When ISO/IEC 17021-1 was updated in 2015, many certification bodies thought they could just tweak their old procedures and call it a day. But during accreditation reviews, I’ve seen how that assumption backfires. Assessors aren’t just looking for document control—they’re looking for evidence that your system reflects the new intent behind the 2015 version.
Updating your procedures isn’t busywork. It’s how you align your certification body with modern expectations—competence-based evaluations, impartiality in decisions, and risk-driven management. In this guide, I’ll walk you through what to update, how to update it, and how to make those changes stick without drowning in paperwork.
The 2015 revision brought ISO’s High-Level Structure (Annex SL) into the picture. That means your procedures now need to fit a more standardized logic—clear context, leadership involvement, and risk-based thinking.
Three big shifts to keep in mind:
Competence: Auditors, technical experts, and decision-makers must have documented, ongoing competence evaluations.
Impartiality: Decision processes must be clearly separated from audit activities.
Consistency: Audit programs, sampling methods, and reporting formats must follow uniform rules.
Pro Tip: Don’t start by rewriting everything. Begin by mapping your 2011 clauses against 2015. It’ll show you exactly where your procedures fall short.
Common mistake: Re-labelling old procedures with the new clause numbers but leaving the actual content unchanged. Assessors notice that instantly.
Identifying Which Procedures Need Updating
Start by listing every documented procedure in your management system. Then mark which ones are affected by the 2015 update. Typically, you’ll need to revise:
Audit Program Planning & Scheduling – to align with competence and impartiality rules.
Competence Evaluation – now requires ongoing monitoring, not just initial approval.
Certification Decision Process – must demonstrate role separation.
Document & Record Control – needs risk-based access and retention justification.
Management Review & Internal Audit – should integrate risk and improvement focus.
One certification body I worked with assumed only their competence procedure needed changes. But when we reviewed their audit program, we realized it didn’t include sampling justification—something assessors now emphasize.
Action Step: Classify each procedure as Compliant, Needs Update, or Missing. That single exercise can save you weeks during transition prep.
How to Update Procedures Step-by-Step
Here’s a practical, no-fluff approach that actually works:
Review each relevant 2015 clause. Focus on intent, not just wording.
Compare line-by-line with your current procedure. Highlight any mismatch.
Update roles and responsibilities—especially where impartiality or competence overlaps.
Integrate risk-based thinking. Add checks or decision points where risks are identified.
Simplify language. Write procedures your team will actually use, not just auditors.
Get approval and communicate. Make sure every revision is reviewed, signed off, and shared.
Pro Tip: Keep procedures practical. Replace paragraphs with process flowcharts or bullet-style steps when possible—it makes training and audits easier.
Common mistake: Updating procedures but forgetting to revise related forms and records. The mismatch will trigger nonconformities.
Embedding Risk-Based Thinking
ISO/IEC 17021-1:2015 expects your certification body to anticipate and control risks, not just react to them.
You can build that directly into procedures by asking one simple question: “What could go wrong in this step, and how do we prevent it?”
For example:
In impartiality reviews, identify potential conflicts before audit assignment.
In audit planning, consider the risk of inadequate sampling.
In certification decisions, review the risk of bias or undue influence.
One CB I worked with added a “risk check” section to every procedure template. It wasn’t fancy, but it made their system look—and perform—far more mature.
Pro Tip: Use a simple “risk consideration” note at the end of each procedure instead of creating a separate risk register.
Verifying and Validating Updated Procedures
Updating your procedures isn’t the finish line—you still need to prove they work.
Start by running internal audits focused on the revised processes. Then, conduct a management review to confirm they’re effective and understood.
Ask your team what’s working and what isn’t. In my experience, auditors in the field catch practical issues faster than anyone else.
Common mistake: Forgetting to update linked records. If you revise the audit procedure but not the report template, the inconsistency will show up instantly during witness assessments.
Action Step: Maintain a simple Document Change Log—list procedure name, date, change summary, and reviewer. Assessors love seeing it; it proves control and traceability.
Training and Communication – Making It Stick
The best procedure update means nothing if your team doesn’t follow it.
Once updates are approved:
Hold short refresher sessions for auditors and technical experts.
Share summary sheets showing what’s changed and why.
Update job descriptions or competency matrices if responsibilities shifted.
One certification body I coached added a 15-minute “procedure of the week” briefing to their audit planning meetings. Within a month, everyone was aligned—and their audit reports became far more consistent.
Pro Tip: Skip long PowerPoint trainings. Focus on showing examples of how the updated procedure actually improves daily work.
FAQs – Quick Answers to Common Questions
Q1: Do I have to rewrite every procedure? No. Only those affected by the 2015 updates or connected to competence, impartiality, and risk management.
Q2: Should I keep older versions? Yes. Archive them with change logs—it shows your commitment to continual improvement.
Q3: How often should procedures be reviewed? At least once a year, or whenever there’s a major change in accreditation or ISO standards.
Procedure Updates as Continuous Improvement
Updating your procedures for ISO/IEC 17021-1:2015 isn’t just compliance—it’s smart management. It ensures your system reflects how your certification body actually operates today.
The more you simplify, clarify, and integrate risk thinking, the stronger your system becomes—and the smoother your next accreditation audit will go.
At QSE Academy, we’ve helped dozens of certification bodies rewrite and validate their procedures for ISO/IEC 17021-1 compliance with zero major findings.
If you want a head start, download our ISO/IEC 17021-1 Procedure Update Checklist or schedule a quick review session—we’ll help you streamline your documentation and align your system confidently.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.
