Whether you are already certified to an ISO Standard, or are considering going through the process for the first time, understanding how certification bodies calculate the number of audit days required will help you budget for the future, and could impact your chosen certification scope.
In this blog post, we explain the rules that govern how certification bodies calculate the required audit time and put into context the roles of the IAF, Accreditation Bodies and Certification Bodies.
While this blog will provide you with some important information related to ISO certification pricing, you may still benefit from engaging an ISO Consultant to support you on your journey, and liaise with your certification body to ensure you get the best deal.
Roles of IAF, Accreditation Bodies, and Certification Bodies
In the ISO certification process, there are three key entities that play pivotal roles:
The International Accreditation Forum (IAF)
The IAF establishes global standards for accrediting certification bodies, ensuring consistency and reliability.
It was established to promote the international acceptance of accredited certifications, and plays a crucial role in developing and maintaining a framework for the consistent application of conformity assessment standards.
Many national accreditations bodies, such as UKAS, are members of the IAF and sign its Multilateral Recognition Agreement (MLA) recognising the equivalence of other signatories’ accreditations to their own. Find out more.
Accreditation Bodies (such as The United Kingdom Accreditation Service (UKAS)),
UKAS, as a national accreditation body, oversees the competence of certification bodies within the UK, ensuring they adhere to IAF standards.
They will audit and monitor certification bodies to ensure they continue to meet scheme requirements.
ISO Certification Bodies
Certification Bodies work directly with clients to conduct audits and issue ISO certificates, acting as the link between organisations and accreditation bodies.
There are many accredited certification bodies to choose from, some of which are listed on our website.
What is IAF’s MD5 Document?
The IAF’s MD5 document, titled “IAF Mandatory Document for the Application of ISO/IEC 17021 for Audits of Integrated Management Systems,” provides guidelines for the audit of integrated management systems and outlines the requirements and expectations for certification bodies, ensuring a standardised approach to audits.
MD5 also includes three annexes with tables covering the expected initial audit duration of Quality, Environmental and Occupational H&S management systems based on staff numbers.
What is ISO 27006?
For the auditing of information security management systems, ISO has published specific guidelines under ISO 27006.
This document has an annex containing a table of audit timings based on staff numbers. Helpfully, this also maps the MD5 audit timings for QMS, EMS, OHSMS along side.
The standard does make provision for a reduction of audit time based on factors including complexity, but also states this should be no more than 30% and the reasons must be documented (B.3.5 Limitation of deviation of audit time).
How Do Accreditation Bodies Use MD5, ISO 27006 etc?
Accreditation bodies such as UKAS use the IAF’s MD5 document as a reference guide to assess the competency of certification bodies.
By aligning with the MD5 guidelines, UKAS ensures that certification bodies adhere to best practices during integrated management system audits, fostering consistency and reliability in the certification process Certification Body’s Audit Day Calculation
ISO Certification Bodies calculate the number of audit days based on several factors.
The primary consideration is the size and complexity of the organisation seeking certification, giving reference to the IAF MD5 tables.
Larger and more complex organizations may require additional audit days to thoroughly assess their compliance with ISO standards.
The scope of certification, industry-specific requirements, and the organization’s processes also influence the calculation of audit days.
Factors that may to Reduce ISO Audit Days
Certification bodies often have some scope to reduce the number of audit days based the following factors:
Effective Number of Staff
Certification bodies need to know the ‘effective number of staff” in order to calculate the correct audit time, BUT this is not necessarily the number of employees.
Firstly certification bodies should only account for staff within your certification scope. So if there are locations or processes not included in scope, these should be removed from the total.
They will also take into account groups of employees who are performing similar activities, and reduce the number on that basis.
However, if an in-scope activity uses subcontractors, these should be added.
Therefore, while the effective number of employees is often lower than the number employed, in some circumstances it may also be higher!
Complexity and Risk
The certification body will also take into account the complexity and risk related to the audit scope.
For example, does the client engage in activities with a high-risk of harm to employees, or process large volumes of sensitive personal information?
If it can be evidenced that the client’s business is low-risk, it may result in a reduction of up to 20% of the initial audit time.
Conclusion
Understanding the roles of the IAF, UKAS, and Certification Bodies, along with the nuances of audit day calculation, is essential to ensure you are getting value from your ISO Certification process.