The Currency of Credibility: Valid ISO Certification According to ISO

Verify ISO QMS certificates using the International Accreditation Forum (IAF) CertSearch database

Thu, 01/21/2021 - 12:02

As the 2020 pandemic threatened world health, a large number of unscrupulous companies began generating fake International Organization for Standardization (ISO) quality management system (QMS) certificates in an attempt to fool governments into buying personal protective equipment (PPE), ventilators, thermometers, and Covid-19 test kits. The credibility of ISO 13485 certificates used to certify medical devices suddenly became a crisis.

ADVERTISEMENT

Aside from the obvious fake certificates, other companies were paying to get certificates with little or no oversight as to how they were earned. If the goal of getting certified is to gain worldwide recognition, it’s important to understand what makes an ISO certificate valid, especially when paying thousands of dollars for an ISO QMS certificate that may not be considered valid by ISO. Companies may think they are getting a credible certificate but find themselves exposed later when trying to sell their products to those who require certificates issued from accredited certification bodies.

 …

Want to continue?
Log in or create a FREE account.
By logging in you agree to receive communication from Quality Digest. Privacy Policy.

Comments

Grant: The IAF CertSearch process that you cite in your article could be a very helpful technique to verify the ISO 9001 certificates claimed by companies are legitimate.

For several reasons, the IAF CertSearch site is not effectively maintained. As you mentioned in the article, the Certification Bodies (CBs) only list 450,000 certificates out of the total of 1.35 million combined certificates, so over two thirds of the companies can’t be validated as being approved through the IAF- Accreditation Body (AB)- CB process. The ISO Survey of Management System Standard Certifications – 2018 – Explanatory Note, ISO reports: “Some certification bodies that are important in some countries did not participate”. I entered IAF CertSearch to look for several of my clients who hold ISO 9001:2015 certificates from large international CBs, accredited by ANAB. Less than one fourth of these companies appeared in the IAF data base. When I went to the CB’s website, I found the companies. I don’t understand why the ABs and IAF allow the CBs to avoid reporting the number of clients they certified to the ISO Survey; should be a requirement of a CB to maintain their accreditation.

A bigger concern is the number of potentially ‘Fake” ISO 9001;2015 certificates issued in China by CBs holding accreditation by ABs in the IAF network. The report: ‘Faking ISO 9001 in China: An exploratory study’ by Iñaki Heras-Saizarbitoria and Olivier Boiral (2018) provides evidence that many of the near 300,000 ISO 9001:2015 Chinese Certificates are fake. According to the report, over one third of the approximately 800,000 ISO 9001:2015 certificates in the world may be fraudulent. Link to the report:

Researchgate link: https://www.researchgate.net/publication/328520072_Faking_ISO_9001_in_China_An_exploratory_study

Grant, your premise: “It is the IAF that ensures the certificates meet ISO’s gold standard”, needs to be confirmed by the leadership of IAF and ISO. If the research paper on Fake China ISO 9001 certificates is not accurate, the IAF needs to provide evidence that the ISO 9001 certification process in China meets the requirements expected of all the companies you cite in your article— ‘and what reliance should governments and others place on these certificates to verify validity of products—especially medical devices?’

Milt Dentch

Thank you Mitch,

The IAF Database Management Committee has been working to address the reasons CABs have for not uploading their certificates.  The biggest hurdles have been overcome, such as protecting against poaching clients, security, EU GDPR compliance, all have been resolved.

It is important that all efforts be exhausted to accommodate our stakeholders' concerns.  Even so, the IAF is committed to a full database.   We have learned much since its launch in late 2019.

Although you have raised the issue of fake certificates in China, the larger countries also have more 'credible' certs than smaller countries. I'm sure its frustrating to be a CEO paying to play by the rules, only to be tainted by so many companies playing outside the rules, as if this were some 'game' where cheating didn't matter.  

This Pandemic has proven the importance of IAF CertSearch.  It has already detected over 160 fake certificates, and that number has grown since I was last told.

However, because the database is nearly 100% full of the CABs, as the IAF members uploaded all the CABs they have accredited under the IAF MLA; so that part of the database is being used now to determine if the CAB is there.   Two regulators have used it for screening their ISO 13485 medical device QMS certs.  

