ISO/IEC 17021

The audit programme for the initial certification shall include a two-stage initial audit, surveillance audits in the first and second years following the certification decision, and a recertification audit in the third year prior to expiration of certification. The first three-year certification cycle begins with the certification decision.

Surveillance Audits

Surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.

It can be necessary to adjust the frequency of surveillance audits to accommodate factors such as seasons or management systems certification of a limited duration such as a temporary construction site.

Recertification Audit

Recertification audit activities may need to include a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating such as changes to legislation.

When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification.

Short-Notice Audits

It may be necessary for the certification body to conduct audits of certified clients at short notice or unannounced to investigate complaints, respond to changes, or follow up on suspended clients.