Assuring Compliance with

Social and Environmental

Standards
ISEAL Code of Good Practice
Version 2.0 – January 2018
 Contents
Foreword 5

Code Review Process 6

Introduction 7

1. Scope 9

2. Referenced Publications 9

3. Assurance System Desired Outcomes 9

4. Efficiency and Improvement 12

5. Rigour and Impartiality 15

6. Value and Accessibility 25

Appendix A: Definitions 28

2 3
 Foreword
ISEAL Alliance is the global membership association for sustainability
standards. ISEAL is a non-governmental organisation whose mission
is to strengthen sustainability standards systems for the benefit of
people and the environment.

ISEAL is the global leader in defining and communicating  

The ISEAL Code of Good Practice for Assuring
what good practice looks like for sustainability standards Compliance with Social and Environmental Standards
through guidance and credibility tools such as the Codes (Assurance Code) helps to ensure accurate results
of Good Practice. ISEAL has four strategic priorities in its from assessments of compliance and to encourage
work with sustainability standards: the use of assurance to support learning; and

 Deliver credibility expertise  

The ISEAL Code of Good Practice for Assessing the
Impacts of Social and Environmental Standards
 Measure and share impacts Systems (Impacts Code) supports standards systems
to measure and improve the results of their work
Catalyse improvements and scalable solutions and to ensure that standards are delivering the
desired impact.
 
Build support for credible standards
Individually, each Code is useful in strengthening a
ISEAL’s membership is open to all multi-stakeholder component of a standards system. However, users of
sustainability standards and accreditation bodies that standards and other stakeholders will have a higher level
demonstrate their ability to meet the ISEAL Codes of of confidence in the effectiveness of a standards system
Good Practice and accompanying requirements, and that when the Codes are implemented together.
commit to learning and improving. ISEAL also has a non-
member, subscriber category to engage with standards
Implementation
systems in development and other stakeholders with
a demonstrable commitment to the ISEAL objectives. This version of the Assurance Code (v2) was approved by
Further information about the ISEAL Alliance and its the ISEAL Board of Directors in January 2018. It becomes
membership is available at www.iseal.org effective for all evaluations from 1 January 2019.
Organisations who wish to apply for ISEAL Associate
Membership can apply using either v1 or v2 of the
ISEAL Codes of Good Practice build credibility Assurance Code up to 31 December 2018. Applications
The goal of all ISEAL Codes of Good Practice is to received after this date must relate to v2 only.
support standards systems to deliver positive social and
environmental impact. ISEAL Codes of Good Practice For more information on implementation timelines for
complement each other to achieve this: v2.0 of the Code, please visit the ISEAL Alliance website:
www.isealalliance.org/our-work/defining-credibility/
 
The ISEAL Code of Good Practice for Setting Social codes-of-good-practice
and Environmental Standards (Standard-Setting
Code) supports the development of standards that
are relevant and transparent and that reflect a
balance of stakeholder interests;

4 5
 Code Review Process Introduction
The public review and revision process for the Assurance Code takes place Purpose of the Assurance Code is to provide a framework for credible assurance
at least every five years. The next review is scheduled for 2023. that is delivered consistently by sustainability standards systems, so as to
improve the effectiveness of their assurance models in contributing to their
intended sustainability impacts.

