Over the years, I’ve helped certification bodies prepare for accreditation audits, and I’ve noticed something consistent — even well-organized CBs get caught off guard when assessors start asking deeper questions.
They have the documents. They have the procedures. But when it comes to showing evidence — competence evaluations, impartiality records, or certification-decision trails — things start to unravel.
The truth is, most findings during ISO/IEC 17021-1 audits aren’t about misunderstanding the standard. They’re about weak implementation. In this article, we’ll unpack the most common non-conformities clause by clause, and I’ll show you what causes them — plus what actually works to prevent them.
Clause 6: Structural Requirements – Impartiality and Organizational Independence
If there’s one area accreditation bodies always scrutinize first, it’s impartiality. And for good reason — it’s the foundation of your credibility as a certification body.
Here’s what assessors keep finding:
Impartiality committees that exist on paper but never meet.
Conflict-of-interest assessments done once, years ago.
Certification decisions influenced by commercial interests or consultancy links.
Pro Tip: Keep a living impartiality-risk register and update it every quarter. Don’t just list risks — record what actions you’ve taken to mitigate them.
Common Mistake: Thinking a signed “impartiality declaration” is enough. Assessors want to see ongoing evaluation, not one-time paperwork.
Example: A CB I supported had their impartiality committee meet annually but never analyzed new risks. The assessor flagged it as a major non-conformity. Once they started tracking risk trends quarterly, that issue never came back.
Clause 7: Resource Requirements – Auditor and Decision-Maker Competence
Competence is the backbone of ISO/IEC 17021-1 — and it’s where the majority of findings appear.
Typical problems include:
Missing competence evidence for auditors and technical experts.
Outdated training records.
Decision-makers approving certifications outside their technical scope.
Pro Tip: Build a simple “Competence File” for each person. Include qualifications, scope coverage, witnessed audits, training, and re-approvals. Keep it updated and centralized.
Common Pitfall: Assuming ISO 9001 lead-auditor training equals competence. Under 17021-1, competence must match the specific certification scope.
Example: One certification body failed because its decision-maker, though experienced, hadn’t been evaluated for the construction-sector scope they were approving. After fixing the matrix and re-evaluating everyone, their next audit went smoothly.
Clause 8: Information Requirements – Confidentiality, Complaints & Public Information
Clause 8 is where administrative discipline really matters. Assessors expect tight control over public information, confidentiality, and complaints.
Common findings:
Public lists of certified clients not up to date.
Missing confidentiality agreements for subcontracted auditors.
Complaints logged but not resolved or analyzed for trends.
Pro Tip: Keep one master complaint and appeal tracker. Add timestamps, root-cause notes, and resolution details — all in a single file.
Common Mistake: Splitting complaint and appeal records between departments. That fragmentation makes it look like you’re not managing them consistently.
Example: A CB avoided escalation to a major finding when they switched to a digital tracker that linked each complaint to corrective actions and closure verification. Assessors loved it — it showed traceability and responsiveness.
Clause 9: Process Requirements – Audit, Review & Certification Decisions
Clause 9 is the heart of your operations, and it’s where assessors find the most non-conformities.
Here’s what goes wrong most often:
Audit programs don’t reflect client size, risk, or complexity.
Audit reports lack objective evidence or clear conclusions.
Certification decisions made before non-conformities are closed.
The same person performing and reviewing the audit.
Pro Tip: Implement a “four-eye” review system — every audit report should be reviewed and approved by a qualified, independent reviewer before certification.
Common Pitfall: Mixing roles. ISO/IEC 17021-1 requires separation between auditing, reviewing, and certification decision-making.
Example: One CB was downgraded in their accreditation review because their audit reports lacked reviewer signatures. A simple revision of their report-approval workflow fixed the issue permanently.
Clause 10: Management System Requirements – Internal Audits & Management Review
Clause 10 often looks easy but causes repeat findings. The issue isn’t usually missing audits — it’s the quality of those audits and follow-up actions.
Typical findings include:
Internal audits that don’t cover all processes annually.
Corrective actions closed without verifying effectiveness.
Management reviews missing impartiality or performance data.
Pro Tip: Schedule smaller, rolling internal audits instead of one big annual event. It keeps findings current and easier to manage.
Common Mistake: Treating management reviews like formalities. They should analyze trends, performance metrics, and risks — not just approve minutes.
Example: One CB turned around its recurring Clause 10 non-conformity by redesigning its management-review template. It now includes data dashboards and risk updates, which assessors praised for transparency.
Pro Tip: Conduct a clause-by-clause readiness check using your internal-audit checklist a month before accreditation. It’s the closest simulation you’ll get to a real assessment.
Common Pitfall: Waiting for assessors to find problems for you. Internal audits are your best opportunity to discover and fix issues before anyone else does.
FAQs – ISO/IEC 17021-1 Audit Non-Conformities
Q1. What counts as a major non-conformity? Anything that casts doubt on your ability to make impartial, competent certification decisions — like missing competence evidence or unresolved impartiality risks.
Q2. How fast do we need to close non-conformities? Usually within 30–60 days. Your corrective-action plan must include cause analysis, action taken, and effectiveness verification.
Q3. Can repeated minor findings lead to suspension? Yes. Multiple repeat minors often signal a systemic issue and can escalate to a major non-conformity during re-accreditation.
Learn from Common Mistakes and Strengthen Your System
Most non-conformities aren’t surprises — they’re missed opportunities for follow-up. When you treat impartiality reviews, competence checks, and internal audits as living processes instead of one-time tasks, findings start disappearing.
In my experience, 80% of ISO/IEC 17021-1 issues can be avoided with one thing: consistent internal auditing and documentation discipline.
If you’re preparing for accreditation, start by reviewing these five clauses. Then go one step further — use a structured checklist to verify compliance, record evidence, and close gaps before assessors walk in.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.