Certification scopes (26/10/2020)

A recent finding from our UKAS visits has highlighted the need to clarify and communicate guidance to everyone on the acceptable wording of the certification scopes for all the standards we certify.

In simple terms, the certification scope is the scope of the client’s management system: what it is designed to cover, do or produce. Where we and any interested parties is the wording that appears on their certificate.

The findings focused on an element in a certification scope that would be hard to audit, prove and guarantee for anyone who may be making a buying decision partly based on the certification. In essence, it was the presence of an adjective describing a characteristic of the scope. In this case it was “secure” and the scope was:

“Secure information technology infrastructure and virtual desktop outsourced services…”

In this specific case, whilst the company did undertake periodic tests of its IT security, nobody could guarantee that it would ever be 100% secure, nor could we, in the available time and with the available resources and skillsets, audit that it was. The adjective therefore had to be removed.

In the past, we have also had similar wording proposed by clients for certification, using terms such as “using the latest available technology” or “to provide guaranteed delivery services”. Such claims are very difficult to audit and prove irrefutably. It is therefore best to have scopes that are straightforward, with no adjectives, and that, as they say, “does what it says on the tin!”

Another element that clients have asked for is confirmation in their scope that they are working with, certified to or comply with other management systems and norms, such as “working with BS XXXX” or other industry standards, memberships or codes of conduct. Current accreditation rules do not allow other standards to be described within certification scopes and, as above, it could be very difficult to prove that a client meets all these standards without undertaking audits of them ourselves.

A common issue that also arises with certification scopes is that they do not necessarily reflect the services, products or activities that a client may portray on their website. Websites are used to promote the extent of a company’s endeavours, no matter how long ago they took place, and they can be subject to a little creative licence, especially from designers and copywriters. Photographs can be stock photos from a commercial library that do not reflect the premises or people that they have. As auditors, we should be mindful of this and check that what they claim is reflected in their management system to be a true, unambiguous representation of them. In fact, in the 2015 versions of 9001 and 14001, there are references to the need to meet their claims for their products and services (9001 – Clause 8.2.2 (b) and, whilst not audited, 14001 App. A, A.4.3, para 2).