ISO/IEC DIS 17067: Conformity assessment — Fundamentals of and guidelines for conformity assessment schemes

Secretariat: ISO/CASCO

ISO/IEC DIS 17067:2025(en)

Date: 2025-06-06

Conformity assessment — Fundamentals of and guidelines for conformity assessment schemes

Évaluation de la conformité — Éléments fondamentaux de l’évaluation de la conformité et lignes directrices pour les programmes de l’évaluation de la conformité

© ISO/IEC 2025

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO Copyright Office

CP 401 • CH-1214 Vernier, Geneva

Phone: + 41 22 749 01 11

Email: copyright@iso.org

Website: www.iso.org

Published in Switzerland.

Table of Contents

Foreword

Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Conformity assessment schemes (programmes) and systems

4.1 Schemes and systems

4.2 Objects of conformity assessment

4.3 Specified requirements

4.4 Methodology

5 Functional approach to conformity assessment

5.1 General

5.2 Conformity assessment activities

5.3 Selection and determination

5.4 Review, decision and attestation

5.5 Surveillance

6 Content of a scheme

6.1 Functional approach implemented in the scheme

6.1.1 Sampling

6.1.2 Prior conformity assessment results

6.1.3 Outsourcing of the conformity assessment activities

6.1.4 Surveillance

6.2 Licensing and controlling the use of statement of conformity

6.3 Reporting to the scheme owner

6.4 Complaints and appeals

6.5 Rules and procedures of a scheme

7 Scheme owner responsibility

7.1 General

7.2 Scheme owner

7.3 Ownership

7.4 Development

7.5 Management

7.6 Maintenance

7.7 Scheme integrity

8 Lifecycle of a scheme

8.1 Identifying the need for conformity assessment schemes

8.2 Development of schemes

8.3 Scheme documentation

8.4 Discontinuing a scheme

9 Categorization and types of schemes

Annex A (Informative) Conformity assessment schemes that include product, process or service certification

Annex B - Conformity assessment schemes that include management system certification

Annex C - Conformity assessment schemes that include certification of persons

Annex D - Conformity assessment programmes that include validation/verification

Annex E - Conformity assessment schemes that include inspection

Annex F - Conformity assessment schemes that include testing

Annex G - Conformity assessment schemes that include accreditation

Annex H - Conformity assessment schemes that include peer assessment

Annex I - Conformity assessment schemes that include declaration

Annex J - Conformity assessment schemes that include multiple types of objects of conformity assessment

Annex K - Typical characteristics of schemes

Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see https://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.

This document was prepared by the ISO Committee on Conformity Assessment (CASCO).

This second edition cancels and replaces the first edition (ISO/IEC 17067:2013), which has been technically revised.

The main changes are as follows:

— The scope of the standard expanded to apply to conformity assessment schemes in general;

— The title of the standard updated to reflect the extended scope;

— Individual clauses rephrased to apply to conformity assessment schemes in general;

— Clauses added to provide specifics (e.g. on product certification schemes) where necessary.

Introduction

0.1   This document provides fundamental concepts, principles and guidelines for conformity assessment schemes (which are sometimes referred to as “conformity assessment programmes”).

0.2   Conformity assessment performed in accordance with a conformity assessment scheme can provide assurance to interested parties via demonstration that specified requirements are fulfilled. Conformity assessment can thus provide assurance to interested parties in areas, including but not limited to, legal compliance, health and safety, suitability for intended use, performance, durability, compatibility, environmental impacts, governance and social impacts, resource use efficiency and resource circularity, management and use of information technology, climate change and sustainability matters.

0.3   This document is intended for those who have an interest in conformity assessment schemes, particularly those who own or operate schemes, or are considering development of a scheme. These people and their organizations can include:

a) governments and regulatory authorities;

b) industry, trade associations and organizations (e.g. retailers) within value chains;

c) procurement and purchasing agencies;

d) non-governmental organizations (NGOs);

e) consumer organizations; and

f) bodies undertaking conformity assessment activities.

0.4   A conformity assessment scheme can be operated at an international, regional, national, sub-national level, or for a specific industry sector or value chain. A scheme can be documented or only orally created.

0.5   A conformity assessment scheme is defined as a set of rules and procedures that:

a) describes objects of conformity assessment;

b) identifies the specified requirements; and

c) provides the methodology for performing conformity assessment.

0.6   This document is part of the series of ISO/IEC and ISO documents on conformity assessment that is developed and maintained by the ISO Committee on Conformity Assessment (CASCO). This series of ISO/IEC and ISO documents is colloquially known as the “CASCO Toolbox” and contributes to the development of “conformity assessment procedures” as referenced in the World Trade Organization Agreement on Technical Barriers to Trade (WTO/TBT). This series is applied and used by ISO and its members, IEC and its national committees, and organizations outside of ISO and IEC (e.g. regulatory authorities, NGOs and accreditation bodies) for globally accepted conformity assessment practice.

0.7   In this document, the following verbal forms of expression are used:

— “should” indicates a recommendation;

— “may” indicates a permission;

— “can” indicates a possibility or a capability.

The modal verb "shall", which indicates a requirement, is not used because this document only provides guidelines. Further details can be found in the ISO/IEC Directives, Part 2.

0.8   Unless explicitly stated otherwise, for ease of comprehension of this document, the terms conformity assessment scheme and conformity assessment programme are considered synonyms, and referred to in this document by the short term scheme.

0.9   Where the context is unambiguous, scheme and system are used in short for the full terms conformity assessment scheme and conformity assessment system, respectively.

0.10   Where the context is unambiguous, object is used in short for the full term object of conformity assessment.

Conformity assessment — Fundamentals of and guidelines for conformity assessment schemes

1.0 Scope

This document describes the fundamental principles and concepts of conformity assessment schemes (programmes) and provides guidelines for understanding, developing, operating or maintaining them.

2.0 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17000:2020, Conformity assessment — Vocabulary and general principles

3.0 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17000 (2020) and the following apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at https://www.electropedia.org/

3.1

conformity assessment

demonstration that specified requirements (3.3) are fulfilled

Note 1 to entry: The process of conformity assessment as described in the functional approach in Annex A of ISO/IEC 17000 can have a negative outcome, i.e. demonstrating that the specified requirements are not fulfilled.

Note 2 to entry: Conformity assessment includes activities, such as but not limited to testing, inspection, validation, verification, certification (3.17), and accreditation (3.18).

Note 3 to entry: Conformity assessment is explained in Annex A of ISO/IEC 17000 as a series of functions. Activities contributing to any of these functions can be described as conformity assessment activities.

Note 4 to entry: This document does not include a definition of “conformity”. “Conformity” does not feature in the definition of “conformity assessment”. Nor does this document address the concept of compliance.

[SOURCE: ISO/IEC 17000:2020, 4.1, modified – Notes to entry 1 and 3, words "of ISO/IEC 17000" added.]

3.2

object of conformity assessment

object

entity to which specified requirements (3.3) apply

EXAMPLE Product, process, service, system, installation, project, data, design, material, claim, person, body or organization, or any combination thereof.

Note 1 to entry: The term “body” is used in this document to refer to the conformity assessment body (3.19) and accreditation body (3.20). The term “organization” is used in its general meaning and may include bodies according to the context. The more specific ISO/IEC Guide 2 definition of an organization as a body based on membership is not applicable to the field of conformity assessment (3.1).

[SOURCE: ISO/IEC 17000:2020, 4.2]

3.3

specified requirement

need or expectation that is stated

Note 1 to entry: Specified requirements can be stated in normative documents such as regulations, standards and technical specifications.

Note 2 to entry: Specified requirements can be detailed or general.

[SOURCE: ISO/IEC 17000:2020, 5.1]

3.4

conformity assessment scheme

conformity assessment programme

set of rules and procedures (3.21) that describes the objects of conformity assessment (3.2), identifies the specified requirements (3.3) and provides the methodology (3.22) for performing conformity assessment (3.1)

Note 1 to entry: A conformity assessment scheme can be managed within a conformity assessment system (3.5).

Note 2 to entry: A conformity assessment scheme can be operated at an international, regional, national, sub-national, or industry sector level.

Note 3 to entry: A scheme can cover all or part of the conformity assessment functions explained in Annex A of ISO/IEC 17000.

[SOURCE: ISO/IEC 17000:2020, 4.9, modified – Note to entry 3, words "of ISO/IEC 17000" added.]

3.5

conformity assessment system

set of rules and procedures (3.22) for the management of similar or related conformity assessment schemes (3.4)

Note 1 to entry: A conformity assessment system can be operated at an international, regional, national, sub-national, or industry sector level.

[SOURCE: ISO/IEC 17000:2020, 4.8]

3.6

owner

owner of a system

owner of a scheme

system owner

scheme owner

person or organization responsible for the development and maintenance of a conformity assessment system (3.5) or conformity assessment scheme (3.4)

Note 1 to entry: A scheme owner does not necessarily operate the scheme (3.4).

Note 2 to entry: A system owner or a scheme owner can be a conformity assessment body (3.19) itself, a governmental authority, a trade association, a group of conformity assessment bodies or others.

[SOURCE: ISO/IEC 17000:2020, 4.13]

3.7

participant

participant in a system

participant in a scheme

person or organization that implements or operates under the rules and procedures (3.21) of a conformity assessment system (3.5) or scheme (3.4) without being involved in their development, revision or approval

[SOURCE: ISO/IEC 17000:2020, 4.11]

3.8

member

member of a system

member of a scheme

person or organization that is involved in the development, revision or approval of the rules and procedures (3.21) of a conformity assessment system (3.5) or scheme (3.4)

[SOURCE: ISO/IEC 17000:2020, 4.12]

3.9

first-party conformity assessment activity

conformity assessment activity that is performed by the person or organization that provides or that is the object of conformity assessment (3.2)

Note 1 to entry: The first-, second- and third-party descriptors used to characterize conformity assessment activities in relation to a given object are not to be confused with the legal identification of the relevant parties to a contract.

EXAMPLE Activities performed by providers, designers or owners of the object, investors in the object, and advertisers or promoters of the object.

Note 2 to entry: If an activity is performed by an external body acting on behalf of and controlled by a person or organization that provides or is the object, the activity is still called a first-party conformity assessment activity (e.g. internal audits performed by a consultant who is not part of the organization).

[SOURCE: ISO/IEC 17000:2020, 4.3]

3.10

second-party conformity assessment activity

conformity assessment activity that is performed by a person or organization that has a user interest in the object of conformity assessment (3.2)

Note 1 to entry: The first-, second- and third-party descriptors used to characterize conformity assessment activities in relation to a given object are not to be confused with the legal identification of the relevant parties to a contract.

EXAMPLE Persons or organizations performing second-party conformity assessment activities include, for example, purchasers or users of products, or potential customers seeking to rely on a supplier's management system, or organizations representing those interests. Examples of organizations representing user interest include consumer advocacy organizations, regulatory authorities implementing legislation governing products and services for the protection of consumer and public interests, centralized government procurement organizations and private sector purchasing agents.

Note 2 to entry: If an activity is performed by an external body acting on behalf of and controlled by a person or organization with a user interest, the activity is still called a second-party conformity assessment activity (e.g. supply chain audits conducted by an external body on behalf of the purchaser).

[SOURCE: ISO/IEC 17000:2020, 4.4]

3.11

third-party conformity assessment activity

conformity assessment activity that is performed by a person or organization that is independent of the provider of the object of conformity assessment (3.2) and has no user interest in the object

Note 1 to entry: The first-, second- and third-party descriptors used to characterize conformity assessment activities in relation to a given object are not to be confused with the legal identification of the relevant parties to a contract.

[SOURCE: ISO/IEC 17000:2020, 4.5]

3.12

review

consideration of the suitability, adequacy and effectiveness of selection and determination activities, and the results of these activities, with regard to fulfilment of specified requirements (3.3) by an object of conformity assessment (3.2)

Note 1 to entry: A description of “selection and determination activities” is included in Clauses 5.1 and 5.3 of this standard and in ISO/IEC 17000 A.2 and A.3.

