Featured Product
This Week in Quality Digest Live
Standards Features
Catherine Cooksey
Ensuring that measurements aid the broader industrial and scientific communities that depend on them
Clare Naden
One way is through a system of conformity assessment to ISO standards
Shaneé Dawkins
Research focuses on ensuring first responder communication tools are designed to meet users’ operational needs
Sheronda Jeffries
Inclusion of ISO 13485 certificates in IAF CertSearch could help protect first responders

More Features

Standards News
Design, develop, implement, continually improve risk management in systems and software engineering
ISO/IEC/IEEE 16085 has just been updated
Patient safety is a key focus in update of ISO 14155, the industry reference for good practice in clinical trials.
Is the standard adequate, or should it be improved? Deadline: Dec. 31, 2020
Good quality is adding an average of 11 percent to organizations’ revenue growth
Awards to be presented March 24, 2020, at the Quest for Excellence Conference, in National Harbor, MD
How the nation’s leading multistate cannabis company ensures quality and safety standards
New auditors must pass the exam before auditing for GFSI-recognized certification programs
ISO and WHO are working for universal access to quality health products that are all at once safe, effective, and affordable

More News

Grant Ramaley

Standards

The Currency of Credibility: Valid ISO Certification According to ISO

Verify ISO QMS certificates using the International Accreditation Forum (IAF) CertSearch database

Published: Thursday, January 21, 2021 - 12:02

As the 2020 pandemic threatened world health, a large number of unscrupulous companies began generating fake International Organization for Standardization (ISO) quality management system (QMS) certificates in an attempt to fool governments into buying personal protective equipment (PPE), ventilators, thermometers, and Covid-19 test kits. The credibility of ISO 13485 certificates used to certify medical devices suddenly became a crisis.

Aside from the obvious fake certificates, other companies were paying to get certificates with little or no oversight as to how they were earned. If the goal of getting certified is to gain worldwide recognition, it’s important to understand what makes an ISO certificate valid, especially when paying thousands of dollars for an ISO QMS certificate that may not be considered valid by ISO. Companies may think they are getting a credible certificate but find themselves exposed later when trying to sell their products to those who require certificates issued from accredited certification bodies.

But how do you know if a certificate is credible or valid? An answer to that question comes from ISO. Every year ISO publishes a survey of what they deem to be “valid” certificates. According to ISO, the survey “shows the number of valid certificates to ISO management standards (such as ISO 9001 and ISO 14001) reported for each country. The ISO survey counts the number of certificates issued by certification bodies that have been accredited by members of the International Accreditation Forum (IAF).” The last ISO survey indicated there are nearly 1.35 million valid certificates.

But what makes these certificates valid to the gold standard ISO uses? And what reliance should governments and others place on these certificates to verify validity of products—especially medical devices?

Simply put, the IAF certifies the organizations (called certification bodies) that issue ISO certificates using ISO/IEC standards for accreditation as their foundation. IAF members accredit the certifiers. How all this happens involves several layers and tiers of accountability and enforcement, all tied together to do one thing: to make sure your ISO certificate is one that can be recognized internationally. It is the IAF that ensures the certificates meet ISO’s gold standard.

Ultimately it is this international credibility that industry organizations are banking on when they lay down thousands of dollars to get their ISO management system certified. Many certificates are issued every year that do not meet the ISO’s threshold for being valid. Many fakes look legitimate, and more is being done to help us check certificates to make sure they can be trusted. And trust is what we need right now. These certificates provide a critical piece of evidence around the quality assurance of products we depend upon.

In order to help remedy this problem, the IAF established a worldwide database to help determine if an ISO QMS certificate is valid. IAF CertSearch was set up to only collect certificates sent to them by certification bodies that IAF members have properly accredited.

The database cannot include fake certificates or certificates from certification bodies that have not been accredited by an IAF-member accreditation body. The database also holds all information on the properly accredited certification bodies, and the IAF member accreditation bodies that accredited them. Currently the database holds information on nearly 100-percent of accredited certification bodies, although not all of them are visible to the public. Certification body visibility in the database is dependent upon the certification bodies voluntarily activating their CertSearch account. Not all have taken that step, and IAF and many accreditation bodies are pushing them to do so (see “More Must Be Done to Promote IAF CertSearch”).

Whether you buy products from Afghanistan, Zimbabwe, or somewhere in between, the supply chain is filled with certificates that the ISO survey does not consider valid. And though you may not be a regulator trying to protect citizens during a world health crisis, knowing the pedigree of your supplier’s ISO certificate is important to understand and weigh.

