ISO 9001:2015 - Scope of Registration

[Perspicuity]

OP, if your auditor wrote this up against ISO9001:2015 section 4.3, and addresses it against the “scope of certification” I believe the auditor to be totally wrong. 4.3 requires “[FONT=&quot]The scope of the organization’s quality management system shall be available and be maintained as documented information”.[/FONT] It also states that the scope shall “provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. The scope on the certificate is normally (for most registrars) 15 words or less. You could exhaust your 15 word limit just explaining what you don’t do!

A company’s context documentation is usually where you will find the documented scope required by 4.3 to be “maintained”. The “scope statement” is not “maintained” by the company, it is “maintained” by the registrar (after all, the company does not issue the cert).

ISO 17021-1 section 5.1.3 “The certification body shall be responsible for, and shall retain authority for, its decisions relating to certification, including the granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring following suspension, or withdrawing of certification.”

 

[AndyN]

OP, if your auditor wrote this up against ISO9001:2015 section 4.3, and addresses it against the “scope of certification” I believe the auditor to be totally wrong. 4.3 requires “[FONT=&quot]The scope of the organization’s quality management system shall be available and be maintained as documented information”.[/FONT] It also states that the scope shall “provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. The scope on the certificate is normally (for most registrars) 15 words or less. You could exhaust your 15 word limit just explaining what you don’t do!

A company’s context documentation is usually where you will find the documented scope required by 4.3 to be “maintained”. The “scope statement” is not “maintained” by the company, it is “maintained” by the registrar (after all, the company does not issue the cert).

ISO 17021-1 section 5.1.3 “The certification body shall be responsible for, and shall retain authority for, its decisions relating to certification, including the granting, refusing, maintaining of certification, expanding or reducing the scope of certification, renewing, suspending or restoring following suspension, or withdrawing of certification.”

"A company’s context documentation is usually where you will find the documented scope required by 4.3 to be “maintained”."

I'd like to understand what "Context Documentation" is. In my experience, a scope is present in some type of quality manual. The scope of certification isn't going to be the same as the scope of the QMS, in a number of cases, so I don't understand how fitting it to 15 words is relevant, nor why the justification has anything to do with the scope of certification. I believe you may be confusing the practices of Certification Bodies with the requirements of ISO 9001:2015

 

[Perspicuity]

Many companies have opted to eliminate the quality manual (which is allowed by 9001:2015); however, they still must maintain documentation on issues (4.1), interested parties (4.2), and scope (4.3). It is arguable whether 4.1/4.2 are required as part of the scope, but most find it easier to skip the argument and include them into some sort of organizational context (4.0) document (no need to capitalize until you give it a name).

I agree abolutely…..”scope of certification isn't going to be the same as the scope of the QMS”.

Scope of the QMS is required by ISO9001:2015, Scope of Certification is governed by ISO17021-1. Scope of the QMS can be unlimited in size; Scope of Certification has to fit on the cert (hence a usual 15 word or less target). Scope of Certification should be a subset of the QMS scope.

The OP indicated that the auditor wrote up the scope “which appears on our certificate”; that scope is not governed by 4.3. If it were, it would need to include justifications for non-applicables. Again, I agree absolutely, “justification has” nothing “to do with the scope of certification”. Hence 4.3 has no governance over the Scope of Certification. Governance is established by ISO17021-1, should be created initially during the Stage 2, and should be monitored/updated by the auditor/CB with the blessing of the client during surveillances and re-certification to ensure its ongoing suitability. It should never be the subject of a finding unless that finding is resultant from an audit of the CB. I believe the OP’s auditor may be confusing the responsibility of the CB with the requirements of ISO9001:2015.

 

[Golfman25]

"A company’s context documentation is usually where you will find the documented scope required by 4.3 to be “maintained”."

I'd like to understand what "Context Documentation" is. In my experience, a scope is present in some type of quality manual. The scope of certification isn't going to be the same as the scope of the QMS, in a number of cases, so I don't understand how fitting it to 15 words is relevant, nor why the justification has anything to do with the scope of certification. I believe you may be confusing the practices of Certification Bodies with the requirements of ISO 9001:2015

Actually I think he is differentiating between the scope of the QMS and the scope listed on the ISO cert. The cert scope is usually pretty simple -- "we make things." The QMS scope would be more detailed and deal with various processes, exclusions, etc. -- what is included and not included in the QMS.

 

[Golfman25]

I know of a client who was warned, by their CB auditor, that their IATF auditor training certificate MUST reference ISO 9001:2015! It would become a MAJOR nc at the stage 2 if not fixed.

Would someone help me to understand the value in this?

While there is zero value, it seems to me the lazy auditor's way of "proving" you where trained to the current standard and not some outdated version.

 

[AndyN]

Many companies have opted to eliminate the quality manual (which is allowed by 9001:2015); however, they still must maintain documentation on issues (4.1), interested parties (4.2), and scope (4.3). It is arguable whether 4.1/4.2 are required as part of the scope, but most find it easier to skip the argument and include them into some sort of organizational context (4.0) document (no need to capitalize until you give it a name).

Surely, if an organization has understood the "needs and expectations of interested parties" why have they dispensed with their Quality Manual? I've yet to find an organization that a) has customers who don't want to see some form of quality manual and b) need some form of road map to the QMS.

 

[AndyN]

While there is zero value, it seems to me the lazy auditor's way of "proving" you where trained to the current standard and not some outdated version.

I think you give too much credit...

 

[Sidney Vianna]

Auditors are our friends, even if, as them, they’re sometimes scary.

Even when they line their pockets by issuing NC's?
Apparently, at least, one CB charges fees when reviewing corrective action plans for issued nonconformities, based on the information we get @ the Registrar Charges Per CAR Written thread.

 

[Pancho]

Sorry I ain't bashing with y'all. Most of us, humans, want to do good, act professionally and meet the standards of our employer, our trade and our ethics. Sometimes we miss, though it is rarely a problem with motives or competence. Ain't it the system?! We preach this to and of employees. Why not suppliers? Are they different? I don't think too much so.

We rightfully expect high quality from suppliers (especially auditors) and it is much harder to correct recurring problems from them. But the same problem-solving techniques we use internally can work with supplier non-conformities. You ask who has time to deal with these issues. Really? Who has time to not deal with them?

External auditors suffer from information asymmetry. They know a lot from their exposure to many diverse clients, but little about a particular client's business or specific processes. This can cause overconfidence and mistakes. But not usually stupidity nor malice.

The few times we've had whimsical findings, we talk to the auditor and the issue is resolved quickly, with minimal time loss. And if it weren't, we shouldn't be wasting time getting emotional, or taking uncalled for CA on the whim. Why is the auditor writing silly things? Once you find root, take action: explain, document, escalate, change supplier, etc. CI works on all issues. Likely someone at the CB knows this too.

 

[Nadaabo]

Hi Stevey,
I am currently taking a course on understanding the ISO 9001:2015 standard.
They outlined how with the new standard, you have to be able to show that you have considered the external/internal issues, interested parties and products and services.
We have two scopes, a brief one liner for our certificate and an entire paragraph that spells out where we are, what work we do, where we belong in our corporation, etc.
The only benefit to adding the delivery on your scope is that when other companies are searching for vendors (like you guys), they will read through the brief statement and consider your company as a potential vendor. If delivery is a service that is provided that gives your company an edge over others, then it is a bonus.
It is silly if the auditor tries to give you a non-conformance, all it is is an opportunity for improving.