[SOURCE: ISO/IEC 17000:2020, 7.1, modified – Note to entry 1 added.]

3.13

decision

conclusion, based on the results of review (3.12), that fulfilment of specified requirements (3.3) has or has not been demonstrated

[SOURCE: ISO/IEC 17000:2020, 7.2]

3.14

attestation

issue of a statement, based on a decision (3.13), that fulfilment of specified requirements (3.3) has been demonstrated

Note 1 to entry: The resulting statement, referred to in this document as a “statement of conformity”, is intended to convey the assurance that the specified requirements have been fulfilled. Such an assurance does not, of itself, provide contractual or other legal guarantees.

Note 2 to entry: First-party attestation and third-party attestation are distinguished by the terms declaration (3.16), certification (3.17) and accreditation (3.18), but there is no corresponding term applicable to second-party attestation.

[SOURCE: ISO/IEC 17000:2020, 7.3]

3.15

surveillance

systematic iteration of conformity assessment activities as a basis for maintaining the validity of the statement of conformity

[SOURCE: ISO/IEC 17000:2020, 8.1]

3.16

declaration

first-party attestation (3.14)

[SOURCE: ISO/IEC 17000:2020, 7.3]

3.17

certification

third-party attestation (3.14) related to an object of conformity assessment (3.2), with the exception of accreditation (3.18)

[SOURCE: ISO/IEC 17000:2020, 7.6]

3.18

accreditation

third-party attestation (3.14) related to a conformity assessment body (3.19), conveying formal demonstration of its competence, impartiality and consistent operation in performing specific conformity assessment activities

[SOURCE: ISO/IEC 17000:2020, 7.7]

3.19

conformity assessment body

body that performs conformity assessment activities, excluding accreditation (3.18)

[SOURCE: ISO/IEC 17000:2020, 4.6]

3.20

accreditation body

authoritative body that performs accreditation (3.18)

Note 1 to entry: The authority of an accreditation body can be derived from government, public authorities, contracts, market acceptance or scheme owners.

[SOURCE: ISO/IEC 17000:2020, 4.7]

3.21

procedure

specified way to carry out an activity or a process

Note 1 to entry: In this context, a process is defined as a set of interrelated or interacting activities that use inputs to deliver an intended result.

[SOURCE: ISO/IEC 17000:2020, 5.2]

3.22

methodology

systematic collection of methods

3.23

complaint

expression of dissatisfaction, other than appeal (3.24), by any person or organization to a conformity assessment body (3.19) or an accreditation body (3.20), relating to the activities of that body, where a response is expected

[SOURCE: ISO/IEC 17000:2020, 8.7]

3.24

appeal

request by the person or organization that provides, or that is, the object of conformity assessment (3.2) to a conformity assessment body (3.19) or an accreditation body (3.20) for reconsideration by that body of a decision (3.13) it has made relating to that object

[SOURCE: ISO/IEC 17000:2020, 8.6]

4.0 Conformity assessment schemes (programmes) and systems

4.1 Schemes and systems

4.1.1 The set of rules and procedures defined as a “conformity assessment scheme” or “conformity assessment programme” relates to:

1) a description of the object of conformity assessment (see Clause 4.2);

2) identification of the specified requirements (see Clause 4.3); and

3) provision of the methodology (see Clauses 4.4 and 5) for performing conformity assessment (e.g. rules for persons and organizations involved in conformity assessment, procedures for individual activities, rules and procedures for issuing statements of conformity).

4.1.2 Rules and procedures can be unique to a conformity assessment scheme or shared by multiple schemes. The rules and procedures shared by multiple schemes can be described and documented separately from the content of the individual schemes. Such common rules and procedures can relate to concepts (e.g. specific to a sector or an application), structure, methodology, requirements, or other content shared by the schemes. Documents providing such general contents for multiple schemes are different from documents establishing an individual conformity assessment scheme. Sometimes these documents are referred to as “frameworks”.

4.1.3 Depending on the object of conformity assessment, and the needs of users of conformity assessment, a scheme can be used only once or repeatedly.

4.1.4 The rules and procedures in a scheme can be recorded in a single document or recorded in multiple documents linked by reference. Documented schemes can be a set of rules and procedures in many documents and can be intended for repeated use over a long period of time.

4.1.5 A conformity assessment system is also a set of rules and procedures. A conformity assessment system can be applied to manage several conformity assessment schemes that are similar or related. Whenever conformity assessment is performed a scheme always exists, but a system for managing schemes is optional. Figure 1 illustrates the relationship between a scheme and a system.

 

Figure 1 — Relationship between conformity assessment scheme and conformity assessment system

4.2 Objects of conformity assessment

4.2.1 An object of conformity assessment can be, for example, a product, process, service, management system, system, design, project, data, information, programme, material, installation, claim, person, body or organization, or any combination thereof (e.g. a product and its production process, an installation and its maintenance service). The conformity assessment scheme should clearly describe the object of conformity assessment and its characteristics to which the specified requirements within the scheme will apply.

4.2.2 The object can be a single item or a group of items based on common characteristics (e.g. any area of land used for a specific purpose, any person with a specific ability, any management system for a specific discipline within organizations, or anybody performing a specific type of activity).

4.2.3 Schemes that describe multiple objects can identify different specified requirements to be used for each object.

4.3 Specified requirements

4.3.1 Specified requirements applicable to the object of conformity assessment are needs or expectations that are stated. The content of specified requirements can, but does not always, indicate the type of object of conformity assessment to which it pertains.

4.3.2 Specified requirements are chosen for the scheme so that, when fulfilled, needs and concerns for assurance are resolved.

4.3.3 Specified requirements are often in the form of provisions in normative documents such as standards, technical specifications, codes of practice and regulations.

4.3.4 Specified requirements can be detailed (e.g. specific expression of measurements or data) or general (e.g. properties and qualities, such as “safe to use” or “fit for intended purpose” or “fit for intended use”).

4.3.4 Where applicable, the specified requirements should be written in terms of results or outcomes, together with limiting values and tolerances. The specified requirements should be stated unambiguously using wording that is objective, logical, valid and specific and enable consistent application by organizations as well as evaluation across conformity assessment bodies.

4.3.5 Identification of the specified requirements for the conformity assessment scheme can be made by reference (e.g. to the applicable standards, technical specifications, regulation, or other normative documents) or by documentation as content of the scheme itself.

4.3.6 Further guidance for drafting normative documents suitable for use for conformity assessment, including documents which provide specified requirements, can also be found in ISO/IEC 17007.

4.4 Methodology

4.4.1 The rules and procedures for methodology that pertain to performing conformity assessment activities in the functions described in ISO/IEC 17000:2020, Annex A (the Functional Approach) are one element of a conformity assessment scheme. Individual demonstrations performed in accordance with the same scheme will follow the same methodology provided by the scheme.

4.4.2 A method or procedure for a specific individual activity within the functional approach (e.g. a sampling protocol, standardized method, test method, calibration method, inspection procedure, a general plan for an audit of a management system, a general plan for validation or verification of a type of claim, the formatting of a statement of conformity, etc.) can be included or referenced in the methodology provided in a scheme. However, a method or procedure for a specific individual activity is not by itself a methodology for demonstrating fulfilment of specified requirements as represented by the functional approach.

4.4.3 Methodology for performing conformity assessment can include, for example, rules and procedures for:

a) conformity assessment activities including methods for individual activities such as assessment, auditing, design review, evaluation, examination, inspection, testing, validation, verification, review, decision and attestation;

b) conformity assessment activities during surveillance; and

c) a certificate, mark, label, listing in databases or on websites, approval, consent, permission, licence, marking, report, letter, or other statement of conformity issued to communicate that a successful demonstration of fulfilment of specified requirement by a specific object of conformity assessment exists.

5.0 Functional approach to conformity assessment

5.1 General

5.1.1 Conformity assessment is a series of functions that satisfy the need or demand for demonstration that specified requirements are fulfilled.

NOTE See ISO/IEC 17000:2020, Annex A.

The functions are:

a) selection, which involves planning and preparation activities in order to collect or produce all the information and input needed for the subsequent determination function;

b) determination, which relates to activities that are undertaken to develop or to gather complete information regarding fulfilment of the specified requirements by the object of conformity assessment or its sample;

c) review, decision and attestation, which includes review as the final stage of checking before taking the important decision as to whether or not the object of conformity assessment has been reliably demonstrated to fulfil the specified requirements, and attestation, which results in a statement of conformity communicating that fulfilment of specified requirements has been demonstrated.

5.1.2 The functional approach is the general structure for the methodology provided by conformity assessment schemes.

5.1.3 The aspects of the functional approach addressed by the scheme’s rules and procedures for methodology and the level of detail in those rules and procedures are decided when the scheme is developed and can be altered as the scheme is maintained.

5.1.4 When the rules and procedures for methodology are general, the scheme can be flexible and used broadly. However, leaving the choice of specific activities and details to bodies performing conformity assessment can result in significant differences in individual demonstrations performed in accordance with the scheme which can negatively impact the consistency of the assurance among these demonstrations. Very detailed rules and procedures, on the other hand, result in highly consistent assurance among different demonstrations performed in accordance with the scheme. However, very detailed rules and procedures can result in the applicability of the scheme being very narrow or delay improvement or innovation in the scheme. Implementing the appropriate balance between flexibility and consistency should be considered in developing and maintaining a scheme.

5.2 Conformity assessment activities

5.2.1 Activities contributing to any of the functions can be described as “conformity assessment activities”.

5.2.2 The rules and procedures for methodology can specify, for example:

a) what activities are to be performed;

b) who performs activities;

c) when activities are performed and their sequence;

d) where activities are performed;

e) how often activities are performed;

f) the method, plan, procedure, or instructions for individual activities.

5.2.3 Conformity assessment activities are performed in accordance with the rules and procedures of the scheme by conformity assessment bodies or accreditation bodies (collectively “bodies”). Any activities or details needed for demonstrating fulfilment of specified requirements but not addressed by the rules and procedures in the scheme will be left for the bodies to decide when performing activities in accordance with the scheme.

5.3 Selection and determination

5.3.1 Conformity assessment activities contributing to the selection function include but are not limited to planning, sampling and sample preparation.

5.3.2 Conformity assessment activities contributing to the determination functions include, but are not limited to, assessment, auditing, design review, evaluation, examination, inspection, peer assessment, testing, validation and verification.

5.3.3 Rules and procedures for testing and inspection can include decision rules as a basis for stating whether the items tested or inspected fulfil specified requirements. Such statements are part of the reported results of testing or inspection, pertain only to the items tested or inspected, and are different from the statement of conformity issued during attestation (see Clause 5.4.2). Rules and procedures for testing and inspection can specify that results are reported with no indication whether items tested or inspected fulfil specified requirements.

5.3.4 Likewise, rules and procedures for validation and verification can specify that reports include a conclusion regarding fulfilment of specified requirements by the evidence examined. Such conclusions are part of the reported results of validation and verification, pertain only to the evidence examined, and are different from the statement of conformity issued during attestation (see Clause 5.4.3). Rules and procedures for validation and verification can specify reports with no indication whether evidence examined fulfils specified requirements.

5.4 Review, decision and attestation

5.4.1 The decision is the defining activity of conformity assessment. It is based on the review, by which the suitability, adequacy, and effectiveness of the preceding activities and results are considered. Part of the review can be whether the object of conformity assessment fits the description in the scheme, whether the specified requirements used are those identified in the scheme, and whether activities were completed in accordance with the methodology provided by the scheme. The outcome of the review can be a recommendation for a subsequent decision. Or review and decision can be made concurrently by the same person. In some cases, schemes do not include rules and procedures for attestation, such as those that include rules and procedures for only testing or inspection without attestation.

5.4.2 Attestation is defined as the issue of a statement of conformity based on a decision that fulfilment of specified requirements has been demonstrated. The statement of conformity issued during attestation can cover the entire object of conformity assessment, not only the items or samples used in previous activities. It can convey the commitment by the body issuing the statement that a suitable, adequate and effective demonstration of the object’s fulfilment of specified requirements, performed in accordance with the pertinent scheme, exists. Examples of statements of conformity include certificates, marks, labels, listings in databases or on websites, approvals, consents, permissions, licences, markings, reports, letters.

