Audit Of Multi Site
Procedure for the audit and certification for multisite organization
1.0 Purpose
To define the process of the audit and certification of a management system operated by a multi-site organization to plan and accomplish a complete and effective audit of the client’s management system, in accordance with requirements of ISO/IEC 17021-1:2015, and other applicable international standards for certification bodies providing management system
certification as following:
Management Systems Certification scheme | Management Systems Certification Standard | Accreditation Standard | Other Guidelines |
Quality | ISO 9001:2015 | ISO 17021-3:2017 | IAF MD 5:2019 |
| ISO 13485:2016 |
| IAF MD 9:2022 |
Environmental | ISO 14001:2015 | ISO 17021-2:2016 | IAF MD 5:2019 |
Health and Safety | OHSAS 18001:2007 | ISO 17021-10:2018 | IAF MD 22:2019 and IAF MD 21 :2022 |
| ISO 45001:2018 | ISO 17021-10:2018 | IAF MD 22:2019 and IAF MD 21 :2022 |
Food Safety | ISO 22000:2018 | ISO 22003:2013 |
|
| HACCP | ISO 22003:2013 |
|
| FSSC 22000 | ISO 22003:2013 |
|
Information Technology | ISO 27001:2013 | ISO 27006:2015 |
|
Service Management | ISO 20000-1:2018 | ISO 20000-6:2017 | |
Energy | ISO 50001:2018 | ISO 50003:2021 |
|
Business Continuity | ISO 22301:2019 | ISO 17021-6:2014 |
|
Anti Bribery | ISO 37001:2016 | ISO 17021-8 |
|
Facility Management | ISO 41001:2018 | ISO 17021-11 |
|
Road Traffic | ISO 39001:2012 | ISO 17021-7:2014 |
|
Learning Service | ISO 29990:2010 |
|
|
and IAF mandatory document for managing the audit and certification of the management system operated by a multi-site organization, IAF MD1: 2018
1.2 Scope
This procedure is applicable to all quality management system, environmental management system, occupational health and safety management system, food safety management system, information technology service management system, information security management system, energy management system, and medical devices quality management system audits performed by LMS to certify client’s management system against the standards as below mentioned:
Management Systems Certification scheme | Management Systems Certification Standard | ||
Quality | ISO 9001:2015 | ||
| ISO 13485:2016 | ||
Environmental | ISO 14001:2015 | ||
Health and Safety | ISO 45001:2018 | ||
| |||
Food Safety | ISO 22000:2018 | ||
| HACCP | ||
| FSSC 22000 | ||
Information Technology | ISO 27001:2013 | ||
Service Management | ISO 20000-1:2018 | ||
Energy | ISO 50001:2018 | ||
Business Continuity | ISO 22301:2019 | ||
Anti Bribery | ISO 37001:2016 | ||
Facility Management | ISO 41001:2018 | ||
Road Traffic | ISO 39001:2012 | ||
Learning Service | ISO 29990:2010 |
1.3 Responsibility
Certification planning section head
Scheme manager
Management Systems Certification scheme | Management Systems Certification Standard |
Quality | ISO 9001:2015 |
Environmental | ISO 14001:2015 |
Energy | ISO 50001:2018 |
Business Continuity | ISO 22301:2019 |
Anti Bribery | ISO 37001:2016 |
Facility Management | ISO 41001:2018 |
Road Traffic | ISO 39001:2012 |
Learning Service | ISO 29990:2010 |
2. DEFINITIONS
2.1 Organization
Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
(Source: Definition 3.1 of Annex SL of ISO/IEC Directives)
2.2 Permanent Site
Site (physical or virtual) where a client organization performs work or from which a service is provided on a continuing basis.
(Source: Adapted from ISO/IEC TS 17023:2013 Conformity assessment -- Guidelines for determining the duration of management system certification audits)
2.3 Temporary Site
Site (physical or virtual) where a client organization performs specific work or from which a service is provided for a finite period of time and which is not intended to become a permanent site. (Source: ISO/IEC TS 17023:2013)
2.4 Multi-site Organization
An organization covered by a single management system comprising an identified central function (not necessarily the headquarters of the organization) at which certain processes/activities are planned and controlled, and a number of sites (permanent, temporary or virtual) at which such processes/activities are fully or partially carried out.
2.5 Central Function
The function that is responsible for and centrally controls the management system (refer to Section 5).
2.6 Virtual Site
Virtual location where a client organization performs work or provides a service using an on-line environment allowing persons from different physical locations to execute processes.
Note 1: A virtual site cannot be considered as such where the processes must be executed in a physical environment e.g. warehousing, physical testing laboratories, installation or repairs to physical products.
Note 2: An example of such a virtual site is a design & development organization with all employees performing work located remotely, working in a cloud environment.
Note 3: A virtual site (e.g. an organization’s intranet) is considered a single site for the purpose of calculating of audit time.
Note 4: For further information, see also IAF MD 4: Use of Computer Assisted Auditing Techniques ("CAAT") for Accredited Certification of Management Systems.
2.7 Sub-scope
The scope of a single site.
Note: The scope of a single site might be the same as the full scope of the multi-site organization but may also be only a small part of the multi-site organization’s scope.
Note: The above definition of “sub-scope” is to be used for the purposes of implementing the requirements of this document (in contrast with the use of the term on page 2 of this document, where reference is made to “sub-scope” in the context of accreditation and not certification).
2.8 Top Management
Person or group of people who directs and controls an organization at the highest level.
(Source: ISO 9000: 2015 Quality management systems -- Fundamentals and vocabulary)
3. APPLICATION
3.1 Site
3.1.1 A site could include all land on which processes/activities under the control of an organization at a given location are carried out, including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the processes/activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply.
3.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization’s headquarters processes/activities as well as delivery of its services. Where relevant, the Certification Body may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central function shall be identified and audited.
3.2 Temporary Site
3.2.1 Temporary sites that are covered by the organization's management system shall be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however be included within the scope of a multi-site certification and included on the certification document, subject to agreement between the Certification Body and the client organization. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
3.3 Multi-site Organization
3.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central function of the organization and be subject to a single management system, which is laid down, established and subject to continuous surveillance and internal audits by the central function. This means that the central function has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central function and the sites.
4. RATIONALE FOR THE PROPOSED APPROACH
4.1 This document deals with the auditing of a multi-site organization with a single management system.
4.2 Any one site may perform fully or partially the processes/activities covered by the scope of the management system, and different sites may belong to the same legal entity or not.
4.3 Any legal considerations concerning the organization’s management system extending over a single legal entity or multiple legal entities is generally irrelevant to the auditing of the management system, and unless otherwise stated are not covered in this document.
4.4 It is the organization’s management system which must be audited and certified; furthermore, by definition, a management system audit is only based on a limited sample of the information available. However it must be demonstrated that the management system is capable of achieving its intended results for all sites involved.
4.5 Therefore, it is logical to start by considering the organization and the implementation of its management system, and what type of sampling may be appropriate, if any.
4.6 In the case of a multi-site organization where each site is performing very similar processes/activities, there may be a clear case to be made for appropriate “site sampling” (e.g. a chain of franchise stores or a bank branch network). On the other hand, this document also addresses the situation where the application of site sampling is not appropriate. There may be many reasons for this, such as:
all the sites perform significantly different processes/activities in connection with the management system scope;
the client requests each site to be audited; or
there is a sector scheme or regulatory requirement stipulating that each site is to be audited systematically.
Between these two extreme cases, there are many multi-site organizations with part of their sites performing similar processes/activities while other sites are dedicated to very specific processes not performed elsewhere in the organization. As with any sampling process, proper site sampling limits sampling only to those sites which are performing very similar processes/activities, which are part of the organization’s scope.
5. ELIGIBILITY OF A MULTI-SITE ORGANIZATION FOR CERTIFICATION
5.1 The organization shall have a single management system.
5.2 The organization shall identify its central function. The central function is part of the organization and shall not be subcontracted to an external organization.
5.3 The central function shall have organizational authority to define, establish and maintain the single management system.
5.4 The organization’s single management system shall be subject to a centralized management review.
5.5 All sites shall be subject to the organization’s internal audit programme.
5.6 The central function shall be responsible for ensuring that data is collected and analyzed from all sites and shall be able to demonstrate its authority and ability to initiate organizational change as required in regard, but not limited, to:
(i) system documentation and system changes;
(ii) management review;
(iii) complaints;
(iv) evaluation of corrective actions;
(v) internal audit planning and evaluation of the results; and
(vi) statutory and regulatory requirements pertaining to the applicable standard(s).
Note: The central function is where operational control and authority from the top management of the organization is exerted over every site. There is no requirement for the central function to be located in a single site.
6. METHODOLOGIES
6.1 Methodology for Auditing of a Multi-site Organization Using Site Sampling
6.1.1 Conditions
6.1.1.1 Sampling of a set of sites is permitted where the sites are each performing very similar processes/activities.
6.1.1.2 Not all organizations fulfilling the definition of “multi-site organization” will be eligible for sampling.
6.1.1.3 Not all management systems standards are suitable for consideration for multi-site certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules also apply for some schemes, for example those including aerospace (AS 9100 series) or automotive (IATF 16949) and the requirements of such schemes shall take precedence.
6.1.1.4 Certification Bodies shall have documented procedures to restrict such sampling where site sampling is inappropriate to gain sufficient confidence in the effectiveness of the management system under audit. Such restrictions shall be defined by the Certification Body with respect to:
scope sectors or processes/activities (i.e. based on the assessment of risks or complexity associated with that sector or activity);
size of sites eligible for multi-site audit;
variations in the local implementation of the management system to address different processes/activities or different contractual or regulatory systems; and
use of temporary sites that operate under the management system of the organization even if they are not listed in the certification documents.
6.1.2 Sampling
6.1.2.1 The sample shall be partly selective based on the factors set out below and partly random, and shall result in a representative range of different sites being selected, ensuring all processes covered by the scope of certification will be audited.
6.1.2.2 At least 25% of the sample shall be selected at random.
6.1.2.3 Taking into account the provisions mentioned below, the remainder shall be selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible.
6.1.2.4 The site selection shall consider, among others, the following aspects:
results of internal site audits and management reviews or previous certification audits;
records of complaints and other relevant aspects of corrective and preventive action;
significant variations in the size of the sites;
variations in shift patterns and work procedures;
complexity of the management system and processes conducted at the sites;
modifications since the last certification audit;
maturity of the management system and knowledge of the organization;
environmental issues and extent of aspects and associated impacts for environmental management systems;
differences in culture, language and regulatory requirements;
geographical dispersion; and
whether the sites are permanent, temporary or virtual.
6.1.2.5 This selection does not have to be done at the start of the audit process. It can also be done once the audit of the central function has been completed. In any case, the central function shall be informed of the sites to be included in the sample. This can be on relatively short notice, but shall allow adequate time for preparation for the audit.
6.1.3 Size of Sample
6.1.3.1 The Certification Body shall have a documented procedure for determining the sample size. This shall take into account all the factors described in this section.
6.1.3.2 The Certification Body shall have records on each application of sampling for each multi-site organization, justifying it is operating in accordance with this document.
6.1.3.3 The minimum number of sites to be visited per audit is:
Initial audit: the size of the sample shall be the square root of the number of sites: (y=√x), rounded up to the next whole number, where y = number of sites to be sampled and x = total number of sites.
Surveillance audit: the size of the annual sample shall be the square root of the number of sites with 0.6 as a coefficient (y=0.6 √x), rounded up to the next whole number.
Re-certification audit: the size of the sample shall be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over the certification cycle, the size of the sample could be reduced to, y=0.8 √x, rounded up to the next whole number.
6.1.3.4 The central function (as detailed in Section 5) shall be audited during the initial certification and every recertification audit and at least once a calendar year as part of surveillance.
6.1.3.5 The size or frequency of the sample shall be increased where the Certification Body’s risk analysis of the process/activity covered by the management system subject to certification indicates special circumstances in respect of factors such as:
the size of the sites and number of employees;
the complexity or risk level of the process/activity and of the management system;
variations in working practices (e.g. shift working);
variations in process/activities undertaken;
records of complaints and other relevant aspects of corrective and preventive action;
any multinational aspects; and
results of internal audits and management review.