Where a revision is warranted, the ISEAL Secretariat The Assurance Code sets out minimum criteria for
prepares the draft revisions and coordinates the implementation of the assurance management system
revision process. The ISEAL Technical Committee, and process, while also recognising that different
a permanent multi-stakeholder governance body, is assurance models can be effective for different
responsible for monitoring the Code revision process, purposes. The Assurance Code builds on a set of
signing off on drafts, and recommending approval of desired outcomes for effective assurance and
the revised Code to the ISEAL Board of Directors, based describes how they can be achieved in practice.
on both the content of the Code and on the quality
of the revision process. Version two of the Assurance Code focuses more
strongly on the accountability of the scheme owner
The ISEAL Alliance welcomes comments on the to ensure that the chosen assurance model is fit for
Assurance Code at any time. Comments will be purpose and that its effectiveness is monitored over
incorporated into the next review process. time. This enables the scheme owner to improve the
Please submit comments by mail or email to rigour, effectiveness, and value to stakeholders of
the address below. its assurance system and to be more responsive to
operating risks.
ISEAL Alliance
Development House The ISEAL Assurance Code normative Requirements
56-64 Leonard Street are structured around Desired Outcomes in sections
London 4, 5 and 6 below. The Desired Outcomes are the
EC2A 4LT results that a sustainability standards system should
United Kingdom seek to achieve with its assurance programme.
Complying with the Requirements that are linked
Email: assurance@isealalliance.org to each Desired Outcome should lead an organisation
to achieve those outcomes.

The Assurance Code also includes Guidance

that provides supplementary information to the
Requirements, as well as interpretation of key
phrases in the Requirements. The Guidance is an
important non-binding supplement to the Assurance
Code and should be taken into account when
applying the Code requirements. The Guidance
can be found in a separate column adjacent to
the Requirements.

6 7
 1. Scope 3. Assurance System
The ISEAL Assurance Code specifies normative
Desired Outcomes
requirements for implementing an assurance system.
Sustainability assurance should be seen as a tool that
Requirements in the Code aim to support credible
supports the achievement of sustainability impacts.
and effective systems for managing risks to the
The foundations of assurance remain focused on
integrity of the assurance process and maximising the
accurate assessments of compliance. However, it is
value of assurance. While the Assurance Code can
also critical for the scheme owner to have a good
apply generically to assurance systems for assessing
understanding of the effectiveness of its assurance
conformity with all types of standards, it is intended to
strategies, through good information management
apply primarily to assurance of sustainability standards
systems, and to find additional ways to create value
and related chain of custody standards. The Code does
for stakeholders from the assurance process.
not cover licensing or control of scheme labels.
On the next page is a graphical representation of the
The Assurance Code applies to schemes that include desired outcomes that frame the requirements in
assurance and oversight within their assurance the Assurance Code. The dual intent of these desired
systems. It is the responsibility of the scheme owner outcomes is to connect assurance activities with the
to ensure that the Code requirements are complied ultimate goal of achieving sustainability impacts and
with throughout their assurance system. to align assurance activities with the ISEAL Credibility
Principles. The desired outcomes can be used as a guide
to evaluate the effectiveness of different assurance
2. Referenced Publications strategies, while providing flexibility to apply a broad
range of credible approaches to deliver assurance.
ISEAL Impacts Code: 2014. Code of Good
Practice for Assessing the Impacts of Social and
Environmental Standards

ISO/IEC 2382:2015 Information Technology

– Vocabulary

ISO 9000:2015 Quality Management Systems

– Vocabulary

ISO 14001:2015 Environmental Management Systems

– Requirements with guidance for use

ISO 17000:2004 Conformity assessment

– Vocabulary and general principles

ISO 26000:2010 Guidance on Social Responsibility

ISEAL Sustainability Claims Good Practice Guide (2015)

8 9
 3. Assurance System
Desired Outcomes
Assurance system supports
achievement of defined
sustainability impacts

4.5 ISEAL Credibility Principles

ISEAL Orange
CMYK 0.46.100.0
RGB 223.155.24
Hex #F99B1C

ISEAL Forest Green

The assurance system results in Effectiveness and efficiency of The assurance system is accessible
CMYK 60.10.100.0
RGB 137.168.52
Hex #76B043