IAF CertSearch is the first worldwide database designed to help users determine if an ISO certificate is valid. Although the database currently has just 450,000 of the 1.35 million certificates, you can use the database to look up the name of the certification body to see if they were accredited by an IAF-member accreditation body. If you find the certificate is not listed, but the certification body’s name on the certificate is listed in the database, you will have to go to the certification body’s website for now to make sure you don’t have a fake certificate. All certification bodies accredited by IAF are required to offer a means to validate certificates. Hopefully in the future, you will be able to fully verify the validity of a certificate using IAF CertSearch. As mentioned earlier, it is also possible at this time that the certification body has not activated their account in the database. If you know your registrar is accredited, encourage them to activate their account, it helps everyone. Already, the database has been put to use by medical device regulatory authorities vetting suspicious certification bodies.

As the British Standards Institution and other large certification bodies have noted a significant increase in the number of fake ISO certificates, every certificate should be checked, especially if the ISO certificate is from a critical supplier. One regulatory authority reported they had used the database to screen their existing collection of ISO 13485 certificates and found half of the certificates didn’t qualify as valid. This was largely discovered by checking to see if the certification body was listed in the IAF database.

While ISO and IAF continue to work toward filling its worldwide database with 1.4 million certificates in 2021, we now have knowledge and tools needed to thwart one of the biggest threats to certification and begin to shield the world from fake certificates. The responsibility to screen ISO certificates is now more critical than ever, and not just for regulators trying to protect the public health.

For more information on how to use the IAF certification database to screen ISO management system certificates or look up whether a certification body has been accredited by an IAF-member accreditation body, visit www.iafcertsearch.org.

Story update 2/2/2021: Clarification was added regarding visibility of certification bodies in the CertSearch database. A CB won't be visible if the CB has not activated their CertSearch account.

Discuss

About The Author

Grant Ramaley’s picture

Grant Ramaley

Grant Ramaley is the director of regulatory affairs for Aseptico Inc., a manufacturer and marketer of dental support equipment in the United States and Canada since 1975.  Ramaley also is co-chairman of the Regulatory Affairs and Standards Committee for the Dental Trade Alliance, Convener for the ISO 13485 Working Group at the International Accreditation Forum, and Technical Committee Advisor to the Asian Harmonization Working Party.

Comments

Credibility of IAF Backed Certificates

First, I completely back the IAF because the IAF is the ONLY organization in the world that has "Accredited" certs accepted by all IAF members. Although there are "other" accreditation bodies in existence, I would never accept an ISO cert that does not have a mark of an IAF member because their is absolutely no accountability. I consider myself as one of the most forensic auditors anywhere. My competencies are very broad. I know that I was the first auditor in the USA to identify a FAKE QS 9000 cert by a company that created a falsified cert with the CB's mark on the cert. At that time, everyone accepted their cert including Ford, Chrysler and GM. I was the only one to dig into the cert's credibility. With CertSearch, the scope will eventually lock down all valid ISO certs and credibility as I personally do not consider any other accreditation valid. Likewise, in the USA, over 85% of resumes / CV's are falsified in some manner. There are too many organizations accepting these as validation for the specific education. If issues with CertSearch exist, this must be approached as a method to correct and move forward. I did not identify anyone stating specific scenarios that could be researched to allow the IAF to do a root cause analysis, complete the required corrections and to finalize with adequate and effective corrective & preventive actions to eliminate the risk.

Inaccurate

Unfortunately, the article is not accurate. The IAF CertSearch database has already been found to have contained (and may still contain) unaccredited certificates. The data is also out of date, poorly updated, and utterly reliant on the CBs to self-maintain. The IAF does not do any due diligence to verify the accuracy or currency of the data.

Furthermore, overall CB participation is very low. As of right now, to verify a certificate I have to check a list of about TEN different verification sources, of which CertSearch is only one. Of them, CertSearch is almost never found to have the lastest information, if it even provides a result at all.

The root cause comes down to the fact that the IAF did not make participation in CertSearch a mandatory part of accreditation, but left it "optional" to appease the very bodies they are supposed to be overseeing. In other schemes, such as AS9100 and IATF 16949, participation in such registries is mandatory. The IAF succumbed to the complaints of its laziest and shadiest members, and abdicated its duties here.

Until participation in the database is made a mandatory part of accreditation, CertSearch is worthless.

The Currency of Credibility: Valid ISO Certification

Grant: The IAF CertSearch process that you cite in your article could be a very helpful technique to verify the ISO 9001 certificates claimed by companies are legitimate.