6.1.3.6 When the organization has a hierarchical system of branches (e.g. head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level.
Example:
1 head office: visited at each audit cycle (initial or surveillance or recertification)
4 national offices: sample = 2: minimum 1 at random
27 regional offices: sample = 6: minimum 2 at random
1700 local branches: sample = 42: minimum 11 at random
The sample of regional offices should include at least one regional office controlled by each national office. The sample of local branches should include at least one local branch controlled by each regional office. This may result in the sample size at each level exceeding the minimum sample size calculated in accordance with paragraph 6.1.3.3.
6.1.3.7 The sampling process shall be part of the management of the audit programme. At any time (i.e. before planning the surveillance audit, or when any organization site changes its structure, or in case of acquisition of new site(s) which will be added into the certification boundary), the Certification Body shall review the sampling foreseen in the audit programme in order to establish the need to adjust the sample size prior to auditing the sample with a view to maintaining certification.
6.1.4 Additional Sites
6.1.4.1 On the application of inclusion of new sites or a new group of sites to join an already certified multi-site organization, the Certification Body shall determine the required activities to be performed before including the new site(s) in the certificate. This shall include consideration of whether or not to audit the new site(s). After inclusion of the new site(s) in the certificate, the sample size for future surveillance or recertification audits shall be determined.
6.2 Methodology for Auditing of Multi-site Organizations Where Site Sampling Using Section 6.1 is not Appropriate
6.2.1 The audit programme shall consist of an initial audit and recertification audit of all sites. In surveillance audits, 30% of sites, rounded up to the whole number, shall be covered in a calendar year. Each audit will include the central function. The sites selected for the second surveillance audit will normally be different from the sites selected for the first surveillance audit.
6.2.2 The audit programme shall be designed to ensure that all processes covered by the certification scope are audited over each cycle.
6.2.3 Additional Sites
On the application of a new site to join an already certified multi-site organization, the site shall be audited before being included in the certificate, in addition to the planned surveillance in the audit programme. After inclusion of the new site in the certificate, it shall be cumulated with the previous ones for determining the audit time for future surveillance or recertification audits.
6.3 Methodology for Auditing Multi-site Organizations that Include a Combination of Sites that can be Sampled and Other Sites that Cannot be Sampled
The audit programme shall be established using Section 6.1 for those sites that can be sampled and Section 6.2 for the remaining part of the organization where Section 6.1 is not appropriate.
7. AUDIT AND CERTIFICATION
The Certification Body shall have documented procedures to deal with audits under its multi-site procedure. Such procedures shall establish the way the Certification Body satisfies itself that the single management system governs the processes/activities at all the sites, and is actually applied to all the sites. The Certification Body shall justify and record the rationale for proceeding with any approach to the auditing and certification of a multi-site organization.
7.1 Application and Application Review
7.1.1 The Certification Body shall obtain necessary information concerning the applicant organization to:
confirm that a single management system is deployed across the organization;
determine the scope of the management system being operated and the requested scope of certification and, if applicable, sub-scopes;
understand the legal and contractual arrangements for each site;
understand “what happens where” i.e. processes/activities provided at each site and identify the central function;
determine the degree of centralization of process/activities which are delivered to all sites (e.g. purchasing);
determine interfaces between the different sites;
determine which sites may be applicable for sampling (i.e. where very similar processes/activities are provided) and those that are not eligible;
take into consideration other relevant factors (see also IAF MD 4, IAF MD 5, IAF MD 11: IAF Mandatory Document for Application of ISO/IEC 17021 for Audits of Integrated Management Systems (IMS), ISO/IEC TS 17023);
determine the audit time for the organization;
determine the audit team(s)’ competence required; and
identify the complexity and scale of the processes/activities (e.g. one or many) covered by the management system.
7.2 Audit Programme
7.2.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.1.3, the audit programme shall at least include or refer to the following:
processes/activities provided on each site;
identification of those sites which are liable to be sampled, and which are not; and
identification of sites which are covered by sampling, and which are not.
7.2.2 When determining the audit programme, the Certification Body shall allow sufficient additional time for activities which are not part of the calculated audit time, such as travelling, communicating among audit team members, post-audit meetings, etc. due to the specific configuration of the organization to be audited.
Note: Remote auditing techniques may be used, provided that the processes to be audited are of such a nature that remote auditing is appropriate (see ISO/IEC 17021-1 and IAF MD 4)
7.2.3 Where audit teams consisting of more than one member are used at any point, it shall be the responsibility of the Certification Body, in conjunction with the team leader, to identify the technical competence required for each part of the audit and for each site and to allocate appropriate team members for each part of the audit.
7.3 Calculation of Audit Time
7.3.1 An organization that satisfies the eligibility criteria may consist of sites that can be sampled, sites that cannot be sampled or a combination of both. The audit time must be sufficient to undertake an effective audit irrespective of the makeup of the organization.
Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%.
For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing).
The audit time per selected site (whether it comes from sampling as in 6.1, from non-sampling as in 6.2 or from mixed methodology as in 6.3), including elements of the central function if applicable, shall be calculated for each site using the applicable IAF documents (e.g. IAF MD 5 for quality and environmental management systems, IAF MD 11 for integrated management systems) and, where necessary, any applicable sector scheme requirements for the calculation of man-days.
7.4 Audit Plan
7.4.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.2.3, the Certification Body shall at least consider the following when preparing the audit plan:
certification scope and sub-scopes for each site;
management system standard for each site, if multiple management system standards are being considered;
processes/activities to be audited;
audit time for each site; and
allocated audit team.
7.5 Initial Audit: Stage 1
During Stage 1, the audit team shall complete the information to:
confirm the audit programme;
plan Stage 2, taking into account the processes/activities to be audited in each site; and
confirm that the Stage 2 audit team has the required competence.
7.6 Initial Audit: Stage 2
At the outcome of the initial audit, the audit team shall document which processes were audited on each site visited. This information will be used to amend the audit programme and audit plans for subsequent surveillance audits.
7.7 Nonconformities and Certification
7.7.1 When nonconformities, as defined in ISO/IEC 17021-1, are found at any individual site, either through the organization’s internal auditing or from auditing by the Certification Body, investigation shall take place to determine whether the other sites may be affected. Therefore, the Certification Body shall require the organization to review the nonconformities to determine whether or not they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action shall be performed and verified both at the central function and at the individual affected sites. If they are found not to do so, the organization shall be able to demonstrate to the Certification Body the justification for limiting its follow-up corrective action.
7.7.2 The Certification Body shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established.
7.7.3 At the time of the decision-making process, if any site has a major nonconformity, certification shall be denied to the whole multi-site organization of listed sites pending satisfactory corrective action.
7.7.4 It shall not be admissible that, to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process.
7.8 Certification Documents
7.8.1 The certification document shall reflect the scope of certification and the sites and /legal entities (where applicable) covered by the multi-site certification.
7.8.2 Certification documents shall contain the name and address of all the sites, reflecting the organization to which the certification documents relate. The scope or other reference on these documents shall make it clear that the certified activities are performed by the sites on the list. However, if a site’s activities only include a subset of the organization’s scope, the certification document shall include the site’s sub-scope. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
7.8.3 Where certification documents for one site are issued, they shall include:
that it is the management system of the whole organization which is certified;
the activities performed for that specific site / legal entity which are covered by this certification;
traceability with the main certificate, e.g. a code; and
a statement saying “the validity of this certificate depends on the validity of the main certificate”.
Under no circumstances, can this certification document be issued to the name of the site/legal entity or suggest that this site/legal entity is certified (the one certified is the client organization), nor shall it include a declaration of conformity of the site processes/activities to the normative document.
7.8.4 The certification documentation will be withdrawn in its entirety if any of the sites does not fulfil the necessary provisions for the maintenance of the certification.
7.9 Surveillance Audits
7.9.1 Surveillance of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.9.2 Surveillance of multi-site organizations that cannot be sampled in accordance with Section 6.1 is based on auditing 30% of the sites plus the central function. The sites selected for the second surveillance of a certification cycle shall normally not include any sites sampled as part of the first surveillance audit. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10 Recertification Audits
7.10.1 Recertification of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10.2 Recertification of multi-site organizations that cannot be sampled shall be audited as per initial audit, i.e. all sites audited plus the central function. The audit time per site and central function shall be calculated in accordance with Clause 7.3 above.
Management Systems Certification scheme | Management Systems Certification Standard |
Health and Safety | ISO 45001:2018 |
B.10 AUDIT TIME OF A MULTI-SITE OH&SMS
B.10.1 In the case of an OH&SMS system operated over multiple sites the CAB shall establish if site sampling is permitted or not, based on the evaluation of the level of OH&S risks associated with the activities and processes carried out in each site included in the scope of certification. Records of such evaluations and rationale of decisions taken shall be made available to the AB at assessment.
B.10.2 The requirements for OH&SMS multiple site certification, both when sampling is permitted and when sampling is not permitted, are covered in more detail by the different scenarios provided in the new IAF MD 1 document for auditing and certification of a management system managed by a multi-site organization, in which all references to IAF MD5 requirements shall be understood as amended by this Appendix w.r.t. IAF MD 22.
B.10.3 Combined with clause B.10.2
B.11 CONTROL OF EXTERNALLY PROVIDED FUNCTIONS OR PROCESSES (OUTSOURCING)
B.11.1 If an organization outsources part of its functions or processes, it is the responsibility of the CAB to obtain evidence that the organization has effectively determined the type and extent of controls to be applied in order to ensure that the externally provided functions or processes do not adversely affect the effectiveness of the OH&SMS, including the organization’s ability to control its OH&S risks and commitments to comply with legal requirements.
B.11.2 The CAB will audit and evaluate the effectiveness of the organization's OH&SMS in managing any supplied activity and the risk this poses to OH&S performance of its own activities and processes and conformity requirements. This may include gathering feedback on the level of effectiveness from suppliers, based:
on the criteria applied by the organization for the evaluation, selection, monitoring of performance and re-evaluation of these external providers based on their ability to provide functions or processes in accordance with specified requirements, in compliance with the legal requirements, and
on the risk that the external providers can adversely affect the organization’s ability to control its own OH&S risks.
B.11.3 Even if auditing the complete provider’s management system is not required, the CAB shall consider those processes or functions included within the scope of the organization’s OH&SMS, which have been outsourced to external providers to plan and accomplish an effective audit.
B.11.4. The CAB should be able to establish this during the preparation of the certification programme and further verify it during the initial audit, and before every surveillance and recertification audit.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | HACCP ISO 22000:2018
|
9 Process requirements
9.1 General requirements
9.1.1 The certification body shall precisely define the scope of certification in terms of levels of the food
chain (e.g. primary production, food processing, packaging material production), category(ies) and sectors
according to Annex A. The certification body shall not exclude part of the processes, sectors, products or
services from the scope of certification when those processes, sectors, products or services have an influence
on the food safety of the end products.
9.1.2 The certification body shall have a process for choosing the audit day, time and season so that the
audit team has the opportunity of auditing the organization operating on a representative number of product
lines, categories and sectors covered by the scope.
9.1.3 All the requirements given in 9.1.1 to 9.1.3 of ISO/IEC 17021:2006 apply.
9.1.4 The certification body shall have documented procedures for determining audit time, and for each
client the certification body shall determine the time needed to plan and accomplish a complete and effective
audit of the client’s FSMS. The audit time determined by the certification body, and the justification for the
determination, shall be recorded. In determining the audit time, the certification body should consider Annex B
and shall consider, among other things, the following aspects:
a) requirements of the relevant FSMS standard;
b) size and complexity of the organization;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the FSMS;
e) results of any prior audits;
f) number of sites and multi-site considerations.
