Beyond Issuance: The Full Certificate Lifecycle
Many certification bodies focus their attention on the process leading up to certificate issuance. The application, the audits, the committee review, and finally the certificate. But issuance is not the end of the certification process. It is the beginning of a lifecycle that spans years and requires systematic management at every stage.
ISO/IEC 17021-1:2015 establishes clear requirements for maintaining, suspending, and withdrawing certifications. Failure to manage this lifecycle properly creates risk for both the CB and its clients, and is a common source of accreditation findings.
Stage 1: Certificate Issuance
Certificate issuance is the culmination of the initial certification process. Before a certificate is issued, the CB must verify that:
- •The audit programme has been completed (Stage 1 and Stage 2).
- •All major nonconformities have been resolved.
- •The committee has made a positive certification decision.
- •The certificate data (scope, locations, standard, dates) is accurate.
- •The certificate format meets the CB's procedures and any accreditation requirements.
In practice, certificate issuance is where errors often creep in. Scope descriptions may be inconsistent with what was audited. Dates may be incorrect. Locations may be missing. These errors, while seemingly minor, can create significant problems during the certification cycle.
Certiva generates certificates from the data already in the system. The scope, locations, standard, and dates are pulled from the verified certification record, reducing the risk of transcription errors. The certificate is generated, reviewed, digitally signed, and made available to the client through their portal.
Stage 2: Surveillance Scheduling
Once a certificate is issued, the CB must establish a surveillance programme. Clause 9.6.2 requires surveillance audits at planned intervals, typically annually, although the first surveillance must occur no later than 12 months after the last day of the Stage 2 audit.
Surveillance scheduling creates a tracking challenge that grows with the number of active certifications. Each client has their own surveillance cycle, and the timing depends on:
- •The date of the initial certification or last recertification audit.
- •The number of surveillance audits per cycle (typically two in a three-year cycle).
- •Any adjustments based on previous audit results.
- •Client availability and scheduling constraints.
With hundreds of active certifications, manual tracking of surveillance deadlines is unreliable. A missed surveillance window can require suspension of the certificate, creating a cascade of administrative and client relationship problems.
Stage 3: Ongoing Maintenance
Between surveillance audits, the certification body must also manage:
Scope Changes: Clients may request changes to their certified scope. Expansions require additional audit activity. Reductions require verification and certificate reissue. Each change must be documented and the certificate updated.
Transfer Audits: Clients may transfer their certification from another CB. The transfer process has its own requirements, including verification of the existing certification and any necessary audit activity.
Client Changes: Organizations undergo structural changes: mergers, acquisitions, name changes, location changes. Each of these may affect the certification and must be assessed and documented.
Complaints and Information: If the CB receives complaints about a certified organization or information suggesting nonconformity, it must evaluate the information and take appropriate action. This may trigger unscheduled audits or other investigation.
Stage 4: Recertification
Before the three-year certification cycle expires, a recertification audit must be completed and a new certification decision made. The recertification process involves:
- •Reviewing the performance of the management system over the certification cycle.
- •Conducting a full system audit covering all requirements of the applicable standard.
- •Evaluating the effectiveness of the management system as a whole.
- •Making a new certification decision.
The timing of recertification is critical. The recertification audit must be completed and the decision made before the current certificate expires. If the recertification is not completed in time, the certificate lapses and the organization must go through the initial certification process again.
Stage 5: Suspension
ISO/IEC 17021-1:2015 Clause 9.6.5 addresses suspension of certification. The CB must suspend certification when:
- •The client's management system has persistently or seriously failed to meet certification requirements.
- •The client does not allow surveillance or recertification audits to be conducted at the required frequency.
- •The client has voluntarily requested suspension.
Suspension is a formal action with specific requirements:
- •The status of the client's certification is changed to suspended.
- •The client is notified of the suspension.
- •The suspended status is made publicly accessible.
- •The suspension has a defined duration (typically not exceeding six months).
- •At the end of the suspension period, the certification is either restored or withdrawn.
Managing suspension requires careful tracking of deadlines and actions. When a certification is suspended, the CB must monitor the suspension period and either resolve the situation or proceed to withdrawal.
Stage 6: Withdrawal
Certification is withdrawn when:
- •The issues that led to suspension are not resolved within the suspension period.
- •The client does not take necessary action to restore their certification status.
- •The client requests withdrawal.
- •The CB determines that the certified management system does not meet the requirements.
Withdrawal is the most consequential action in the certification lifecycle. The client loses their certification, must remove any references to it, and typically must go through the full initial certification process to become certified again.
Why Lifecycle Management Requires Software
The certificate lifecycle involves multiple deadlines, dependencies, and decision points spread over a multi-year cycle. Managing this lifecycle for a single client is straightforward. Managing it for hundreds of clients simultaneously, while complying with all ISO/IEC 17021-1:2015 requirements, requires systematic software support.
Certiva manages the entire certificate lifecycle:
- •Automatic Surveillance Scheduling: Surveillance audit windows are calculated automatically based on the certification date. The system alerts planners when scheduling action is needed.
- •Expiry Tracking: Certificate expiry dates are tracked systemically. The system generates warnings well in advance of expiry, giving the CB adequate time to plan and conduct recertification audits.
- •Scope Change Management: Scope changes are processed through a defined workflow that includes review, additional audit activity if required, and certificate reissuance.
- •Suspension and Withdrawal Workflows: When suspension or withdrawal is warranted, the system provides structured workflows that ensure all required actions are taken and documented.
- •Status Dashboard: A real-time dashboard shows the status of every certificate: active, approaching surveillance, due for recertification, suspended, or withdrawn. Planners have complete visibility into the certification portfolio.
- •Client Portal Updates: Clients see the current status of their certificate through their portal, including upcoming audit dates and any required actions.
The Cost of Lifecycle Management Failures
When certificate lifecycle management fails, the consequences are immediate:
- •Lapsed Certifications: A client's certificate expires because the recertification was not completed in time. The client loses their certification, potentially affecting their business relationships and contractual obligations.
- •Delayed Suspensions: The CB fails to suspend a certificate when required, maintaining an active certification for an organization that does not meet the requirements.
- •Missed Surveillance: Surveillance audits are not conducted within the required window, triggering the need for suspension.
- •Accreditation Findings: All of the above create nonconformities during accreditation assessments.
Ready to eliminate certificate lifecycle management failures?
Book a demo at getcertiva.com and see how Certiva tracks every certificate from issuance through renewal, with automated scheduling, deadline alerts, and complete lifecycle documentation.