The standard states the time between consecutive on-site assessments shall not exceed two years unless the accreditation body determines that an on-site assessment is not “applicable”. When would an on-site assessment not be applicable? If an on-site assessment can reasonably be conducted under normal conditions, is it “applicable” to be on-site, or does the accreditation body have the ability in all cases to justify the use of other assessment techniques that do not incorporate on-site assessment, and thus exceed the two-year maximum required by the standard?
If an accreditation body implements remote assessment techniques that can achieve the same objectives and outcomes as on-site assessment techniques, can those remote assessment activities be considered equivalent to an on-site assessment?
The expectation from ISO/IEC 17011:2017 is to normally conduct on-site assessments at least every two years during the AB’s assessment programme.
Where it is not possible to do an on-site assessment – e.g. due to a force majeure event, health or security crisis, virtual site – then a remote assessment could be applicable. In these cases, the AB must ensure that the same objectives and outcomes are achieved with the remote assessment techniques as with the on-site assessment techniques.
In bullet a) of Annex A.3 it is stated that the inspection body shall provide safeguards within the organisation to ensure adequate segregation of responsibilities and accountabilities between inspection and other activities. Could you give examples of such safeguards?
STANDARD: ISO/IEC 17020 · CLAUSE: Annex A.3 · TOPIC: Independence Type C
Safeguards that ensure adequate segregation can include, e.g.:
– Maintenance of separate instructions for, or clear demarcation between, activities performed in different roles; or
– Reporting arrangements; or
– Communication and maintenance of policies; or
– Rules or code of conduct of inspectors; or
– Remittance and review procedures.
The wording of bullet b) in Annex A.1 indicates that there may be more activities than those listed in the 2nd sentence that may conflict with the inspection body’s and/or its personnel’s independence of judgment and integrity. Could you give examples of such activities?
STANDARD: ISO/IEC 17020 · CLAUSE: Annex A.1 · TOPIC: Independence Type A
In many cases, activities like project management and support activities related to the items inspected may also conflict with the independence of judgment and integrity. Also, consultancy engagements related to the items inspected may, depending on their nature and character, conflict with the independence of judgment and integrity.
In clause 6.2.13, bullet b) it is stated that the inspection body shall ensure that procedures are established and implemented to protect the integrity and security of data. Could you give examples of such procedures?
Procedures for protecting the integrity and security of data may include:
– Backup practices and frequencies
– Actions to effectively restore data from backup
– The maintenance of virus protection
– The maintenance of password protection
– Protection of data collected on-site
– Protection of ICT tools to carry out inspection
– Encryption of data
– Protection and access control of internally stored inspection records and reports
– Protection of electronically issued inspection reports
Examples of competencies a technical manager may need are to:
– Understand the requirements for the items inspected
– Understand the risks pertaining to failure of inspected items to fulfil the requirements
– Understand the possibilities and limitations of the inspection process and the relevant inspection techniques/technologies used for inspection
– Determine the type of technical competence required for performance of inspection activities
– Plan and organise inspection activities
– Understand and judge the ramifications of inspection outcomes
– Understand the type of technology developments that may influence the inspection activities
In clause 4.1.3 of the standard reference is made to threats to impartiality arising from the inspection body’s activities. Can you give examples of activities which may constitute a threat to the inspection body’s impartiality?
Examples of activities of the inspection body that can influence its impartiality include:
– Making commitments to complete unrealistic inspection volumes in a limited amount of time.
– Marketing, branding or sales activities relating to the items inspected, as explained in a general sense in ILAC P15.
– Customised training activities related to fulfilment of scheme requirements.
Can an Accreditation Body that is linked to a separate legal entity that provides consulting services have a website with direct hot links to the website of the linked separate entity that provides consulting services and meet the impartiality requirements of ISO/IEC 17011:2017 Section 4.4?
No. If an AB has publicly available on its website (or otherwise) a direct link to a consultancy organization (that is not an accredited CAB and listed as such in its Directory of Accredited CABs), it should be considered an infringement of clause 4.4.13 of ISO/IEC 17011:2017.
Can an Accreditation Body that is linked to a separate legal entity that provides consulting services have personnel (internal staff or external contractors) carry out consulting activities for that linked body and meet the impartiality requirements of ISO/IEC 17011:2017 Section 4.4?
No, unless exceptional conditions are met. If the AB’s ‘internal’ staff is providing consulting services, the AB would need to demonstrate simultaneous compliance with several clauses of the standard, namely:
– 4.4.4: staff acting objectively, in absence of pressures and disclosing potential conflict of interests;
– 4.4.6-9: risk analysis to impartiality, stakeholder consideration of acceptable public perception if AB internal staff provides consultancy, etc.;
– 4.4.12 b) and d): effective mechanisms to prevent influence on the outcome of accreditation activities;
– 4.4.13: nothing can be said or implied that would suggest that accreditation would be simpler, easier, faster or less expensive if any specified person(s) or consultancy were used.
The analysis of acceptability needs to include a review of the functions that the staff providing consultancy for the ‘Linked Body’ are assigned to do in the AB; the risk arising can differ significantly depending on the tasks performed. It should be noted that the standard forbids any staff providing consultancy to participate in accreditation decision-making.
Regarding clause 4.4.6, note that forbidding consulting for and assessing the same customer may not be sufficient to ensure that self-evaluation risks are sufficiently mitigated.
The note to clause 4.4.13 indicates that AB’s personnel can participate as lecturers in training and similar activities, but states that they cannot provide specific solutions to a CAB, so any form of consultancy that includes this would violate the clause.
Can an Accreditation Body that is linked to a separate legal entity that provides consulting services have shared resources (office space, finances, sales, marketing, accounting, human resources, legal counsel, etc.) and meet the impartiality requirements of ISO/IEC 17011:2017 Section 4.4?
The absence of ‘shared resources’ is not required by clause 4.4.12 and is therefore not applicable; however, ‘shared resources’ can be a source of risk to impartiality (Note 1 of 4.4.6) and it should be considered in the risk analysis process covered by clause 4.4.6. The type of resource being shared can introduce additional requirements that should be considered, for example:
– sharing office space can infringe confidentiality and public perception requirements;
– sharing personnel can violate confidentiality, impartiality, and public perception requirements;
– sharing finances can violate confidentiality requirements and allow commercial and financial pressures to appear;
– sharing sales or marketing prevents meeting clause 4.4.13.
Can an Accreditation Body that is linked to a separate legal entity that provides consulting services have common owners, or a person who holds a higher position above the managers of both organizations, and meet the impartiality requirements of ISO/IEC 17011:2017 Section 4.4?
No, unless strict and exceptional conditions are demonstrated to be met:
– Because of the common ownership between the AB and the separate legal entity that provides consulting services, they are deemed to be linked and the AB must fulfil all the conditions in clause 4.4.12 of ISO/IEC 17011:2017;
– Regarding the person who holds a higher position at both organizations, this person cannot perform any of the activities listed in clause 5.7, as this would be a violation of clause 4.4.12 a). Careful consideration must be made to ensure that person is not involved in any of the AB top management activities outlined in clause 5.7 of ISO/IEC 17011:2017.