Surveillance & Recertification | Guardian Middle East

Accredited · Recognised · Verified

UAF United Accreditation Foundation USA · Management Systems

IAS International Accreditation Service USA · Management Systems

IAF MLA IAF Multilateral Recognition International · MLA Signatory

QS Qatar Standards RB066-26 · ISO 9001/14001/45001

Step 6 is the 3-year certification cycle. Year 1 and Year 2 each require a surveillance audit under ISO/IEC 17021-1 §9.6. Year 3 requires a recertification audit under §9.7. Successful recertification issues a new 3-year certificate, beginning the next cycle. The cycle also accommodates scope variation, scope reduction, certificate suspension, and certificate withdrawal where circumstances warrant.

The 3-Year Cycle

Cycle Overview

Accredited management system certifications operate on a 3-year cycle. The cycle architecture is defined by ISO/IEC 17021-1 and applicable IAF Mandatory Documents:

Year	Audit Type	Outcome
Year 0	Initial certification, Stage 1 + Stage 2	Certificate issued for the 3-year cycle following the Step 5 certification decision. For details on certificate issuance and approval criteria, return to the certification decision stage.
Year 1	Surveillance audit	Confirmation that the management system continues to fulfil applicable requirements; certificate continues in force.
Year 2	Surveillance audit	Second annual surveillance; certificate continues in force.
Year 3	Recertification audit	Comprehensive evaluation of the management system over the 3-year cycle. Successful outcome issues a new 3-year certificate, beginning the next cycle.

Cycle Variations by Tier

The 3-year cycle applies consistently across Tier 1, Tier 2, and Tier 3 management system standards. Tier 4 (Guardian Approved Scheme) management system standards follow the same 3-year cycle. Some specific certifications operate on different cycles:

ISO 26000 — Attestation (Tier 4) — Annual cycle. Each Attestation is renewed annually based on the structured self-assessment evaluation.
Some Inspection Body activities (under ISO/IEC 17020) — Cycle defined by the specific inspection-body accreditation scope and the contracted inspection program.

Surveillance vs Recertification — Different Audit Objectives

Although both surveillance and recertification involve auditing the management system, their objectives differ:

Surveillance audit — confirms continued conformity, addresses focus areas, samples nominated processes/elements, reviews use of certification marks, and reviews response to changes.
Recertification audit — performs a comprehensive evaluation of the management system over the entire 3-year cycle, verifying continued effectiveness, continued improvement, and the basis for granting a new 3-year certificate.

Both audit types use the audit conduct framework established at Stage 2, including nonconformity classification (major / minor / opportunity for improvement) under ISO/IEC 17021-1 §9.4 and the structural separation of audit team and certification decision-maker under §9.5.

Surveillance Audits (ISO/IEC 17021-1)

Frequency and Timing

Two surveillance audits are conducted in the 3-year cycle — one in Year 1 and one in Year 2. The first surveillance audit must be conducted within 12 months of the initial certification decision date (Step 5 decision date). Subsequent surveillance audits follow at approximately annual intervals. Specific dates are agreed in the audit programme established at Step 2.

Surveillance Audit Objectives — Per ISO/IEC 17021-1

Continued conformity — confirmation that the management system continues to fulfil applicable requirements of the standard.
Effective management of changes — verification that changes affecting the certified scope are managed effectively.
Sampling of processes and elements — audit of nominated processes, departments, and elements per the audit programme. Over the 3-year cycle, the cumulative surveillance sampling provides reasonable coverage of the management system.
Use of certification marks — review of how the client refers to the certification — including marketing materials, websites, products, advertisements, and stakeholder communications.
Internal audit and management review — verification that the internal audit programme continues to operate and management review continues at the required frequency.
Corrective action and continual improvement — review of evidence of corrective action and continual improvement since the previous audit.
Response to changes — verification of the client’s response to changes in the standard, regulatory environment, accreditation requirements, or applicable IAF Mandatory Documents.
Closure of prior nonconformities — verification of closure of any minor nonconformities raised at the previous audit (which may have been carried forward as open with corrective action plans).

Surveillance Audit Duration

Surveillance audit duration is calculated under IAF MD 5 — typically a portion of the initial-cycle audit duration, applied annually. For most engagements, surveillance is approximately one-third of the initial Stage 2 audit duration, with adjustments for sectoral and scope-specific factors.

