SYSTEM CERTIFICATION PROCEDURE

PURPOSE
Determining the essentials of the stages of the audit process, such as receipt of the application, review, audit schedule, audit planning, performance, reporting, and recommendation of the result.
SCOPE
System Certification
DEFINITIONS
Terms in ISO 17021-1, ISO 17021-2, ISO 17021-3, ISO 20000-6, ISO 27006, ISO 22003, ISO 50003, ISO 19011, TURKAK Guidelines, IAF documents, EA documents are valid.
APPLICATION
Audit and Certification Process
Receiving the application, submitting the offer, and making the contract (FR-SP-02 Certification Contract),
Preparation of the audit program (FR-TR 14 Audit Program), its planning (PRS-11 Audit Planning Procedure),
Performing the Audit (stage one and stage two audit) (PRS-05 System Certification Procedure),
Certification Decision and Publication of the Certificate.
Surveillance
Re-Certification
Receiving the Application, Submitting the Offer, and Making the Contract
Customer requests are received with the FRTR01 Organization Information Form, they are reviewed according to the PRS25 Application Receipt and Review Procedure, the offer is prepared, and the contract is made after the customer’s approval.
Preparation of the Audit Program
An FR-TR-14 Audit Program is prepared for each certification cycle, the audit program covers all management system requirements.
Initial certification of the FR-TR-14 Audit Program includes the first audit in the first year following the certification decision, a surveillance audit in the second year, two surveillance audits in the third year, followed by a recertification audit before the certificate expires in the third year. The first three-year certification cycle begins with the certification decision. Subsequent cycles continue with the decision to recertify.
In determining the FR-TR-14 Audit Program and additional arrangements, the size of the client, the scope and complexity of the management system, products, and processes, as well as the results of previous audits, and the demonstrated level of effectiveness of the management system are taken into account.
Determination of Audit Scope
In line with the scope in the FR-TR-01 Organization Information Form, EA-NACE codes related to ISO 9001, ISO 14001, and ISO 45001, ISO 22000 Category, ISO 13485 technical area are determined.
A category is not determined in ISO 27001, ISO 27701, and ISO 20000-1.
Audit scope, EA-NACE codes, category, and technical area are reviewed at stage one and stage two audits, opening and closing meetings, performing the audit, and reviewing exclusions, if any.
Assignment of Audit Team
Internal and external auditors and technical experts are appointed according to SİSBEL policies and the “PRS1301 Audit Team Assignment Procedure”.
Planning The Audit
In line with the information in the FR-TR-01 Organization Information Form, the audit period is determined according to the PRS12_1 Information Security Management System Audit Time Determination Procedure, PRS12_2 Service Management System Audit Time Determination Procedure, PRS12 Audit Time Determination Procedure.
If This audit is the first certification audit, the FR-TR-06 Stage One Audit Plan is prepared for stage one, and the FR-TR-11 Audit Plan is prepared for stage two. If This audit is a surveillance audit, the FR-TR-11 Audit Plan is prepared. If This audit is a Re-Certification audit, the FR-TR for Re-Certification -11 Audit Plan is prepared.
FR-TR-11 Audit Plan is submitted for the approval of the customer a reasonable time before the audit, and the audit plan is put into practice after the approval of the customer.
Performing The Audit
Stage One Audit
In a staged audit, objective evidence showing the effectiveness of the organization in meeting the requirements of the relevant standard is reached in outline, and detailed audits are not performed.
The following issues are generally evaluated in a stage one audit of ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 20000-1, ISO 22000, and ISO 13485 standards.
Reviewing documented information in the client’s management system,
Assessing client site and site-specific conditions and negotiating with client’s staff in determining readiness for phase two audit,
Understand the standard requirements for reviewing the client’s status and particularly identifying key performance or key issues, processes, objectives, and operation of the management system,
Obtain necessary information regarding the scope of the management system, including:
Customer’s site(s),
processes and equipment used,
Established control levels (especially for customers with multiple sites),
Applicable situational and regulatory requirements,
Verifying organization processes,
Reviewing the resource allocation for the tier two audit and agreeing with the client on the details of the tier two audit,
Focus on planning a stage two audit, providing an adequate understanding of the client’s management system and field operations in the context of the management system standard or other relevant documents.
To meet with the organization managers and relevant key personnel,
To determine the audit team correctly for the second stage/on-site audit,
To determine the compliance of the organization with the legal requirements related to the product and system,
To determine whether the organization is ready for audit,
To determine the risk status of the organization,
To detect major non-conformances beforehand, if any,
Evaluating whether internal audits have been carried out,
Evaluating whether a management review has been carried out,
Assessing the client’s readiness for their phase two audit,
To determine the adequacy of the documentation,
To confirm the scope of the application, to identify and evaluate the excluded processes, if any,
Evaluate the increase or decrease in the number of audit man days.
