

ANSWER

Not necessarily, there may be some Accrediting Bodies that do not require that a complete management review be done prior to accreditation. You will however need to demonstrate that you have established a process for management reviews. The records from your management review and any evidence of implementing actionable outputs shall be available for review at the time of the initial assessment and will be reviewed and confirmed during your surveillance assessment.  You need to check with your CB Accrediting Body for clarification.

ANSWER

Not necessarily, there may be some Accrediting Bodies that do not require that a complete internal audit to be completed prior to accreditation. Your documented internal audit program and any evidence of implementation shall be available for review at the time of the initial assessment and the progression of your audit per your audit schedule will be reviewed and confirmed during your surveillance assessment. You need to check with your CB Accrediting Body for clarification.

ANSWER

Not necessarily – The standard calls for the certification body to “verify that it fulfills the requirements of this International Standard, and that the management system is effectively implemented and maintained.” (emphasis added) A CB must provide evidence that their internal audit consists of at least the following:

• Determination of compliance with all ISO/IEC 17065 requirements;
•  Determination of compliance with all policies, procedures, instructions, etc. that form your management system;
•  Review of all Certification Process steps (i.e. application, evaluation, review, decision, certification documents, and surveillance, where applicable); and,
•  Determination of compliance with all relevant A2LA policies and requirements.

ANSWER

At a minimum, each scheme for which the certification body is accredited to be included in their Internal Audit in order to ensure that the steps in the certification process, as well as the CB’s management system requirements are being properly implemented across all certification schemes offered.

The Internal Audit is considered incomplete if the organization fails to include all schemes during its internal audit. It is not required that every product type be addressed in one internal audit cycle, but it is recommended that different product types be reviewed from audit to audit.

As a reminder, Clause 8.6.2 requires the internal audit program to take into account previous audit findings – if any findings related to a specific product type were found at a previous audit, those must be taken into account when planning the current internal audit.

ANSWER

A certification body’s initial internal audit schedule should show that internal audits will be performed once in a 12 month period (or show that one full audit will be performed over a rolling 12 month period).f the certification body feels that they need to initially schedule more frequent audits, or if the results of any audit show the need to schedule a subsequent audit sooner than 12 months, the certification body should not hesitate to adjust their schedule accordingly.

Regardless of the period or frequency defined, any changes to the schedule of the audits as well as the rationale behind the decisions to change, must be documented and kept under record control by the certification body.

Any changes to reduce the frequency (that is, make the time span between internal audits longer) must be supported by records that demonstrate ongoing stability and effectiveness of the management system.

ANSWER

Clause 8.6.4(a) requires internal auditors to be competent in three areas – knowledge of the standard, knowledge of the certification process, and knowledge of auditing. The determination of auditor competence levels (that is, what an auditor needs to do to show they are “knowledgeable”) is the responsibility of the certification body, and records are required to show that the auditors have demonstrated their knowledge to the certification body for whichever of the three aspects they are responsible for covering during an audit.

ANSWER

The standard does not define what “timely and appropriate” means for its certification bodies. The intent of this clause is for the organization to take action as soon as they are able, in order to ensure that the organization’s quality system is running smoothly, and that the certifications being offered are not negatively impacted. The CB may define the timeframe in their own internal quality management system. An assessor may cite a deficiency if there is evidence that the quality system or offered certifications are being affected by lack of action on an internal audit finding. The certification body is still responsible for meeting all requirements related to corrective actions (section 8.7) and preventive actions (section 8.8) when acting upon their internal audit findings.

ANSWER

For purposes of this clause, a “legally enforceable agreement” may be any signed or signable record between the certification body and its client/customer which meets the requirements of clause 4.1.2.2, and which (as stated in 4.1.2.1) takes into account the responsibilities of the two parties in that agreement. This record can be known by any name but is typically referred to as a “Contract” for ease of reference.

The assessors will not be determining, nor can they be held responsible for, the legality of the certification body / client agreements. Their purpose is solely to find facts as to whether or not an agreement is in place which accounts for the responsibilities of the two parties and the client compliance requirements listed in clause 4.1.2.2.

Your CB Accrediting Body may be able to provide additional clarification on this clause.

ANSWER

Historically, verbal agreements are difficult, if not impossible, to legally enforce. Because the Certification Agreement must be legally enforceable and must address the responsibilities of each party, which requires that the responsibilities of the client with regard to any evaluation of the product performed prior to filing the application for certification be clearly outlined in writing in the Certification Agreement. This is also encompassed by clause 4.1.2.2.c.1 which requires the client to “make all necessary arrangements for… the conduct of the evaluation and surveillance (if required)…”

ANSWER

The standard requires the certification body to keep records of risks to impartiality that have been eliminated or mitigated, via clauses:

• 4.2.4 (the CB shall be able to demonstrate how it eliminates or minimizes such risk; the information shall be made available to the mechanism specified in 5.2),
• 5.2.1.c (the mechanism (for safeguarding impartiality) shall provide input on…  matters affecting impartiality…), and
• 8.5.2c (inputs to the recorded management reviews shall include … feedback from the mechanism for safeguarding impartiality)

ANSWER

In some cases, there may be contractual obligations which detail the minimum amount of coverage or there may be requirements imposed by the regulators for which the inspections are being performed or by the inspection scheme owners.