9.1.5 For multi-site organizations, the requirements given in 9.1.5.1 and 9.5.1.3 apply.
9.1.5.1 Where the certification body is certifying a multi-site organization under one certificate, the
following conditions apply:
a) all sites are of the same activity and are located within the same country;
b) all sites are operating under one centrally controlled and administered FSMS as defined in Clause 4 of
ISO 22000:2005, or equivalent for other FSMSs;
c) an internal audit has been conducted on each site within the three years prior to certification;
d) following certification, an internal audit shall be carried out on each site within the certification period;
e) the internal audits of all sites shall comply with ISO 22000 or equivalent;
f) audit findings of the individual sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
9.1.5.2 The use of multi-site sampling is only possible for organizations with more than 20 sites and only
for categories A, B, G, H and J (see Table A.1). This applies both to the initial certification and to surveillance
audits.
9.1.5.3 Where the certification body offers multi-site certification, the certification body shall utilize a
sampling programme to ensure an effective audit of the FSMS where
a) the sampling for more than 20 sites shall be at the ratio of 1 site per 5 sites with a minimum of 20. All sites
shall be randomly selected and, after the audit, no sampled sites may be nonconforming (i.e. not meeting
certification thresholds for ISO 22000),
b) evaluation of the audit findings of the sampled sites shall be deemed equivalent to the internal audit
findings of the same sites of the organization,
c) at least annually, an audit of the central FSMS shall be performed,
d) at least annually, surveillance audits shall be performed on the sampled sites, and
e) audit findings of the sampled sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
Table 1 gives examples of the number of sites to audit when sampling is used.
Table 1 — Examples of the number of sites to be audited when multi-site sampling is used
Total number of sites
x between
1 and 20 21 22 23 24 25 26 27 28
Number of sites above 20 0 1 2 3 4 5 6 7 8
Additional number of sites to audit 0 1 1 1 1 1 2 2 2
Number of sites to be audited x 21 21 21 21 21 22 22 22
9.1.6 All the requirements given in 9.1.6 to 9.1.9 of ISO/IEC 17021:2006 apply.
9.1.7 The certification body shall provide a written report for each audit. The report shall be based on
relevant guidance provided in ISO 19011. The audit team may identify opportunities for improvement but shall
not recommend specific solutions. Ownership of the audit report shall be maintained by the certification body.
The report shall include references to PRPs used by the organization, HACCP methodology used, comments
on the HACCP team, and other issues relevant to the FSMS.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | FSSC 22000 (ver 4.1) |
7.2 Multiple sites
7.2.1 General principles
1) Certification of multi-site organizations and multi-site sampling (as described in ISO/TS 22003:2013 and ISO/IEC 17021-1:2015) is not applicable to the following food chain categories as listed in ISO/TS 22003:2013:
a) CI, CII, CIII and CIV,
b) DI and DII, c) I and d) K.
2) For the food chain categories shown under
1) the Scheme requires that every site shall have:
a) a separate audit,
b) a separate report,
c) a separate certificate, and
d) every site shall be entered separately in the database.
3) Certification of multi-site organizations as shown in ISO/TS 22003:2013, clause 9.1.5 shall be applicable for the following food chain categories as listed in ISO/TS 22003:2013:
a) A,
b) E,
c) FI,
d) G.
7.2.2 Exceptions - applicable for categories C, D, I and K The Scheme does offer exceptions for three main categories of organizations shown in section 7.2.1, that have multiple sites such as organizations: a) where some functions pertinent to the certification are controlled by a head office separate to the site(s), b) with different operations at one site, c) with off-site activities.
7.2.3 Head office functions Functions pertinent to the certification but controlled by a head office separate to the site(s) could include for example: a) Procurement, b) Supplier approval or c) Quality assurance.
7.2.3.1 Auditing head office functions
1) In all cases where functions pertinent to the certification are controlled by a head office, the Scheme requires that those functions are audited interviewing the personnel described in the food safety management system as having the delegated authority and responsibility for these functions.
2) The functions at the head office are audited separately and every site belonging to the group shall have:
a) a separate audit,
b) a separate report and
c) a separate certificate.
7.2.3.2 Auditing sites in a multi-site organization
1) An audit at the head office cannot assess the degree of implementation at site level.
a) The auditor shall visit the sites to conduct that part of the audit.
b) The head office audit shall be carried out prior to the site audit.
2) The subsequent audit at the site(s) shall include a confirmation that the requirements set out by head office are appropriately incorporated into site specific documents and implemented in practice.
3) The site audit report and certificate shall show which functions have been audited at the head office. 4) The report of the head office audit has a validity of 12 months.
5) The head office cannot take responsibility for all functions within the scope of the certification, and can therefore not receive a separate certificate.
6) The head office is mentioned on the site certificate by use of wording such as “An audit was carried out at (name and location of head office) on DDMMYY to assess the following function(s) (describe functions audited at the head office)”.
7.2.3.3 Dealing with nonconformities
1) Where nonconformities are noted in head office or separate sites, these are assumed to have impact on the equivalent procedures applicable to all sites.
2) Corrective actions shall therefore address issues of communication across the certified sites and appropriate actions for impacted sites.
3) Such nonconformities and corrective actions shall be clearly identified in the relevant section of the audit report.
4) The nonconformities shall be cleared in accordance with the CB procedures before issuing the site certificate.
7.2.4 Organizations with different operations at one site
1) In cases where different operations are located on one site, for example where a manufacturing operation is linked to a packing operation, both shall be considered for certification under a single scope based on one audit, report and certificate provided that both are:
a) subject to one audit appropriate to the combined scope;
b) part of the same legal entity.
2) The preferred description on the certificate in such cases is to use the name of the legal entity as the primary name. For example: “XYZ company, operating as ABC processing and 123 packaging, (insert address)”.
7.2.5 Off-site activities
7.2.5.1 Split-process
1) A certified organization has a (single) process that is split between different sites that shall be part of the same legal entity. The primary site is the sole receiver/customer of the secondary site(s).
a) For example, a semi-finished product is moved to a separate site for a specific process step or steps to be carried out, and is returned to the primary location for completion.
b) Such processes shall, by exception, be considered for certification under a single scope and one certificate.
7.2.5.2 Management of off-site activities The off-site activities shall meet with the following requirements:
1) The off-site activities are included in the primary site food safety management system.
2) The scope statement of the primary certified site shall show the on-site and off-site activities.
3) The audit report shall include all relevant requirements at both the primary and secondary sites and allow audit findings to be identified as site specific.
4) The number of secondary sites shall be limited to a maximum of five.
Management Systems Certification scheme | Management Systems Certification Standard |
Energy Management | ISO 50001 |
Procedure for the audit and certification for multisite organization
1.0 Purpose
To define the process of the audit and certification of a management system operated by a multi-site organization to plan and accomplish a complete and effective audit of the client’s management system, in accordance with requirements of ISO/IEC 17021-1:2015, and other applicable international standards for certification bodies providing management system certification as following:
Management Systems Certification scheme | Management Systems Certification Standard | Accreditation Standard | Other Guidelines |
Quality | ISO 9001:2015 | ISO 17021-3:2017 | IAF MD 5:2015 |
| ISO 13485:2016 |
| IAF MD 9:2017 |
Environmental | ISO 14001:2015 | ISO 17021-2:2016 | IAF MD 5:2015 |
Health and Safety | OHSAS 18001:2007 | ISO 17021-10:2018 | IAF MD 22:2018 and IAF MD 21 :2018 |
| ISO 45001:2018 | ISO 17021-10:2018 | IAF MD 22:2018 and IAF MD 21 :2018 |
Food Safety | ISO 22000:2018 | ISO 22003:2013 |
|
| HACCP | ISO 22003:2013 |
|
| FSSC 22000 | ISO 22003:2013 |
|
Information Technology | ISO 27001:2013 | ISO 27006:2015 |
|
Service Management | ISO 20000-1:2018 | ISO 20000-6:2017 | IAF MD 18:2015 |
Energy | ISO 50001:2018 | ISO 50003:2021 |
|
Business Continuity | ISO 22301:2019 | ISO 17021-6:2014 |
|
Anti Bribery | ISO 37001:2016 | ISO 17021-8 |
|
Facility Management | ISO 41001:2018 | ISO 17021-11 |
|
Road Traffic | ISO 39001:2012 | ISO 17021-7:2014 |
|
Learning Service | ISO 29990:2010 |
|
|
and IAF mandatory document for managing the audit and certification of the management system operated by a multi-site organization, IAF MD1: 2018
1.2 Scope
This procedure is applicable to all quality management system, environmental management system, occupational health and safety management system, food safety management system, information technology service management system, information security management system, energy management system, and medical devices quality management system audits performed by LMS to certify client’s management system againist the standards as below mentioned:
Management Systems Certification scheme | Management Systems Certification Standard |
Quality | ISO 9001:2015 |
| ISO 13485:2016 |
Environmental | ISO 14001:2015 |
Health and Safety | OHSAS 18001:2007 |
| ISO 45001:2018 |
Food Safety | ISO 22000:2018 |
| HACCP |
| FSSC 22000 |
Information Technology | ISO 27001:2013 |
Service Management | ISO 20000-1:2018 |
Energy | ISO 50001:2018 |
Business Continuity | ISO 22301:2019 |
Anti Bribery | ISO 37001:2016 |
Facility Management | ISO 41001:2018 |
Road Traffic | ISO 39001:2012 |
Learning Service | ISO 29990:2010 |
1.3 Responsibility
Certification planning section head
Scheme manager
Management Systems Certification scheme | Management Systems Certification Standard |
Quality | ISO 9001:2015 |
Environmental | ISO 14001:2015 |
Energy | ISO 50001:2018 |
Business Continuity | ISO 22301:2019 |
Anti Bribery | ISO 37001:2016 |
Facility Management | ISO 41001:2018 |
Road Traffic | ISO 39001:2012 |
Learning Service | ISO 29990:2010 |
2. DEFINITIONS
2.1 Organization
Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
(Source: Definition 3.1 of Annex SL of ISO/IEC Directives)
2.2 Permanent Site
Site (physical or virtual) where a client organization performs work or from which a service is provided on a continuing basis.
(Source: Adapted from ISO/IEC TS 17023:2013 Conformity assessment -- Guidelines for determining the duration of management system certification audits)
2.3 Temporary Site
Site (physical or virtual) where a client organization performs specific work or from which a service is provided for a finite period of time and which is not intended to become a permanent site. (Source: ISO/IEC TS 17023:2013)
2.4 Multi-site Organization
An organization covered by a single management system comprising an identified central function (not necessarily the headquarters of the organization) at which certain processes/activities are planned and controlled, and a number of sites (permanent, temporary or virtual) at which such processes/activities are fully or partially carried out.
2.5 Central Function
The function that is responsible for and centrally controls the management system (refer to Section 5).
2.6 Virtual Site
Virtual location where a client organization performs work or provides a service using an on-line environment allowing persons from different physical locations to execute processes.
Note 1: A virtual site cannot be considered as such where the processes must be executed in a physical environment e.g. warehousing, physical testing laboratories, installation or repairs to physical products.
Note 2: An example of such a virtual site is a design & development organization with all employees performing work located remotely, working in a cloud environment.
Note 3: A virtual site (e.g. an organization’s intranet) is considered a single site for the purpose of calculating of audit time.
Note 4: For further information, see also IAF MD 4: Use of Computer Assisted Auditing Techniques ("CAAT") for Accredited Certification of Management Systems.
2.7 Sub-scope
The scope of a single site.
Note: The scope of a single site might be the same as the full scope of the multi-site organization but may also be only a small part of the multi-site organization’s scope.
Note: The above definition of “sub-scope” is to be used for the purposes of implementing the requirements of this document (in contrast with the use of the term on page 2 of this document, where reference is made to “sub-scope” in the context of accreditation and not certification).
2.8 Top Management
Person or group of people who directs and controls an organization at the highest level.
(Source: ISO 9000: 2015 Quality management systems -- Fundamentals and vocabulary)
3. APPLICATION
3.1 Site
3.1.1 A site could include all land on which processes/activities under the control of an organization at a given location are carried out, including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the processes/activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply.
3.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization’s headquarters processes/activities as well as delivery of its services. Where relevant, the Certification Body may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central function shall be identified and audited.
