Blog

What Is ISO/IEC 17021-1 and Why Should You Care?

When choosing a certification body, 17021 conformance is the single most important factor to verify.

← Back to Blog
Published 8 April 2026 · BCERT Editorial · 7 min read

If you are pursuing ISO certification, you have probably spent a great deal of time thinking about your own management system. But have you considered the management system of the body that will certify you? ISO/IEC 17021-1:2015 is the standard that sets out the requirements for organisations that audit and certify management systems. Understanding it will help you choose a credible certification body and ensure your certificate is worth the paper it is printed on.

What ISO/IEC 17021-1 Actually Is

Published by the International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 17021-1:2015 establishes the requirements that certification bodies (CBs) must meet to demonstrate they are competent, consistent, and impartial in their audit and certification activities.

In simpler terms: just as ISO 9001 tells organisations how to manage quality, 17021-1 tells certification bodies how to manage the certification process itself. It is the standard for the standards enforcers.

The full title is "Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements", and it applies to any CB that certifies organisations to standards such as ISO 9001, ISO 27001, ISO 14001, or ISO 45001.

Key Clauses and What They Require

The standard is comprehensive. Here are the clauses that matter most when evaluating a certification body:

Impartiality (Clause 4.2)

This is arguably the most critical requirement. A certification body must identify threats to its impartiality and either eliminate them or manage them to an acceptable level. The CB must not offer consultancy to the organisations it certifies, and it must have an impartiality committee with stakeholder representation that oversees its activities. At BCERT, we publish our impartiality commitment openly on our impartiality page.

Competence of Personnel (Clause 7)

Auditors must be competent in both the audit process and the specific management system standard they are auditing. This means formal qualifications, relevant work experience, auditor training, and ongoing professional development. The CB must have a documented process for selecting, training, and monitoring its auditors.

The Audit Process (Clauses 9.1–9.4)

17021-1 prescribes a structured two-stage initial certification audit:

  • Stage 1: Documentation review and readiness assessment, typically conducted partly off-site
  • Stage 2: On-site audit of implementation and effectiveness

It also requires annual surveillance audits and a full recertification audit every three years. The methodology, audit time calculations, and reporting requirements are all specified.

Certification Decisions (Clause 9.5)

The person or committee that makes the certification decision must be different from those who conducted the audit. This separation ensures objectivity. The decision-maker reviews the audit report, findings, and evidence before granting, maintaining, renewing, expanding, reducing, suspending, or withdrawing certification.

Complaints and Appeals (Clause 9.7–9.8)

Every CB must have a documented process for handling complaints and appeals related to its certification activities. Organisations that are audited must have recourse if they believe the audit was conducted unfairly or the decision was incorrect.

Why It Matters When Choosing a CB

Your ISO certificate is only as credible as the body that issued it. A certificate from a CB that does not conform to 17021-1 may not be recognised by clients, regulators, or procurement bodies. Here is what is at stake:

  • Client confidence: Sophisticated clients and public-sector bodies check whether your CB is accredited and operates to 17021-1.
  • Regulatory acceptance: In some industries, only certificates from accredited CBs satisfy regulatory requirements.
  • Audit quality: A CB that follows 17021-1 is more likely to send competent auditors who add value rather than simply tick boxes.
  • Market recognition: Accredited certificates carry a recognised mark (such as an accreditation body logo) that non-conformant CBs cannot use.

How to Check If Your CB Conforms

The primary mechanism for verifying 17021-1 conformance is accreditation. An accreditation body (such as UKAS in the UK, or ASCB) independently assesses the certification body against 17021-1. Here is how to verify:

  1. Ask the CB for their accreditation certificate and check which accreditation body issued it.
  2. Verify the accreditation on the accreditation body's public register.
  3. Confirm the CB is accredited for the specific standard you need (e.g., ISO 27001, not just ISO 9001).
  4. Check the scope — some CBs are only accredited for certain sectors or regions.

Red Flags of Non-Conformant CBs

Be cautious of certification bodies that exhibit any of the following behaviours:

  • Offering consultancy and certification together: This is a direct violation of impartiality requirements. If the same organisation helps you build your system and then certifies it, there is an inherent conflict of interest.
  • Guaranteeing certification before the audit: No legitimate CB can guarantee an outcome. The audit must be objective.
  • Unusually short audit durations: 17021-1 includes guidance on audit time based on organisation size and complexity. Drastically reduced time suggests corners are being cut.
  • No accreditation or vague accreditation claims: If a CB cannot produce a verifiable accreditation certificate, proceed with extreme caution.
  • No separation of audit and decision: If the auditor tells you on the last day that you have passed, the certification decision process may not be independent.

BCERT's Commitment to 17021-1

At BCERT, conformance with ISO/IEC 17021-1 is not a box to tick — it is the foundation of everything we do. We maintain a fully documented management system that addresses every clause of the standard. Our auditors are rigorously qualified and regularly evaluated. Certification decisions are made independently by our review committee, and our impartiality committee meets regularly to review potential threats to objectivity.

We believe transparency builds trust. That is why we publish our impartiality statement, our complaints process, and our certificate registry publicly. You can verify any BCERT-issued certificate through our online registry.

Choose a certification body you can trust

BCERT operates in full conformance with ISO/IEC 17021-1. Start your certification journey with confidence.

Apply for Certification →