In the absence of such requirements, the inspection body is responsible for determining what “adequate” levels are with respect to having liability coverage arrangements. As exemplified in this clause, such arrangements can include insurance or cash reserves. Assessors may raise questions about the adequacy of the coverage and how the organization arrived at the decision this was adequate coverage. Additionally, Assessors may raise questions about coverage for certain aspects of the inspection activities which are normally excluded from insurance policies and write a deficiency if the policy will not cover accredited activities; an example of this would be a policy that did not cover data breaches for an organization that provide cyber security assessments.

ANSWER

In order for expedite fees or volume discounts (or other financial considerations between certifier and client) to be considered non-discriminatory and justifiable, the availability of such fees and discounts should be made known to all potential clients, and a process for applying such fees must be clearly laid out so that all parties taking advantage of them are considered equally. (Clause 4.6(b) of ISO/IEC 17065 requires that descriptions of fees charged to clients be documented and made available to clients upon request.)

While not explicitly required by the standard, if a certification body wishes to offer special pricing structures, it may be good practice to consider specifying “categories” that a client would fall into for these special pricing structures (e.g. “Clients with 0 to 50 applications per year receive no discount; 50 to 100 receive a 5% discount; etc.” or “To include your application in our expedited workflow line, the fee is xxx dollars due upon application receipt”). These suggested clarifications may assist the certification body in supporting their position if any questions over discriminatory practices are raised.

The certifier must take care to ensure that no special treatments are given, for example, to one client over another if both clients are equivalent in all other senses (e.g. both have paid the same expedite fee, or both have been informed of the same pricing discount). The fees, and the application of them, must not be constructed or used in such a manner as to impede or inhibit access by an otherwise qualified applicant. If a potential client were to issue a complaint about the prices charged by a certifier, the standard requires the certifier to keep a record of those complaints received, and any subsequent actions, as required by section 7.13 of ISO/IEC 17065.

ANSWER

Yes, the Certification Body must address each required procedure under this clause, even if the certification activities being performed do not include those actions. For example, an organization operating a certification scheme which does not allow for extensions or reductions to the scope of certification must have documented some statement to the effect of, “We do not offer any extensions or reductions to our certifications.”

ANSWER

Note 2 to clause 5.2.1 and Note 1 to clause 5.2.4 of ISO/IEC 17065 both identify examples of mechanisms and potential invitees that the Certification Body may have overlooked during its invitation process, and should be examined prior to determining that all possible avenues have been exhausted.

The certification body must be able to demonstrate (e.g. by providing records) that they have ensured a balanced interest in their mechanism by identifying and inviting potentially interested parties, and that they have ensured that the composition of their Mechanism is such that no single interest predominates. In all cases, the certification body cannot hold more than 50% stake in this Mechanism – it is up to the certification body to take additional suitable actions to ensure that these balanced interest requirements are met.

ANSWER

The “applicable requirements” that an internal resource must meet shall be defined and documented, and are considered to fall under the following hierarchy:

1.  Requirements should be defined by the Certification Scheme;
2.  If the requirements are not defined in the scheme, the Certification Body should define what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s);
3.  If the CB and/or Scheme do not define the “applicable requirements,” an Assessor will assume that all requirements in the relevant International Standard(s) are applicable.

Important to note, if an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect contained in (for example) ISO/IEC 17020, 17021, or 17025, such as measurement uncertainty calculations, it cannot be excluded when considering whether or not the resource meets the requirements of those standards. 

Your CB Accrediting Body may be able to provide additional clarification on this clause.

ANSWER

The “applicable requirements” that an external resource must meet shall be defined and documented, and are considered to fall under the following hierarchy:

1. Requirements should be defined by the Certification Scheme;
2.  If the requirements are not defined in the scheme, the Certification Body should define what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s);
3.  If the CB and/or Scheme do not define the “applicable requirements,” An Assessor will assume that all requirements in the relevant International Standard(s) are applicable.

Important to note, if an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect contained in (for example) ISO/IEC 17020, 17021, or 17025, such as measurement uncertainty calculations, it cannot be excluded when considering whether or not the resource meets the requirements of those standards.

Your CB Accrediting Body may be able to provide additional clarification on this clause.