3.2 Temporary Site
3.2.1 Temporary sites that are covered by the organization's management system shall be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however be included within the scope of a multi-site certification and included on the certification document, subject to agreement between the Certification Body and the client organization. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
3.3 Multi-site Organization
3.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central function of the organization and be subject to a single management system, which is laid down, established and subject to continuous surveillance and internal audits by the central function. This means that the central function has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central function and the sites.
4. RATIONALE FOR THE PROPOSED APPROACH
4.1 This document deals with the auditing of a multi-site organization with a single management system.
4.2 Any one site may perform fully or partially the processes/activities covered by the scope of the management system, and different sites may belong to the same legal entity or not.
4.3 Any legal considerations concerning the organization’s management system extending over a single legal entity or multiple legal entities is generally irrelevant to the auditing of the management system, and unless otherwise stated are not covered in this document.
4.4 It is the organization’s management system which must be audited and certified; furthermore, by definition, a management system audit is only based on a limited sample of the information available. However it must be demonstrated that the management system is capable of achieving its intended results for all sites involved.
4.5 Therefore, it is logical to start by considering the organization and the implementation of its management system, and what type of sampling may be appropriate, if any.
4.6 In the case of a multi-site organization where each site is performing very similar processes/activities, there may be a clear case to be made for appropriate “site sampling” (e.g. a chain of franchise stores or a bank branch network). On the other hand, this document also addresses the situation where the application of site sampling is not appropriate. There may be many reasons for this, such as:
all the sites perform significantly different processes/activities in connection with the management system scope;
the client requests each site to be audited; or
there is a sector scheme or regulatory requirement stipulating that each site is to be audited systematically.
Between these two extreme cases, there are many multi-site organizations with part of their sites performing similar processes/activities while other sites are dedicated to very specific processes not performed elsewhere in the organization. As with any sampling process, proper site sampling limits sampling only to those sites which are performing very similar processes/activities, which are part of the organization’s scope.
5. ELIGIBILITY OF A MULTI-SITE ORGANIZATION FOR CERTIFICATION
5.1 The organization shall have a single management system.
5.2 The organization shall identify its central function.The central function is part of the organization and shall not be subcontracted to an external organization.
5.3 The central function shall have organizational authority to define, establish and maintain the single management system.
5.4 The organization’s single management system shall be subject to a centralized management review.
5.5 All sites shall be subject to the organization’s internal audit programme.
5.6 The central function shall be responsible for ensuring that data is collected and analyzed from all sites and shall be able to demonstrate its authority and ability to initiate organizational change as required in regard, but not limited, to:
(i) system documentation and system changes;
(ii) management review;
(iii) complaints;
(iv) evaluation of corrective actions;
(v) internal audit planning and evaluation of the results; and
(vi) statutory and regulatory requirements pertaining to the applicable standard(s).
Note: The central function is where operational control and authority from the top management of the organization is exerted over every site. There is no requirement for the central function to be located in a single site.
6. METHODOLOGIES
6.1 Methodology for Auditing of a Multi-site Organization Using Site Sampling
6.1.1 Conditions
6.1.1.1 Sampling of a set of sites is permitted where the sites are each performing very similar processes/activities.
6.1.1.2 Not all organizations fulfilling the definition of “multi-site organization” will be eligible for sampling.
6.1.1.3 Not all management systems standards are suitable for consideration for multi-site certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules also apply for some schemes, for example those including aerospace (AS 9100 series) or automotive (IATF 16949) and the requirements of such schemes shall take precedence.
6.1.1.4 Certification Bodies shall have documented procedures to restrict such sampling where site sampling is inappropriate to gain sufficient confidence in the effectiveness of the management system under audit. Such restrictions shall be defined by the Certification Body with respect to:
scope sectors or processes/activities (i.e. based on the assessment of risks or complexity associated with that sector or activity);
size of sites eligible for multi-site audit;
variations in the local implementation of the management system to address different processes/activities or different contractual or regulatory systems; and
use of temporary sites that operate under the management system of the organization even if they are not listed in the certification documents.
6.1.2 Sampling
6.1.2.1 The sample shall be partly selective based on the factors set out below and partly random, and shall result in a representative range of different sites being selected, ensuring all processes covered by the scope of certification will be audited.
6.1.2.2 At least 25% of the sample shall be selected at random.
6.1.2.3 Taking into account the provisions mentioned below, the remainder shall be selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible.
6.1.2.4 The site selection shall consider, among others, the following aspects:
results of internal site audits and management reviews or previous certification audits;
records of complaints and other relevant aspects of corrective and preventive action;
significant variations in the size of the sites;
variations in shift patterns and work procedures;
complexity of the management system and processes conducted at the sites;
modifications since the last certification audit;
maturity of the management system and knowledge of the organization;
environmental issues and extent of aspects and associated impacts for environmental management systems;
differences in culture, language and regulatory requirements;
geographical dispersion; and
whether the sites are permanent, temporary or virtual.
6.1.2.5 This selection does not have to be done at the start of the audit process. It can also be done once the audit of the central function has been completed. In any case, the central function shall be informed of the sites to be included in the sample. This can be on relatively short notice, but shall allow adequate time for preparation for the audit.
6.1.3 Size of Sample
6.1.3.1 The Certification Body shall have a documented procedure for determining the sample size. This shall take into account all the factors described in this section.
6.1.3.2 The Certification Body shall have records on each application of sampling for each multi-site organization, justifying it is operating in accordance with this document.
6.1.3.3 The minimum number of sites to be visited per audit is:
Initial audit: the size of the sample shall be the square root of the number of sites: (y=√x), rounded up to the next whole number, where y = number of sites to be sampled and x = total number of sites.
Surveillance audit: the size of the annual sample shall be the square root of the number of sites with 0.6 as a coefficient (y=0.6 √x), rounded up to the next whole number.
Re-certification audit: the size of the sample shall be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over the certification cycle, the size of the sample could be reduced to, y="0.8" √x, rounded up to the next whole number.
6.1.3.4 The central function (as detailed in Section 5) shall be audited during the initial certification and every recertification audit and at least once a calendar year as part of surveillance.
6.1.3.5 The size or frequency of the sample shall be increased where the Certification Body’s risk analysis of the process/activity covered by the management system subject to certification indicates special circumstances in respect of factors such as:
the size of the sites and number of employees;
the complexity or risk level of the process/activity and of the management system;
variations in working practices (e.g. shift working);
variations in process/activities undertaken;
records of complaints and other relevant aspects of corrective and preventive action;
any multinational aspects; and
results of internal audits and management review.
6.1.3.6 When the organization has a hierarchical system of branches (e.g. head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level.
Example:
1 head office: visited at each audit cycle (initial or surveillance or recertification)
4 national offices: sample = 2: minimum 1 at random
27 regional offices: sample = 6: minimum 2 at random
1700 local branches: sample = 42: minimum 11 at random
The sample of regional offices should include at least one regional office controlled by each national office. The sample of local branches should include at least one local branch controlled by each regional office. This may result in the sample size at each level exceeding the minimum sample size calculated in accordance with paragraph 6.1.3.3.
6.1.3.7 The sampling process shall be part of the management of the audit programme. At any time (i.e. before planning the surveillance audit, or when any organization site changes its structure, or in case of acquisition of new site(s) which will be added into the certification boundary), the Certification Body shall review the sampling foreseen in the audit programme in order to establish the need to adjust the sample size prior to auditing the sample with a view to maintaining certification.
6.1.4 Additional Sites
6.1.4.1 On the application of inclusion of new sites or a new group of sites to join an already certified multi-site organization, the Certification Body shall determine the required activities to be performed before including the new site(s) in the certificate. This shall include consideration of whether or not to audit the new site(s). After inclusion of the new site(s) in the certificate, the sample size for future surveillance or recertification audits shall be determined.
6.2 Methodology for Auditing of Multi-site Organizations Where Site Sampling Using Section 6.1 is not Appropriate
6.2.1 The audit programme shall consist of an initial audit and recertification audit of all sites. In surveillance audits, 30% of sites, rounded up to the whole number, shall be covered in a calendar year. Each audit will include the central function. The sites selected for the second surveillance audit will normally be different from the sites selected for the first surveillance audit.
6.2.2 The audit programme shall be designed to ensure that all processes covered by the certification scope are audited over each cycle.
6.2.3 Additional Sites
On the application of a new site to join an already certified multi-site organization, the site shall be audited before being included in the certificate, in addition to the planned surveillance in the audit programme. After inclusion of the new site in the certificate, it shall be cumulated with the previous ones for determining the audit time for future surveillance or recertification audits.
6.3 Methodology for Auditing Multi-site Organizations that Include a Combination of Sites that can be Sampled and Other Sites that Cannot be Sampled
The audit programme shall be established using Section 6.1 for those sites that can be sampled and Section 6.2 for the remaining part of the organization where Section 6.1 is not appropriate.
7. AUDIT AND CERTIFICATION
The Certification Body shall have documented procedures to deal with audits under its multi-site procedure. Such procedures shall establish the way the Certification Body satisfies itself that the single management system governs the processes/activities at all the sites, and is actually applied to all the sites. The Certification Body shall justify and record the rationale for proceeding with any approach to the auditing and certification of a multi-site organization.
7.1 Application and Application Review
7.1.1 The Certification Body shall obtain necessary information concerning the applicant organization to:
confirm that a single management system is deployed across the organization;
determine the scope of the management system being operated and the requested scope of certification and, if applicable, sub-scopes;
understand the legal and contractual arrangements for each site;
understand “what happens where” i.e. processes/activities provided at each site and identify the central function;
determine the degree of centralization of process/activities which are delivered to all sites (e.g. purchasing);
determine interfaces between the different sites;
determine which sites may be applicable for sampling (i.e. where very similar processes/activities are provided) and those that are not eligible;
take into consideration other relevant factors (see also IAF MD 4, IAF MD 5, IAF MD 11: IAF Mandatory Document for Application of ISO/IEC 17021 for Audits of Integrated Management Systems (IMS), ISO/IEC TS 17023);
determine the audit time for the organization;
determine the audit team(s)’ competence required; and
identify the complexity and scale of the processes/activities (e.g. one or many) covered by the management system.
7.2 Audit Programme
7.2.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.1.3, the audit programme shall at least include or refer to the following:
processes/activities provided on each site;
identification of those sites which are liable to be sampled, and which are not; and
identification of sites which are covered by sampling, and which are not.
7.2.2 When determining the audit programme, the Certification Body shall allow sufficient additional time for activities which are not part of the calculated audit time, such as travelling, communicating among audit team members, post-audit meetings, etc. due to the specific configuration of the organization to be audited.
Note: Remote auditing techniques may be used, provided that the processes to be audited are of such a nature that remote auditing is appropriate (see ISO/IEC 17021-1 and IAF MD 4)
7.2.3 Where audit teams consisting of more than one member are used at any point, it shall be the responsibility of the Certification Body, in conjunction with the team leader, to identify the technical competence required for each part of the audit and for each site and to allocate appropriate team members for each part of the audit.
7.3 Calculation of Audit Time
7.3.1 An organization that satisfies the eligibility criteria may consist of sites that can be sampled, sites that cannot be sampled or a combination of both. The audit time must be sufficient to undertake an effective audit irrespective of the makeup of the organization.
Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%.
For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing).
The audit time per selected site (whether it comes from sampling as in 6.1, from non-sampling as in 6.2 or from mixed methodology as in 6.3), including elements of the central function if applicable, shall be calculated for each site using the applicable IAF documents (e.g. IAF MD 5 for quality and environmental management systems, IAF MD 11 for integrated management systems) and, where necessary, any applicable sector scheme requirements for the calculation of man-days.
7.4 Audit Plan
7.4.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.2.3, the Certification Body shall at least consider the following when preparing the audit plan:
certification scope and sub-scopes for each site;
management system standard for each site, if multiple management system standards are being considered;
processes/activities to be audited;
audit time for each site; and
allocated audit team.
7.5 Initial Audit: Stage 1
During Stage 1, the audit team shall complete the information to:
confirm the audit programme;
plan Stage 2, taking into account the processes/activities to be audited in each site; and
confirm that the Stage 2 audit team has the required competence.
