Accredited certification of internationally recognised management system standards
In 2009, the Department of Business, Innovation and Skills (BIS) (now known as the Department for Business, Energy & Industrial Strategy) appointed UKAS (United Kingdom Accreditation Service) as its national accreditation body.
Why use an accredited certification body?
The EU Regulation (EC) 765/2008 provides a legal framework for the provision of accreditation services across Europe. Under the Regulation, accreditation, when carried out against recognised harmonised standards, is regarded as a public authority activity and EU Member States are required to appoint a single national accreditation body to undertake these activities.
A ‘harmonised standard’ is a standard that has been adopted by one of the European standardisation bodies, such as the British Standards Institution (BSI) in the United Kingdom.
Certification bodies are accredited by national accreditation bodies
In 2009, the Department of Business, Innovation and Skills (BIS) appointed UKAS (United Kingdom Accreditation Service) as its national accreditation body. This appointment empowered UKAS to undertake the accreditation of certification bodies in the UK, according to ISO/IEC 17021, for the certification of management system standards (under the Accreditation Regulations of 2009), amongst other accreditation activities.
It is important to ensure that the certification body you use for the certification of a management system standard (for instance ISO/IEC 27001 or ISO/IEC 22031) is accredited by the official national accreditation body, and that the national accreditation body is a member of the IAF, such as UKAS in the United Kingdom.
A Memorandum of Understanding was signed in 2009 between BIS and UKAS to maintain and promote a strong national accreditation service in the UK.
Those that falsely claim accreditation in relation to management system certification should be referred to Trading Standards or the Office of Fair Trading immediately.
A note on Cyber Essentials certification
According to the Department of Business, Innovation and Skills in the UK, the Accreditation Bodies appointed under the Cyber Essentials Scheme have been empowered to perform accreditation activities solely in relation to the Cyber Essentials scheme as it applies in the UK and are not performing accreditation services in relation to EU harmonised standards. The national accreditation body authorised to perform EU-harmonised accreditation services within the UK remains UKAS.
Why you should avoid using non-accredited certification bodies
- Non-accredited certification bodies (and those that claim to be accredited by an accreditation body not recognised by IAF) typically offer a service that includes both consultancy and certification; no formally accredited certification body will offer this type of service, as the international ISO framework recognises the obvious conflict of interest when a single organisation assesses its own work while also offering advice/consultancy.
- Non-accredited certification bodies (and those that claim to be accredited without the recognised scheme) are not subject to regular performance, quality and competence monitoring by a national accreditation body (such as UKAS).
- Non-accredited certification bodies (and those that claim to be accredited without the recognised scheme) usually do not operate in line with the international standards that set out requirements for certification bodies (e.g. ISO/IEC 17021).
Tell-tale signs that a certificate is not issued by an accreditation body include:
- Certificates that are valid for more than 3 years (some are up to 25 years!).
- A separate certificate issued per address.
- Insistence that all management system documentation be printed and maintained in a lever-arch file.
How you can validate the authenticity of a certification body
Any organisation that claims to be an accredited certification body should be able to show you a current copy of its certificate of conformance with ISO/IEC 17021-1:2015, issued by a national accreditation body for the relevant scheme.
About ISO/IEC 17021
ISO/IEC 17021 is the international standard that sets out the requirements for bodies providing audit and certification of management systems. As the International Organization for Standardization (ISO) says, "Certification of management systems is a third-party conformity assessment activity. Bodies performing this activity are therefore third-party conformity assessment bodies."
In other words, certification bodies can never provide a certification service in conjunction with their own consultancy work.
It is important to crack down on non-accredited certification bodies, as they damage the reputation of the certification schemes accredited by UKAS and other national accreditation bodies.
IT Governance is independent of vendors and certification bodies
IT Governance Ltd is recognised by third-party accredited certification bodies as being competent to advise on certification and management system implementation.
We are independent of vendors and certification bodies, and we encourage our clients to select the best-fit supplier of accredited certification services for their needs and objectives.
IT Governance is widely recognised among UKAS-accredited certification bodies as a leading (ISO27001) consultancy and is listed on the following:
- BSI Management Systems UK Associate Consultant Programme.
- Bureau Veritas Certification approved list for the implementation and management of ISO27001 and ISO20000 (IT service management standard).
- ISOQAR consultant database.
- Lloyd’s Register Quality Assurance (LRQA) Consultant Network.
- NQA consultant database.
- DNV Consultant Gateway Member.
Clients of IT Governance have used the following UKAS (or equivalent)-accredited certification bodies:
- ACS Registrars
- AJA Registrars
- BM Trada
- Bureau Veritas
- Certification Europe
- Certification International
- Registrar of Standards, trading as United Registrar of Systems
- The Audit People