ISEAL Red
CMYK 0.94.78.0
RGB 196.41.55
Hex #EE333F

accurate assessments of compliance the assurance system are improved and adds value to clients
ISEAL Purple
CMYK 50.80.0.15
RGB 116.68.129
Hex #7D478D
ISEAL Orange
CMYK 0.46.100.0
RGB 223.155.24
Hex #F99B1C

over time
ISEAL Forest Green
CMYK 60.10.100.0
RGB 137.168.52
Hex #76B043

ISEAL Red
CMYK 0.94.78.0
RGB 196.41.55
Hex #EE333F

ISEAL Purple
CMYK 50.80.0.15
RGB 116.68.129
Hex #7D478D

Rigour Improvement

5.5 5.6 4.2 4.1 4.3 6.1 6.2 6.3

Transparency Impartiality
The assurance The assurance The assurance Risks to the The scheme Assurance Clients derive Barriers to Information
system is system is system is integrity of owner is model is fit for additional access are about how the
implemented implemented implemented the assurance responsible purpose value from minimised system operates
consistently competently impartially system are for and makes assurance is easily available
Truthfulness Relevance
managed improvements
to the assurance
system

Sustainability Efficiency
5.1 5.2 5.4 4.4
Operating Assessment Oversight is Assurance Risks are Assurance Data about Client has Eligibility Assessment
procedures follows independent personnel are assessed data is performance access to requirements takes a
are clear and operating and effective competent regularly relevant and is shared advice and are clear risk-based Engagement Accessibility
sufficient procedures accurate with clients resources approach
Icons in the diagram indicate
coverage by Assurance Code

5.3
Outputs of Skills and Assurance Assurance Data is Good
recognised knowledge personnel personnel collected information
schemes are are defined are trained are assessed from various management
equivalent sources system in place

Stakeholders Risks are

provide input identified

10 11
 4. Efficiency and Improvement
Clause 4.1 Scheme owner is responsible for and makes improvements to the
assurance system
Clause Topic Requirement Guidance Clause Topic Requirement Guidance
4.1.1 Accountability The scheme owner shall delineate 4.3.1 NOTE: For further guidance on acceptable
responsibilities and lines of accountability Cont. claims, please refer to the ISEAL Claims Good
within the assurance system and define Practice Guide www.isealalliance.org/claims1
terms of reference for relevant committees. For further guidance on data collection in the
The scheme owner’s senior management context of monitoring and evaluation, please
shall be responsible for the overall refer to the ISEAL Impacts Code of Good
functioning and improvement of Practice www.isealalliance.org/impacts2
the assurance system, including
information management and risk
management systems. Clause 4.4 Assurance data is relevant and accurate
Clause Topic Requirement Guidance
Clause 4.2 Risks to the integrity of the assurance system are managed 4.4.1 Data sources The scheme owner shall maintain a list of the
data sources it uses to monitor risks to the
Clause Topic Requirement Guidance
integrity of the assurance system.
4.2.1 Risk The scheme owner’s senior assurance staff In most cases, risks will arise or change
Management shall maintain a risk management plan frequently which can trigger regular 4.4.2 Information The scheme owner shall maintain an The information management system
Plan that includes a list of the most significant reviews of the risk management plan, management information management system that can be used to inform risk management,
risks to the integrity of the assurance e.g. at least every 6 months. system supports gathering, management and analysis assurance system learning, and
system, a quantification of those risks, of relevant data from internal and external monitoring and evaluation.
and a description of the strategies being sources, including compliance data from
employed to mitigate each of these risks. assurance providers and oversight bodies.
The plan shall include a revision schedule 4.4.3 Data integrity The scheme owner shall have adequate data The protocol can include criteria
and be revised as risks arise or change. control protocols and sufficient capacity to to assess data completeness and
4.2.2 Liability and The scheme owner shall have adequate Arrangements that are adequate to cover ensure data consistency and integrity for consistency, and can outline how the
Financing arrangements to cover liabilities arising liabilities can include insurance, reserves, the data it manages. data is maintained and updated at
from its operations and shall have the contract language, etc. Arrangements regular intervals.
financial stability and resources required can match the scale of operation of 4.4.4 Data The scheme owner shall define who owns This information can include who is
to carry out those operations. the scheme. governance different types of assurance system data responsible for making changes to
and what data is available to whom and each type of data. It can also include
under what conditions. a publicly available data policy that
Clause 4.3 A
 ssurance model is fit for purpose summarizes the use, distribution
and format by which each type of
Clause Topic Requirement Guidance
data owned by the organization is
4.3.1 Assurance The scheme owner shall prescribe The choice of structure and activities made available.
model an assurance structure and activities includes definition of the types of A data registry can support the
commensurate with the scope of the assessment to be employed (see clause development of a data governance
scheme, risks inherent in the sector, type 5.1.2 and accompanying guidance for policy. When developing a data
of data collected, and end uses of the more information). governance policy, the scheme owner
scheme, including the types of claims being may want to consider how to comply
made by assurance system actors, and shall with national privacy laws related
be able to provide a rationale for its choice to data security and holding of
of structure and activities. personal data.