Multi-Site Sampling at Surveillance

For multi-site clients, surveillance audits follow IAF MD 1 — a sample of sites is audited at each surveillance, with the full portfolio receiving cumulative coverage over the 3-year cycle. The sampling plan is documented and reviewed at each cycle.

Surveillance Audit Outputs

Surveillance audit report including audit findings and any nonconformities raised.
Confirmation of continued conformity (or otherwise).
Recommendation to the certification decision-maker.
Decision-maker review and decision: continue certification, continue with conditions, suspend, or withdraw.
Updated certificate status if relevant (e.g., scope variation effective).

Recertification Audit (ISO/IEC 17021-1)

Timing of Recertification

The recertification audit must be conducted before the certificate expiry date — typically scheduled to allow 3 to 6 months for audit conduct, audit reporting, corrective action (if required), certification decision, and new certificate issuance. The new certificate is effective from the day after the previous certificate’s expiry, providing seamless continuity.

Recertification Audit Objectives — Per ISO/IEC 17021-1

Recertification is a comprehensive audit covering the 3-year cycle. Specific objectives:

Comprehensive evaluation — assessment of the management system as a whole, not just sampled elements as in surveillance.
Effectiveness over the full cycle — review of the system’s continued effectiveness across the 3-year cycle, including trend analysis.
Maintenance and improvement — verification that the system has been maintained and improved over the cycle.
Management review of the full cycle — review of management review records covering the cycle.
Corrective action review — review of all nonconformities, corrective actions, and closure verification across the cycle.
Statutory and regulatory currency — verification that the client maintains awareness of and compliance with current statutory and regulatory requirements.
Audit program effectiveness — review of how the surveillance + recertification audit program has supported the client’s continued conformity.

Recertification Audit Duration

Recertification audit duration is typically two-thirds to full Stage 2 duration, calculated under IAF MD 5. Specific durations are confirmed in the recertification audit team appointment notification.

Recertification — Stage 1 Component (where applicable)

Where there have been significant changes to the management system, scope, or organizational structure during the cycle — or where the recertification audit is conducted for a transferred client — a Stage 1-equivalent component may be added to the recertification audit. This is to confirm the system’s readiness for full recertification assessment.

Recertification Decision

The recertification decision follows the same Step 5 framework, The full decision-making methodology is explained in the certification decision stage. — the appointed decision-maker is structurally independent of the audit team, reviews the documented inputs, and selects from the defined decision options (grant, conditional grant, defer, refuse). The same tier-specific decision authority applies as at initial certification.

Recertification Outcome

Successful recertification — new 3-year certificate issued, effective from the day after the previous certificate expiry. IAF CertSearch listing updated.
Recertification with conditions — new certificate issued with documented conditions (e.g., advanced first surveillance).
Recertification deferred — corrective action required before recertification can be granted. Where the certificate expires before recertification is granted, the client falls out of valid certification — the next certificate, when granted, is treated as a new initial certification.

Recertification refused — significant systemic gaps preclude recertification. Certificate expires; the client may pursue Guardian’s Complaints and Appeals process if there are grounds.

Scope Variation

What Scope Variation Means

Scope variation is a change to the certified scope during the cycle — typically:

Addition of activities — bringing additional activities under the existing certified scope.
Reduction of activities — removing activities from the certified scope.
Addition of sites — adding sites to a multi-site certification.
Closure of sites — removing sites from a multi-site certification.
Change of scope statement wording — refining the scope statement without material change to activities.

Scope Variation Process

Notification — the client notifies Guardian Middle East LLC of the proposed scope variation.
Assessment — Guardian assesses whether the variation can be addressed at the next surveillance / recertification audit, or requires a special audit.
Special audit (where required) — for material additions to scope, a special audit (not just sampling at surveillance) is required to confirm the new scope conforms to the standard.
Decision — the certification decision-maker confirms the scope variation. New certificate issued reflecting the revised scope; IAF CertSearch entry updated.
Fee implication — material scope additions typically attract additional audit days and fees, calculated under IAF MD 5.