5.4.3 Certain types of attestation have specific names. An attestation as a first-party activity is referred to as “declaration”, or “self-declaration”. An attestation as a third-party activity is referred to as “certification”, with the exception of “accreditation”. An attestation as a third-party activity related to fulfilment of requirements for competence, impartiality and consistent operation by a conformity assessment body is referred to as “accreditation”. Second-party attestation has no specific name. Conformity assessment bodies other than certification bodies can issue third-party attestations (see Annex J).

NOTE See ISO/IEC 17000:2020, 7.6 and 7.7.

5.5 Surveillance

5.5.1 The statement of conformity can have an expiration date after which it is not valid, and conformity assessment is repeated to attain a new statement of conformity. In other cases, a systematic iteration of conformity assessment activities can be performed as a basis for maintaining the validity of the statement of conformity issued during the attestation. This systematic iteration is surveillance.

5.5.2 The need for surveillance can be based on an object of conformity assessment that can change significantly over time or the nature of its production (e.g. for ongoing manufacturing of products or continuously provided services) or by the continuing use of a mark of conformity.

5.5.3 Surveillance activities can be the same in each iteration and repeated until the statement of conformity expires or is terminated or withdrawn. Or surveillance activities can change from iteration to iteration. A pattern of such iterations can be repeated as a cycle. At the end of each cycle a new statement of conformity can be issued or the next cycle started.

6.0 Content of a scheme

6.1 Functional approach implemented in the scheme

6.1.1 Sampling

The scheme should define when sampling is required, who is permitted to undertake it and how. Where applicable, the scheme should define the extent to which sampling of the object of conformity assessment is required, and on what basis such sampling should be undertaken as a selection function activity including an activity during surveillance.

NOTE Useful information on statistical sampling is given in ISO 10576, ISO 2859 (All Parts), ISO 3951 (All Parts) and ISO 22514 (All Parts).

6.1.2 Prior conformity assessment results

6.1.2.1 In some cases, the output of a conformity assessment activity, including a determination function activity (e.g. testing, inspection, validation, verification, auditing, or peer assessment) exists prior to starting conformity assessment. Or such outputs can be created by activities or bodies outside the demonstration that specified requirements are fulfilled. Such outputs can include findings of nonconformities.

6.1.2.2 The rules and procedures of the scheme should specify whether and under what conditions recognition (see ISO/IEC 17000:2020, 9.5), acceptance (the results can be utilized, see ISO/IEC 17000:2020, 9.6), neither, or both apply to such outputs.

NOTE ISO/IEC Guide 68 provides guidance on arrangements for the recognition and acceptance of conformity assessment results. ISO/IEC 17040 specifies general requirements for the peer assessment process carried out by agreement groups of accreditation bodies or conformity assessment bodies as basis for mutual recognition.

6.1.3 Outsourcing of the conformity assessment activities

6.1.3.1 The scheme should define whether and under what conditions bodies may outsource or subcontract conformity assessment activities. The scheme should state the degree to which prior consent with outsourcing needs to be obtained from the scheme owner or from the provider of the object. The use of personnel external to the conformity assessment body under contract is usually not considered outsourcing. Some standards of the ISO/IEC 17000 series set requirements for outsourcing.

6.1.3.2 The scheme should require bodies that perform outsourced conformity assessment activities to meet the relevant requirements for bodies.

6.1.4 Surveillance

6.1.4.1 The choices for surveillance activities should be sufficient to assure the validity of the statement of conformity and counteract pressures or incentives to not fulfil specified requirements. In addition, the choices for surveillance activities can be restricted to avoid costs related to activities that provide unnecessary additional assurance. The balance between assurance and costs related to surveillance activities can be a key element to whether a scheme is utilized or not.

6.1.4.2 The scheme should specify appropriate surveillance activities based on consideration of:

a) the nature of the object of conformity assessment;

b) the probability and consequences of nonconformities;

c) a risk-based approach to identifying specific requirements which should have the most focus during a surveillance;

d) whether or the extent to which the conformity performance history or risk profile that is associated with the provider of the object of conformity assessment should be taken into account;

e) the extent to which surveillance is carried out at distinct intervals or is dynamic/continuous (e.g. through automated monitoring, etc.).

6.1.4.3 If surveillance is included, the scheme should provide rules and procedures indicating:

a) what surveillance activities are performed;

b) who performs them;

c) where they are performed;

d) when they are performed;

e) how they are performed; and

f) how often they are performed.

6.1.4.4 The rules and procedures for consideration of the results of surveillance activities should be provided as well.

6.2 Licensing and controlling the use of statement of conformity

6.2.1 Where the scheme provides for the use of certificates, marks or other statements of conformity, some form of legally enforceable agreement should control their use. Licences, for example, can include provisions related to use of a certificate, mark or other statement of conformity in communications, and requirements to be fulfilled when the statement of conformity is no longer valid. Such licences can be between two or more of the following:

a) scheme owner;

b) conformity assessment body;

c) client of the conformity assessment body;

d) accreditation body.

NOTE These activities are outside the functional approach.

6.2.2 The scheme should specify the process and responsibilities for addressing fraudulent use of statements of conformity.

NOTE These activities are outside the functional approach.

6.3 Reporting to the scheme owner

The scheme rules and procedures should include whether reporting to the scheme owner is required. Where required, the content, frequency and responsibility for reporting should be provided. Such reporting can be for the purpose of scheme improvement, for control purposes, or for monitoring the extent of conformity by providers of objects of conformity assessment.

NOTE These activities are outside the functional approach.

6.4 Complaints and appeals

6.4.1 The scheme should define the responsibility and process for handling different types of complaints and appeals.

6.4.2 Appeals against the decision of a conformity assessment body or accreditation body and complaints about a conformity assessment body or accreditation body should first be addressed to the respective body. Appeals and complaints that have not been, or cannot be, resolved by the body can be addressed to the scheme owner.

NOTE These activities are outside the functional approach.

6.5 Rules and procedures of a scheme

6.5.1 Schemes can include content beyond the rules and procedures referenced in the definition of conformity assessment scheme. The definition does not limit the content of a scheme. The defined and additional rules and procedures can address objects of conformity assessment and specified requirements (see 6.5.2), conformity assessment activities and methodology (see 6.5.3), conformity assessment bodies and accreditation bodies (see 6.5.4), and conformity assessment processes and administration (see 6.5.5).

NOTE A diagram providing a comparative summary of characteristic elements of conformity assessment schemes utilizing the CASCO Toolbox standards for bodies performing activities in the scheme is provided in Annex J.

6.5.2 Rules and procedures addressing objects of conformity assessment and specified requirements include, but are not limited to:

a) describing objects of conformity assessment in terms of single objects, groups of objects, categories of objects;

b) the specified requirements to which fulfilment by the objects of conformity assessment will be demonstrated, by reference to standards or other normative documents. When the scheme includes procedures to elaborate upon the specified requirements to remove ambiguity, the explanations should be formulated by competent persons and should be made available to all interested parties;

NOTE Further guidance on how to formulate specified requirements is provided in ISO/IEC 17007.

c) other requirements to be met by the provider of an object of conformity assessment, e.g. activities to assure the demonstration of fulfilment of specified requirements is valid on an ongoing basis;

d) the extent to which the object of conformity assessment can be modified, changed or updated before it would become necessary to undertake a new conformity assessment activity to assess the changes, modifications or updates.

6.5.3 Rules and procedures addressing conformity assessment activities and methodology include, but are not limited to:

a) the methods and procedures (e.g. on-site and off-site) to be used by the conformity assessment bodies, accreditation bodies and other organizations involved in the scheme, so as to assure the integrity and consistency of the outcome of the conformity assessment process;

b) how the results of conformity assessment activities including surveillance activities (if any) are to be reported and used;

c) acceptance of results (e.g. from another conformity assessment activity) for determination activities;

d) how nonconformities with the specified requirements are to be dealt with and resolved, including:

i. definitions and any categorisations of nonconformities (e.g. minor, major, critical etc.);

ii. the expectations for root cause analysis, corrective actions and nonconformity close-out timeframes;

iii. any prescribed follow-up actions or sanctions (e.g. suspension, withdrawal of conformity assessment status etc.) if nonconformities are not satisfactorily addressed;

iv. additional surveillance activities, and

v. expectations for monitoring and reporting on trends in nonconformities to inform scheme improvement and identify training opportunities.

e) whether procedures are to be used to confirm the integrity and consistency of the outcome of the conformity assessment activities performed in accordance with the scheme;

f) the content of the statement of conformity (e.g. certificate) which unambiguously identifies the object of conformity assessment to which it applies. A statement of conformity can be unique to a scheme and thus also convey that the scheme rules and procedures for methodology were followed in the demonstration that the object covered by the statement of conformity fulfilled specified requirements;

g) surveillance activities, including specific surveillance activities for performing the initial conformity assessment activities in full or in part as surveillance (if any), or unannounced surveillance activities;

h) activities when an object of conformity assessment no longer fulfils specified requirements (e.g. product recall or providing information to the market).

6.5.4 Rules and procedures addressing conformity assessment bodies and accreditation bodies include, but are not limited to:

a) the requirements for conformity assessment bodies and accreditation bodies operating in accordance with the scheme. These requirements should not contradict the requirements of the applicable standards for conformity assessment bodies and accreditation bodies;

b) the requirements for impartiality and competence of personnel (including contracted personnel) within conformity assessment bodies, accreditation bodies, and bodies performing outsourced activities;

c) whether conformity assessment bodies involved in the scheme (e.g. testing laboratories, inspection bodies, certification bodies) are to be accredited, are to participate in peer assessment or qualified in another manner. If conformity assessment bodies are accredited, the appropriate rules and procedures should be specified (e.g. that the accreditation body is a member of a mutual recognition arrangement between accreditation bodies).

6.5.5 Rules and procedures addressing the conformity assessment process and scheme administration include, but are not limited to:

a) the information to be supplied by an applicant for conformity assessment in accordance with the scheme;

b) the ownership, the conditions for the use and control of statements of conformity (e.g. marks of conformity);

NOTE ISO/IEC 17030 provides general requirements for third-party marks of conformity, including their issue and use.

c) period of validity for a statement of conformity;

d) transfer of issued statements of conformity (e.g. certificates);

e) general conditions for granting, maintaining, extending the scope of, reducing the scope of, suspending and withdrawing the statement of conformity; this includes rules and procedures for discontinuation of advertising and return of formal documents and any other action;

f) content, conditions and responsibility for publication of a directory or similar information for objects of conformity assessment whose fulfilment of specified requirements has been demonstrated;

g) the criteria for participants in a scheme and members in a scheme;

h) the need for, and content of, contracts (e.g. between scheme owner and conformity assessment bodies, scheme owner and providers of objects of conformity assessment, conformity assessment bodies and providers of objects of conformity assessment) including the rights, responsibilities and liabilities of the various parties;

i) transition for implementing scheme modification or scheme termination;

j) retention of records by the scheme owner, by conformity assessment bodies and by accreditation bodies;

k) communication, public information, and marketing related to the scheme, including scheme objectives and the way in which reference can be made to the scheme in publicity material.

7.0 Scheme owner responsibility

7.1 General

7.1.1 All conformity assessment activities fall into one of three types based on the person or organization that performs the activity and their interests. The three types are:

first-party activities by the person or organization that provides the object of conformity assessment (or is the object);

second-party activities by a person or an organization that has a user interest in the object of conformity assessment; or

third-party activity by a person or an organization that is independent of those who provide the object and who has no user interests in that object.

7.1.2 When developing or altering the scheme rules and procedures for methodology used in conformity assessment, the scheme owner should consider whether a specific conformity assessment activity will be a first-, second-, or third-party activity.

7.1.3 Conformity assessment activities are performed directly or indirectly by a person or organization (a conformity assessment body or an accreditation body). When automated technology, artificial intelligence, or other tools are used exclusively to perform conformity assessment activities, persons or organizations exist who created the tool, or who are responsible for the use of the tool. These persons or organizations indirectly perform such conformity assessment activities. Responsibility for tools and their use can be created by regulations, the legal system or jurisdiction in which the tool is used, or in a contract.