For several reasons, the IAF CertSearch site is not effectively maintained. As you mentioned in the article, the Certification Bodies (CBs) only list 450,000 certificates out of the total of 1.35 million combined certificates, so over two thirds of the companies can’t be validated as being approved through the IAF- Accreditation Body (AB)- CB process. The ISO Survey of Management System Standard Certifications – 2018 – Explanatory Note, ISO reports: “Some certification bodies that are important in some countries did not participate”. I entered IAF CertSearch to look for several of my clients who hold ISO 9001:2015 certificates from large international CBs, accredited by ANAB. Less than one fourth of these companies appeared in the IAF data base. When I went to the CB’s website, I found the companies. I don’t understand why the ABs and IAF allow the CBs to avoid reporting the number of clients they certified to the ISO Survey; should be a requirement of a CB to maintain their accreditation.

A bigger concern is the number of potentially ‘Fake” ISO 9001;2015 certificates issued in China by CBs holding accreditation by ABs in the IAF network. The report: ‘Faking ISO 9001 in China: An exploratory study’ by Iñaki Heras-Saizarbitoria and Olivier Boiral (2018) provides evidence that many of the near 300,000 ISO 9001:2015 Chinese Certificates are fake. According to the report, over one third of the approximately 800,000 ISO 9001:2015 certificates in the world may be fraudulent. Link to the report:

Researchgate link: https://www.researchgate.net/publication/328520072_Faking_ISO_9001_in_China_An_exploratory_study

Grant, your premise: “It is the IAF that ensures the certificates meet ISO’s gold standard”, needs to be confirmed by the leadership of IAF and ISO. If the research paper on Fake China ISO 9001 certificates is not accurate, the IAF needs to provide evidence that the ISO 9001 certification process in China meets the requirements expected of all the companies you cite in your article— ‘and what reliance should governments and others place on these certificates to verify validity of products—especially medical devices?’

Milt Dentch

China

The IAF cannot rein in the actions of China because the senior executive position is *held* by China.

The IAF's president is also the chief executive of CNAS, the Chinese National Accreditation Service. Before that, he held other senior leadership roles in the IAF going back at least a decade or more. Therefore, no reasonable person can assume that the IAF would hold any power over CNAS, which is responsible for publishing many of the "fake" ISO certifications coming out of China.

Chinese executives then hold major leadership roles in the various IAF "Regional Accreditation Bodies," enabling them to have sway in those bodies as well. The "RAGs" are responsible for executing IAF oversight in the various global regions, but in effect work to maintain the status quo, allowing CBs and ABs to literally commit crimes with impunity. 

China's national plans for both increasing its role in standards development ("China Standards 2035 Plan") and increasing its exports ("Made in China 2025 Plan") are official government policies, and the IAF leadership is sworn to uphold those before acting on their own interests, under Chinese law. Officials who refuse -- including the leadership of the IAF -- can be arrested. Those policies ensure that China pumps out hundreds of thousands of dubious ISO certificates in order to improve the reputation of its products, in order to hit the "Made in China 2025" milestones and export goals.

With the IAF managed by China -- the world's largest producer of fake ISO certificates -- the resulting CertSearch product cannot be trusted either.

Thank you Mitch,The IAF

Thank you Mitch,

The IAF Database Management Committee has been working to address the reasons CABs have for not uploading their certificates.  The biggest hurdles have been overcome, such as protecting against poaching clients, security, EU GDPR compliance, all have been resolved.

It is important that all efforts be exhausted to accommodate our stakeholders' concerns.  Even so, the IAF is committed to a full database.   We have learned much since its launch in late 2019.

Although you have raised the issue of fake certificates in China, the larger countries also have more 'credible' certs than smaller countries. I'm sure its frustrating to be a CEO paying to play by the rules, only to be tainted by so many companies playing outside the rules, as if this were some 'game' where cheating didn't matter.  

This Pandemic has proven the importance of IAF CertSearch.  It has already detected over 160 fake certificates, and that number has grown since I was last told.

However, because the database is nearly 100% full of the CABs, as the IAF members uploaded all the CABs they have accredited under the IAF MLA; so that part of the database is being used now to determine if the CAB is there.   Two regulators have used it for screening their ISO 13485 medical device QMS certs.  

I call these the 'gold standard' because our 'gold' is better spent on an ISO cert that ISO says so credible.  'Credibility' is what we pay for, whether or not our currency is 'gold'. 

Just to comment further. The

Just to comment further. The claim that the database is complete is wholly false. A search for ISO 9001 bodies accredited by ANAB shows only SIX results. The official ANAB website reports that the body has 81 bodies accredited for ISO 9001. Major certification bodies are still not participating in CertSearch.

