Thanks to several factors, such as what effort is needed and when, variations in deliverables, and even different requirements, compliance can be a tricky thing at times—one that always requires time, patience, and cost for an organization. Even more common attestations, like SOC 2 reports, can come as a Type 1 or Type 2, can require different levels of effort and cost, and can allow for an in-depth deliverable that covers the organization’s scope, system, and supporting controls. But what about ISO? With ISO—specifically management systems—the focus is on conformance to the requirements for a specific standard and the deliverable certificate spans a three-year term, with required surveillance reviews to ensure continued conformance.
During that three-year term, change can occur and is quite common. New systems can be introduced to the scope, which can also include various extensions and additional requirements, and organizations could be potentially be acquired or perform acquisitions of their own as well. Despite all that potential change, the ISO certificate, with the necessary surveillance assessments, will remain valid during that three-year term and adjust to the changes in the relevant management system.
But what if an organization wanted to change external auditors during that time period, or prior to the next term?
Thankfully, the International Organization for Standardization (ISO) made this a fairly simple process, and the International Accreditation Forum (IAF)—an organization consisting of accreditation bodies throughout the world—published a Mandatory Document (MD) regarding the requirements necessary for an ISO certification transfer. Said document is specifically referred to as the IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems, or IAF MD 2:2017 (IAF MD-2), and it features several requirements for a proper handover.
What Requirements Are There to Transfer?
In order to transfer any management system certification, both the issuing certification body and the accepting certification body must be accredited by an accreditation body that sits on the IAF, and the accepting certification body must also be accredited for the management system standard that is the subject of the transferring certificate (i.e. the receiving certification body would have to be accredited for ISO 20000-1 to correctly perform a certification transfer for that standard). Additionally, the subject certificate must be valid and active for the transfer process to be completed.
With all that confirmed, both certification bodies must also adhere to the requirements of IAF MD-2 when performing the transfer, as there are requirements and responsibilities relevant to the issuing and accepting certification bodies.
What is Needed for the Transfer Review?
Simply put, the certification transfer process is moving an organization’s management system certificate from one certification body to another, and it requires a review of certain elements before anything can be done. According to IAF MD-2, the review process is mostly centered on the following:
- The receiving certification body’s assessment of the issuing certification body’s accreditation and on the previous work performed by the issuing certification body;
- The review of reports and other external audit-related documents; and
- Confirmation of the following:
- That the issuing certification body is active and in good standing;
- That the issuing certification body is accredited for the management system certificate that was issued; and
- That the issuing certification body performed their assessments in accordance with the related normative standards.
The transfer cannot be accepted by a receiving certification body if the issuer has not performed previous audits in conformance with the related normative standards. Should the organization wish to use a different certification body and that was the case, an initial certification would have to be performed.
How is the Transfer Performed?
As noted above, the review is generally an assessment of the issuing certification body’s work. The idea is that the certificate exchanges hands, so the receiver is ultimately relying on the work of the initial issuer to establish confidence that they can issue a management system certificate with their mark on it. If there are open nonconformities at the time of the transfer process—and there are different requirements for major and minor nonconformities—the receiving certification body is required to assess the organization’s efforts in closing those nonconformities. Additionally, there are also circumstances that require a deeper review of the organization’s management system to be performed, either onsite or through additional documentation requests, in order to create familiarity with the management system and address any discrepancies noted in the issuing certification body’s work.
As part of the assessment, the receiver is also required to communicate with the initial issuer regarding the intent of the organization to transfer, confirmation that the existing certificate is active and in good standing, and the continuation of the audit program of the receiving certification body. The initial issuer must formally respond to the communication before the transfer process can continue.
What Considerations Are There to Transferring?
Clearly, the transfer review is designed to be an easy, straightforward process. Once done, the original issuance date and the current expiration date for an existing certificate are maintained, and there is no disruption to the certification term. The receiving certification body is required to generally follow the same audit program over the remaining term as if, from an organization’s perspective, it is business as usual.
However, it is important to note that during a certification transfer, there can be no modifications to the scope of the management system, including locations. The intent of the transfer process is for the receiver to ultimately take over the external audit duties of the initial issuer, so no formal assessment of any scope modifications is conducted during an individual transfer review. As such, any modification to the scope, and resulting modifications on the revised certificate, would be covered during a formally scheduled audit—be it a separate scope modification review, surveillance review, or recertification review.
Yes, the transfer review procedure is simple and documented for easy reference. Organizations should be free to move from vendor to vendor, and IAF MD-2 allows for that flexibility. Whether it be an internal decision to reassess and switch vendors, or to consolidate multiple compliance needs under one vendor, the reasons for transferring a management system certificate can vary, just as can the nature of compliance as a whole. But with these transfers, though the process is uncomplicated, it is important to have an understanding of the process as an organization keeps the option open for consideration.
About the Authors
Ryan Mackie is a Principal at Schellman & Company. Ryan manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery and also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000, and ISO 22301 as well as CSA STAR certification services. He has over 22 years of experience. Ryan also is an active member of the CSA and sits on the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.
Alex Hsiung is a manager and ISO 27001 audit lead. Prior to joining Schellman, Alex worked as an Associate at KPMG, specializing in Sarbanes-Oxley compliance audits and IT advisory engagements. Alex also led and supported various other projects, including business process and information technology readiness assessments, internal audit services and regulatory compliance engagements. He has over 8 years of experience comprised of serving clients in various industries, including financial services, healthcare and manufacturing. Alex is a dedicated member of the ISO Service Team.
About the AuthorMore Content by Schellman & Company