7.1.4 As the use of automated technologies advances, scheme owners should be transparent in adopting such methods to gain confidence in the results of conformity assessment.

7.1.5 Standards in the ISO/IEC 17000 series set requirements for competence, consistent operation and impartiality of conformity assessment bodies and accreditation bodies. Some of those standards include methodology the bodies are required to use for conformity assessment activities within the structure of the functional approach. The table below provides information on the standards of the ISO/IEC 17000 series and clauses where such methodology (see Clause 4.4) is contained.

| ISO/IEC Standard | Clauses containing rules and procedures for methodology |
|---|---|
| ISO/IEC 17011:2017 | 7.4 – Preparation for assessment; 7.5 – Review of documented information; 7.6 – Assessment; 7.7 – Accreditation decision making; 7.8 – Accreditation information; 7.9 – Accreditation cycle; 7.10 – Extending accreditation; 7.11 – Suspending, withdrawing or reducing accreditation |
| ISO/IEC 17020:2026 | None |
| ISO/IEC 17021-1:2015 | 8.2 – Certification documents; 8.3.1 to 8.3.3 – Reference to certification and use of marks; 9.1.3 – Audit programme; 9.1.4 – Determining audit time; 9.1.5 – Multi-site sampling; 9.1.6 – Multiple MS standards; 9.2 – Planning audits; 9.3 – Initial certification; 9.4 – Conducting audits; 9.5 – Certification decision; 9.6 – Maintaining certification |
| ISO/IEC DIS 17024:2025 | 8 – Certification schemes; 9.2 – Application process; 9.3 – Examination process; 9.4 – Decision on certification; 9.5 – Suspending, withdrawing or reducing the scope of certification; 9.6 – Recertification process; 9.7 – Use of certificates, logos and marks |
| ISO/IEC 17025:2019 | None |
| ISO/IEC 17029:2019 | 8 – Validation/Verification programme; 9.3 – Engagement; 9.4 – Planning; 9.5 – Validation/Verification execution; 9.6 – Review; 9.7 – Decision and issue of validation/verification statement; 9.8 – Facts discovered after issue of validation/verification statement |
| ISO/IEC 17065:2012 | 7.3.5 – Existing certification; 7.4 – Evaluation; 7.5 – Review; 7.6 – Certification decision; 7.7 – Certification documentation; 7.9 – Surveillance; 7.10 – Changes affecting certification; 7.11 – Termination, reduction, suspension or withdrawal of certification |

Figure 2 — Standards of the ISO/IEC 17000 series that contain requirements for methodology

When scheme rules and procedures require a conformity assessment body and accreditation bodies to fulfil requirements of such a standard, the scheme owner should ensure that the scheme rules and procedures for methodology used in conformity assessment are compatible with any corresponding requirements in the standard for the body.

7.1.6 Some of the standards of the ISO/IEC 17000 series explicitly require the conformity assessment body to operate a scheme (programme), e.g. ISO/IEC 17065, ISO/IEC 17024 and ISO/IEC 17029. Others contain specifications corresponding to elements of a scheme, e.g. the description of a management system as the object of conformity assessment according to ISO/IEC 17021-1. When scheme rules and procedures require a conformity assessment body to fulfil requirements of such a standard, the scheme owner should ensure the details of the scheme are aligned with these requirements.

7.2 Scheme owner

7.2.1 The owner of a scheme (or scheme owner) is the person or organization responsible for its development and maintenance. Examples of scheme owners are:

— conformity assessment bodies or accreditation bodies which develop a scheme for the sole use of their clients;

— organizations such as a regulatory authority or a trade association not acting as a conformity assessment body or accreditation body, which develop a scheme in which one or more bodies participate;

— non-governmental organizations that have developed a scheme to address a societal or economic need or demand.

NOTE A group of bodies, perhaps in different countries, can together set up a scheme. In that case, the bodies, as joint owners of the scheme, can create a management structure to develop and maintain the scheme effectively by all participating bodies (see Clause 7.3).

7.2.2 The scheme owner should be a legal entity.

NOTE A governmental scheme owner is deemed to be a legal entity on the basis of its governmental status.

7.2.3 If a scheme owner is responsible for several conformity assessment schemes, the scheme owner can manage them using a conformity assessment system. If the scheme owner is responsible for the rules and procedures which comprise the system, then the scheme owner is also the owner of the system.

NOTE For more information about the relationship between a scheme and a system, see Clause 4.1.5.

7.3 Ownership

7.3.1 The scheme owner should be able to take on full responsibility for the objectives, the content, and the integrity of the scheme.

7.3.2 The scheme owner should evaluate and manage the risks and liabilities arising from its activities.

NOTE Evaluating risks does not imply risk assessments in accordance with ISO 31000.

7.3.3 The scheme owner should have adequate arrangements (e.g. insurance or reserves) to cover liabilities arising from its activities. Arrangements should be appropriate (e.g. for the range of activities it performs and in the geographic regions in which activities are performed in accordance with the scheme).

7.3.4 The scheme owner should have the financial stability and resources required for it to fulfil its role in the management of the scheme and any activities it performs in accordance with the scheme.

7.4 Development

7.4.1 The scheme owner should ensure that the scheme is developed and maintained by persons competent in both technical and conformity assessment aspects.

7.4.2 The scheme owner should create and control adequate documentation of the scheme to facilitate consistency of activities performed in accordance with the scheme and for the maintenance and improvement of the scheme. The documentation can include the responsibilities for governance of the scheme.

7.4.3 For schemes that are monitored by other organizations (e.g. accreditation bodies, public authorities), the scheme owner should observe the requirements and obligations towards these organizations and, if applicable, inform the users of the scheme of the monitoring obligations, cooperation and disclosure obligations towards these other organizations.

7.5 Management

7.5.1 The scheme owner should set up responsibilities and processes for the management of the scheme.

7.5.2 The scheme owner should make arrangements to protect the confidentiality of information provided by the parties involved in the scheme.

7.5.3 The scheme owner should analyse the competition law regulations for each market in which the scheme is applied and make the necessary determinations to prevent impairments of competition. In particular, the scheme owner should grant each economic operator non-discriminatory access. The scheme owner can set the number of bodies performing activities in the scheme for cost, management, integrity or other reasons. However, the number of bodies should be high enough so that all have reasonably similar choices and costs for bodies performing conformity assessment activities.

NOTE It is not considered discriminatory if the scheme owner charges transparent fees for access or use of its scheme.

7.5.4 If the scheme owner outsources all or part of its activities to another party, it should have a legally binding contract defining the duties and responsibilities of both parties. A governmental scheme owner can subcontract its activities by regulatory provisions.

7.6 Maintenance

7.6.1 The scheme owner should monitor the development of the standards and other normative documents which define the specified requirements, rules and procedures used in the scheme. Where changes in these documents occur, the scheme owner should have a process for making the necessary changes in the scheme, including rules and procedures for implementation of the changes (e.g. transition period) by the conformity assessment bodies, accreditation bodies, providers of objects, and, where necessary, other interested parties.

7.6.2 The scheme owner should define a process for reviewing the scheme on a periodic basis in order to confirm that assurance and other intended benefits are being realized and to identify aspects requiring improvement, taking into account feedback, including complaints against the scheme, from interested parties or feedback from scheme integrity. The review should include provisions for ensuring that the scheme is being applied in a consistent manner.

7.6.3 The scheme owner should define a process for managing the implementation of other changes to the rules and procedures in the scheme.

7.6.4 The scheme owner should maintain and make available upon request information about procedures for complaints about the scheme.

7.6.5 Rules and procedures for scheme maintenance can include:

a) management system and internal scheme administration;

b) documents and records control;

c) monitoring and responding to misleading or fraudulent use of the scheme;

d) scheme preparedness for sudden changes in operating conditions (e.g. pandemics, cyberattacks), business continuity and resilience;

e) managing changes to the rules and procedures, including specified requirements and methodologies, or in any changes to the ownership or governance of the scheme.

7.7 Scheme integrity

7.7.1 Scheme integrity is a set of activities that assesses, repeats, or otherwise checks in detail the results of specific conformity assessment activities performed in accordance with the scheme.

7.7.2 The intent of scheme integrity is to incentivize the bodies performing conformity assessment activities in accordance with the scheme to be vigilant and attentive to details. The incentive is introduced by the possibility that their work will be scrutinized with possible consequences from the scheme owner.

7.7.3 Scheme integrity can add costs, which can be minimized by targeting the conformity assessment activities needing the greatest attention to detail for the scheme to deliver the intended assurance.

7.7.4 The scheme should specify whether scheme integrity will be performed, and if so, who will perform it, when and where it will be performed, how it will be performed and how often it will be performed. To maintain the efficacy of scheme integrity, these details can be confidential to the scheme owner.

7.7.5 Rules and procedures for scheme integrity can include:

a) performance measurement, monitoring, analysis and evaluation;

b) impact measurement against the objectives of the scheme, monitoring, analysis and evaluation;

c) complaints and appeals handling (6.5).

8.0 Lifecycle of a scheme

8.1 Identifying the need for conformity assessment schemes

8.1.1 The decision to develop a conformity assessment scheme should take into consideration a number of factors, including the following:

a) the societal or economic need or demand for assurance that can be satisfied by a demonstration that an object of conformity assessment meets specified requirements;

b) the balance between the potential advantages (e.g. helping to enhance assurance in objects of conformity assessment, improving quality and facilitating trade) and the potential disadvantages (e.g. adding costs, distorting market access and creating unnecessary technical barriers to trade);

c) the impact of the proposed conformity assessment scheme on affected parties;

d) the bodies that would be most effective and efficient to perform conformity assessment and their availability;

e) existence of conformity assessment schemes and regulations that can fulfil the societal or economic need or demand, or can serve as a model for a new conformity assessment scheme;

f) the existence of fully developed international, regional or national normative documents;

g) the availability of an entity assuming scheme owner’s responsibilities.

8.1.2 ISO and IEC have developed ISO/IEC 17007 which provides guidance for developing normative documents that are suitable for use in conformity assessment. The guidance pertains to normative documents that serve as:

a) specified requirements applicable to the objects of conformity assessment,

b) methods for individual conformity assessment activities, and

c) rules and procedures for a methodology for performing conformity assessment.

8.2 Development of schemes

8.2.1 Schemes can be developed for different purposes. Such purposes can include achieving certain outcomes (e.g. in relation to health, safety, security or the environment) and differentiating objects of conformity assessment in the market place (e.g. to facilitate informed purchasing decisions). The purpose of the scheme should be retained in a form which enables evaluation of the effectiveness of the scheme, including the ongoing fitness for purpose of the scheme.

8.2.2 Schemes should be developed with an understanding of the assumptions regarding the need for a scheme, the influences and acceptance of a scheme, and the consequences involved in developing and maintaining a scheme on an ongoing basis.

8.2.3 Interested parties should be identified and their participation in scheme development should be sought.

8.2.4 Before developing the specific content of the scheme, fundamental principles of scheme ownership and management should be agreed among the interested parties. Such principles can include:

a) confirmation of the ownership,

b) confirmation of the governance and decision making mechanisms that may or may not provide for direct involvement of interested parties,

c) confirmation of the underlying business and funding model, and

d) providing an outline for monitoring and periodic review of the scheme.

NOTE Further guidance on scheme ownership and scheme owner responsibilities is provided in Clause 7.

8.2.5 Scheme development should consider the purpose, scope, scheme objectives and processes, which would be further detailed in rules and procedures of the scheme.

8.2.6 Once developed, general information describing the scheme should be publicly available to ensure transparency, understanding and acceptance.

8.3 Scheme documentation

8.3.1 For documented schemes, i.e. those that are not created orally, the scheme documentation should identify the specified requirements applicable to the objects of conformity assessment and the rules and procedures for conformity assessment activities in a clear and unambiguous manner with sufficient detail to ensure that the statements of conformity and any other deliverables are traceable and provide comparable assurance.

