How Does the ISO Certification Transfer Process Work?
So you're a certified organization, and you're considering switching certification bodies, but want to know more about what that process looks like and whether or not you're eligible to do so. In this video, we'll discuss how this process, what's referred to as its certification transfer works including the eligibility requirements and cooperation that needs to be in place amongst the various parties involved.
First, what is a certification transfer?
Well, it's a cooperation between both an issuing certification body, the certification body that holds your ISO certification, and an accepting certification body, the certification body that the organization tends to transfer their certificate to, with the overall intent to transfer a valid accredited certification.
Now the requirements for certification transfer that we'll walk through in this video aren't Schellman specific, but rather they're required for all certification transfers as mandated in IAF MD 2, which is a mandatory document published by the International Accreditation Forum (IAF).
Your next question is likely: Why would somebody transfer?
Much like the decision to switch your audit firm for any type of audit. There are often times when organizations decide to switch their ISO certification body over the course of their certification life cycle.
Here at Schellman, one of the main reasons we accept certification transfers is due to organizations wanting to take full advantage of the multitude of audits that we perform for our clients, which are outlined in great detail on our website and include areas such as SOC, ISO, Healthcare, Federal, and Privacy related audit and assessment services, amongst others.
So we've talked about what a certification transfer is, but what about the eligibility requirements?
- In its simplest form, the certification being transferred must be active and not in a suspended state.
- The issuing certification body must also have an active accreditation, which is in good standing with their accreditation body and the certification itself must be accredited.
Once we've met the eligibility requirements, the accepting certification body is ready to start what's referred to as the pre-transfer review, where these requirements are further assessed along with supporting documentation.
It's important to note that this is not an audit, but rather a due diligence review in order to obtain sufficient information about the validity of the certification to make a decision about whether or not to accept the transfer.
The objective of this process is to gain an understanding and confirm the following:
- The scope of the certification falls within both the issuing and accepting certification bodies' accreditation
- The reasons for the transfer
- Whether or not this certification is active and valid and recognized as being so by the issuing accreditation body
- A review of recent certification reports such as surveillance and recertification
- The status of any outstanding non-conformities
- And finally, the status of any complaints taken against the certification.
Unsatisfactory or incomplete reviews of these items may result in the accepting certification body denying the transfer or treating the client as a new client. In lieu of going through the transfer process. More on that at the end of this video.
If there are no issues, then we can proceed with the transfer and follow the same certification scheme that the issuing certification body had already established, such as proceeding to a surveillance or recertification review. Now in completing the steps, we talked through in this video, a key element is that there is cooperation between the issuing and accepting certification bodies. This is essential for the effective transfer process and for maintaining the integrity of the certification in question.
Certain documents and assurances, as authorized by the client, will be shared by the issuing certification body to the accepting certification body. That can include
- Certification audit reports
- Corrective action plans
- The validity of the certification, etc.
And the issuing certification body is not permitted to suspend or revoke the certification once they realize it's in the process of being transferred, and before the transfer process is completed.
Once that transfer process is completed, the accepting certification body will then be required to inform the issuing certification body of the completion of such activities so that they can update their client records and certification directory accordingly.
Lastly, there may be situations where either certain certifications are ineligible for transfer based on the eligibility requirements discussed earlier in this video or clients prefer to start fresh with a new certification body as opposed to proceeding ahead with the certification transfer process.
What are the advantages or disadvantages of transferring your ISO Certification?
The most obvious advantage of doing the certification transfer is time and money, which I know is important to most people. The certification transfer process is fairly low touch and quick, and it allows the accepting certification body to pick up where the issuing certification body left off and the certification cycle once completed. By foregoing the certification transfer process, you would be treated as a new client, and thus required to undergo the Stage 1 and Stage 2 initial certification process, which is likely to be a more expensive and time-consuming option, given the increased time and effort to perform these baseline reviews.
But in cases where organizations do not meet the eligibility requirements for certification transfer, it's unavoidable in order to switch certification bodies.
Now I hope that helped you understand how the certification transfer process and if you're curious to hear more about our ISO services or have any other questions, please reach out to me via our website.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.