Third-Party Certification

In order for standards to be useful, they must be used.

The primary use of ISO management system standards is certification or registration. In this context, the words “certification” and “registration” mean the same thing and are used interchangeably.

The purpose of this web page is to provide basic information about the third-party certification processes. In particular, information is provided about the following topics:

• What is Conformity Assessment?
• An Overview of Standard-Setting Processes
• Certification – the Process of Determining Conformance
• Accreditation – Evaluating the Evaluators
• The ISO 14001 Conformity Assessment Process
• Choosing a Registrar

What is Conformity Assessment?

Conformity Assessment is the process whereby a product, process, service or system is evaluated against specified requirements. It includes activities such as sample testing, management system registration and product certification.

Conformity assessment is supported by three separate, yet interrelated, processes – standard-setting, accreditation and certification. Just as you need at least three legs to support a stool, each of these underlying processes is one leg supporting the integrity of the overall conformity assessment process.

An Overview of Standard-Setting

The first leg supporting conformity assessment is standard-setting.

In order to assess conformance, you need to know the specific requirements you need to meet. These requirements are typically set out in a written standard.

There are hundreds of organizations around the world which develop written standards. Each country typically has at least one standard-setting body and many have several. ISO, the International Organization for Standardization, was established in 1947 specifically to promote the development of international consensus standards that replace country-specific standards and so facilitate international trade.

There are literally thousands of voluntary standards – as many as 50,000 standards in the United States alone. Some standards are very specific, whereas others are general in nature. Some standards have been adopted universally, while others may apply in only one country. Some are specific to a particular company or industry; others have been developed for use across a number of industries. There are more than 15,000 ISO standards covering topics from paper sizes and film speed to measurement units and management systems.

Certification – the Process of Determining Conformance

Certification is the process by which a party gives a written assurance that a product, service, system, process or material conforms to specific requirements (a standard). It is the second leg supporting the conformity assessment process.

There are hundreds of certification bodies around the world. These organizations inspect, audit, test and certify everything from bananas and shoes to electronic components, chemicals and management systems.

Although certification can be done through self-declaration (first-party certification) or customer audits (second-party certification), it is usually considered more reliable if it is conducted by an independent third party. The fundamental requirement for third-party certification is independence, commonly understood as the lack of potential conflicts of interest on the part of the organizations and the individuals conducting the evaluation.

Other requirements for a certification program include developing a means of assuring technical proficiency on the part of inspectors or auditors and establishing systems that ensure reliable and consistent results. These requirements are imposed on certification bodies through the accreditation process.

Accreditation – Evaluating the Evaluators

The question often arises – “Who audits the auditor?”

In other words, what “watchdog” agencies, programs or processes are in place to make sure the public can rely upon the results of an audit or certification process? This is the role of the third leg of the conformity assessment process, accreditation.

Accreditation is the process by which an authoritative body gives formal recognition to a person or an organization that it is competent to carry out specific tasks. Typically, each country has at least one accreditation body. These accreditation organizations are usually government agencies or non-profit organizations endorsed by the government. As part of the accreditation process, accreditation bodies review the processes and systems of the registrars.

The Conformity Assessment Process

To understand how conformity assessment works for ISO 14001 and OHSAS 18001, it is helpful to understand the interrelationship between the standards, the processes and the parties that play a role in registering a company.

First, the standards.

ISO 14001 sets out the requirements a company must meet to establish a “conforming” environmental management system. Similarly, OHSAS 18001 sets out the requirements that an organization needs to meet when establishing an occupational safety and health management system.

These management system standards were developed in accordance with the directives and guides that govern international standard development processes.

The development, and subsequent revision, of the ISO 14001 standard is the responsibility of ISO Technical Committee 207, which is made up of representatives of each of the member countries of ISO. The United States develops input and comments on the ISO 14000 standards through the Technical Advisory Group (TAG) to TC 207, which is an ANSI committee with the American Society for Quality (ASQ) as the TAG Administrator.

Next, the processes.

The conformity assessment processes are certification (registration) and accreditation. These processes are influenced or governed by a host of national and international agreements, standards and parties. In particular, the rules for accreditation and registration are developed by CASCO – ISO’s Committee on Conformity Assessment.

In order to be certified (i.e., registered), an organization must follow the rules established by the registrar that issues it a certificate, and, in turn, the registrar must follow the rules established by the accreditation body that accredits that particular registrar. These rules may be more stringent than the requirements established within ISO 14001 and OHSAS 18001.

Finally, the parties.

In the United States, the accreditation body that accredits ISO 9001 and ISO 14001 registrars is the ANSI/ASQ National Accreditation Board (ANAB). There are several other accrediting bodies around the world. These accreditation bodies have entered into a mutual recognition agreement as members of the International Accreditation Forum (IAF).

In order to be accredited, each registrar must develop written procedures to govern its ISO 14001 registration process. Registrars are subject to periodic surveillance audits by their accreditation bodies to ensure audit reliability and impartiality. A registrar that fails to follow its written procedures or is found to have engaged in improper activities may have its accreditation withdrawn.

One of the requirements registrars must meet is to use competent auditors.

Choosing a Registrar

Now that you have a basic understanding of the overall ISO certification process, how do you go about selecting a registrar to certify your environmental management system?

The first question you need to answer is whether you need third-party certification. ISO 14001 can be used without third-party certification. Organizations can self-certify their conformance to the standard and many have used this approach. This is particularly true for governmental agencies that already have independent oversight mechanisms in place. On the other hand, if you have a major customer who is requiring an ISO 14001 certificate, third-party certification will likely be mandatory.

If third-party certification is not required, the next question asked is usually “What benefit will it provide?” Organizations have found third-party certification to be helpful for several reasons:

• In large organizations, third-party certification can give executive management an independent evaluation of their management systems. This prevents top management from only hearing what middle managers want them to hear.

• Regularly-scheduled third-party reviews can prevent other activities from taking top priority and focus management attention, at least periodically, on environmental concerns.

• Third-party auditors can provide input to assist organizations in assessing their processes against industry best practices and to provide input for continual improvement of their management systems.

Once you decide to move forward with third-party certification, it is important to choose your registrar carefully, taking into account your overall business goals. Given the nature of the conformity assessment process, you will be choosing someone with whom you will have a business relationship for at least three years.

Approaches vary widely, so it is worthwhile to get proposals from several registrars. It is also important to keep in mind that the overall cost to your organization includes the costs of implementing a system that meets the registrar’s particular requirements, travel costs for the registration auditor(s) who will be visiting your facility and the time and resources you will need to support the periodic in-person registration audits. These indirect costs may be substantially more than the direct costs spelled out in the registration contract.