8.3.2 The rules and procedures of a scheme can be in a single document or in multiple documents; and multiple documents can be of different types and from different sources. For instance, the description of the object can be a legal provision, the applicable requirements can be a mix of regulatory directives and technical standards, and the methodology can be provided by sectoral industry practice or international agreements.

8.3.3 ISO/IEC 17007 provides guidance for developing normative documents that are suitable for use in conformity assessment.

8.4 Discontinuing a scheme

Before discontinuing a conformity assessment scheme in part or in full, at least the following should be considered:

a) the original need for the scheme;

b) views of interested parties;

c) contractual duties;

d) transition arrangements (e.g. for the validity of issued statements of conformity);

e) external communication regarding the discontinuation;

f) information published by the scheme owner and by the participants (where applicable).

9 Categorization and types of schemes

9.1 Reference to a “scheme” or “programme” can be more or less common for particular conformity assessment activities. For example, references to “scheme” or “programme” are infrequent or rare in connection with testing or inspection. On the other hand, references to “scheme” or “programme” are common in connection with certification, peer assessment and accreditation. In all cases, however, conformity assessment activities cannot begin without knowing the object of conformity assessment and the specified requirements. Conformity assessment cannot progress without deciding the methodology for performing it. As a result, a scheme always exists or comes into existence whenever conformity assessment as represented by the functional approach is performed.

9.2 Schemes can be designated according to the activities performed, e.g.:

a) “validation programme”, where the object of conformity assessment is a claim and validation is the prevailing determination activity;

b) “inspection scheme”, where inspection is the prevailing determination activity;

c) “certification scheme”, where the object is a management system, person, product, process, or service and the statement of conformity is issued during certification;

d) “accreditation scheme”, where the object is a conformity assessment body and the statement of conformity is issued during accreditation;

e) “supplier’s declaration of conformity scheme”, where the statement of conformity is issued during declaration.

9.3 For examples of common characteristics of conformity assessment schemes which invoke a CASCO Toolbox standard, see Annex J.

9.4 Two or more schemes can be referred to by the same general term (e.g. certification scheme) but describe significantly different objects, identify significantly different specified requirements, and provide significantly different methodologies (e.g. designated types of product certification schemes, see Annex A).

9.5 On the other hand, more than one reference can apply to a single scheme. For example, a scheme can describe four different objects: a group of products, a group of persons, a type of management system and a type of conformity assessment body. The methodology provided by the scheme can have rules and procedures for third-party laboratory testing, second-party witnessing of persons while performing activities, first-party audits of management systems, third-party assessments of conformity assessment bodies, and declarations (first-party attestations). The general reference to this scheme can include e.g. “management system scheme” or “declaration scheme”.

9.6 Schemes can use a combination of determination activities (e.g. management system audit, testing, inspection, product evaluation, validation/verification), with the results reviewed and subject to a single conformity assessment decision and attestation.

9.7 Some sectors are establishing guidance or common content for schemes specific to their sector (see 4.1.2). Such guidance or common content is neither a conformity assessment scheme nor a conformity assessment system. It can provide required elements to include in a scheme and required or recommended practices when developing or maintaining a scheme.

9.8 There is no standardized rule, nomenclature, or terminology for referring to individual conformity assessment schemes based on their characteristics. However, a proper name for a scheme can be adopted so that it can be referenced accurately in public information, contracts, regulations etc. For example, a product certification scheme could be named the “Worldwide Retail Association Product Safety Scheme” to differentiate it from other product certification schemes and so that accurate references to this specific scheme can be made.

9.9 As a result, the guidance provided in this document, especially in Annexes A to J, refers to “schemes which include” or similar wording. For example, “schemes which include service certification” rather than the term “service certification scheme” (see ISO/IEC 17000:2020, A.3.2 and A.4.3).


Annex A (informative)

Conformity assessment schemes that include product, process or service certification

A.1 Conformity assessment schemes which include product, process, or service certification:

— describe a product, process, or service as an object of conformity assessment, and

— provide a methodology with certification as the attestation (in the review, decision, attestation function) to indicate that a product’s, process’s, or service’s fulfilment of the specified requirements has been demonstrated.

A.2 Further guidance can be found in:

— ISO/IEC TR 17026 that provides an example of a scheme which includes product certification,

— ISO/IEC TR 17028 that provides guidelines for a scheme which includes service certification, and

— ISO/IEC TR 17032 that provides guidelines for a scheme which includes process certification.

A.3 Conformity assessment schemes which include product, process, or service certification can describe a single product, process, or service or can describe multiple products, processes, or services as objects of conformity assessment.

A.4 These schemes can describe products, processes, or services as the only object of conformity assessment or can describe products, processes, or services as one of the multiple objects of conformity assessment. If the scheme includes other objects of conformity assessment, then the scheme can provide certification or can provide another type of attestation (in the review, decision, attestation function) in the methodology for the other objects of conformity assessment.

A.5 These schemes identify specified requirements related to products, processes, or services. If the scheme includes objects of conformity assessment other than products, processes, or services, then the scheme identifies different specified requirements for the other objects of conformity assessment and these different specified requirements do not apply to products, processes, or services as an object of conformity assessment.

A.6 ISO/IEC 17065 sets requirements for the competence, impartiality and consistent operation of a product, process, or service certification body. These bodies perform activities contributing to the functions of the functional approach, including certification, for demonstrating that a product, a process, or a service fulfils specified requirements. ISO/IEC 17065 sets requirements for surveillance activities in specific circumstances. As a result, a scheme which references ISO/IEC 17065 should provide a methodology that is the same as, or at least not contradictory with, these requirements in ISO/IEC 17065.

A.7 A scheme can describe products, processes, or services, but the methodology can provide a type of attestation different than certification. Similarly, a scheme can provide certification as the attestation but describe different objects of conformity assessment than products, processes, or services. Neither of these schemes would be a conformity assessment scheme which includes product, process, or service certification.

A.8 The following examples do not represent all possible types of “product, process or service certification schemes”. They may be used with many types of requirements and may use a wide variety of statements of conformity (see ISO/IEC 17000:2020, 7.3, Note to entry 1). All types of these certification schemes involve selection, determination, review, decision and attestation. One or more determination activities should be selected taking into account the product, process or service and the specified requirements. The types of schemes differ according to which surveillance activities (if applicable) are carried out. For scheme types 1a and 1b, no surveillance is required since the attestation relates only to the product items which have been subjected to the determination activities. For other scheme types the way in which the different surveillance activities can be used and the circumstances to which they could be applicable should be described by the scheme.

A.9 The following table lists the examples of schemes described in more detail below.

Table A.1 — Examples of types of schemes

Columns 1a to N are the types of certification schemes.ᵇ

| | Conformity assessment functions and activitiesᵃ | 1a | 1b | 2 | 3 | 4 | 5 | 6 | Nᶜ,ᵈ |
|---|---|---|---|---|---|---|---|---|---|
| I | Selection, including planning and preparation activities, specification of requirements, e.g. normative documents, and sampling, as applicable | x | x | x | x | x | x | x | x |
| II | Determination, development of complete information regarding fulfilment of specified requirements, by, for example: a) testing; b) inspection; c) design appraisal; d) assessment of services or processes; e) verification; f) other determination activities | x | x | x | x | x | x | x | x |
| III | Review: consideration of the suitability, adequacy and effectiveness of Selection and Determination activities and the results of those activities with regard to fulfilment of specified requirements | x | x | x | x | x | x | x | x |
| IV | Decision on certification: granting, maintaining, extending, reducing, suspending, withdrawing the statement of conformity (e.g. the certificate or mark) | x | x | x | x | x | x | x | x |
| V | Certification, by licensing as applicable | | | | | | | | |
| | a) issuing a certificate of conformity or other statement of conformity (attestation) | x | x | x | x | x | x | x | x |
| | b) granting the right to use certificates or other statements of conformity | x | x | x | x | x | x | x | |
| | c) issuing a certificate of conformity for a batch of products | | x | | | | | | |
| | d) granting the right to use marks of conformity (licensing) is based on surveillance (VI) or certification of a batch | | x | x | x | x | x | x | |
| VI | Surveillance, as applicable (see 5.5.1 to 5.5.4), by: | | | | | | | | |
| | a) testing or inspection of samples from the open market | | | x | | x | x | | |
| | b) testing or inspection of samples from the factory | | | | x | x | x | | |
| | c) assessment of the production, the delivery of the service or the operation of the process | | | | x | x | x | x | |
| | d) management system audits combined with random tests or inspections | | | | | | x | x | |

a Where applicable, the activities can be coupled with initial assessment and surveillance assessment of the management system of product manufacturer, process operator and service provider (an example is given in ISO/IEC TR 17026) or initial assessment of the production process.

b An often used and well-tried model for a product certification scheme is described in ISO/IEC TR 17026; it is a product certification scheme corresponding to scheme type 5.

c A product certification scheme includes at least the activities I, II, III, IV and V a).

d The symbol N has been added to show an undefined number of possible other schemes, which can be based on different activities.

A.10 Scheme type 1a

In this type of scheme one or more samples of the product are subjected to the determination activities. A certificate of conformity or other statement of conformity (e.g. a letter) is issued for the product type, the characteristics of which are detailed in the certificate or a document referred to in the certificate. Subsequent production items are not covered by the certification body's attestation of conformity.

The samples are representative of subsequent production items which can be referred to by the manufacturer as being manufactured in accordance with the certified type.

The certification body may grant to the manufacturer the right to use the type-approval certificate or other statement of conformity (e.g. letter) as a basis for the manufacturer to declare that subsequent production items conform to the specified requirements.

A.11 Scheme type 1b

This type of scheme involves the certification of a whole batch of products, following selection and determination as specified in the scheme. The proportion to be tested, which can include testing of all the units in the batch (100 % testing), can be based, for example, on the homogeneity of the items in the batch and the application of a sampling plan, where appropriate. If the outcome of the determination, review and decision is positive, all items in the batch may be described as certified and may have a mark of conformity affixed, if that is included in the scheme.

A.12 Scheme type 2

The surveillance part of this scheme involves periodically taking samples of the product from the market and subjecting them to determination activities to check that items produced subsequent to the initial attestation fulfil the specified requirements.

While this scheme may identify the impact of the distribution channels of the supply chain on the conformity of objects, the resources it requires can be extensive. Also, when significant nonconformities are found, effective corrective measures may be limited since the product has already been distributed to the market.

A.13 Scheme type 3

The surveillance part of this scheme involves periodically taking samples of the product from the point of production and subjecting them to determination activities to check that items produced subsequent to the initial attestation fulfil the specified requirements. The surveillance includes periodic assessment of the production process.

This scheme does not provide any indication of the impact of the distribution channels of the supply chain on the conformity of objects. When serious nonconformities are found, the opportunity may exist to resolve them before widespread market distribution occurs.

A.14 Scheme type 4

The surveillance part of this scheme allows for the choice between periodically taking samples of the product from the point of production, or from the market, or from both, and subjecting them to determination activities to check that items produced subsequent to the initial attestation fulfil the specified requirements. The surveillance includes periodic assessment of the production process.

This scheme can both indicate the impact of the distribution channels of the supply chain on the conformity of objects and provide a pre-market mechanism to identify and resolve serious nonconformities. Significant duplication of effort may take place for those products whose conformity is not affected during the distribution process.

A.15 Scheme type 5

The surveillance part of this scheme allows for the choice between periodically taking samples of the product either from the point of production, or from the market, or from both, and subjecting them to determination activities to check that items produced subsequent to the initial attestation fulfil the specified requirements. The surveillance includes periodic assessment of the production process, or audit of the management system, or both. The extent to which the four surveillance activities are conducted may be varied for a given situation, as defined in the scheme. If the surveillance includes audit of the management system, an initial audit of the management system will be needed.

A.16 Scheme type 6

Although services are considered as being generally intangible, the determination activities are not limited to the evaluation of intangible elements (e.g. effectiveness of an organization's procedures, delays and responsiveness of the management). In some situations, the tangible elements of a service can support the evidence of conformity indicated by the assessment of processes, resources and controls involved. For example, inspection of the cleanliness of vehicles for the quality of public transportation.