I call these the 'gold standard' because our 'gold' is better spent on an ISO cert that ISO says so credible.  'Credibility' is what we pay for, whether or not our currency is 'gold'. 

I'd be interested to know how you can claim the "database is nearly 100% full" -- it sounds like you're suggesting it includes all CBs, when it only includes a fraction of them -- and that the issue of poaching has "been resolved." 

There is no evidence of any of that being true, nor could they be without making CertSearch participation mandatory. I am open to being disproved, however.

Clarifications

IAF member Accreditation Bodies that are members of the IAF MLA are required to upload all of the CABs they have Accredited.  During phase 1, which has long passed, that seems to have gone very well.  So I indicated it was likely to be nearly 100%. 

In fact querries to the IAF Database manager, regarding missing CABs, have proven the CAB was not accredited by an AB signatory member of the IAF MLA.   During investigations with help from the database manager, some CABs were found using fake accreditation marks from IAF member ABs!. 

CABs using fake AB marks appear will not be in the database, since of course the system makes that impossible. So if the CAB is not in the database, please contact CertSearch, there could be yet-another bigger problem.  165 fraudulant certs have been detected by the database manager.  Contacting the database manager is easy to do.

So again I will say, it is MANDATORY under enforceable arrangements for all IAF MLA members ABs to uplaod the CABs they accredit.  This is not 'voluntary' it is mandatory.  So if the CAB is not in the database, they are not likely operating under an accreditation by an IAF member AB, who has signed the IAF MLA.  

Efforts to make poaching Principle #14 acceptable to CABs

The previous Chairman of the CERTSEARCH Database Management Committee represented CABs exclusively.  He was nominated by IAF member ABs, in further effort to reach out with an olive branch to CABs; to give them leadership on the database to achieve all of the Principles, especially principle #14.   That helped us achieve agreement that the database met 'Principle #14.  So if the IAF member CABs who insisted on Principle #14 are now satisfied with it, that is good enough for me.  Are their any that will say it is NOT impossible to use it for poaching, of course.  Poachers will try to use it, but will find it frustrating for a number of reasons, mainly because of the efforts applied to satisfy #14.  

Hi Christopher,

Solid observation, and we poked around a bit to find out where the difference between the IAF database and ANAB (as an example) comes from, since IAF requires that the ABs upload all their CB information.

Here is what we found.

According to my CertSearch contact: “It is mandatory for accreditation bodies to upload details on the certification bodies they have accredited for management systems, so that is how we work out the total number. 99% of ABs have uploaded their data.” 

However, specific to ANAB, here is what ANAB says:

“We have all of our CBs in CertSearch and we maintain the data.  We have over 100 CBs in CertSearch and only 52 have activated their own CB, which is the disconnect [between the ANAB database and IAF CertSearch].  Only the CB’s who activate their CB will show to the public. So right now about 50% of ANAB’s accredited CBs have activated their account.  While we have ‘requested’ them to do so and have done several outreaches, it is not required… ”

So, from a user perspective, you are correct. Although the IAF CertSearch database is about 99% complete with CBs, according to IAF, the only ones visible to the public (that come up in a search) are those that have been activated. Activation is voluntary and not all CBs have chosen to activate their CertSearch entry. If ANAB is indicative, as it could well be, then only a subset of that 99% is visible (50% of CBs activated, in the case of ANAB).

We have updated the article to clarify this point, thanks for pointing it out.

The problem the IAF faces is how to get all the CBs to activate their data in the CertSearch database. According to IAF, they are in the process of tackling the “activation” issue so that all CBs in the database will be visible to the public.

An update from 2022. The IAF has now published an official FAQ that reveals it never had "100%" participation, despite the false and fraudulent reporting here by QD and Ramely. In their FAQ, they clearly state, "IAF CertSearch needs to change because the current funding model has not worked and the database contains only 35% of accredited management systems certificates."

This report was always demonstrably false, but allowed to remain in print anyway. It just took some time for IAF to admit the lie.

Here is some more information from an IAF representative supplied to QD regarding why some CBs (as Chris Paris discovered) don't show up in the IAF database. As mentioned in an earlier comment, this is because those CBs haven't activated their account in CertSearch. This means that many CBs don't show up in an IAF search even though the data is there.