Scope Reduction (Voluntary)

Where the client voluntarily reduces certified scope, the change is typically effective from the next surveillance audit, with the certificate revised at that point. The reduction does not require a special audit — only confirmation that the reduced scope continues to conform to the standard.

Suspension of Certification

When Suspension Applies

Suspension of certification under ISO/IEC 17021-1 applies in circumstances including:

Failure to address major nonconformities — major nonconformities not addressed within agreed timelines.
Failure to permit surveillance audit — failure to facilitate the surveillance audit at the required frequency.
Voluntary request — at the client’s request (e.g., during a period when the client cannot conform due to operational changes).
Misuse of certification marks — misuse not corrected following formal warning.
Material change in compliance — material change in the client’s compliance status (e.g., loss of regulatory authorisation that was the basis of the certified scope).
Other serious breaches — of the certification contract or applicable requirements.

Suspension Process

Decision — the certification decision-maker (or in urgent cases, an authorised quality manager) decides to suspend, with documented rationale.
Notification — the client is formally notified of suspension, the reasons, and the conditions for lifting suspension.
IAF CertSearch update — the IAF CertSearch entry is updated to reflect suspended status.
Suspension period — typically up to 6 months, during which the client is required to address the issues that led to suspension. Where suspension extends beyond 6 months, withdrawal typically follows.
Reinstatement — once the issues are resolved and verified, the certification decision-maker decides to reinstate.
Public claim during suspension — clients may NOT continue to claim certification during suspension. Doing so is misuse of certification.

Voluntary Suspension

Clients facing temporary operational changes (e.g., site closure for renovation, restructuring) may request voluntary suspension. Voluntary suspension is typically granted where the client formally requests it and provides the rationale. Reinstatement requires confirmation that the underlying conditions for certification continue to apply.

Withdrawal of Certification

When Withdrawal Applies

Withdrawal of certification — the formal removal of the certification — applies in circumstances including:

Suspension period exceeded — suspension that has not been resolved within the suspension period.
Serious or repeated misuse — of certification marks or claims.
Material breach of certification contract — that cannot be remediated.
Loss of underlying authority — e.g., revocation of regulatory authorisation that was the basis of the certified scope.
Voluntary withdrawal — at the client’s request (e.g., the client no longer requires the certification).
Cessation of business — the client ceases the activities within the certified scope.

Withdrawal Process

Decision — the certification decision-maker decides to withdraw, with documented rationale.
Notification — the client is formally notified of withdrawal, with effective date.
IAF CertSearch update — the IAF CertSearch entry is updated to reflect withdrawn status.
Cessation of marks use — the client must immediately cease use of the certification marks, including from websites, marketing materials, products, and any references.
Certificate return — the original certificate (where issued in physical form) is returned to Guardian; digital certificates are deactivated.
Public withdrawal disclosure — Guardian may disclose the withdrawal to the accreditation body, regulators, or other parties as required by ISO/IEC 17021-1 or applicable IAF Mandatory Documents.

Re-application After Withdrawal

A client whose certification has been withdrawn may re-apply for certification. Re-application is treated as a new initial certification — fresh Step 1 (Inquiry), fresh Step 2 (Application & KYC, including fresh CDD), fresh Stage 1 + Stage 2. Where the withdrawal was due to systemic issues, the re-application requires demonstrated resolution of those issues.

Tier-Specific Surveillance & Recertification

The surveillance and recertification framework applies consistently across all four tiers, For a complete explanation of certification responsibilities across entities and tiers, review the multi-entity disclosure framework, with tier-specific decision authority:

Tier 1, Tier 2 (excluding ISO 22301) — surveillance and recertification audits conducted by Guardian Assessment Pvt Ltd appointed audit team; decision by Guardian Assessment Pvt Ltd.
Tier 2 (ISO 22301 only) — surveillance and recertification audits conducted by the Third-Party CB’s appointed audit team (IAS-Accredited under MSCB 154); decision by the Third-Party CB; Guardian Middle East LLC coordinates locally.
Tier 3 — surveillance and recertification audits conducted by TNV Global Limited’s appointed audit team; decision by TNV Global Limited; Guardian Middle East LLC coordinates locally.
Tier 4 (Guardian Approved Scheme) — surveillance and recertification audits conducted by Guardian Middle East LLC’s appointed audit team under the Guardian Approved Scheme procedures; decision by Guardian Middle East LLC.