As far as processes are concerned, the situation is very similar. For example, the determination activities for welding processes can include testing and inspection of samples of the resultant welds, if applicable.

For both services and processes, the surveillance part of this scheme should include periodic audits of the management system and periodic assessment of the service or process.


Annex B (informative)

Conformity assessment schemes that include management system certification

B.1 Conformity assessment schemes which include management system certification:

— describe a management system as an object of conformity assessment, and

— provide a methodology with certification as the attestation (in the review, decision, attestation function) to indicate that a management system’s fulfilment of the specified requirements has been demonstrated.

B.2 Conformity assessment schemes which include management system certification can describe one type of management system or can describe multiple types of management systems (e.g. quality management systems, environmental management systems, and information security management systems) as objects of conformity assessment.

B.3 These schemes can describe management systems as the only object of conformity assessment or can describe management systems as one of multiple objects of conformity assessment. If the scheme includes other objects of conformity assessment, then the scheme can provide certification or can provide another type of attestation (in the review, decision, attestation function) in the methodology for the other objects of conformity assessment.

B.4 These schemes identify specified requirements related to management systems. If the scheme includes objects of conformity assessment other than management systems, then the scheme identifies different specified requirements for the other objects of conformity assessment and these different specified requirements do not apply to management systems as an object of conformity assessment.

B.5 The following is an example of a conformity assessment scheme which includes management system certification. The scheme describes an environmental management system as an object of conformity assessment and a product as an object of conformity assessment. The scheme identifies specified requirements for an environmental management system and provides a methodology including surveillance activities for demonstrating that the management system fulfils the specified requirements. In that methodology, certification is the type of attestation indicating that the management system’s fulfilment of specified requirements has been demonstrated. The scheme identifies different specified requirements regarding use of recycled material for a product and provides a methodology including surveillance activities for demonstrating that the product fulfils the specified requirements. In this methodology for a product, declaration (ISO/IEC 17000:2020, 7.5) is the type of attestation indicating that the product’s fulfilment of specified requirements has been demonstrated.

B.6 ISO/IEC 17021-1 and related parts (e.g. ISO/IEC 17021-3) and ISO management system certification body requirements (e.g. ISO 22003-1, ISO 50003, ISO/IEC 27006) set requirements for the competence, impartiality and consistent operation of a body performing Functional Approach activities, including certification, for demonstrating that a management system fulfils specified requirements (i.e. a management system certification body). ISO/IEC 17021-1 refers to audit plans and audit programmes as the way to perform selection and determination function activities. These and other required activities in ISO/IEC 17021-1 are a detailed methodology for all Functional Approach activities, including surveillance activities, for demonstrating that a management system fulfils specified requirements. As a result, a scheme which references ISO/IEC 17021-1 as requirements for a management system certification body should provide a methodology for demonstrating that management systems fulfil specified requirements that is the same as, or at least not contradictory with, the detailed methodology in ISO/IEC 17021-1. A scheme can achieve this by remaining silent on the methodology for demonstrating that a management system fulfils specified requirements and referencing ISO/IEC 17021-1 as requirements for a management system certification body. In this situation, the detailed methodology in ISO/IEC 17021-1 will be used by the management system certification body.

B.7 A scheme can describe management systems as an object of conformity assessment, but the methodology can provide a type of attestation different than certification. Similarly, a scheme can provide certification as the attestation but describe objects of conformity assessment different than management systems. Neither of these schemes would be a conformity assessment scheme which includes management system certification.


Annex C (informative)

Conformity assessment schemes that include certification of persons

C.1 Conformity assessment schemes which include certification of persons:

— describe persons and their competence as an object of conformity assessment, and

— provide a methodology with certification as the attestation (in the review, decision, attestation function) to indicate a person’s fulfilment of the specified requirements has been demonstrated.

C.2 Because the methodology for demonstrating that a person fulfils specified requirements can vary significantly based on the type of competence, schemes most commonly describe a single, particular type of competence of persons. Separate schemes can commonly be established to demonstrate the fulfilment of specified requirements for other types of competence.

C.3 These schemes can describe a person and their competence as the only object of conformity assessment or can describe a person and their competence as one of multiple objects of conformity assessment. If the scheme includes other objects of conformity assessment, then the scheme can provide certification or can provide another type of attestation (in the review, decision, attestation function) in the methodology for the other objects of conformity assessment.

C.4 These schemes identify specified requirements related to persons and their competence. If the scheme includes objects of conformity assessment other than persons and their competence, then the scheme identifies different specified requirements for the other objects of conformity assessment and these different specified requirements do not apply to persons and their competence as an object of conformity assessment.

C.5 The following is an example of a conformity assessment scheme which includes certification of persons. The scheme describes a person with a type of competence as an object of conformity assessment and a maintenance process as an object of conformity assessment. The scheme identifies specified requirements for persons regarding their ability to analyse the functioning of defined types of production machinery and provides a methodology, including surveillance activities, for demonstrating that persons fulfil the specified requirements. In that methodology, certification is the type of attestation indicating a person’s fulfilment of specified requirements has been demonstrated. The scheme identifies different specified requirements for a maintenance process including various maintenance activities at specified frequencies performed by a certified person. The scheme provides a methodology, including surveillance activities, for demonstrating that the operation of a maintenance process fulfils the specified requirements. In this methodology, a second party attestation is referenced for indicating that a maintenance process’s fulfilment of specified requirements has been demonstrated.

C.6 ISO/IEC 17024 sets requirements for the competence, impartiality and consistent operation of a body performing Functional Approach activities, including certification, for demonstrating that a person fulfils specified requirements (a body for certification of persons).

C.7 In addition, ISO/IEC 17024 sets requirements for the description of the object of conformity assessment, types of specified requirements, and elements of the methodology including surveillance activities for a scheme intended to demonstrate that a person fulfils specified requirements. It also requires the certification body to have evidence that certain activities are included in the development, ongoing validation and ongoing review of the scheme. As a result, a scheme which references ISO/IEC 17024 as requirements for a body for certification of persons should meet the above requirements for conformity assessment schemes so there is no contradiction between the scheme and the related requirements in ISO/IEC 17024.

C.8 A scheme can describe persons and their competence as an object of conformity assessment, but the methodology can provide a type of attestation different than certification. Similarly, a scheme can provide certification as the attestation but describe objects of conformity assessment different than persons and their competence. Neither of these schemes would be a conformity assessment scheme which includes certification of persons.


Annex D (informative)

Conformity assessment programmes that include validation/verification

D.1 The term “programme” instead of “scheme” is used when the rules and procedures for the methodology for performing conformity assessment include validation (see ISO/IEC 17029:2019, 3.2) or verification (see ISO/IEC 17029:2019, 3.3). Validation is the confirmation of a claim, through the provision of objective evidence, that the requirements for a specific intended future use or application have been fulfilled, in other words, confirmation of plausibility. Verification is the confirmation of a claim, through the provision of objective evidence, that specified requirements have been fulfilled, in other words, confirmation of truthfulness.

D.2 Conformity assessment programmes which include validation or verification:

— describe claims (declared information) as an object of conformity assessment, and

— provide a methodology for demonstrating a claim’s fulfilment of specified requirements that includes validation or verification as a determination function activity.

ISO/IEC TS 17035 and ISO/IEC 17029:2019 (Note 2 to Clause 8, Annex A) provide guidance on the development, content and operation of conformity assessment programmes which include validation or verification.

D.3 These programmes identify specified requirements related to claims. These programmes can describe claims as the only object of conformity assessment or can describe claims as one of multiple objects of conformity assessment. If the programme includes other objects of conformity assessment, then the programme identifies a methodology for demonstrating that these other objects of conformity assessment fulfil specified requirements related to them. Neither the methodologies nor the specified requirements related to these other objects of conformity assessment apply to claims.

D.4 A methodology that includes validation or verification can include any type of selection function activities, including any type of sampling activities, and any type of review, decision, attestation function activities. Because validation and verification are part of a demonstration that a claim fulfils specified requirements only at one point in time, surveillance activities can be omitted from the methodology.

D.5 A methodology that includes validation or verification can also be silent about the review, decision, attestation function activities. In this situation, because no review and decision activities are performed in accordance with the programme, the reporting of information and results is not attestation (see ISO/IEC 17000:2020, 7.3). In this situation, the information and results of validation or verification can be used for any purpose, including but not limited to use as input to review, decision, attestation function activities in a different conformity assessment programme.

D.6 The following is an example of a conformity assessment programme which includes verification. The programme describes various processes as objects of conformity assessment. The processes are for gathering, processing and utilizing sources of renewable energy. The programme also describes claims (as a different object of conformity assessment) regarding carbon emissions from implementation of these processes as objects of conformity assessment. The programme identifies specified requirements for each type of process and provides a methodology, including surveillance, for demonstrating implemented processes’ fulfilment of specified requirements. In that methodology, certification is the type of attestation indicating a process’s fulfilment of specified requirements has been demonstrated. The programme identifies specified requirements for claims regarding carbon emissions from implementation of processes and provides a methodology for demonstrating a claim’s fulfilment of specified requirements. This methodology does not include surveillance and declaration is the type of attestation indicating a claim’s fulfilment of specified requirements has been demonstrated. The programme requires the methodology to be performed, including verification and declaration as activities, on an annual basis.

D.7 The following is an example of a verification scheme applied to greenhouse gas (GHG) emissions reporting. The scheme establishes the framework for verifying an organization’s declared carbon emissions reductions resulting from renewable energy projects. The object of verification is the declared reduction in emissions due to the implementation of specific renewable energy processes. The scheme defines verification criteria, including applicable regulatory standards, recognized emissions calculation methodologies, and data quality requirements. The verification methodology consists of an independent assessment of the declared emissions data, incorporating document review, data sampling, and site visits where necessary. This verification scheme does not include surveillance, as verification is a one-time or periodic assessment of the accuracy and reliability of declared emissions data. The scheme mandates verification to be conducted annually. The outcome of the verification process is an independent verification statement, confirming that the declared emissions reductions are accurate, consistent with the applicable methodologies, and supported by objective evidence.

D.8 ISO/IEC 17029 sets requirements for the competence, impartiality and consistent operation of a body performing validation or verification as a determination function activity, related selection function activities, and subsequent review, decision, attestation function activities (a validation/verification body). ISO/IEC 17029 refers to a validation/verification plan as the way to perform validation or verification as a determination function activity. These plans can be provided by the methodology in a conformity assessment programme. These and other required activities in ISO/IEC 17029 are a detailed methodology for all Functional Approach activities for demonstrating that a claim fulfils specified requirements (see ISO/IEC 17029:2019, Annex B). As a result, a programme which references ISO/IEC 17029 as requirements for a body performing validation or verification should provide a methodology for demonstrating claims’ fulfilment of specified requirements that is the same as, or at least not contradictory with, the detailed methodology in ISO/IEC 17029.

D.8 A programme can describe claims as an object of conformity assessment but provide a methodology that does not utilize validation or verification as a determination function activity. Such a programme is not a conformity assessment programme which includes validation or verification.


Annex E (informative)

Conformity assessment schemes that include inspection

E.1 Conformity assessment schemes which include inspection provide at least one methodology for demonstrating fulfilment of specified requirements that includes inspection as a determination function activity. Inspection should be used as a determination function activity only when it can deliver reliable information including, but not limited to, information about the fulfilment of specified requirements. See ISO/IEC 17000:2020, Figure A.1, output of the determination function activity.

E.2 A methodology that includes inspection can include other types of determination function activities including testing and auditing; any type of selection function activities including any type of sampling activities; any type of review, decision, attestation function activities; and any type of surveillance activities.

E.3 A methodology that includes inspection can also be silent about the review, decision, attestation function activities and surveillance activities. In this situation, because no review and decision activities are performed in accordance with the scheme, the reporting of information and results is not attestation (see ISO/IEC 17000:2020, 7.3). In this situation, the information and results of determination function activities (including inspection) can be used for any purpose, including but not limited to use as input to review, decision, attestation function activities in a different conformity assessment scheme.