According to the IAF rep:

"Quite frankly, some CBs, even some accredited by ANAB, have been resistive to even activating their IAF CertSearch accounts, let alone submitting data.

"This is why TIA QuEST Forum’s requirement, effective as of December 2020, that all accredited CBs who offer TL 9000 Certification activate their IAF CertSearch accounts is so remarkable.

"Unfortunately, we’ve seen some CBs go to tremendous lengths to avoid activating their accounts, clinging to a mistaken belief, even when confronted with data from the IAF CertSearch developer, that security and controls are not in place to address poaching.  Other CBs have noted that their concerns are not regarding poaching but about monetization of access to the certification.  But this argument is difficult to understand because quite frankly, a certified organization can promote its accredited certification anywhere it chooses to post a copy of its certificate – on the certified organization’s websites, by emailing a copy of the certificate to its partners and customers and requesting that they promote and post the certificate.

"ANAB has all of its accredited CBs listed within IAFCertSearch but only about half have activated their IAF CertSearch account and only those CB’s who have activated their IAF CertSearch account will show to the public.

"Again, this is why TIA QuEST Forum’s requirement is so important.

"IAF CertSearch has been engaging with the accredited CB community to hear and address their concerns for quite some time.  The difficulty is that even when data, like information regarding the security and controls in place to address poaching is shared, it doesn’t appear to be heard.

"Hopefully, as consumers and industry learn more about the benefits of IAF CertSearch and demand that their accredited CBs take action, including activating their accounts and ultimately submitting certification data, the accredited CBs will begin to hear us."

Some of this is covered in the article "More Must Be Done to Promote IAF CertSearch"

Just to comment further. The claim that the database is complete is wholly false. A search for ISO 9001 bodies accredited by ANAB shows only SIX results. The official ANAB website reports that the body has 81 bodies accredited for ISO 9001. Major certification bodies are still not participating in CertSearch.

Certsearch reports only 2 (as in two) bodies accredited by the Chinese body CNAS, for which the IAF's own president is the executive. In reality, CNAS has 100+ such bodies.

I am stunned that the IAF would make such outrageously false claims which are disproved with only five minutes of verification.

Hi Chris,

Try searching for CBs accredited by an Accreditation Body.  Start there.  ANAB shows 51.

I agree that it seems a little odd that there are multiple searches made for variations of ISO 9001, (e.g.  ISO 9001:2008, ISO 9001:2015. etc). Using CertSearch it is best to lookup using the bare minimum (e.g. ISO 9001) no date.  So if you use CertSearch to lookup how many CABs ANAB has accredited, it is 45...if you search 'ISO 9001' - do not use a dated version of ISO 9001.

Poaching?

This is Principle #14 of the requirements for crippling IAF CertSearch as a tool for Poaching

#14 - The IAF database will need to have controls necessary to prevent or limit unauthorized data mining (to prevent competitive poaching) as well other security measures to ensure data integrity and protect against unauthorized access to, and use of, the data.

The argument is not whether it CAN be poached at all, but whether its worth trying to poach it.  It really doesn't support poachers needs...

China is using the IAF, but IAF Mandatory Requirements are created by the world.  Although I am sure China desires to use what IAF can provide, so do all the other countries .  As usual, it is not China leading, but Europe and the Americas, with many of the other sectoral MS standards. The ISO survey data shows that clearly.  In my experience, Europe has by far more influence than any region, but even if they all vote one way, I have seen them lose at the final ballot count.  China has very little voting power, so in reality their perceived power is quite limited at IAF.  They are however mindful of what IAF can do for them, as are all the other countries, even the smaller ones... more credibility means more ease of exporting goods.

With regard to whether or not the database becomes mandatory sooner, or later, by way of IAF or by way of Medical Device Regulator making it mandatory (for manufactures to supply medical devices to their healthcare system) pressures will continue to mount.  Medical Device Regulators, including US FDA and regulators at the Global Harmonization Working Party www.ahwp.info (they just changed their name) have a very strong interest in using IAF CertSearch for screening certs and are using it now.  Those CABs that are favored, their AB will have to qualify them under the IAF MLA to maximize their credibility.  