Additional considerations for ISO 22000.
The organization shall establish prerequisite programs appropriate to its work (e.g. legal and regulatory rules);
FSMS, the organization’s adequate and appropriate methods and processes for the identification and assessment of food safety hazards and the selection and grouping of subsequent control measures (or combinations),
Food safety legislation applications of the relevant sector of the organization,
GGYS, the organization’s food safety policy and achievement of objectives,
Validation, validation, and development programs comply with the FSMS standard requirements,
Reporting of a stage one audit
Findings related to the standard items are recorded in the audit report, and the classes of nonconformities are determined and recorded in the nonconformity report.
If there are deviations that change the number of audit man days, this situation is brought to the attention of the organization in order to increase the number of auditor days and audit fee, and the stage is recorded in an audit report.
The results of a stage one audit are recorded in the audit report, the report is reviewed for adequacy, and if there is a nonconformity in its content, the necessary corrective action is taken by discussing with the auditor who wrote the report.
If there is a problem with the suitability of the audit team, the suitability of the lead auditor and team members is reassessed.
If there is a significant deviation from the information in the application and the contract, the organization is contacted to increase the number of auditor days and to re-determine the cost.
Performing On-Site/ Stage Two Audit
Audit is carried out in line with the previously agreed FR-TR-11 Audit Plan.
FR-TR-11 Audit Plan has been prepared in a flexible structure, if necessary, changes can be made to the FR-TR-11 Audit Plan.
The change made in the FR-TR-11 Audit Plan is limited to changing the audit order of the processes or changing the task in the audit team, the change does not reduce the audit time, the process and the standard items to be audited.
If a change has been made in the FR-TR-11 Audit Plan, this situation and its justification are written in the Audit Reports.
Site audits consist of the following processes.
Opening meeting,
Audit,
Reporting,
Closing meeting
Opening Meeting
The opening meeting is held according to the “FR-TR-03 Opening and Closing Meeting Checklist”.
The official opening meeting is held with the customer’s management and those responsible for the functions and processes to be audited.
Each item in the FR-TR-03 Opening and Closing Meeting Checklist is explained to the participants, the participants are informed about the conduct of the audit and the participants are given the opportunity to ask questions.
The opening meeting is tried to be held in a way that does not exceed half an hour.
Participants and the audit team sign the FR-TR-04 Opening and Closing Meeting Participation Form.
After the opening meeting is completed, the audit team holds an evaluation meeting among themselves, and the field audit starts after the meeting.
Audit
It is carried out in line with the previously agreed FR-TR-11 Audit Plan.
Evidence of conformity or non-compliance is noted against the relevant items by using the Audit Report.
The sampling rate to be taken in the audit is determined by the auditors according to the time planned for the audit and the risk status of the product service.
The supervisory board makes evaluations among itself and, if necessary, revises the audit plan for the following days and remaining times.
During the audit, the auditor or technical expert does not make a statement to the organization regarding compliance and non-compliance.
No decision is made regarding the audit before the audit is completed, if there is a major non-compliance, an assessment is made by the audit committee, the customer is informed, and it is decided to terminate the audit or to continue the audit by changing the target.
Reporting
The audit report is completed before the end of the audit, if possible, and not later than two weeks after the audit.
The audit report is prepared by the lead auditor in line with the findings of the other audit team.
As a minimum, the audit report should contain information about conformities, nonconformities, strengths and weaknesses of the organization, samples made in the audit, audited or unaudited areas, etc., regarding the relevant management system of the organization. includes the audit team’s decision.
Samples taken to show that the audited standard item is implemented by the organization are written in the audit report. Samples taken must be in verifiable format.
The audit report is prepared in a format that will show which processes of the organization are audited.
Audit report(s) in combined audits; clearly defines all the requirements of each standard.
FR-TR-07 Non-Conformity Report and FR-TR-05 Audit Participation Form are attached to the audit report.
A surveillance audit of one standard may be combined with an initial certification audit or recertification audit of another. In such cases, the audit report should clearly indicate the relevant parts of each standard.
Writing of nonconformities: Any nonconformity that does not have objective evidence is not written regardless of its size. Written nonconformities should be in a way to show which article of the standard was violated, why it was violated, objective evidence of non-conformity, and the extent of nonconformity. It is a necessity to get the approval of the organization by agreeing with the organization on the existence of non-conformities. Nonconformities are identified into two types: Major (major), Minor (minor).