E.4 Conformity assessment schemes which provide a methodology that includes inspection can provide other methodologies for demonstrating fulfilment of other specified requirements by other objects of conformity assessment.

E.5 The following is an example of a conformity assessment scheme which includes inspection. The scheme describes the process of installing a building material as an object of conformity assessment. The scheme identifies specified requirements for the process of installing the building material comprised of requirements for applying the material and interfacing it with other building elements. Inspection as a determination function activity is included in the methodology for demonstrating fulfilment by an installation since inspection will provide reliable information about fulfilment of specified requirements. The scheme is silent on the review, decision, attestation function activities and surveillance activities in the methodology. As a result, the information and results from inspection can be used for any purpose acceptable to the persons or organizations involved.

E.6 ISO/IEC 17020 sets requirements for the competence, impartiality and consistent operation of a body performing inspection as a determination function activity and performing related selection function activities. ISO/IEC 17020 refers to inspection methods and procedures as the way to perform selection and determination function activities. These methods and procedures can be provided by the methodology in a conformity assessment scheme. For conformity assessment schemes which are silent regarding the review, decision, attestation function and surveillance activities, and include only inspection as a determination function activity, the inspection methods and procedures can be the entire methodology in the conformity assessment scheme.


Annex F (informative)

Conformity assessment schemes that include testing

F.1 Conformity assessment schemes which include testing provide at least one methodology for demonstrating the fulfilment of specified requirements that includes testing as a determination function activity. Testing should be used as a determination function activity only when it can deliver reliable information including, but not limited to, information about the fulfilment of specified requirements. See ISO/IEC 17000:2020, Figure A.1, output of the determination function activity.

F.2 A methodology that includes testing can include other types of determination function activities including inspection and auditing; any type of selection function activities including any type of sampling activities (e.g. associated with subsequent testing); any type of review, decision, attestation function activities; and any type of surveillance activities.

F.3 A methodology that includes testing can also be silent about the review, decision, attestation function activities and surveillance activities. In this situation, because no review and decision activities are performed in accordance with the scheme, the reporting of information and results is not attestation (see ISO/IEC 17000:2020, 7.3). In this situation, the information and results of determination function activities (including testing) can be used for any purpose, including but not limited to use as input to review, decision, attestation function activities in a different conformity assessment scheme.

F.4 Conformity assessment schemes which provide a methodology that includes testing can provide other methodologies for demonstrating the fulfilment of other specified requirements by other objects of conformity assessment.

F.5 The following is an example of a conformity assessment scheme which includes testing. The scheme describes a type of building material as an object of conformity assessment. The scheme identifies specified requirements for strength and weather resistance for the type of building material. Testing as a determination function activity is included in the methodology for demonstrating fulfilment by a building material since testing will provide reliable information about fulfilment of specified requirements. The scheme is silent on the review, decision, attestation function activities and surveillance activities in the methodology. As a result, the information and results from testing can be used for any purpose acceptable to the persons or organizations involved.

F.6 ISO/IEC 17025 sets requirements for the competence, impartiality and consistent operation of a laboratory performing testing as a determination function activity and performing related selection function activities (e.g. sampling associated with subsequent testing). ISO/IEC 17025 refers to methods as the way to perform selection and determination function activities. These methods can be provided by the methodology in a conformity assessment scheme. For conformity assessment schemes which are silent regarding the review, decision, attestation function and surveillance activities, and include only testing as a determination function activity, the methods can be the entire methodology in the conformity assessment scheme.


Annex G (informative)

Conformity assessment schemes that include accreditation

G.1 Conformity assessment schemes which include accreditation:

— describe conformity assessment bodies as an object of conformity assessment;

— identify specified requirements related to the competence, impartiality, and consistent operation of the conformity assessment bodies; and

— provide a methodology with accreditation as attestation to indicate that a conformity assessment body’s fulfilment of the specified requirements for competence, impartiality and consistent operation has been demonstrated. (See ISO/IEC 17000:2020, 7.7).

G.2 Conformity assessment schemes which include accreditation can describe one type of conformity assessment body or can describe multiple types of conformity assessment bodies as objects of conformity assessment.

G.3 These schemes can describe only conformity assessment bodies as objects of conformity assessment or can describe conformity assessment bodies plus other types of objects of conformity assessment. If the scheme includes other objects of conformity assessment, then the scheme can provide any other type of attestation (in the review, decision, attestation function) in the methodology to demonstrate that those other objects of conformity assessment fulfil specified requirements.

G.4 If the scheme includes objects of conformity assessment other than conformity assessment bodies, then the scheme identifies different specified requirements for the other objects of conformity assessment and these different specified requirements do not apply to conformity assessment bodies as an object of conformity assessment.

G.5 The following is an example of a conformity assessment scheme which includes accreditation. The scheme describes a type of cleaning service as an object of conformity assessment and indicates an inspection body performs inspection of completion of cleaning. The scheme also describes inspection bodies as an object of conformity assessment and identifies specified requirements for competence, impartiality and consistent operation. The scheme provides a methodology for demonstrating that an inspection body fulfils specified requirements. In this methodology accreditation is the type of attestation (in the review, decision, attestation function) indicating an inspection body’s fulfilment of specified requirements has been demonstrated.

G.6 ISO/IEC 17011 sets requirements for the competence, impartiality and consistent operation of a body performing Functional Approach activities, including accreditation (an accreditation body), for demonstrating that a conformity assessment body fulfils specified requirements for competence, impartiality and consistent operation. ISO/IEC 17011 refers to required activities as the way to perform selection and determination function activities. These and other required activities in ISO/IEC 17011 are a detailed methodology for all Functional Approach activities including surveillance activities for demonstrating that a conformity assessment body fulfils specified requirements for competence, impartiality and consistent operation. As a result, a scheme which references ISO/IEC 17011 as requirements for an accreditation body should provide a methodology for demonstrating conformity assessment bodies fulfil specified requirements that is the same as, or at least not contradictory with, the detailed methodology in ISO/IEC 17011.

G.7 A scheme can achieve this by remaining silent on the methodology for demonstrating that a conformity assessment body fulfils specified requirements for competence, impartiality, and consistent operation and referencing ISO/IEC 17011 as specified requirements for an accreditation body. In this situation, the detailed methodology in ISO/IEC 17011 will be used by the accreditation body.

G.8 A scheme can describe conformity assessment bodies as an object of conformity assessment, but the methodology could provide a type of attestation different than accreditation. Similarly, a scheme can describe conformity assessment bodies as an object of conformity assessment, but identify specified requirements unrelated to competence, impartiality and consistent operation. Finally, a scheme could identify specified requirements for competence, impartiality, and consistent operation for an object of conformity assessment that is not a conformity assessment body. None of these schemes would be a conformity assessment scheme which includes accreditation.


Annex H (informative)

Conformity assessment schemes that include peer assessment

H.1 Conformity assessment schemes which include peer assessment (which can also be referred to as peer evaluation):

— describe bodies (conformity assessment bodies and accreditation bodies, see ISO/IEC 17000:2020, 4.2 Note 1 to entry) as objects of conformity assessment, and

— include peer assessment performed by representatives of other bodies in, or candidates for, an agreement group (see ISO/IEC 17000:2020, 9.10) as a determination function activity in the methodology for demonstrating a body’s fulfilment of specified requirements.

These schemes can identify specified requirements for competence, impartiality and consistent operation of bodies or can identify other types of specified requirements for bodies.

H.2 Conformity assessment schemes which include peer assessment can describe only one type of body or can describe different types of bodies as objects of conformity assessment.

H.3 These schemes can describe only bodies as objects of conformity assessment or can describe bodies plus other types of objects of conformity assessment. If the scheme includes objects of conformity assessment other than bodies, then the scheme identifies different specified requirements for the other objects of conformity assessment and these different specified requirements do not apply to bodies as an object of conformity assessment.

H.4 A methodology that includes peer assessment can include other types of determination function activities; any type of selection function activities including any type of sampling activities; any type of review, decision, attestation function activities; and any type of surveillance activities.

H.5 A methodology that includes peer assessment can also be silent about the review, decision, attestation function activities and surveillance activities. In this situation, because no review and decision activities are performed in accordance with the scheme, the reporting of information and results is not attestation (see ISO/IEC 17000:2020, 7.3). In this situation, the information and results of determination function activities (including peer assessment) can be used for any purpose, including but not limited to use as input to review, decision, attestation function activities in a different conformity assessment scheme.

H.6 The bodies as objects of conformity assessment in these schemes can be the same bodies referenced in the methodologies for demonstrations that other objects of conformity assessment described by the scheme fulfil specified requirements. For example, testing laboratories, inspection bodies, various types of certification bodies, and accreditation bodies referenced in the methodologies for demonstrations related to other objects of conformity can themselves be described as the object of conformity assessment whose fulfilment of specified requirements is demonstrated following a methodology which includes peer assessment.

H.7 The following is an example of a conformity assessment scheme which includes peer assessment. The scheme describes glass sand (intended for use in the manufacture of optical products) as an object of conformity assessment and identifies requirements for purity as the related specified requirements. The methodology for demonstrating that glass sand fulfils the specified requirements includes reference to test methods and references testing laboratories to perform test methods and follow other activities provided in the methodology. This methodology is silent regarding review, decision, attestation function activities and surveillance activities. Testing laboratories are also described as objects of conformity assessment in the scheme and the scheme identifies ISO/IEC 17025 as specified requirements for testing laboratories. The methodology for demonstrating that testing laboratories fulfil ISO/IEC 17025 references an agreement group of testing laboratories to perform peer assessment as a determination function activity but provides no other details regarding Functional Approach activities including no details regarding surveillance activities. As a result, the specific activities in the methodology to use peer assessment as a determination function activity to demonstrate testing laboratories' fulfilment of ISO/IEC 17025 are decided by the specific agreement group identified in the scheme.

H.8 ISO/IEC 17040 sets requirements for an organization that administers a peer assessment process and requirements for selection function activities, peer assessment as a determination function activity, and review activities in the review, decision, attestation function. These required activities in ISO/IEC 17040 are a detailed methodology for the Functional Approach activities through review but set no requirements for decision, attestation, or surveillance activities. As a result, a scheme which references ISO/IEC 17040 as requirements for peer assessment should provide a methodology that is the same as, or at least not contradictory with, the detailed methodology in ISO/IEC 17040. A scheme can achieve this by remaining silent on the methodology for Functional Approach activities through review and referencing ISO/IEC 17040 as requirements for peer assessment. In this situation, the detailed methodology in ISO/IEC 17040 will be used.


Annex I (informative)

Conformity assessment schemes that include declaration

I.1 Conformity assessment schemes which include declaration provide a methodology with declaration as the attestation (in the review, decision, attestation function) to indicate an object of conformity assessment’s fulfilment of the specified requirements has been demonstrated.

I.2 Conformity assessment schemes which include declaration can describe any type of object of conformity assessment and identify any type of specified requirements. The methodology provided by the scheme can include any type of selection function activities including any type of sampling activities, any type of determination function activities, any type of review and decision activities, and any type of surveillance activities.

I.3 These schemes can include multiple objects of conformity assessment with a methodology related to each. Each methodology will indicate whether declaration or another type of attestation is performed for indicating a demonstration of fulfilment of specified requirements exists.

I.4 The following is an example of a conformity assessment scheme which includes declaration. Company P purchases a material from Company S. The purchase agreement is the scheme and describes the purchased material as an object of conformity assessment and the quality management system at Company S as an object of conformity assessment. The scheme identifies specified requirements for the material and provides a methodology for demonstrating material provided fulfils specified requirements. In that methodology declaration is the type of attestation indicating that the material’s fulfilment of specified requirements has been demonstrated. The methodology is silent on surveillance activities and instead specifies a frequency for repeating the activities specified in the methodology resulting in declaration. The scheme identifies different specified requirements for the quality management system and provides a methodology, including surveillance activities, for demonstrating the quality management system fulfils specified requirements. In that methodology certification is the type of attestation indicating that the quality management system’s fulfilment of specified requirements has been demonstrated.