7.6 Initial Audit: Stage 2
At the outcome of the initial audit, the audit team shall document which processes were audited on each site visited. This information will be used to amend the audit programme and audit plans for subsequent surveillance audits.
7.7 Nonconformities and Certification
7.7.1 When nonconformities, as defined in ISO/IEC 17021-1, are found at any individual site, either through the organization’s internal auditing or from auditing by the Certification Body, investigation shall take place to determine whether the other sites may be affected. Therefore, the Certification Body shall require the organization to review the nonconformities to determine whether or not they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action shall be performed and verified both at the central function and at the individual affected sites. If they are found not to do so, the organization shall be able to demonstrate to the Certification Body the justification for limiting its follow-up corrective action.
7.7.2 The Certification Body shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established.
7.7.3 At the time of the decision-making process, if any site has a major nonconformity, certification shall be denied to the whole multi-site organization of listed sites pending satisfactory corrective action.
7.7.4 It shall not be admissible that, to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process.
7.8 Certification Documents
7.8.1 The certification document shall reflect the scope of certification and the sites and /legal entities (where applicable) covered by the multi-site certification.
7.8.2 Certification documents shall contain the name and address of all the sites, reflecting the organization to which the certification documents relate. The scope or other reference on these documents shall make it clear that the certified activities are performed by the sites on the list. However, if a site’s activities only include a subset of the organization’s scope, the certification document shall include the site’s sub-scope. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
7.8.3 Where certification documents for one site are issued, they shall include:
that it is the management system of the whole organization which is certified;
the activities performed for that specific site / legal entity which are covered by this certification;
traceability with the main certificate, e.g. a code; and
a statement saying “the validity of this certificate depends on the validity of the main certificate”.
Under no circumstances, can this certification document be issued to the name of the site/legal entity or suggest that this site/legal entity is certified (the one certified is the client organization), nor shall it include a declaration of conformity of the site processes/activities to the normative document.
7.8.4 The certification documentation will be withdrawn in its entirety if any of the sites does not fulfil the necessary provisions for the maintenance of the certification.
7.9 Surveillance Audits
7.9.1 Surveillance of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.9.2 Surveillance of multi-site organizations that cannot be sampled in accordance with Section 6.1 is based on auditing 30% of the sites plus the central function. The sites selected for the second surveillance of a certification cycle shall normally not include any sites sampled as part of the first surveillance audit. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10 Recertification Audits
7.10.1 Recertification of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10.2 Recertification of multi-site organizations that cannot be sampled shall be audited as per initial audit, i.e. all sites audited plus the central function. The audit time per site and central function shall be calculated in accordance with Clause 7.3 above.
Management Systems Certification scheme | Management Systems Certification Standard |
Health and Safety | OHSAS 18001:2007 ISO 45001:2018 |
B.10 AUDIT TIME OF A MULTI-SITE OH&SMS
B.10.1 In the case of an OH&SMS system operated over multiple sites the CAB shall establish if site sampling is permitted or not, based on the evaluation of the level of OH&S risks associated with the activities and processes carried out in each site included in the scope of certification. Records of such evaluations and rationale of decisions taken shall be made available to the AB at assessment.
B.10.2 The requirements for OH&SMS multiple site certification, both when sampling is permitted and when sampling is not permitted, are covered in more detail by the different scenarios provided in the new IAF MD 1 document for auditing and certification of a management system managed by a multi-site organization, in which all references to IAF MD5 requirements shall be understood as amended by this Appendix w.r.t. IAF MD 22.
Until its coming into force, the respective requirements of IAF MD 1:2007 and MD 19:2016 continue to apply. The proportion of the total time spent on each site shall take into account situations where certain management system processes are not relevant to the site.
B.10.3 Combined with clause B.10.2
B.11 CONTROL OF EXTERNALLY PROVIDED FUNCTIONS OR PROCESSES (OUTSOURCING)
B.11.1 If an organization outsources part of its functions or processes, it is the responsibility of the CAB to obtain evidence that the organization has effectively determined the type and extent of controls to be applied in order to ensure that the externally provided functions or processes do not adversely affect the effectiveness of the OH&SMS, including the organization’s ability to control its OH&S risks and commitments to comply with legal requirements.
B.11.2 The CAB will audit and evaluate the effectiveness of the organization's OH&SMS in managing any supplied activity and the risk this poses to OH&S performance of its own activities and processes and conformity requirements. This may include gathering feedback on the level of effectiveness from suppliers, based:
on the criteria applied by the organization for the evaluation, selection, monitoring of performance and re-evaluation of these external providers based on their ability to provide functions or processes in accordance with specified requirements, in compliance with the legal requirements, and
on the risk that the external providers can adversely affect the organization’s ability to control its own OH&S risks.
B.11.3 Even if auditing the complete provider’s management system is not required, the CAB shall consider those processes or functions included within the scope of the organization’s OH&SMS, which have been outsourced to external providers to plan and accomplish an effective audit.
B.11.4. The CAB should be able to establish this during the preparation of the certification programme and further verify it during the initial audit, and before every surveillance and recertification audit.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | HACCP ISO 22000:2018
|
9 Process requirements
9.1 General requirements
9.1.1 The certification body shall precisely define the scope of certification in terms of levels of the food
chain (e.g. primary production, food processing, packaging material production), category(ies) and sectors
according to Annex A. The certification body shall not exclude part of the processes, sectors, products or
services from the scope of certification when those processes, sectors, products or services have an influence
on the food safety of the end products.
9.1.2 The certification body shall have a process for choosing the audit day, time and season so that the
audit team has the opportunity of auditing the organization operating on a representative number of product
lines, categories and sectors covered by the scope.
9.1.3 All the requirements given in 9.1.1 to 9.1.3 of ISO/IEC 17021:2006 apply.
9.1.4 The certification body shall have documented procedures for determining audit time, and for each
client the certification body shall determine the time needed to plan and accomplish a complete and effective
audit of the client’s FSMS. The audit time determined by the certification body, and the justification for the
determination, shall be recorded. In determining the audit time, the certification body should consider Annex B
and shall consider, among other things, the following aspects:
a) requirements of the relevant FSMS standard;
b) size and complexity of the organization;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the FSMS;
e) results of any prior audits;
f) number of sites and multi-site considerations.
9.1.5 For multi-site organizations, the requirements given in 9.1.5.1 and 9.5.1.3 apply.
9.1.5.1 Where the certification body is certifying a multi-site organization under one certificate, the
following conditions apply:
a) all sites are of the same activity and are located within the same country;
b) all sites are operating under one centrally controlled and administered FSMS as defined in Clause 4 of
ISO 22000:2005, or equivalent for other FSMSs;
c) an internal audit has been conducted on each site within the three years prior to certification;
d) following certification, an internal audit shall be carried out on each site within the certification period;
e) the internal audits of all sites shall comply with ISO 22000 or equivalent;
f) audit findings of the individual sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
9.1.5.2 The use of multi-site sampling is only possible for organizations with more than 20 sites and only
for categories A, B, G, H and J (see Table A.1). This applies both to the initial certification and to surveillance
audits.
9.1.5.3 Where the certification body offers multi-site certification, the certification body shall utilize a
sampling programme to ensure an effective audit of the FSMS where
a) the sampling for more than 20 sites shall be at the ratio of 1 site per 5 sites with a minimum of 20. All sites
shall be randomly selected and, after the audit, no sampled sites may be nonconforming (i.e. not meeting
certification thresholds for ISO 22000),
b) evaluation of the audit findings of the sampled sites shall be deemed equivalent to the internal audit
findings of the same sites of the organization,
c) at least annually, an audit of the central FSMS shall be performed,
d) at least annually, surveillance audits shall be performed on the sampled sites, and
e) audit findings of the sampled sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
Table 1 gives examples of the number of sites to audit when sampling is used.
Table 1 — Examples of the number of sites to be audited when multi-site sampling is used
Total number of sites
x between
1 and 20 21 22 23 24 25 26 27 28
Number of sites above 20 0 1 2 3 4 5 6 7 8
Additional number of sites to audit 0 1 1 1 1 1 2 2 2
Number of sites to be audited x 21 21 21 21 21 22 22 22
9.1.6 All the requirements given in 9.1.6 to 9.1.9 of ISO/IEC 17021:2006 apply.
9.1.7 The certification body shall provide a written report for each audit. The report shall be based on
relevant guidance provided in ISO 19011. The audit team may identify opportunities for improvement but shall
not recommend specific solutions. Ownership of the audit report shall be maintained by the certification body.
The report shall include references to PRPs used by the organization, HACCP methodology used, comments
on the HACCP team, and other issues relevant to the FSMS.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | FSSC 22000 (ver 4.1) |
7.2 Multiple sites
7.2.1 General principles
1) Certification of multi-site organizations and multi-site sampling (as described in ISO/TS 22003:2013 and ISO/IEC 17021-1:2015) is not applicable to the following food chain categories as listed in ISO/TS 22003:2013:
a) CI, CII, CIII and CIV,
b) DI and DII, c) I and d) K.
2) For the food chain categories shown under
1) the Scheme requires that every site shall have:
a) a separate audit,
b) a separate report,
c) a separate certificate, and
d) every site shall be entered separately in the database.
3) Certification of multi-site organizations as shown in ISO/TS 22003:2013, clause 9.1.5 shall be applicable for the following food chain categories as listed in ISO/TS 22003:2013:
a) A,
b) E,
c) FI,
d) G.
7.2.2 Exceptions - applicable for categories C, D, I and K The Scheme does offer exceptions for three main categories of organizations shown in section 7.2.1, that have multiple sites such as organizations: a) where some functions pertinent to the certification are controlled by a head office separate to the site(s), b) with different operations at one site, c) with off-site activities.
7.2.3 Head office functions Functions pertinent to the certification but controlled by a head office separate to the site(s) could include for example: a) Procurement, b) Supplier approval or c) Quality assurance.
7.2.3.1 Auditing head office functions
1) In all cases where functions pertinent to the certification are controlled by a head office, the Scheme requires that those functions are audited interviewing the personnel described in the food safety management system as having the delegated authority and responsibility for these functions.
2) The functions at the head office are audited separately and every site belonging to the group shall have:
a) a separate audit,
b) a separate report and
c) a separate certificate.
7.2.3.2 Auditing sites in a multi-site organization
1) An audit at the head office cannot assess the degree of implementation at site level.
a) The auditor shall visit the sites to conduct that part of the audit.
b) The head office audit shall be carried out prior to the site audit.
2) The subsequent audit at the site(s) shall include a confirmation that the requirements set out by head office are appropriately incorporated into site specific documents and implemented in practice.
3) The site audit report and certificate shall show which functions have been audited at the head office. 4) The report of the head office audit has a validity of 12 months.
5) The head office cannot take responsibility for all functions within the scope of the certification, and can therefore not receive a separate certificate.
6) The head office is mentioned on the site certificate by use of wording such as “An audit was carried out at (name and location of head office) on DDMMYY to assess the following function(s) (describe functions audited at the head office)”.
7.2.3.3 Dealing with nonconformities
1) Where nonconformities are noted in head office or separate sites, these are assumed to have impact on the equivalent procedures applicable to all sites.
2) Corrective actions shall therefore address issues of communication across the certified sites and appropriate actions for impacted sites.
3) Such nonconformities and corrective actions shall be clearly identified in the relevant section of the audit report.
4) The nonconformities shall be cleared in accordance with the CB procedures before issuing the site certificate.
7.2.4 Organizations with different operations at one site
1) In cases where different operations are located on one site, for example where a manufacturing operation is linked to a packing operation, both shall be considered for certification under a single scope based on one audit, report and certificate provided that both are:
a) subject to one audit appropriate to the combined scope;
b) part of the same legal entity.
2) The preferred description on the certificate in such cases is to use the name of the legal entity as the primary name. For example: “XYZ company, operating as ABC processing and 123 packaging, (insert address)”.
7.2.5 Off-site activities
7.2.5.1 Split-process
1) A certified organization has a (single) process that is split between different sites that shall be part of the same legal entity. The primary site is the sole receiver/customer of the secondary site(s).
a) For example, a semi-finished product is moved to a separate site for a specific process step or steps to be carried out, and is returned to the primary location for completion.
b) Such processes shall, by exception, be considered for certification under a single scope and one certificate.