Major:
Failure to meet one or more requirements of the management system standard,
A state of significant doubt about the organization’s ability to achieve the results intended by the management system,
Minor (minor): Partial deviations from the implementation of the management system, incomplete/incorrect applications.
Observation: Activities that are not open to identify minor nonconformities and carry the risk of minor nonconformities in the future.
Tipex and correction fluid are not used in the correction of typographical errors during the writing of audit reports. Two lines are drawn on the part where the error is made, that part is indicated using a hash sign.
The audit team makes its recommendation on the outcome of the audit based on:
If the certification scope of the organization is not determined correctly, if the exclusions are not made correctly, certification advice cannot be made.
In case of major non-compliance in the audits, it cannot be recommended to grant, maintain, suspend, or expand the certification.
If there is minor nonconformity in the audits, it is recommended that the certification be given, maintained, suspended, and scope-widening decisions are made in case of taking corrective action.
Observations do not affect the decision about the audit result positively or negatively.
Closing Meeting
The closing meeting is held according to the “FR-TR-03 Opening and Closing Meeting Checklist”.
The official closing meeting is held with the customer’s senior management and those responsible for the functions and processes audited. In ISO 45001 audits, the workplace health worker is also required to attend the closing meeting. In case of non-participation, the justification is recorded in the audit report.
Each item in the FR-TR-03 Opening and Closing Meeting Checklist is explained to the participants, the participants are informed about the outcome of the audit and the participants are given the opportunity to ask questions.
The closing meeting is tried to be held in a way that does not exceed half an hour.
Participants and the audit team sign the FR-TR-04 Opening and Closing Meeting Participation Form.
After the closing meeting is completed, the field audit activity is completed.
Follow Up Audit
In case of major nonconformities that need to be verified on-site, a follow-up audit is planned.
Verification of the follow-up audit can be done by a documented statement or on-site audit; this is determined at the end of the audit. The decision to carry out the follow-up audit on the site or confirm it with a documented statement is determined in accordance with the following rules.
With a documented statement, if the non-conformities have arisen from the documentation and can be corrected by revision,
Correction of nonconformities is verified by performing on-site audits if practices require an on-site audit.
A Follow-up audit can be performed with an auditor assigned in the relevant field from the audit team or an auditor and technical expert who is not appointed in the related field.
In follow-up audits, only non-conformance verification is performed, and evidence of corrective action is examined.
All details regarding the audit findings in the follow-up activity are recorded in the Audit Report. After the corrective action is verified, the certification process begins.
The Process of Making Decisions for Granting, Maintaining, Suspending, Suspending, Withdrawal, Scope Expansion, or Reduction of Certification
Decisions for granting, maintaining, suspending, suspending, withdrawing, expanding, or narrowing the scope of certification are taken by the “SISBEL Certification Committee” and are not transferred to second and third parties in any way.
SİSBEL Certification Committee; The Certification Manager consists of SİSBEL full-time staff and SİSBEL external auditors and technical experts. Auditors and decision-makers are composed of completely independent, impartial, and different persons. Decisions regarding the audit result are taken unanimously.
In order to decide on the audit result, SİSBEL full-time personnel assigned in the relevant technical field or one of the SİSBEL external auditors and technical experts, who did not take part in the audit that was evaluated, is selected.
The audit report, nonconformities, management system documents of the organization, and FR-BE-01 Certification Committee Decision Minute are sent to the auditor or technical expert who takes part in the SISBEL Certification Committee.
Audit reports, nonconformities, correct classification of nonconformities, adequacy of objective evidence, availability of evidence, if any, to support, audit team, accuracy and effectiveness of audit plan, exclusions and justification, recommendation of the audit team, and organization’s documents are reviewed and FR-BE -01 It is recorded with the Certification Committee Decision Minute.
The certification Manager takes the decision regarding the audit result in line with the FR-BE-01 Certification Committee Decision Minute.
If the certification manager has taken part as an auditor in the audits of the evaluated organization, he cannot act as a decision-maker or as a member of the certification committee. In these cases, a full-time or part-time staff of SİSBEL takes charge as the Certification Manager.
Printing The Certificate
Certificates are published for one year or three years provided that the validity period of the document is three years.
Initial certification, re-certification and revision dates on the document indicate the decision date of the certification committee.
In the Validity date part, one year later date is written based on the first certification committee decision date. The revision number is incremented every audit period.
The certificate is printed using the FR-BE-01 Certification Committee Decision Minute and mask certificate.
In case of certification in multiple branches or sites, only one document related to the organization is registered and the name and addresses of the organization center are written on the document, the list of addresses of other branches or areas included in the certification process is given in the form of a list in addition to the main certificate.
In case of certification in multiple branches or areas, clearly in the certification scope section of the certificate; It is stated that the product/service produced is the result of the joint activities of the branches or businesses in the list.