I.5 ISO/IEC 17050-1 sets general requirements for a body performing declaration, determination function activities, contents of statements of conformity issued in declaration, and surveillance activities. ISO/IEC 17050-2 sets requirements for documentation supporting the statement of conformity issued in declaration. As a result, a scheme which references ISO/IEC 17050-1 or ISO/IEC 17050-2 as requirements should provide a methodology consistent with the general requirements specified in each document.

I.6 If none of the methodologies provided by a scheme include declaration as a type of attestation, then such a scheme is not a conformity assessment scheme which includes declaration.


Annex J (informative)

Conformity assessment schemes that include multiple types of objects of conformity assessment

J.1 Conformity assessment schemes which describe multiple types of objects of conformity assessment can also identify the specified requirements applicable to each type of object of conformity. In addition, these schemes can provide a separate methodology for demonstrating each type of object of conformity assessment fulfils the related specified requirements. Other Annexes in this document provide examples of such schemes.

J.2 As a result, the combination of a type of object of conformity assessment (e.g. a type of product, process, service, management system, person’s competence, claim, or body), the specified requirements that apply to it, and the methodology for demonstrating that the type of object of conformity assessment fulfils related specified requirements can be used to analyse the components of a scheme or in the development of a new scheme.

J.3 In other words, a scheme which includes multiple objects of conformity assessment can be developed or analysed as different combinations of:

— a type of object of conformity assessment;

— related specified requirements, and

— a methodology to demonstrate that type of object of conformity assessment fulfils the related specified requirements.

The following examples of schemes are analysed using a three-column table with each row of the table being a distinct combination of object of conformity assessment, related specified requirements, and methodology.

J.4 EXAMPLE 1

J.4.1 The ABC scheme is intended to provide assurance to recreational boat owners that docking services on lakes and rivers in a specific country consistently and effectively protect boats from damage, provide reasonable security of boats, and protect safety during the use of boats. In the scheme, docking services are certified to published standards related to damage protection and security for boats and national regulations for safety practices. The scheme provides a procedure for inspection and audit as determination function activities as an input to initial service certification and as annual surveillance activities. The scheme defines the format of a certificate to be issued to operators of docking services which expires after 3 years, after which the docking service provider must submit a new application and undergo the entire service certification process. The scheme requires individuals who perform inspections as part of the service certification process to be certified for their competence in recreational boating safety. The scheme identifies an approved list of person certifications that the scheme owner has found acceptable using internal procedures. The scheme further requires the service certification bodies to be accredited to an international standard for competence, impartiality, and consistent operation; and that the accreditation bodies be a signatory to a regional multilateral agreement with a scope that includes the referenced international standard for competence, impartiality, and consistent operation of service certification bodies. The scheme requires docking service providers to have a quality management system which meets an international standard. The docking service provider must annually self-audit the quality management system as an input to annual declaration. The docking service provider must also make a summary of the quality management system publicly available and submit the results of annual self-audit to the scheme owner. The scheme provides a checklist for self-audit and a template for the certificate issued during declaration.

J.4.2  

| Type of object of conformity assessment | Related specified requirements | Methodology for demonstrating that the type of object of conformity assessment fulfils related specified requirements |
|---|---|---|
| 1a. Docking services on lakes and rivers in the identified country | 1b. Published standards for damage protection to boats and security of boats while docked; national regulations for boating safety | 1c. Scheme rules and procedures including the use of certified persons for specific activities, the details of the statement of conformity to be issued, and the details of surveillance activities to be performed |
| 2a. Person performing inspection | 2b. Requirements for recreational boating safety competence as developed by each referenced person certification body (details not specified by the scheme) | 2c. Rules and procedures including certification as attestation as developed by each referenced person certification body (details not specified by the scheme) |
| 3a. Person certification body | 3b. Acceptability requirements as developed by the scheme owner but not included in publicly available scheme information | 3c. Acceptance rules and procedures as practiced by the scheme owner but not included in publicly available scheme information |
| 4a. Service certification body | 4b. International standard for competence, impartiality and consistent operation | 4c. Accreditation rules and procedures as practiced by MLA signatory accreditation bodies (details not specified by the scheme) |
| 5a. Accreditation body | 5b. Requirements for signatory status to the regional multilateral recognition agreement with specified scope (details not specified by the scheme) | 5c. Rules and procedures as practiced by the regional multilateral recognition organization (details not specified by the scheme) |
| 6a. Quality management system | 6b. International standard for quality management systems | 6c. Scheme rules and procedures for self-audit activities and the details of the certificate to be issued |

Figure J.1 — Examples for scheme content

J.4.3  

The ABC scheme refers to and utilizes other schemes, in whole or in part, in rows 2, 4 and 5.

J.5 EXAMPLE 2

The RST company has established a scheme via a contract with the JKL installation company. Per the contract the JKL installation company will install a production system at the identified RST company location using specific products and layout as specified by the RST company. The inspection group within JKL will inspect the completed installation regarding the products installed and the layout of the installation. The contract requires the JKL inspection group to be peer assessed by the corporate RST inspection group for fulfilment of an international standard for competence, impartiality, and consistent operation. The information and results of the inspections and the peer assessment will be reviewed by the RST Director of Engineering and approved or disapproved as a confirmation the contract specifications for the installation of the new system have been met and final payment to JKL installation company can be released. After installation, the JKL inspection group will inspect the process once each shift for 1 month to measure and report the actual volume of raw material being processed per hour compared to the design specification value. The JKL inspection group will select samples of the output of the process once each shift and deliver them to the RST company quality control laboratory for testing in accordance with a national standard test method for comparison with design specification characteristics for material produced. The information and results of these inspections and tests will be provided to the RST Director of Engineering.

J.5.2  

| Type of object of conformity assessment | Related specified requirements | Methodology for demonstrating that the type of object of conformity assessment fulfils related specified requirements |
|---|---|---|
| 1a. Installation of new production system | 1b. Contract requirements for products comprising system and layout of installation | 1c. Scheme rules and procedures indicating the JKL inspection group to perform selection and determination function activities (inspection); scheme rules and procedures indicating RST director of engineering to perform review, decision, attestation function activities; scheme silent on surveillance activities |
| 2a. JKL inspection group | 2b. International standard for competence, impartiality, and consistent operation of an inspection body | 2c. Scheme rules and procedures indicating corporate RST inspection group to perform selection and determination function activities (peer assessment); scheme silent on review, decision, attestation function activities; scheme silent on surveillance activities |
| 3a. New production system in operation | 3b. Design specification value of volume of raw material processed per hour | 3c. Scheme rules and procedures indicating JKL inspection group to perform selection and determination function activities (inspection); scheme silent on review, decision, attestation function activities; scheme silent on surveillance activities |
| 4a. Material produced by new production system | 4b. Design specification characteristics of material produced | 4c. Scheme rules and procedures indicating JKL inspection group to perform selection function activities (sampling); scheme rules and procedures indicating RST quality control lab to perform determination function activities (testing); scheme silent on review, decision, attestation function activities; scheme silent on surveillance activities |

Figure J.5 — Examples for scheme content

J.5.3  

The RST contract scheme does not refer to or utilize any other schemes.


Annex K (informative)

Typical characteristics of schemes

K.1 This Annex provides a table with common or typical characteristics, including activities (as first-, second-, or third-party activities), for schemes which reference the indicated CASCO Toolbox standard as requirements for a body performing activities within the scheme. In all cases, however, schemes should be developed to meet the needs and reflect the inputs from stakeholders and interested parties, especially persons or organizations relying on the scheme for assurance.

Table K.1 — Typical characteristics of schemes which reference the standards included in the CASCO Toolbox

| CASCO Toolbox standards | Self-declaration (ISO/IEC 17050-1, ISO/IEC 17050-2) | Certification - management systems (ISO/IEC 17021-1) | Certification - product, process or service (ISO/IEC 17065) | Certification - persons (ISO/IEC 17024) | Inspection (ISO/IEC 17020) | Testing (ISO/IEC 17025) | Validation/Verification (ISO/IEC 17029) | Accreditation (ISO/IEC 17011) | Peer assessment (ISO/IEC 17040) |
|---|---|---|---|---|---|---|---|---|---|
| Characteristics of schemes | | | | | | | | | |
| Object of conformity assessment | Any | Management system | Product, process or service | Person competence | Any object for which inspection is suitable (e.g. plant and equipment, facility or other asset, product, service, process) | Any object for which testing is suitable (e.g. material, product, equipment, or system) | Claim | Conformity assessment bodies | Conformity assessment bodies and accreditation bodies |
| Selection | First-party | Third-party | First- or third-party | Third-party | First-, second- or third-party | First-, second- or third-party | First-, second- or third-party | Third-party | Second-party |
| Determination | First-, second- or third-party | Third-party | First- or third-party | Third-party | First-, second- or third-party | First-, second- or third-party | First-, second- or third-party | Third-party | Second-party |
| Common determination activities | Audit, inspection, testing | Audit | Audit, design review, evaluation, inspection, testing | Examination, assessment | Inspection | Testing | Validation/Verification | Assessment | Assessment, evaluation |
| Review and decision | First-party | Third-party | Third-party | Third-party | First-, second- or third-party | First-, second- or third-party | First-, second- or third-party | Third-party | Second-party |
| Attestation | First-party | Third-party | Third-party | Third-party | First-, second- or third-party | First-, second- or third-party | First-, second- or third-party | Third-party | Second-party |
| Statement of conformity | Letter, report, certificate | Certificate | Certificate, mark, internet listing | Certificate | Certificate, part of the report | Part of the report | Statement | Certificate | Certificate |
| Validity period for statement of conformity | No, valid only at the point in time that it is issued | Yes, valid for period specified by the scheme | Yes, valid for period specified by the scheme | Yes, valid for period specified by the scheme | Yes or No, depending on the scheme | Yes or No, depending on the scheme | No, valid only at the point in time that it is issued | Yes, valid for period specified by the scheme | Yes, valid for period specified by the scheme |
| Surveillance | No | Yes | Yes or No, depending on the scheme | Yes or No, depending on the scheme | Yes or No, depending on the scheme | No | No | Yes | Yes |
| Other relevant CASCO Toolbox standards | | | ISO/IEC TR 17026, ISO/IEC TR 17028, ISO/IEC TR 17032 | | | | ISO/IEC TS 17035 | | |

Bibliography

[1] ISO 28590, Sampling procedures for inspection by attributes — Introduction to the ISO 2859 series of standards for sampling for inspection by attributes

[2] ISO 3951‑1, Sampling procedures for inspection by variables — Part 1: Specification for single sampling plans indexed by acceptance quality limit (AQL) for lot-by-lot inspection for a single quality characteristic and a single AQL

[3] ISO 10576, Statistical methods — Guidelines for the evaluation of conformity with specified requirements

[4] ISO/IEC 17007, Conformity assessment — Guidance for drafting normative documents suitable for use for conformity assessment

[5] ISO/IEC 17020, Conformity assessment — Requirements for the operation of various types of bodies performing inspection

[6] ISO/IEC 17021 (all parts), Conformity assessment — Requirements for bodies providing audit and certification of management systems

[7] ISO/IEC 17024, Conformity assessment — General requirements for bodies operating certification of persons

[8] ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories

[9] ISO/IEC 17030, Conformity assessment — General requirements for third-party marks of conformity

[10] ISO/IEC TR 17032, Conformity assessment — Guidelines and examples of a scheme for the certification of processes

[11] ISO/IEC 17029, Conformity assessment — General principles and requirements for validation and verification bodies

[12] ISO 22514‑1, Statistical methods in process management — Capability and performance — Part 1: General principles and concepts

[13] ISO 31000, Risk management — Guidelines

[14] ISO/IEC TR 17028, Conformity assessment — Guidelines and examples of a certification scheme for services

[15] ISO/IEC TR 17026, Conformity assessment — Example of a certification scheme for tangible products

[16] ISO/IEC 17065, Conformity assessment — Requirements for bodies certifying products, processes and services

[17] ISO/IEC 17011, Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies

[18] ISO/IEC 17040, Conformity assessment — General requirements for peer assessment of conformity assessment bodies and accreditation bodies