7.2.5.2 Management of off-site activities The off-site activities shall meet with the following requirements:
1) The off-site activities are included in the primary site food safety management system.
2) The scope statement of the primary certified site shall show the on-site and off-site activities.
3) The audit report shall include all relevant requirements at both the primary and secondary sites and allow audit findings to be identified as site specific.
4) The number of secondary sites shall be limited to a maximum of five.
Management Systems Certification scheme | Management Systems Certification Standard |
Energy Management | ISO 50001 |
Management Systems Certification scheme | Management Systems Certification Standard |
Medical Devices QMS | ISO 13485 |
MD 9.1.5 Multi-site sampling
Sites involved in design, development and manufacturing of medical devices (Table A.1.1-1.6) cannot be sampled.
Management Systems Certification scheme | Management Systems Certification Standard |
Information Security
| ISO 27001:2013
|
Management Systems Certification scheme | Management Systems Certification Standard |
Service Management System | ISO 20000-1:2018 |
The requirements in ISO/IEC 17021-1:2015, 9.1.5 apply. In addition, the following requirements and guidance apply.
9.1.5.1 SM9.1.5.1 Criteria for multi-site sampling If a client has a number of locations, certification bodies may use a sample-based approach to multi-site certification audits if all locations are:
a) operating under the same SMS, which is centrally administered;
b) included within the client’s internal audit programme;
c) included within the client’s management review programme.
9.1.6 Multiple management systems standards The requirements in ISO/IEC 17021-1:2015, 9.1.6 apply. In addition, the following requirements and guidance apply.
9.1.6.1 SM9.1.6.1 Combining management system audits An SMS audit can be combined with audits of other management systems. A combined or integrated audit shall ensure that the audit evidence fulfils the requirements specified in ISO/IEC 20000-1 withinthe scope of the audit. All findings relating to ISO/IEC 20000-1 shall be easily identifiable in audit reports. The integrity of the ISO/IEC 20000-1 audit shall not be adversely affected by the combination of audits.
9.1.6.2 SM9.1.6.2 Combining management system audits for ISO/IEC 20000-1 and ISO/IEC 27001 Where an audit is combined for ISO/IEC 27001 and ISO/IEC 20000-1, the information security management process in ISO/IEC 20000-1 shall be audited to ensure that:
a) the information security policy is relevant to the SMS and the services;
b) relevant information security risks are identified and information security controls are implemented to support the SMS and the services.
The auditor may find some supporting evidence from the information security management system (ISMS). If the scope of the ISMS is outside of the scope of the SMS, then the information security management process in ISO/IEC 20000-1 shall be audited as a standalone process without the support of the ISMS. The information security policy, risks and controls shall be audited to ensure that they are appropriate for the services within the scope of the client’s SMS.
Records:
LMS-FM-005 Application and Contract Review
LMS-FM-007 Multi Site Client Information
Procedure for the audit and certification for multisite organization
1.0 Purpose
To define the process of the audit and certification of a management system operated by a multi-site organization to plan and accomplish a complete and effective audit of the client’s management system, in accordance with requirements of ISO/IEC 17021-1:2015, and other applicable international standards for certification bodies providing management system certification as following:
Management Systems Certification scheme | Management Systems Certification Standard | Accreditation Standard | Other Guidelines |
Quality | ISO 9001:2015 | ISO 17021-3:2017 | IAF MD 5:2015 |
| ISO 13485:2016 |
| IAF MD 9:2017 |
Environmental | ISO 14001:2015 | ISO 17021-2:2016 | IAF MD 5:2015 |
Health and Safety | OHSAS 18001:2007 | ISO 17021-10:2018 | IAF MD 22:2018 and IAF MD 21 :2018 |
| ISO 45001:2018 | ISO 17021-10:2018 | IAF MD 22:2018 and IAF MD 21 :2018 |
Food Safety | ISO 22000:2018 | ISO 22003:2013 |
|
| HACCP | ISO 22003:2013 |
|
| FSSC 22000 | ISO 22003:2013 |
|
Information Technology | ISO 27001:2013 | ISO 27006:2015 |
|
Service Management | ISO 20000-1:2018 | ISO 20000-6:2017 | IAF MD 18:2015 |
Energy | ISO 50001:2018 | ISO 50003:2014 |
|
Business Continuity | ISO 22301:2012 | ISO 17021-6:2014 |
|
Anti Bribery | ISO 37001:2016 | ISO 17021-8 |
|
Facility Management | ISO 41001:2018 | ISO 17021-11 |
|
Road Traffic | ISO 39001:2012 | ISO 17021-7:2014 |
|
Learning Service | ISO 29990:2010 |
|
|
and IAF mandatory document for managing the audit and certification of the management system operated by a multi-site organization, IAF MD1: 2018
1.2 Scope
This procedure is applicable to all quality management system, environmental management system, occupational health and safety management system, food safety management system, information technology service management system, information security management system, energy management system, and medical devices quality management system audits performed by LMS to certify client’s management system againist the standards as below mentioned:
Management Systems Certification scheme | Management Systems Certification Standard |
Quality | ISO 9001:2015 |
| ISO 13485:2016 |
Environmental | ISO 14001:2015 |
Health and Safety | OHSAS 18001:2007 |
| ISO 45001:2018 |
Food Safety | ISO 22000:2018 |
| HACCP |
| FSSC 22000 |
Information Technology | ISO 27001:2013 |
Service Management | ISO 20000-1:2018 |
Energy | ISO 50001:2018 |
Business Continuity | ISO 22301:2012 |
Anti Bribery | ISO 37001:2016 |
Facility Management | ISO 41001:2018 |
Road Traffic | ISO 39001:2012 |
Learning Service | ISO 29990:2010 |
1.3 Responsibility
Certification planning section head
Scheme manager
Management Systems Certification scheme | Management Systems Certification Standard |
Quality | ISO 9001:2015 |
Environmental | ISO 14001:2015 |
Energy | ISO 50001:2018 |
Business Continuity | ISO 22301:2012 |
Anti Bribery | ISO 37001:2016 |
Facility Management | ISO 41001:2018 |
Road Traffic | ISO 39001:2012 |
Learning Service | ISO 29990:2010 |
2. DEFINITIONS
2.1 Organization
Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
(Source: Definition 3.1 of Annex SL of ISO/IEC Directives)
2.2 Permanent Site
Site (physical or virtual) where a client organization performs work or from which a service is provided on a continuing basis.
(Source: Adapted from ISO/IEC TS 17023:2013 Conformity assessment -- Guidelines for determining the duration of management system certification audits)
2.3 Temporary Site
Site (physical or virtual) where a client organization performs specific work or from which a service is provided for a finite period of time and which is not intended to become a permanent site. (Source: ISO/IEC TS 17023:2013)
2.4 Multi-site Organization
An organization covered by a single management system comprising an identified central function (not necessarily the headquarters of the organization) at which certain processes/activities are planned and controlled, and a number of sites (permanent, temporary or virtual) at which such processes/activities are fully or partially carried out.
2.5 Central Function
The function that is responsible for and centrally controls the management system (refer to Section 5).
2.6 Virtual Site
Virtual location where a client organization performs work or provides a service using an on-line environment allowing persons from different physical locations to execute processes.
Note 1: A virtual site cannot be considered as such where the processes must be executed in a physical environment e.g. warehousing, physical testing laboratories, installation or repairs to physical products.
Note 2: An example of such a virtual site is a design & development organization with all employees performing work located remotely, working in a cloud environment.
Note 3: A virtual site (e.g. an organization’s intranet) is considered a single site for the purpose of calculating of audit time.
Note 4: For further information, see also IAF MD 4: Use of Computer Assisted Auditing Techniques ("CAAT") for Accredited Certification of Management Systems.
2.7 Sub-scope
The scope of a single site.
Note: The scope of a single site might be the same as the full scope of the multi-site organization but may also be only a small part of the multi-site organization’s scope.
Note: The above definition of “sub-scope” is to be used for the purposes of implementing the requirements of this document (in contrast with the use of the term on page 2 of this document, where reference is made to “sub-scope” in the context of accreditation and not certification).
2.8 Top Management
Person or group of people who directs and controls an organization at the highest level.
(Source: ISO 9000: 2015 Quality management systems -- Fundamentals and vocabulary)
3. APPLICATION
3.1 Site
3.1.1 A site could include all land on which processes/activities under the control of an organization at a given location are carried out, including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the processes/activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply.
3.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization’s headquarters processes/activities as well as delivery of its services. Where relevant, the Certification Body may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central function shall be identified and audited.
3.2 Temporary Site
3.2.1 Temporary sites that are covered by the organization's management system shall be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however be included within the scope of a multi-site certification and included on the certification document, subject to agreement between the Certification Body and the client organization. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
3.3 Multi-site Organization
3.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central function of the organization and be subject to a single management system, which is laid down, established and subject to continuous surveillance and internal audits by the central function. This means that the central function has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central function and the sites.
4. RATIONALE FOR THE PROPOSED APPROACH
4.1 This document deals with the auditing of a multi-site organization with a single management system.
4.2 Any one site may perform fully or partially the processes/activities covered by the scope of the management system, and different sites may belong to the same legal entity or not.
4.3 Any legal considerations concerning the organization’s management system extending over a single legal entity or multiple legal entities is generally irrelevant to the auditing of the management system, and unless otherwise stated are not covered in this document.
4.4 It is the organization’s management system which must be audited and certified; furthermore, by definition, a management system audit is only based on a limited sample of the information available. However it must be demonstrated that the management system is capable of achieving its intended results for all sites involved.
4.5 Therefore, it is logical to start by considering the organization and the implementation of its management system, and what type of sampling may be appropriate, if any.
4.6 In the case of a multi-site organization where each site is performing very similar processes/activities, there may be a clear case to be made for appropriate “site sampling” (e.g. a chain of franchise stores or a bank branch network). On the other hand, this document also addresses the situation where the application of site sampling is not appropriate. There may be many reasons for this, such as:
all the sites perform significantly different processes/activities in connection with the management system scope;
the client requests each site to be audited; or
there is a sector scheme or regulatory requirement stipulating that each site is to be audited systematically.
Between these two extreme cases, there are many multi-site organizations with part of their sites performing similar processes/activities while other sites are dedicated to very specific processes not performed elsewhere in the organization. As with any sampling process, proper site sampling limits sampling only to those sites which are performing very similar processes/activities, which are part of the organization’s scope.
5. ELIGIBILITY OF A MULTI-SITE ORGANIZATION FOR CERTIFICATION
5.1 The organization shall have a single management system.
5.2 The organization shall identify its central function.The central function is part of the organization and shall not be subcontracted to an external organization.
5.3 The central function shall have organizational authority to define, establish and maintain the single management system.
5.4 The organization’s single management system shall be subject to a centralized management review.
5.5 All sites shall be subject to the organization’s internal audit programme.
5.6 The central function shall be responsible for ensuring that data is collected and analyzed from all sites and shall be able to demonstrate its authority and ability to initiate organizational change as required in regard, but not limited, to:
(i) system documentation and system changes;
(ii) management review;
(iii) complaints;
(iv) evaluation of corrective actions;
(v) internal audit planning and evaluation of the results; and
(vi) statutory and regulatory requirements pertaining to the applicable standard(s).
Note: The central function is where operational control and authority from the top management of the organization is exerted over every site. There is no requirement for the central function to be located in a single site.
6. METHODOLOGIES
6.1 Methodology for Auditing of a Multi-site Organization Using Site Sampling
6.1.1 Conditions
6.1.1.1 Sampling of a set of sites is permitted where the sites are each performing very similar processes/activities.
6.1.1.2 Not all organizations fulfilling the definition of “multi-site organization” will be eligible for sampling.
6.1.1.3 Not all management systems standards are suitable for consideration for multi-site certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules also apply for some schemes, for example those including aerospace (AS 9100 series) or automotive (IATF 16949) and the requirements of such schemes shall take precedence.