If the customer makes a request to the certified enterprise or branch to obtain a partial document independent of the main document, this request can only be made by writing the part on the main document of that customer that meets the scope and referring to the main document.
Document status information of the client (where the document is in effect, suspended, etc.) is shared via e-mail upon request.
Surveillance Audit
Surveillance audits are carried out once in each calendar year, excluding the year of recertification. The first surveillance audit to be carried out after the first certification cannot exceed 12 months from the date of certification.
The FRTR01 Organization Information Form confirms whether there has been any change in the customer’s certification conditions.
Nonconformities detected in the previous audit are verified on-site.
The same procedure is used for the certification audit.
It is carried out to cover some of the articles of the standard.
In total, all activities of the organization are audited once, with two surveillance audits.
Surveillance audits include at least the following:
Internal audits and management review,
Reviewing the actions taken on the nonconformities identified during the previous audit,
Handling complaints,
The effectiveness of the management system in terms of achieving the objectives of the certified customer and the objectives of the relevant management system(s),
The development of planned activities aiming at continuous improvement,
Operational control is maintained,
Reviewing the changes,
Re-Certification Audit
Re Certificate audit is done every 3 years.
It is carried out to cover all the clauses of the standard.
It is evaluated whether the entire system has been reviewed during the certification period.
Nonconformity variability and trend are taken into account.
The effectiveness of corrective actions is taken into account.
It can be planned in two stages when deemed necessary. Under normal circumstances, a staged audit is not carried out, if there have been significant changes in the scope of the certificate, its documents, address, and employees, a staged audit can be made.
Re-certification audit is carried out before the expiry of three years. If the re-certification audit is successful before the validity period of the certificate expires, the first certification period is taken as the basis for the validity period of the certificate.
If, before the validity period of the certificate, the recertification audit cannot be completed or if corrective and corrective action for any major nonconformity cannot be verified, recertification is not recommended, and the validity of the certificate is not extended. The customer is informed, and the next steps are explained.
Transfer Certification
The transfer is made only for valid accredited documents. However, in cases where the commercial activities of the certification body are terminated or its accreditation is canceled, the customer is considered as applying for the first time and the first certification procedure is applied. Certificates that are suspended or in danger of being suspended will not be accepted for transfer.
It is obligatory for the certification-transferring organization to submit its ongoing document and auditor’s reports. The validity period of the document is three years from the certification period written in the transferred document. Example: If the customer transfers while the certification is certificated for two years, the certification with a validity period of one year is published, and the validity date on the certificate remains the same.
In the transfer of a certificate, if the prerequisites for the transfer are met and there are no problems at the review stage, the recommendation to issue the certificate is submitted to the Certification Committee. If no audit (certification, re-certification, surveillance, follow-up) is required as a result of the first review, the previous certification system model is used to complete the current surveillance and certificate renewal program.
Certification to be requested from organizations that want to transfer documents is given below.
A certificate that is still valid,
Previous audit reports carried out,
Nonconformities and corrective actions identified in the audits,
Customer’s official documents.
Scope Expansion or Narrowing Control
Procedures for scope change applications are made according to the “PRS-07 Scope Expansion and Reduction Procedure”.
Special Audit:
The concentration of complaints about certified customers, handling of changes, suspension of the certificate, etc. controls in cases.
Performed on a schedule, with the client briefed beforehand about the reason for the audit and the audit, or it can be done unannounced.
REFERENCES
ISO 17000, ISO 17021-1, ISO 17021-2, ISO 17021-3, ISO 27006, ISO 22003, ISO 50003, ISO 19011,
TURKAK Guides,
IAF documents,
EA documents,
ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 22000, ISO 22003, ISO 13485
PRS-05 System Certification Procedure,
PRS 07 Scope Expansion and Reduction Procedure
PRS-11 Audit Planning Procedure,
PRS-13 Conformity Assessment Personnel Assignment Procedure,
PRS12 Audit Day Period Determination Procedure,
PRS25 Procedure for Receiving and Reviewing Applications,
FRTR01Organization Information Form,
FR-TR-03 Opening and closing meeting checklist
FR-SP-02 Certification Agreement,
FR-TR 14 Audit Program.
REVISION
Revision 01: 09/03/2021 Certification criteria have been added.
Revision 02: 10.10.2021 ISO 27001, ISO 27701, and ISO 20000-1 have been added.
Revision 03. The obligation to attend the workplace health worker was added to the closing meeting (ISO 45001) on 10.03.2022.

Publishing Date:01.06.2008 Re Publishing Date:02.07.2018 Revision No/Date:03/10.03.2022 PRS-05