ISO/IEC 17021‑1 Mandatory Procedures List

Last Updated on October 29, 2025 by Melissa Lazaro

Understanding the ISO/IEC 17021-1 Mandatory Procedures (and Why They Matter)

If you run or manage a certification body, you’ve probably wondered, “Which procedures are actually mandatory under ISO/IEC 17021-1?” You’re not alone. I’ve worked with certification bodies of all sizes—from small regional CBs to those preparing for multi-scheme accreditation—and this question always comes up before their first accreditation audit.

Here’s what I’ve noticed: many CBs overcomplicate their documentation. They either write too many procedures or skip key ones that accreditation bodies expect to see. This article cuts through the noise. You’ll see exactly which procedures are required, why they matter, and how to structure them efficiently without drowning in paperwork.

By the end, you’ll have a clear checklist to make your ISO/IEC 17021-1 documentation audit-ready—and practical enough to use daily.

Certification-Body Governance Procedures (Clause 6 – Structural Requirements)

Every certification body needs solid governance procedures. This is where your structure, impartiality, and independence come into play.

At a minimum, you should have documented procedures for:

  • Managing impartiality and conflicts of interest
  • Appointing and operating the impartiality committee
  • Reviewing risks to impartiality

In my experience, accreditation assessors look closely at how these procedures connect to real actions. It’s not enough to have an “impartiality procedure” sitting in a folder. They’ll ask for meeting minutes, risk logs, and proof that conflicts were actually reviewed.

Pro tip: Rotate committee members or roles in certification decisions to keep your impartiality strong and demonstrable.

Common pitfall: Letting conflict-of-interest declarations go stale. I once helped a CB that hadn’t renewed these forms for two years—resulting in a nonconformity during assessment. A simple annual reminder system fixed it immediately.

Example: A small CB in Southeast Asia avoided bias by creating a rule: no auditor or reviewer handles the same client for more than two consecutive cycles. It became their easiest impartiality control ever.

Competence Management Procedures (Clause 7 – Resource Requirements)

This is where most CBs stumble. ISO/IEC 17021-1 demands that you prove your auditors, technical experts, and decision-makers are competent—and that competence is maintained.

Your documented procedures should cover:

  • Defining competence criteria
  • Evaluating auditor performance
  • Conducting witness audits
  • Managing training, calibration, and monitoring

Here’s what I’ve learned over time: don’t make competence management a one-time exercise. It’s a cycle. Define, evaluate, improve, and record.

Pro tip: Build a competence matrix. It maps each role to the standards they audit, the training they’ve completed, and the technical areas they’re qualified for. Accreditation assessors love these matrices—they make competence evidence easy to trace.

Common pitfall: Forgetting to update competence files after a new scheme or scope is added. I’ve seen assessors mark this as a major nonconformity.

Example: One CB automated its competence tracking using a simple spreadsheet with conditional formatting. It reduced missing updates by 90%—no fancy software required.

Certification-Process Procedures (Clause 9 – Process Requirements)

Now we’re at the core of what ISO/IEC 17021-1 is all about—the certification process itself.

You need clear, documented procedures that show exactly how certification decisions are made, from the first inquiry to the certificate being issued.

Here’s a practical list:

  • Application review and contract acceptance
  • Audit program development
  • Stage 1 and Stage 2 audit processes
  • Audit reporting and follow-up
  • Certification decision
  • Surveillance and recertification planning

In my experience, accreditation assessors trace every certification decision back to these steps. They want to see that responsibilities are separated—that auditors audit, reviewers review, and decision-makers decide.

Pro tip: Create a simple flowchart showing handovers between these roles. Visuals impress assessors and help staff follow the process consistently.

Common pitfall: Allowing the same person to audit and approve a client. That’s an automatic impartiality red flag.

Example: I once worked with a CB that linked each certification activity to a digital checklist. It kept their process auditable and transparent. When the accreditation assessor arrived, they breezed through the file review.

Management-System Procedures (Clause 10 – Management System Requirements)

Your certification body’s own management system needs structure too. Think of this as practicing what you preach.

Required procedures here include:

  • Document and record control
  • Internal audit
  • Management review
  • Corrective action and continual improvement

Pro tip: Align your internal management system with ISO 9001. It simplifies integration, especially if your CB also offers management-system certifications.

Common pitfall: Treating your management-system procedures as static files. These should evolve as your organization grows. Update them after every internal audit or management review.

Example: A medium-sized CB noticed repeated findings in their internal audits. Instead of patching them, they built a corrective-action dashboard and tracked closure trends. Within six months, they reduced repeat findings by 40%.

Information-Management and Confidentiality Procedures (Clause 8 – Information Requirements)

Information management is more than just data storage—it’s about trust. Clients hand you confidential data, and ISO/IEC 17021-1 expects you to protect it.

Your documented procedures should clearly show how you:

  • Handle confidential and public information
  • Protect electronic and physical records
  • Define access rights for audit and review teams
  • Manage data retention after certification ends

Pro tip: Include confidentiality clauses for remote auditing, especially if you use cloud platforms. Assessors are now checking for this due to increased online audits.

Common pitfall: Overlooking post-certification record security. Accreditation bodies often ask, “What happens to client data after suspension or withdrawal?” Have a clear, written answer.

Example: One CB updated its client contracts to specify that data would be securely archived for five years post-certification. During its next assessment, this proactive clause earned specific praise.

Continual Improvement and Non-Conformity Procedures (Across Clauses 9 & 10)

Non-conformities are inevitable—it’s how you respond that counts.

You’ll need procedures for:

  • Identifying and documenting non-conformities
  • Performing root-cause analysis
  • Implementing and verifying corrective actions
  • Tracking trends for continual improvement

Pro tip: Use your internal audit data as an early-warning system. When you spot repeated findings, it’s a sign your system needs a deeper fix.

Common pitfall: Closing non-conformities just to “tick the box” without verifying effectiveness. Assessors pick this up fast.

Example: I worked with a CB that categorized every non-conformity by type and clause. After a year, they used trend data to redesign their training sessions—cutting internal errors in audit files by a third.

FAQs – Common Questions on ISO/IEC 17021-1 Mandatory Procedures

Q1. Are documented procedures required for every clause?
Not exactly. Only clauses that govern key activities—like governance, competence, process, and management system—require documented procedures. The rest can be handled through policies or records as long as intent is clear.

Q2. Can we merge multiple procedures into one document?
Absolutely. Many efficient CBs integrate their process and management-system procedures into one manual. What matters is clarity, not quantity.

Q3. Are electronic procedures acceptable to accreditation bodies?
Yes—as long as they’re controlled, versioned, and accessible to your team. Digital systems are now common and even preferred for consistency.

Building a Practical ISO/IEC 17021-1 Procedure Framework

If there’s one thing I tell every certification body, it’s this: keep your ISO/IEC 17021-1 procedures lean, clear, and functional. You don’t need a hundred pages of documentation—you need documents that actually guide your people and satisfy assessors.

I’ve seen CBs transform their audits just by refining these core procedures. When your governance, competence, process, and management-system procedures work together, accreditation becomes a smoother, more predictable journey.

If you want to skip the guesswork, you can:

  • Download QSE Academy’s ISO/IEC 17021-1 Mandatory Procedures Template Pack, or
  • Book a consultation to have these procedures customized for your certification body.

Either way, make this the year your documentation finally works as efficiently as your audits.