6.1.1.4 Certification Bodies shall have documented procedures to restrict such sampling where site sampling is inappropriate to gain sufficient confidence in the effectiveness of the management system under audit. Such restrictions shall be defined by the Certification Body with respect to:
scope sectors or processes/activities (i.e. based on the assessment of risks or complexity associated with that sector or activity);
size of sites eligible for multi-site audit;
variations in the local implementation of the management system to address different processes/activities or different contractual or regulatory systems; and
use of temporary sites that operate under the management system of the organization even if they are not listed in the certification documents.
6.1.2 Sampling
6.1.2.1 The sample shall be partly selective based on the factors set out below and partly random, and shall result in a representative range of different sites being selected, ensuring all processes covered by the scope of certification will be audited.
6.1.2.2 At least 25% of the sample shall be selected at random.
6.1.2.3 Taking into account the provisions mentioned below, the remainder shall be selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible.
6.1.2.4 The site selection shall consider, among others, the following aspects:
results of internal site audits and management reviews or previous certification audits;
records of complaints and other relevant aspects of corrective and preventive action;
significant variations in the size of the sites;
variations in shift patterns and work procedures;
complexity of the management system and processes conducted at the sites;
modifications since the last certification audit;
maturity of the management system and knowledge of the organization;
environmental issues and extent of aspects and associated impacts for environmental management systems;
differences in culture, language and regulatory requirements;
geographical dispersion; and
whether the sites are permanent, temporary or virtual.
6.1.2.5 This selection does not have to be done at the start of the audit process. It can also be done once the audit of the central function has been completed. In any case, the central function shall be informed of the sites to be included in the sample. This can be on relatively short notice, but shall allow adequate time for preparation for the audit.
6.1.3 Size of Sample
6.1.3.1 The Certification Body shall have a documented procedure for determining the sample size. This shall take into account all the factors described in this section.
6.1.3.2 The Certification Body shall have records on each application of sampling for each multi-site organization, justifying it is operating in accordance with this document.
6.1.3.3 The minimum number of sites to be visited per audit is:
Initial audit: the size of the sample shall be the square root of the number of sites: (y=√x), rounded up to the next whole number, where y = number of sites to be sampled and x = total number of sites.
Surveillance audit: the size of the annual sample shall be the square root of the number of sites with 0.6 as a coefficient (y=0.6 √x), rounded up to the next whole number.
Re-certification audit: the size of the sample shall be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over the certification cycle, the size of the sample could be reduced to, y="0.8" √x, rounded up to the next whole number.
6.1.3.4 The central function (as detailed in Section 5) shall be audited during the initial certification and every recertification audit and at least once a calendar year as part of surveillance.
6.1.3.5 The size or frequency of the sample shall be increased where the Certification Body’s risk analysis of the process/activity covered by the management system subject to certification indicates special circumstances in respect of factors such as:
the size of the sites and number of employees;
the complexity or risk level of the process/activity and of the management system;
variations in working practices (e.g. shift working);
variations in process/activities undertaken;
records of complaints and other relevant aspects of corrective and preventive action;
any multinational aspects; and
results of internal audits and management review.
6.1.3.6 When the organization has a hierarchical system of branches (e.g. head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level.
Example:
1 head office: visited at each audit cycle (initial or surveillance or recertification)
4 national offices: sample = 2: minimum 1 at random
27 regional offices: sample = 6: minimum 2 at random
1700 local branches: sample = 42: minimum 11 at random
The sample of regional offices should include at least one regional office controlled by each national office. The sample of local branches should include at least one local branch controlled by each regional office. This may result in the sample size at each level exceeding the minimum sample size calculated in accordance with paragraph 6.1.3.3.
6.1.3.7 The sampling process shall be part of the management of the audit programme. At any time (i.e. before planning the surveillance audit, or when any organization site changes its structure, or in case of acquisition of new site(s) which will be added into the certification boundary), the Certification Body shall review the sampling foreseen in the audit programme in order to establish the need to adjust the sample size prior to auditing the sample with a view to maintaining certification.
6.1.4 Additional Sites
6.1.4.1 On the application of inclusion of new sites or a new group of sites to join an already certified multi-site organization, the Certification Body shall determine the required activities to be performed before including the new site(s) in the certificate. This shall include consideration of whether or not to audit the new site(s). After inclusion of the new site(s) in the certificate, the sample size for future surveillance or recertification audits shall be determined.
6.2 Methodology for Auditing of Multi-site Organizations Where Site Sampling Using Section 6.1 is not Appropriate
6.2.1 The audit programme shall consist of an initial audit and recertification audit of all sites. In surveillance audits, 30% of sites, rounded up to the whole number, shall be covered in a calendar year. Each audit will include the central function. The sites selected for the second surveillance audit will normally be different from the sites selected for the first surveillance audit.
6.2.2 The audit programme shall be designed to ensure that all processes covered by the certification scope are audited over each cycle.
6.2.3 Additional Sites
On the application of a new site to join an already certified multi-site organization, the site shall be audited before being included in the certificate, in addition to the planned surveillance in the audit programme. After inclusion of the new site in the certificate, it shall be cumulated with the previous ones for determining the audit time for future surveillance or recertification audits.
6.3 Methodology for Auditing Multi-site Organizations that Include a Combination of Sites that can be Sampled and Other Sites that Cannot be Sampled
The audit programme shall be established using Section 6.1 for those sites that can be sampled and Section 6.2 for the remaining part of the organization where Section 6.1 is not appropriate.
7. AUDIT AND CERTIFICATION
The Certification Body shall have documented procedures to deal with audits under its multi-site procedure. Such procedures shall establish the way the Certification Body satisfies itself that the single management system governs the processes/activities at all the sites, and is actually applied to all the sites. The Certification Body shall justify and record the rationale for proceeding with any approach to the auditing and certification of a multi-site organization.
7.1 Application and Application Review
7.1.1 The Certification Body shall obtain necessary information concerning the applicant organization to:
confirm that a single management system is deployed across the organization;
determine the scope of the management system being operated and the requested scope of certification and, if applicable, sub-scopes;
understand the legal and contractual arrangements for each site;
understand “what happens where” i.e. processes/activities provided at each site and identify the central function;
determine the degree of centralization of process/activities which are delivered to all sites (e.g. purchasing);
determine interfaces between the different sites;
determine which sites may be applicable for sampling (i.e. where very similar processes/activities are provided) and those that are not eligible;
take into consideration other relevant factors (see also IAF MD 4, IAF MD 5, IAF MD 11: IAF Mandatory Document for Application of ISO/IEC 17021 for Audits of Integrated Management Systems (IMS), ISO/IEC TS 17023);
determine the audit time for the organization;
determine the audit team(s)’ competence required; and
identify the complexity and scale of the processes/activities (e.g. one or many) covered by the management system.
7.2 Audit Programme
7.2.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.1.3, the audit programme shall at least include or refer to the following:
processes/activities provided on each site;
identification of those sites which are liable to be sampled, and which are not; and
identification of sites which are covered by sampling, and which are not.
7.2.2 When determining the audit programme, the Certification Body shall allow sufficient additional time for activities which are not part of the calculated audit time, such as travelling, communicating among audit team members, post-audit meetings, etc. due to the specific configuration of the organization to be audited.
Note: Remote auditing techniques may be used, provided that the processes to be audited are of such a nature that remote auditing is appropriate (see ISO/IEC 17021-1 and IAF MD 4)
7.2.3 Where audit teams consisting of more than one member are used at any point, it shall be the responsibility of the Certification Body, in conjunction with the team leader, to identify the technical competence required for each part of the audit and for each site and to allocate appropriate team members for each part of the audit.
7.3 Calculation of Audit Time
7.3.1 An organization that satisfies the eligibility criteria may consist of sites that can be sampled, sites that cannot be sampled or a combination of both. The audit time must be sufficient to undertake an effective audit irrespective of the makeup of the organization.
Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%.
For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing).
The audit time per selected site (whether it comes from sampling as in 6.1, from non-sampling as in 6.2 or from mixed methodology as in 6.3), including elements of the central function if applicable, shall be calculated for each site using the applicable IAF documents (e.g. IAF MD 5 for quality and environmental management systems, IAF MD 11 for integrated management systems) and, where necessary, any applicable sector scheme requirements for the calculation of man-days.
7.4 Audit Plan
7.4.1 In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.2.3, the Certification Body shall at least consider the following when preparing the audit plan:
certification scope and sub-scopes for each site;
management system standard for each site, if multiple management system standards are being considered;
processes/activities to be audited;
audit time for each site; and
allocated audit team.
7.5 Initial Audit: Stage 1
During Stage 1, the audit team shall complete the information to:
confirm the audit programme;
plan Stage 2, taking into account the processes/activities to be audited in each site; and
confirm that the Stage 2 audit team has the required competence.
7.6 Initial Audit: Stage 2
At the outcome of the initial audit, the audit team shall document which processes were audited on each site visited. This information will be used to amend the audit programme and audit plans for subsequent surveillance audits.
7.7 Nonconformities and Certification
7.7.1 When nonconformities, as defined in ISO/IEC 17021-1, are found at any individual site, either through the organization’s internal auditing or from auditing by the Certification Body, investigation shall take place to determine whether the other sites may be affected. Therefore, the Certification Body shall require the organization to review the nonconformities to determine whether or not they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action shall be performed and verified both at the central function and at the individual affected sites. If they are found not to do so, the organization shall be able to demonstrate to the Certification Body the justification for limiting its follow-up corrective action.
7.7.2 The Certification Body shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established.
7.7.3 At the time of the decision-making process, if any site has a major nonconformity, certification shall be denied to the whole multi-site organization of listed sites pending satisfactory corrective action.
7.7.4 It shall not be admissible that, to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process.
7.8 Certification Documents
7.8.1 The certification document shall reflect the scope of certification and the sites and /legal entities (where applicable) covered by the multi-site certification.
7.8.2 Certification documents shall contain the name and address of all the sites, reflecting the organization to which the certification documents relate. The scope or other reference on these documents shall make it clear that the certified activities are performed by the sites on the list. However, if a site’s activities only include a subset of the organization’s scope, the certification document shall include the site’s sub-scope. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
7.8.3 Where certification documents for one site are issued, they shall include:
that it is the management system of the whole organization which is certified;
the activities performed for that specific site / legal entity which are covered by this certification;
traceability with the main certificate, e.g. a code; and
a statement saying “the validity of this certificate depends on the validity of the main certificate”.
Under no circumstances, can this certification document be issued to the name of the site/legal entity or suggest that this site/legal entity is certified (the one certified is the client organization), nor shall it include a declaration of conformity of the site processes/activities to the normative document.
7.8.4 The certification documentation will be withdrawn in its entirety if any of the sites does not fulfil the necessary provisions for the maintenance of the certification.
7.9 Surveillance Audits
7.9.1 Surveillance of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.9.2 Surveillance of multi-site organizations that cannot be sampled in accordance with Section 6.1 is based on auditing 30% of the sites plus the central function. The sites selected for the second surveillance of a certification cycle shall normally not include any sites sampled as part of the first surveillance audit. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10 Recertification Audits
7.10.1 Recertification of multi-site organizations that can be sampled shall be audited in accordance with Section 6.1. The audit time per site shall be calculated in accordance with Clause 7.3 above.
7.10.2 Recertification of multi-site organizations that cannot be sampled shall be audited as per initial audit, i.e. all sites audited plus the central function. The audit time per site and central function shall be calculated in accordance with Clause 7.3 above.
Management Systems Certification scheme | Management Systems Certification Standard |
Health and Safety | OHSAS 18001:2007 ISO 45001:2018 |
B.10 AUDIT TIME OF A MULTI-SITE OH&SMS
B.10.1 In the case of an OH&SMS system operated over multiple sites the CAB shall establish if site sampling is permitted or not, based on the evaluation of the level of OH&S risks associated with the activities and processes carried out in each site included in the scope of certification. Records of such evaluations and rationale of decisions taken shall be made available to the AB at assessment.
