Mandatory Clauses

Have you noticed the surveillance audits by your certification body always seem to address some of the same ISO 9001 clauses? The reason is that ISO 17021, a standard that applies to bodies providing audit and certification of management systems, requires a few areas to be a mandatory part of a surveillance audit program.

Section 9.3.2.1 of ISO 17021 reminds us that surveillance audits are on-site audits, but not necessarily full system audits. Surveillance audits must also be planned together so the certification body can be confident that the certified system continues to meet its requirements between the three-year re-certification audits. Therefore, ISO 17021 requires the surveillance audit program to include, at least:

a) internal audits (8.2.2) and management review (5.6)

b) a review of the action taken (8.5.2) on nonconformities identified during the previous audit

c) treatment of complaints (8.2.1, 8.5.2)

d) effectiveness of the management system with regard to achieving the certified client’s objectives (5.4.1, 5.3)

e) progress of planned activities aimed at continual improvement (8.5.1)

f) continuing operational control (8.1)

g) review of any changes (4.2.2, 5.4.2)

h) use of marks and/or any other references to certification

Please note that I added the references to the ISO 9001 clause numbers to identify what might be called the mandatory clauses for surveillance audits. 

Some of the clauses are very easy to determine. For example, the mention of Internal Audits and Management Review leads quickly to ISO 9001 clauses 8.2.2 and 5.6. Next on the surveillance list is the “review of the action taken on nonconformities”, which relates to clause 8.5.2 for Corrective Action.

What about the clause for “treatment of complaints”? Monitoring the customer’s perception as to how well an organization has met requirements would involve clause 8.2.1 on Customer Satisfaction. Clause 8.2.1 includes determining the methods for obtaining and using this information, which would address the treatment of complaints. Clause 8.5.2 on Corrective Action requires the review of nonconformities and specifically customer complaints.

The next area to evaluate is the “effectiveness of the management system” with regard to achieving an organization’s objectives. Clause 5.4.1 on Quality Objectives should be examined, and since these objectives must be consistent with the Quality Policy, the auditor could also assess clause 5.3.

In addition, surveillance audits must evaluate the “progress of planned activities aimed at continual improvement”. Auditing clause 8.5.1 on Continual Improvement will address this surveillance topic.

Selecting a clause for “continuing operational control” is not as simple. Operational control includes monitoring and analysis to ensure planned results are being achieved, and if not, taking actions to improve the results.

Clause 8.2.3, Monitoring and Measurement of Processes, certainly relates to this subject, as does 8.4, Analysis of Data. However, 8.1 seems the most inclusive clause since it requires an organization to plan and implement the monitoring, measurement, analysis, and improvement processes needed to ensure that the product and system requirements are met and the effectiveness of the system is continually improved.

Another required surveillance topic is the “review of any changes”. System changes need to be planned in accordance with clause 5.4.2, Quality Management System Planning, and the changes may result in revisions to the Quality Manual described in clause 4.2.2.

Certification bodies may have a different view of these requirements and include a slightly different set of mandatory clauses for their surveillance audits. For example, one registrar includes 8.5.3, Preventive Action, which could be considered part of assessing operational control and how well an organization prevents potential problems.

The last item on the surveillance list is for auditors to ensure that certification marks and other references to certification are properly used by the organization. Registrars provide information on how their certification marks are to be displayed, and ISO provides guidance at this web page on how to publicize your ISO 9001 certification.