Certsearch reports only 2 (as in two) bodies accredited by the Chinese body CNAS, for which the IAF's own president is the executive. In reality, CNAS has 100+ such bodies.

I am stunned that the IAF would make such outrageously false claims which are disproved with only five minutes of verification.

Using IAF CertSearch - For CAB searches

Hi Chris,

Try searching for CBs accredited by an Accreditation Body.  Start there.  ANAB shows 51.

I agree that it seems a little odd that there are multiple searches made for variations of ISO 9001, (e.g.  ISO 9001:2008, ISO 9001:2015. etc). Using CertSearch it is best to lookup using the bare minimum (e.g. ISO 9001) no date.  So if you use CertSearch to lookup how many CABs ANAB has accredited, it is 45...if you search 'ISO 9001' - do not use a dated version of ISO 9001.

Poaching?

This is Principle #14 of the requirements for crippling IAF CertSearch as a tool for Poaching

#14 - The IAF database will need to have controls necessary to prevent or limit unauthorized data mining (to prevent competitive poaching) as well other security measures to ensure data integrity and protect against unauthorized access to, and use of, the data.

The argument is not whether it CAN be poached at all, but whether its worth trying to poach it.  It really doesn't support poachers needs...

China is using the IAF, but IAF Mandatory Requirements are created by the world.  Although I am sure China desires to use what IAF can provide, so do all the other countries .  As usual, it is not China leading, but Europe and the Americas, with many of the other sectoral MS standards. The ISO survey data shows that clearly.  In my experience, Europe has by far more influence than any region, but even if they all vote one way, I have seen them lose at the final ballot count.  China has very little voting power, so in reality their perceived power is quite limited at IAF.  They are however mindful of what IAF can do for them, as are all the other countries, even the smaller ones... more credibility means more ease of exporting goods.

With regard to whether or not the database becomes mandatory sooner, or later, by way of IAF or by way of Medical Device Regulator making it mandatory (for manufactures to supply medical devices to their healthcare system) pressures will continue to mount.  Medical Device Regulators, including US FDA and regulators at the Global Harmonization Working Party www.ahwp.info (they just changed their name) have a very strong interest in using IAF CertSearch for screening certs and are using it now.  Those CABs that are favored, their AB will have to qualify them under the IAF MLA to maximize their credibility.  

IAF will not have to make uploading ISO certs mandatory for this to a become 'mandatory' business necessity for CABs.  Other industry sectors that use ISO certs are already applying more pressure to make it mandatory.  For instance, TL9001 for telecom now requires CABs to activate their accounts with IAF CertSearch or they cannot issue ISO TL 9001 certs anymore. Who willl be next?  Auto industry? Aerospace?  Food Safety GFSI?  I think 'mandatory' is a matter of 'when' not 'if'.  As it has already begun.  If you are a CAB and offer your clients cert posted as 'credible' to the world, and your competitors do not...

There's so much wrong with

There's so much wrong with this answer, I can't play whack-a-mole with it.

Suffice to say you admit that ANAB reports 45 CBs, but ANAB has over 80 CBs for ISO 9001. So rather than retract your false claim that the database is "nearly 100% complete," you just admitted that in the case of ANAB you barely broke 50%. We know that 50% is not equal to 100% because math exists.

Your arguments on having "resolved" poaching are spurious (CBs don't want any list of clients anywhere, because competing CBs only need the name and address of the client, they don't need to have API or backdoor access), and I won't even get into your logic behind China and the refusal to make CertSearch "mandatory" because you merely wish it to be.

Just stunningly bad, all around. But par for the course for IAF I guess.

I'd be interested to know how

I'd be interested to know how you can claim the "database is nearly 100% full" -- it sounds like you're suggesting it includes all CBs, when it only includes a fraction of them -- and that the issue of poaching has "been resolved." 

There is no evidence of any of that being true, nor could they be without making CertSearch participation mandatory. I am open to being disproved, however.

To Clarify

Clarifications

IAF member Accreditation Bodies that are members of the IAF MLA are required to upload all of the CABs they have Accredited.  During phase 1, which has long passed, that seems to have gone very well.  So I indicated it was likely to be nearly 100%. 

In fact querries to the IAF Database manager, regarding missing CABs, have proven the CAB was not accredited by an AB signatory member of the IAF MLA.   During investigations with help from the database manager, some CABs were found using fake accreditation marks from IAF member ABs!. 