B.10.2 The requirements for OH&SMS multiple site certification, both when sampling is permitted and when sampling is not permitted, are covered in more detail by the different scenarios provided in the new IAF MD 1 document for auditing and certification of a management system managed by a multi-site organization, in which all references to IAF MD5 requirements shall be understood as amended by this Appendix w.r.t. IAF MD 22.
Until its coming into force, the respective requirements of IAF MD 1:2007 and MD 19:2016 continue to apply. The proportion of the total time spent on each site shall take into account situations where certain management system processes are not relevant to the site.
B.10.3 Combined with clause B.10.2
B.11 CONTROL OF EXTERNALLY PROVIDED FUNCTIONS OR PROCESSES (OUTSOURCING)
B.11.1 If an organization outsources part of its functions or processes, it is the responsibility of the CAB to obtain evidence that the organization has effectively determined the type and extent of controls to be applied in order to ensure that the externally provided functions or processes do not adversely affect the effectiveness of the OH&SMS, including the organization’s ability to control its OH&S risks and commitments to comply with legal requirements.
B.11.2 The CAB will audit and evaluate the effectiveness of the organization's OH&SMS in managing any supplied activity and the risk this poses to OH&S performance of its own activities and processes and conformity requirements. This may include gathering feedback on the level of effectiveness from suppliers, based:
on the criteria applied by the organization for the evaluation, selection, monitoring of performance and re-evaluation of these external providers based on their ability to provide functions or processes in accordance with specified requirements, in compliance with the legal requirements, and
on the risk that the external providers can adversely affect the organization’s ability to control its own OH&S risks.
B.11.3 Even if auditing the complete provider’s management system is not required, the CAB shall consider those processes or functions included within the scope of the organization’s OH&SMS, which have been outsourced to external providers to plan and accomplish an effective audit.
B.11.4. The CAB should be able to establish this during the preparation of the certification programme and further verify it during the initial audit, and before every surveillance and recertification audit.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | HACCP ISO 22000:2018
|
9 Process requirements
9.1 General requirements
9.1.1 The certification body shall precisely define the scope of certification in terms of levels of the food
chain (e.g. primary production, food processing, packaging material production), category(ies) and sectors
according to Annex A. The certification body shall not exclude part of the processes, sectors, products or
services from the scope of certification when those processes, sectors, products or services have an influence
on the food safety of the end products.
9.1.2 The certification body shall have a process for choosing the audit day, time and season so that the
audit team has the opportunity of auditing the organization operating on a representative number of product
lines, categories and sectors covered by the scope.
9.1.3 All the requirements given in 9.1.1 to 9.1.3 of ISO/IEC 17021:2006 apply.
9.1.4 The certification body shall have documented procedures for determining audit time, and for each
client the certification body shall determine the time needed to plan and accomplish a complete and effective
audit of the client’s FSMS. The audit time determined by the certification body, and the justification for the
determination, shall be recorded. In determining the audit time, the certification body should consider Annex B
and shall consider, among other things, the following aspects:
a) requirements of the relevant FSMS standard;
b) size and complexity of the organization;
c) technological and regulatory context;
d) any outsourcing of any activities included in the scope of the FSMS;
e) results of any prior audits;
f) number of sites and multi-site considerations.
9.1.5 For multi-site organizations, the requirements given in 9.1.5.1 and 9.5.1.3 apply.
9.1.5.1 Where the certification body is certifying a multi-site organization under one certificate, the
following conditions apply:
a) all sites are of the same activity and are located within the same country;
b) all sites are operating under one centrally controlled and administered FSMS as defined in Clause 4 of
ISO 22000:2005, or equivalent for other FSMSs;
c) an internal audit has been conducted on each site within the three years prior to certification;
d) following certification, an internal audit shall be carried out on each site within the certification period;
e) the internal audits of all sites shall comply with ISO 22000 or equivalent;
f) audit findings of the individual sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
9.1.5.2 The use of multi-site sampling is only possible for organizations with more than 20 sites and only
for categories A, B, G, H and J (see Table A.1). This applies both to the initial certification and to surveillance
audits.
9.1.5.3 Where the certification body offers multi-site certification, the certification body shall utilize a
sampling programme to ensure an effective audit of the FSMS where
a) the sampling for more than 20 sites shall be at the ratio of 1 site per 5 sites with a minimum of 20. All sites
shall be randomly selected and, after the audit, no sampled sites may be nonconforming (i.e. not meeting
certification thresholds for ISO 22000),
b) evaluation of the audit findings of the sampled sites shall be deemed equivalent to the internal audit
findings of the same sites of the organization,
c) at least annually, an audit of the central FSMS shall be performed,
d) at least annually, surveillance audits shall be performed on the sampled sites, and
e) audit findings of the sampled sites shall be considered indicative of the entire system and correction shall
be implemented accordingly.
Table 1 gives examples of the number of sites to audit when sampling is used.
Table 1 — Examples of the number of sites to be audited when multi-site sampling is used
Total number of sites
x between
1 and 20 21 22 23 24 25 26 27 28
Number of sites above 20 0 1 2 3 4 5 6 7 8
Additional number of sites to audit 0 1 1 1 1 1 2 2 2
Number of sites to be audited x 21 21 21 21 21 22 22 22
9.1.6 All the requirements given in 9.1.6 to 9.1.9 of ISO/IEC 17021:2006 apply.
9.1.7 The certification body shall provide a written report for each audit. The report shall be based on
relevant guidance provided in ISO 19011. The audit team may identify opportunities for improvement but shall
not recommend specific solutions. Ownership of the audit report shall be maintained by the certification body.
The report shall include references to PRPs used by the organization, HACCP methodology used, comments
on the HACCP team, and other issues relevant to the FSMS.
Management Systems Certification scheme | Management Systems Certification Standard |
Food Safety Management | FSSC 22000 (ver 4.1) |
7.2 Multiple sites
7.2.1 General principles
1) Certification of multi-site organizations and multi-site sampling (as described in ISO/TS 22003:2013 and ISO/IEC 17021-1:2015) is not applicable to the following food chain categories as listed in ISO/TS 22003:2013:
a) CI, CII, CIII and CIV,
b) DI and DII, c) I and d) K.
2) For the food chain categories shown under
1) the Scheme requires that every site shall have:
a) a separate audit,
b) a separate report,
c) a separate certificate, and
d) every site shall be entered separately in the database.
3) Certification of multi-site organizations as shown in ISO/TS 22003:2013, clause 9.1.5 shall be applicable for the following food chain categories as listed in ISO/TS 22003:2013:
a) A,
b) E,
c) FI,
d) G.
7.2.2 Exceptions - applicable for categories C, D, I and K The Scheme does offer exceptions for three main categories of organizations shown in section 7.2.1, that have multiple sites such as organizations: a) where some functions pertinent to the certification are controlled by a head office separate to the site(s), b) with different operations at one site, c) with off-site activities.
7.2.3 Head office functions Functions pertinent to the certification but controlled by a head office separate to the site(s) could include for example: a) Procurement, b) Supplier approval or c) Quality assurance.
7.2.3.1 Auditing head office functions
1) In all cases where functions pertinent to the certification are controlled by a head office, the Scheme requires that those functions are audited interviewing the personnel described in the food safety management system as having the delegated authority and responsibility for these functions.
2) The functions at the head office are audited separately and every site belonging to the group shall have:
a) a separate audit,
b) a separate report and
c) a separate certificate.
7.2.3.2 Auditing sites in a multi-site organization
1) An audit at the head office cannot assess the degree of implementation at site level.
a) The auditor shall visit the sites to conduct that part of the audit.
b) The head office audit shall be carried out prior to the site audit.
2) The subsequent audit at the site(s) shall include a confirmation that the requirements set out by head office are appropriately incorporated into site specific documents and implemented in practice.
3) The site audit report and certificate shall show which functions have been audited at the head office. 4) The report of the head office audit has a validity of 12 months.
5) The head office cannot take responsibility for all functions within the scope of the certification, and can therefore not receive a separate certificate.
6) The head office is mentioned on the site certificate by use of wording such as “An audit was carried out at (name and location of head office) on DDMMYY to assess the following function(s) (describe functions audited at the head office)”.
7.2.3.3 Dealing with nonconformities
1) Where nonconformities are noted in head office or separate sites, these are assumed to have impact on the equivalent procedures applicable to all sites.
2) Corrective actions shall therefore address issues of communication across the certified sites and appropriate actions for impacted sites.
3) Such nonconformities and corrective actions shall be clearly identified in the relevant section of the audit report.
4) The nonconformities shall be cleared in accordance with the CB procedures before issuing the site certificate.
7.2.4 Organizations with different operations at one site
1) In cases where different operations are located on one site, for example where a manufacturing operation is linked to a packing operation, both shall be considered for certification under a single scope based on one audit, report and certificate provided that both are:
a) subject to one audit appropriate to the combined scope;
b) part of the same legal entity.
2) The preferred description on the certificate in such cases is to use the name of the legal entity as the primary name. For example: “XYZ company, operating as ABC processing and 123 packaging, (insert address)”.
7.2.5 Off-site activities
7.2.5.1 Split-process
1) A certified organization has a (single) process that is split between different sites that shall be part of the same legal entity. The primary site is the sole receiver/customer of the secondary site(s).
a) For example, a semi-finished product is moved to a separate site for a specific process step or steps to be carried out, and is returned to the primary location for completion.
b) Such processes shall, by exception, be considered for certification under a single scope and one certificate.
7.2.5.2 Management of off-site activities The off-site activities shall meet with the following requirements:
1) The off-site activities are included in the primary site food safety management system.
2) The scope statement of the primary certified site shall show the on-site and off-site activities.
3) The audit report shall include all relevant requirements at both the primary and secondary sites and allow audit findings to be identified as site specific.
4) The number of secondary sites shall be limited to a maximum of five.
Management Systems Certification scheme | Management Systems Certification Standard |
Energy Management | ISO 50001 |
Management Systems Certification scheme | Management Systems Certification Standard |
Medical Devices QMS | ISO 13485 |
MD 9.1.5 Multi-site sampling
Sites involved in design, development and manufacturing of medical devices (Table A.1.1-1.6) cannot be sampled.
Management Systems Certification scheme | Management Systems Certification Standard |
Information Security
| ISO 27001:2013
|
Management Systems Certification scheme | Management Systems Certification Standard |
Service Management System | ISO 20000-1:2018 |
The requirements in ISO/IEC 17021-1:2015, 9.1.5 apply. In addition, the following requirements and guidance apply.
9.1.5.1 SM9.1.5.1 Criteria for multi-site sampling If a client has a number of locations, certification bodies may use a sample-based approach to multi-site certification audits if all locations are:
a) operating under the same SMS, which is centrally administered;
b) included within the client’s internal audit programme;
c) included within the client’s management review programme.
9.1.6 Multiple management systems standards The requirements in ISO/IEC 17021-1:2015, 9.1.6 apply. In addition, the following requirements and guidance apply.
9.1.6.1 SM9.1.6.1 Combining management system audits An SMS audit can be combined with audits of other management systems. A combined or integrated audit shall ensure that the audit evidence fulfils the requirements specified in ISO/IEC 20000-1 withinthe scope of the audit. All findings relating to ISO/IEC 20000-1 shall be easily identifiable in audit reports. The integrity of the ISO/IEC 20000-1 audit shall not be adversely affected by the combination of audits.
9.1.6.2 SM9.1.6.2 Combining management system audits for ISO/IEC 20000-1 and ISO/IEC 27001 Where an audit is combined for ISO/IEC 27001 and ISO/IEC 20000-1, the information security management process in ISO/IEC 20000-1 shall be audited to ensure that:
a) the information security policy is relevant to the SMS and the services;
b) relevant information security risks are identified and information security controls are implemented to support the SMS and the services.
The auditor may find some supporting evidence from the information security management system (ISMS). If the scope of the ISMS is outside of the scope of the SMS, then the information security management process in ISO/IEC 20000-1 shall be audited as a standalone process without the support of the ISMS. The information security policy, risks and controls shall be audited to ensure that they are appropriate for the services within the scope of the client’s SMS.
Records:
LMS-FM-005 Application and Contract Review
LMS-FM-007 Multi Site Client Information