IAF will not have to make uploading ISO certs mandatory for this to a become 'mandatory' business necessity for CABs.  Other industry sectors that use ISO certs are already applying more pressure to make it mandatory.  For instance, TL9001 for telecom now requires CABs to activate their accounts with IAF CertSearch or they cannot issue ISO TL 9001 certs anymore. Who willl be next?  Auto industry? Aerospace?  Food Safety GFSI?  I think 'mandatory' is a matter of 'when' not 'if'.  As it has already begun.  If you are a CAB and offer your clients cert posted as 'credible' to the world, and your competitors do not...

There's so much wrong with this answer, I can't play whack-a-mole with it.

Suffice to say you admit that ANAB reports 45 CBs, but ANAB has over 80 CBs for ISO 9001. So rather than retract your false claim that the database is "nearly 100% complete," you just admitted that in the case of ANAB you barely broke 50%. We know that 50% is not equal to 100% because math exists.

Your arguments on having "resolved" poaching are spurious (CBs don't want any list of clients anywhere, because competing CBs only need the name and address of the client, they don't need to have API or backdoor access), and I won't even get into your logic behind China and the refusal to make CertSearch "mandatory" because you merely wish it to be.

Just stunningly bad, all around. But par for the course for IAF I guess.

The IAF cannot rein in the actions of China because the senior executive position is *held* by China.

The IAF's president is also the chief executive of CNAS, the Chinese National Accreditation Service. Before that, he held other senior leadership roles in the IAF going back at least a decade or more. Therefore, no reasonable person can assume that the IAF would hold any power over CNAS, which is responsible for publishing many of the "fake" ISO certifications coming out of China.

Chinese executives then hold major leadership roles in the various IAF "Regional Accreditation Bodies," enabling them to have sway in those bodies as well. The "RAGs" are responsible for executing IAF oversight in the various global regions, but in effect work to maintain the status quo, allowing CBs and ABs to literally commit crimes with impunity. 

China's national plans for both increasing its role in standards development ("China Standards 2035 Plan") and increasing its exports ("Made in China 2025 Plan") are official government policies, and the IAF leadership is sworn to uphold those before acting on their own interests, under Chinese law. Officials who refuse -- including the leadership of the IAF -- can be arrested. Those policies ensure that China pumps out hundreds of thousands of dubious ISO certificates in order to improve the reputation of its products, in order to hit the "Made in China 2025" milestones and export goals.

With the IAF managed by China -- the world's largest producer of fake ISO certificates -- the resulting CertSearch product cannot be trusted either.

Submitted by ChrisParis on Mon, 01/25/2021 - 05:15

Unfortunately, the article is not accurate. The IAF CertSearch database has already been found to have contained (and may still contain) unaccredited certificates. The data is also out of date, poorly updated, and utterly reliant on the CBs to self-maintain. The IAF does not do any due diligence to verify the accuracy or currency of the data.

Furthermore, overall CB participation is very low. As of right now, to verify a certificate I have to check a list of about TEN different verification sources, of which CertSearch is only one. Of them, CertSearch is almost never found to have the lastest information, if it even provides a result at all.

The root cause comes down to the fact that the IAF did not make participation in CertSearch a mandatory part of accreditation, but left it "optional" to appease the very bodies they are supposed to be overseeing. In other schemes, such as AS9100 and IATF 16949, participation in such registries is mandatory. The IAF succumbed to the complaints of its laziest and shadiest members, and abdicated its duties here.

Until participation in the database is made a mandatory part of accreditation, CertSearch is worthless.

Submitted by William J. Anderson (not verified) on Fri, 02/05/2021 - 12:04

First, I completely back the IAF because the IAF is the ONLY organization in the world that has "Accredited" certs accepted by all IAF members. Although there are "other" accreditation bodies in existence, I would never accept an ISO cert that does not have a mark of an IAF member because their is absolutely no accountability. I consider myself as one of the most forensic auditors anywhere. My competencies are very broad. I know that I was the first auditor in the USA to identify a FAKE QS 9000 cert by a company that created a falsified cert with the CB's mark on the cert. At that time, everyone accepted their cert including Ford, Chrysler and GM. I was the only one to dig into the cert's credibility. With CertSearch, the scope will eventually lock down all valid ISO certs and credibility as I personally do not consider any other accreditation valid. Likewise, in the USA, over 85% of resumes / CV's are falsified in some manner. There are too many organizations accepting these as validation for the specific education. If issues with CertSearch exist, this must be approached as a method to correct and move forward. I did not identify anyone stating specific scenarios that could be researched to allow the IAF to do a root cause analysis, complete the required corrections and to finalize with adequate and effective corrective & preventive actions to eliminate the risk.