CABs using fake AB marks appear will not be in the database, since of course the system makes that impossible. So if the CAB is not in the database, please contact CertSearch, there could be yet-another bigger problem.  165 fraudulant certs have been detected by the database manager.  Contacting the database manager is easy to do.

So again I will say, it is MANDATORY under enforceable arrangements for all IAF MLA members ABs to uplaod the CABs they accredit.  This is not 'voluntary' it is mandatory.  So if the CAB is not in the database, they are not likely operating under an accreditation by an IAF member AB, who has signed the IAF MLA.  

Efforts to make poaching Principle #14 acceptable to CABs

The previous Chairman of the CERTSEARCH Database Management Committee represented CABs exclusively.  He was nominated by IAF member ABs, in further effort to reach out with an olive branch to CABs; to give them leadership on the database to achieve all of the Principles, especially principle #14.   That helped us achieve agreement that the database met 'Principle #14.  So if the IAF member CABs who insisted on Principle #14 are now satisfied with it, that is good enough for me.  Are their any that will say it is NOT impossible to use it for poaching, of course.  Poachers will try to use it, but will find it frustrating for a number of reasons, mainly because of the efforts applied to satisfy #14.  

IAF on CB account activation

Here is some more information from an IAF representative supplied to QD regarding why some CBs (as Chris Paris discovered) don't show up in the IAF database. As mentioned in an earlier comment, this is because those CBs haven't activated their account in CertSearch. This means that many CBs don't show up in an IAF search even though the data is there.

According to the IAF rep:

"Quite frankly, some CBs, even some accredited by ANAB, have been resistive to even activating their IAF CertSearch accounts, let alone submitting data.

"This is why TIA QuEST Forum’s requirement, effective as of December 2020, that all accredited CBs who offer TL 9000 Certification activate their IAF CertSearch accounts is so remarkable.

"Unfortunately, we’ve seen some CBs go to tremendous lengths to avoid activating their accounts, clinging to a mistaken belief, even when confronted with data from the IAF CertSearch developer, that security and controls are not in place to address poaching.  Other CBs have noted that their concerns are not regarding poaching but about monetization of access to the certification.  But this argument is difficult to understand because quite frankly, a certified organization can promote its accredited certification anywhere it chooses to post a copy of its certificate – on the certified organization’s websites, by emailing a copy of the certificate to its partners and customers and requesting that they promote and post the certificate.

"ANAB has all of its accredited CBs listed within IAFCertSearch but only about half have activated their IAF CertSearch account and only those CB’s who have activated their IAF CertSearch account will show to the public.

"Again, this is why TIA QuEST Forum’s requirement is so important.

"IAF CertSearch has been engaging with the accredited CB community to hear and address their concerns for quite some time.  The difficulty is that even when data, like information regarding the security and controls in place to address poaching is shared, it doesn’t appear to be heard.

"Hopefully, as consumers and industry learn more about the benefits of IAF CertSearch and demand that their accredited CBs take action, including activating their accounts and ultimately submitting certification data, the accredited CBs will begin to hear us."

Some of this is covered in the article "More Must Be Done to Promote IAF CertSearch"

Re: Percent CBs in IAF database

Hi Christopher,

Solid observation, and we poked around a bit to find out where the difference between the IAF database and ANAB (as an example) comes from, since IAF requires that the ABs upload all their CB information.

Here is what we found.

According to my CertSearch contact: “It is mandatory for accreditation bodies to upload details on the certification bodies they have accredited for management systems, so that is how we work out the total number. 99% of ABs have uploaded their data.” 

However, specific to ANAB, here is what ANAB says:

“We have all of our CBs in CertSearch and we maintain the data.  We have over 100 CBs in CertSearch and only 52 have activated their own CB, which is the disconnect [between the ANAB database and IAF CertSearch].  Only the CB’s who activate their CB will show to the public. So right now about 50% of ANAB’s accredited CBs have activated their account.  While we have ‘requested’ them to do so and have done several outreaches, it is not required… ”

So, from a user perspective, you are correct. Although the IAF CertSearch database is about 99% complete with CBs, according to IAF, the only ones visible to the public (that come up in a search) are those that have been activated. Activation is voluntary and not all CBs have chosen to activate their CertSearch entry. If ANAB is indicative, as it could well be, then only a subset of that 99% is visible (50% of CBs activated, in the case of ANAB).

We have updated the article to clarify this point, thanks for pointing it out.

The problem the IAF faces is how to get all the CBs to activate their data in the CertSearch database. According to IAF, they are in the process of tackling the “activation” issue so that all CBs in the database will be visible to the public.