9.1 Third-party certification & accreditation (ISO/IEC 17021-1) & the certification cycle

Key Takeaways

  • Certification bodies (CBs) that issue ISO 9001 certificates must themselves operate to ISO/IEC 17021-1, which governs CB competence, consistency, impartiality, and confidentiality.
  • National accreditation bodies such as UKAS and ANAB accredit CBs against ISO/IEC 17021-1, and the IAF's multilateral recognition arrangement keeps accreditation consistent worldwide.
  • A CB or auditor that consulted on, designed, or implemented a client's QMS cannot later audit that same QMS, because doing so creates a disqualifying conflict of interest.
  • Initial certification requires a Stage 1 readiness review followed by an on-site Stage 2 audit of implementation and effectiveness, with the certification decision made by CB personnel independent of the audit team.
  • Certified organizations receive surveillance audits at least annually and a full recertification audit before the three-year certification cycle expires.
Last updated: July 2026

Passing the CQI/IRCA exam proves you can plan and conduct an audit — but every third-party QMS audit exists inside a formal certification framework. This section covers how a certification body (CB) actually operates, how CBs themselves are held accountable, and the multi-year cycle a certified organization moves through.

Third-Party Certification and ISO/IEC 17021-1

When an organization wants an independent, publicly recognized declaration that its QMS conforms to ISO 9001, it engages a certification body (CB) — sometimes called a registrar. CBs that issue ISO 9001 certificates must themselves operate to ISO/IEC 17021-1, Conformity assessment — Requirements for bodies providing audit and certification of management systems. This standard governs how CBs must behave, not how the client's QMS must be built (that is ISO 9001) or how individual audits must be conducted (that is ISO 19011, which 17021-1 references for audit methodology).

ISO/IEC 17021-1 requires a CB to demonstrate, among other things:

  • Competence — auditors and technical experts with qualifications matched to the client's sector and scope.
  • Consistency — a certification decision that would be repeatable regardless of which auditor conducted the audit.
  • Impartiality — a structure, ownership, and set of processes that protect the CB from commercial or other pressure that could bias an outcome.
  • Confidentiality and responsibility — client information gathered during audits is protected, and the CB is accountable for every certificate it issues.

The Accreditation Chain

A CB does not simply declare itself competent. It is assessed and accredited by a national accreditation body — for example UKAS in the United Kingdom or ANAB in the United States — which audits the CB against ISO/IEC 17021-1 plus any sector-specific accreditation rules. Only after passing this assessment can the CB issue accredited certificates, carrying the accreditation body's mark alongside its own.

The chain runs:

  1. International Accreditation Forum (IAF) — a multilateral recognition arrangement that keeps accreditation consistent worldwide.
  2. National accreditation body (UKAS, ANAB, JAS-ANZ, etc.) — accredits certification bodies.
  3. Certification body — audits and certifies client organizations.
  4. Certified client organization — holds the ISO 9001 certificate.

An auditor should be able to explain this chain to a client and should recognize that a certificate from a non-accredited CB is not automatically invalid, but it carries less external assurance because no independent body has verified the CB's own competence.

Impartiality and Managing Conflicts of Interest

Impartiality is not optional — it is the foundation the whole certification scheme rests on. ISO/IEC 17021-1 requires CBs to identify, analyze, and treat risks to impartiality on an ongoing basis, and it draws a hard line around consultancy: a certification body — and, by extension, an individual auditor — cannot audit a management system that it, or the auditor personally, helped consult on, design, or implement. Writing procedures, running internal audits, or advising on how to structure the QMS creates a conflict of interest that disqualifies that CB or auditor from later certifying the same organization, because they would effectively be auditing their own work.

For the same reason, CBs must not offer or imply that certification will be easier, faster, or cheaper if the client also buys consultancy from a related organization, and individual auditors must declare and manage any personal relationship — past employment, financial interest, family connection — with the auditee before an assignment is confirmed.

The Certification Process: Stage 1 and Stage 2

Initial third-party certification is not a single visit — ISO/IEC 17021-1 mandates a two-stage initial audit.

Stage 1 auditStage 2 audit
PurposeReadiness review — is the client ready for Stage 2?Evaluate implementation and effectiveness of the QMS
FocusDocumented information, scope, context, statutory/regulatory awareness, internal audit and management review planningConformity with every applicable ISO 9001 clause, operational control, performance against objectives
LocationUsually on the client's premises, though parts may be done off-site by agreementAlways on-site, at the location(s) within the certification scope
Typical gap raisedUndefined scope, missing statutory/regulatory identification, QMS not yet operating long enough to generate evidenceNonconformities against specific clauses, based on objective evidence

Stage 1 exists so a CB never arrives for a full Stage 2 audit only to discover the QMS scope is undefined or the client has not completed even one internal audit cycle — Stage 1 findings are documented and must be addressed, or at least understood, before Stage 2 is scheduled.

Stage 2 evaluates the QMS as it actually operates: whether the processes described in documented information are the processes people actually follow, whether the organization meets applicable statutory, regulatory, and contractual requirements, whether internal audits and management review are functioning, and whether performance is measured against real objectives. Nonconformities raised at Stage 2 must normally be corrected — or a credible correction plan agreed — before certification is granted.

The Certification Decision

A critical, frequently tested point: the certification decision is made by the CB, never by the auditor(s) who performed the audit. ISO/IEC 17021-1 requires the decision-maker (or decision-making committee) to be independent of the audit team, reviewing the audit report, evidence, and any nonconformities, and confirming that the CB's own requirements for granting, maintaining, renewing, or withdrawing certification have been met. This separation protects impartiality: the people who built a working relationship with the client during the audit are not the same people with final authority to award the certificate.

Surveillance and Recertification

Certification is not a one-time event. Once granted, the CB conducts surveillance audits at least once a year (the first no later than 12 months after the Stage 2 certification decision) to confirm the QMS is still being maintained. Surveillance audits are narrower than a full audit — they sample selected processes, follow up on previous nonconformities, and check internal audit/management review activity, complaints, and QMS changes — but across the full cycle every part of the standard should eventually be sampled.

Certification runs on a three-year cycle: Year 0 covers the Stage 1 and Stage 2 initial audits and the certification decision; Years 1 and 2 each carry a surveillance audit; and before Year 3 ends, a recertification audit evaluates the overall continued conformity and effectiveness of the whole QMS across the full three years, taking into account the surveillance history — a satisfactory result starts a fresh three-year cycle.

Test Your Knowledge

A certification body wrote the procedures for a client's internal audit process two years ago as a paid consultancy engagement. Under ISO/IEC 17021-1, what is the correct outcome if that same client now applies to that CB for ISO 9001 certification?

A
B
C
D
Test Your Knowledge

Who makes the final certification decision after a Stage 2 audit is completed?

A
B
C
D