ISO 26000 Attestation under the Guardian Approved Scheme follows an annual cycle rather than 3-year — each Attestation is renewed annually based on the structured self-assessment evaluation. The 3-year cycle described elsewhere on this page does NOT apply to ISO 26000.

Certificate Verification

Throughout the 3-year cycle and across all tiers, certificate status is publicly verifiable:

Tier 1, Tier 2, Tier 3 — IAF CertSearch (https://www.iafcertsearch.org) — searchable by client name, certificate number, or standard. Status updated for grant, surveillance, recertification, suspension, withdrawal.
Tier 4 (Guardian Approved Scheme) — verification by request to info@guardian.qa. Tier 4 certificates are NOT listed on IAF CertSearch; this is part of the transparent disclosure of the non-accredited scheme.
ISO 26000 Attestation — verification by request to info@guardian.qa. Annual cycle rather than 3-year; current Attestation status confirmed on request.

Where a stakeholder, customer, or regulator wishes to verify a Guardian certification, the route is the IAF CertSearch directory for accredited certifications and a verification request to Guardian for Tier 4 / Attestation cases. Guardian’s response to verification requests is timely (typically within 5 business days).

USE OF GUARDIAN AND ACCREDITATION MARKS

Certified organisations may use Guardian Approved Mark and UAF/IAS accreditation mark — subject to Guardian’s Use of Marks Policy.

Full policy: → Use-of- Marks

COMPLAINTS & APPEALS

Independent complaints and appeals process per ISO/IEC 17021-1:2015.

Full process: → Complaints & appeals

GET STARTED — CONTACT GUARDIAN

Guardian Middle East LLC | Serving the Middle East
QFC Licence 03870 · Doha, Qatar

Location: Abo Hamour Area, Doha, Qatar
P.O. Box: 23277, Doha, Qatar
Mobile: +974 7770 2602 | +974 7213 7770
Email: info@guardian.qa
Website: www.guardian.qa

Or submit an enquiry: → Contact

Frequently Asked Questions

Q1. How often will I be audited?

In a typical 3-year cycle: Year 1 — surveillance audit; Year 2 — surveillance audit; Year 3 — recertification audit. So three audits across the 3-year cycle. After successful recertification, the cycle restarts with another two surveillance audits (Years 1 and 2 of the new cycle) and a recertification audit (Year 3). For ISO 26000 Attestation, the cycle is annual.

Q2. What's the difference between surveillance and recertification?

Surveillance audits (Years 1 and 2) confirm continued conformity through sampling — they do not re-audit the entire system each year. Recertification audit (Year 3) is a comprehensive evaluation of the management system across the entire 3-year cycle, verifying effectiveness and improvement. Successful recertification issues a new 3-year certificate; surveillance audits maintain the existing certificate.

Q3. How long does a surveillance audit take?

Surveillance audit duration is calculated under IAF MD 5 — typically approximately one-third of the initial Stage 2 audit duration, applied annually. For most engagements, a typical surveillance is 1 to 3 audit days. Multi-site clients may have longer surveillance audits to accommodate site sampling per IAF MD 1. Specific durations are confirmed in the audit team appointment notification.

Q4. What if I miss a surveillance audit?

Failure to facilitate the surveillance audit at the required frequency is grounds for suspension of certification under ISO/IEC 17021-1 §9.6. Clients facing scheduling difficulties should communicate proactively with Guardian — rescheduling within reasonable windows is typically accommodated. Persistent failure to permit audits, however, leads to suspension and ultimately withdrawal.

Q5. Can I add new activities to my scope mid-cycle?

Yes — through scope variation. The client notifies Guardian of the proposed addition; Guardian assesses whether the addition can be addressed at the next surveillance / recertification audit, or whether it requires a special audit. Material additions typically require a special audit and additional audit days under IAF MD 5. The certificate is revised on grant of the variation, and IAF CertSearch is updated.

Q6. What happens at recertification?

The recertification audit is a comprehensive evaluation of the management system across the full 3-year cycle. The audit team evaluates effectiveness, maintenance, improvement, response to changes, internal audit and management review across the cycle, and corrective action history. The decision-maker reviews the documented audit record and decides: grant new certificate, conditional grant, defer pending corrective action, or refuse recertification.

