The Documentation Backbone of Certification Body Operations
ISO/IEC 17021-1:2015 establishes comprehensive requirements for how certification bodies manage their documents, records, and information. These requirements are not peripheral. They form the backbone of a CB's management system and are among the most frequently examined areas during accreditation assessments.
Understanding these requirements in detail, and implementing systems that satisfy them systematically, is essential for any certification body that intends to maintain its accreditation without constant corrective actions.
Clause 8.2: Management System Option
ISO/IEC 17021-1:2015 Clause 8.2 provides two options for a CB's management system: Option A (aligned with ISO 9001) or Option B (general requirements). Under either option, the CB must establish, document, implement, and maintain a management system capable of supporting and demonstrating the consistent achievement of the requirements of this standard.
This means that documentation is not optional or flexible. The CB must have a documented system, and the documentation must be controlled.
Clause 8.3: Document Control
Clause 8.3 addresses the control of documents specifically. The CB must establish procedures that ensure:
- •Documents are approved before issue. Every document that is part of the management system must go through an approval process before it becomes active. This includes procedures, forms, templates, and work instructions.
- •Documents are reviewed and updated as necessary. Documents must be periodically reviewed to ensure they remain current and effective. Changes must be controlled.
- •Changes and current revision status are identified. When a document is revised, the nature of the change and the current version must be clear. Users must be able to determine which version is current.
- •Relevant versions are available at points of use. The right version of the right document must be accessible to the people who need it, when they need it.
- •Documents remain legible and readily identifiable. Documents must be clearly identified and maintained in a condition that allows them to be read and understood.
- •External documents are identified and their distribution controlled. Standards, accreditation body requirements, and other external documents must be identified and managed.
- •Obsolete documents are prevented from unintended use. When a document is superseded, the old version must be clearly identified as obsolete or removed from circulation.
How Software Addresses Document Control
In a paper-based or file-folder-based system, maintaining document control requires constant vigilance. Old versions must be manually removed. New versions must be manually distributed. Version tracking must be manually maintained.
Certiva automates document control:
- •Version Control: Every document in the system has a version history. When a document is updated, the new version replaces the old automatically. Previous versions are retained for reference but clearly marked as superseded.
- •Approval Workflows: Documents pass through defined approval workflows before becoming active. The approval is recorded with the approver's identity and timestamp.
- •Centralized Distribution: Documents are available through the platform, ensuring that everyone accesses the current version. There are no local copies that might be outdated.
- •Access Control: Different users see different documents based on their role. Auditors see auditor-relevant documents. Clients see client-relevant documents. Obsolete documents are not visible in normal views.
Clause 8.4: Control of Records
Clause 8.4 requires the CB to establish procedures for the identification, storage, protection, retrieval, retention time, and disposition of records. This applies to all records generated by the certification process, including:
- •Audit plans and reports
- •Nonconformity records and evidence of closure
- •Committee review records
- •Certification decisions
- •Communication records
- •Competence records for all personnel
- •Client applications and agreements
The volume of records generated by a busy certification body is substantial. Each client generates records at every phase of the certification lifecycle, and these records must be maintained for the full retention period.
How Software Addresses Record Control
Manual record management, typically involving physical file cabinets or electronic folder structures, struggles with several aspects of Clause 8.4:
- •Retrieval: Finding a specific record in a large filing system is time-consuming. During an accreditation assessment, when an assessor requests specific records from multiple files, the time pressure is significant.
- •Protection: Records must be protected against loss, damage, and unauthorized access. Physical files are vulnerable to loss and damage. Electronic files in shared folders are vulnerable to accidental deletion and unauthorized modification.
- •Retention: Records must be retained for defined periods. Tracking retention dates across thousands of records is impractical without systematic support.
Certiva addresses all of these requirements:
- •Structured Storage: Records are stored in a structured database, linked to the relevant client, audit, and certification. Retrieval is instantaneous through search and navigation.
- •Automatic Protection: Records in the system are protected by the platform's security infrastructure. Access controls prevent unauthorized viewing or modification. Backups prevent loss.
- •Retention Management: Retention periods are defined in the system configuration. Records approaching the end of their retention period can be flagged for review and disposition.
Clause 9.1: General Audit Requirements
Clause 9.1 addresses the general requirements for the audit process, including the audit programme, audit objectives, and audit scope. From a documentation perspective, the CB must maintain records that demonstrate:
- •The audit programme was planned and implemented effectively.
- •Audit objectives were defined and communicated.
- •Audit scope was determined and appropriate.
- •Resources were allocated competently.
Clause 9.4: Conducting the Audit
Clause 9.4 covers the conduct of the audit, including the audit plan, document review, and communication with the client. Documentation requirements include:
- •Audit Plan Records: The audit plan must be documented, communicated to the client, and retained as a record.
- •Finding Records: All findings must be documented with sufficient detail to allow understanding without reference to the auditor's notes.
- •Report Records: Stage reports must be documented, reviewed, and retained.
Clause 9.5: Certification Decision
The certification decision is one of the most scrutinized areas during accreditation assessments. Clause 9.5 requires:
- •The certification decision is made by a person or committee not involved in the audit.
- •The decision-maker has the competence to understand the audit findings and their significance.
- •The decision is documented with clear rationale.
Software support for committee management is critical here. Certiva manages the entire committee review process, validates competence, enforces signing sequences, and maintains complete decision records.
Clause 9.6: Maintaining Certification
Maintaining certification requires ongoing documentation:
- •Surveillance audit records
- •Recertification audit records
- •Records of scope changes
- •Records of suspension or withdrawal actions
The volume of maintenance records grows with every certification cycle. Without systematic management, records become disorganized and retrieval becomes unreliable.
Clause 9.8: Appeals and Complaints
Clause 9.8 requires the CB to maintain records of appeals and complaints, including:
- •Receipt and acknowledgment records
- •Investigation records
- •Resolution records
- •Records of corrective actions taken
These records must demonstrate that the CB handled each case fairly and in accordance with its procedures.
The Systematic Approach
The thread running through all of these requirements is the need for a systematic approach to documentation and record management. Individual, ad hoc efforts to maintain records are insufficient. The accreditation body expects to see a system that produces, manages, and preserves records as a natural outcome of normal operations.
Certiva provides this systematic approach. Records are created as a byproduct of work performed in the system. Documents are controlled through built-in version management. Communication is logged automatically. Decisions are recorded through structured workflows.
The result is a documentation system that satisfies ISO/IEC 17021-1:2015 requirements not through extra effort, but through the normal operation of the platform.
Ready to eliminate documentation management risk?
Book a demo at getcertiva.com and see how Certiva satisfies ISO/IEC 17021-1:2015 documentation requirements systematically and automatically.