Just returned from a meeting with the IAF Database Management Committee that wrote IAF MD28, which now requires IAF member ABs to activate their accounts at IAF Certsearch as well as enforce requirements in MD28 that are framed of the contracts with the CBs below them, so all IAF Accredited CBs must activate their IAF CertSearch accounts and upload their certs, or risk the consequences of nonconformities, which if not resolved, will escalate and lead to what end you can rightly imagine.   And it seems ABs and CBs are indeed taking this seriously, because as of October, 1,950,000 certs were entered into the database, most of them just in the last six months. 

What impressed me most about the presentation in Berlin last week was the slide showing support from industry, from Boeing, Airbus, Tesla and Space-X and so many, many more.  The slide was dotted with logos of 50 or so well-known companies. 

In April I personally met with two representatives from two of the largest companies in the US and their Purchasing' Chiefs, and they plan to screen their supply chain using IAF CertSearch.  This will save them time and money, every year, especially when IAF CertSearch improves and rolls out its toolkits for purchasing departments to have real time monitoring of the certs they rely on.   

It has taken 5 years to get to this point, and indeed because MD28 had only been published in October 2023, with a 1 year transition period, surely IAF had done all it could in the last few years to make it easier, better, and more secure for CABs concerned with poaching, etc. 

The days of it being voluntary are over.   

As William suggests, this is not merely due, but long overdue and yet not too late to do what we all need.  We needed a place to go, to have some internationally recognized benchmark to trust a cert. 

Even as much as some may poke at any remaining imperfections or argue against this, because not all its members and creators carry US Citizenship, what good is there in returning to the past with all the uncertainty, which IAF CertSearch can cure so much doubt?  Fake certs cannot be entered, ever!  Can IAF Accredited CBs upload non-accredited certs?  That would risk their international accreditation status!

Certified companies need this.  Supply chains need this.  REGULATORS need this.  IAF CertSearch is now able to deliver that one thing we all thought we had paid for when we hung our cert on the wall, but may not have ever had! 

IAF simply provides the levelness on some fundamental benchmarks for earning some decent levels of trust.  If that doesn't matter, then what does? 

ISO [Geneva] only promotes these certs issued under the IAF framework of 'International Accreditation' because they are the only certs following the entire chain of oversight under ISO/IEC 17011 and ISO/IEC 17021.  And yes, they also fallow International Mandatory Documents (MDs), such as MD8 and MD9 to the accreditation standards when applied to the certification against the Medical device QMS 13485.  The IAF MDs matter. They support audits by making sure auditors have the write competencies.  The even AB assessors have them too.  Its a massif infrastructure that makes the Certificate everything we though important; something worth trusting, everywhere.  And so regulators, like those at the www.ghwp.info asked IAF to make IAF CertSearch Mandatory, and so IAF MD28 was born out of so many letters from so many companies, mostly US!

IAF is not led by one country, but by an Executive Commitee and a massif voting block of 75 nations.  Its current Chair  is from Italy leads Accredia.  Italy's government has so many demands for using credible ISO certs to get government contracts, they are uniquely a standout nation for promoting ISO Management Systems use.  The Chairman of the IAF Emanuelle has indeed led IAF well to this now greatest and final achievement.   

The Database Management Committee has done an amazing job putting the finishing touches on IAF CertSearch and its IT manager in Australia has endure some of the hardest challenges to make something that works so well and his team at Quality Trade will only continue to improve it.  Nigel has wished to build a business with IAF, to ensure trade upon Quality has a solid foundation.

We owe all these folks our support as what they have done will support the quality of everything and help us all do better, though perhaps later than we had wished.

Add new comment