Q7. What if my recertification is refused?

Refusal of recertification means the certificate expires without renewal. The client may pursue Guardian's Complaints and Appeals process if there are grounds — procedural fairness, factual error, or breach of Guardian's procedures. Where the client wishes to re-apply after the refusal, re-application is treated as a new initial certification (fresh Step 1, fresh Step 2, fresh Stage 1 + Stage 2).

Q8. Can my certification be suspended?

Yes, under ISO/IEC 17021-1 §9.6 in circumstances including failure to address major nonconformities, failure to facilitate surveillance, misuse of certification marks not corrected after formal warning, material change in compliance status, or voluntary client request. Suspension is typically up to 6 months — beyond which withdrawal typically follows. During suspension, the client may NOT claim certification.

Q9. What if my certification is withdrawn?

Withdrawal is the formal removal of the certification. The client must cease all use of certification marks immediately — websites, marketing materials, products, and any references. The IAF CertSearch entry is updated to reflect withdrawal. The client may re-apply for certification — re-application is treated as a new initial certification with fresh Step 1, Step 2, and audit cycle.

Q10. How do customers verify my certification is current?

Tier 1, Tier 2, and Tier 3 accredited certificates are verified through IAF CertSearch (https://www.iafcertsearch.org) — searchable by client name, certificate number, or standard. The IAF CertSearch entry shows current status (active, suspended, withdrawn, expired). Tier 4 (Guardian Approved Scheme) certificates are verified by request to info@guardian.qa — Tier 4 is NOT on IAF CertSearch, by design of the transparent non-accredited scheme.

Q11. What if my organisation is acquired or merges during the cycle?

Material organisational changes — acquisition, merger, change of beneficial ownership, change of legal entity — must be notified to Guardian promptly under the certification contract. The implications depend on the change: continuation under the same certificate (where the certified scope and operating context are preserved), scope variation (where scope changes), CDD refresh (where beneficial ownership changes), or in some cases, the certification cannot transfer to the new entity without a new certification engagement.

Q12. Do my fees change at surveillance and recertification?

The certification engagement contract executed at Step 2 typically defines surveillance and recertification fees. Surveillance fees are typically lower than initial Stage 2 fees because audit duration is shorter. Recertification fees are typically between surveillance and initial Stage 2 fees. Material scope variations during the cycle may attract additional fees calculated under IAF MD 5. Fee structures are transparent in the contract.

Q13. Can I switch to a different certification body during the cycle?

Yes — through certification transfer under ISO/IEC 17021-1 §9.1.3. Transfer review verifies the existing certificate, reasons for transfer, recent audit reports, and the absence of major outstanding nonconformities. Transfer-friendly scenarios are typically accommodated; transfers are not used as a route to circumvent unresolved nonconformities. Detail in Wave 2 at /process/certification-transfer/.

Q14. Does the same audit team conduct every audit?

Not necessarily. Auditor rotation is required under applicable IAF Mandatory Documents to maintain audit-team independence over extended client relationships. The audit team for each surveillance / recertification is appointed by Guardian — typically with continuity in the Audit Team Leader for cycle continuity, but with rotation of auditors. The client is notified of the audit team for each audit and may raise documented impartiality concerns.

Let’s discuss your Iso Certification needs—reach out today

Compliance Footnotes

Step 6 (Surveillance & Recertification) is conducted under ISO/IEC 17021-1 §9.6 (Surveillance) and §9.7 (Recertification). Audit duration is calculated under IAF MD 5 with sector-specific application per IAF MD 11. Multi-site sampling follows IAF MD 1. Nonconformity classification follows §9.4. The audit team is structurally independent of the certification decision-maker per §9.5. Tier-specific decision authority applies — Tier 1 and Tier 2 (excluding ISO 22301) by Guardian Assessment Pvt Ltd; Tier 2 (ISO 22301) by Third-Party CB (IAS-Accredited MSCB 154); Tier 3 by TNV Global Limited; Tier 4 (Guardian Approved Scheme) by Guardian Middle East LLC under internal scheme. ISO 26000 Attestation operates on annual cycle, not 3-year. Guardian Middle East LLC operates under QFC Licence 03870.

Step 6 — Surveillance & Recertification