1. https://www.isealalliance.org/credible-sustainability-standards/what-are-credible-sustainability-standards
2. https://www.isealalliance.org/credible-sustainability-standards/iseal-codes-good-practice

12 13
 5. Rigour and Impartiality
Clause 4.5 E ffectiveness and efficiency of the assurance system are maintained Clause 5.1 O
 perating procedures support consistent implementation of the
and improved over time assurance system
Clause Topic Requirement Guidance Clause Topic Requirement Guidance
4.5.1 Management The scheme owner’s senior management The scheme owner can choose to make 5.1.1 Documented The scheme owner shall have a documented
reviews shall conduct management reviews at least use of the following resources to inform management management system that specifies
once a year to assess performance of its its management review: system requirements for implementation of its
assurance system, update classification assurance system and includes at least:

Any internal or external system audits
of risks, and inform improvements. that have been conducted; N
 ormative standard or standards;
The scheme owner shall use analysis of C
 riteria for accepting assurance providers
 isk assessments of the assurance
R
assurance system data to inform those to the scheme (6.2.1);
system and mitigation measures taken;
assessments and risk classification.
 ny recommendations from assurance
A C
 riteria for accepting clients to the
providers and the oversight body to scheme (6.2.1);
support system improvements; T ypes of client assessment used in the
S ystematic review of client scheme and a methodology for each
assessments (audits); (5.1.2);
External audits of assurance providers; P
 rocedure for regulating exceptions to the
standard or assessment process (5.1.5);
 nalysis of the types and nature of
A
complaints received; R
 equirements for the certificate and/or
claims related to assurance status (5.1.11);
Chain-of-custody checks;
M
 ethodology for oversight of assurance
Customer (and public) surveys;
providers (5.4.1); and
Client surveys;
D
 ocument and record control procedures
 onitoring labelled products in
M (5.1.14).
the market;
S takeholder input regarding the quality 5.1.2 Assessment The scheme owner shall require assurance Different types of assessment carried
of the assurance system; methodology providers to follow a consistent, out by assurance providers can include
documented methodology that specifies pre-assessments, full audits, surveillance
Monitoring and evaluation data;
requirements for each type of assessment audits, on-site audits, document reviews,
 nalysis of market and scientific
A of clients, is sufficient to determine client external group or multi-site audits,
trends; and conformance with the requirements, and is unannounced audits, witness audits,
 riteria and data to assess strengths
C commensurate with the claims being made parallel audits, remote audits, etc.
and weaknesses of the assurance by assurance system actors. The assessment Independent assessment is a necessary
system. methodology shall include procedures for at component of schemes that allow
least the following activities: public claims of compliance. Third party,
4.5.2 Improvement The scheme owner’s senior management
A
 ssessment of conformance with the independent, accredited certification is
feedback loop shall take preventive measures to manage
standard; the most credible form of assessment.
risks to the integrity of the assurance
system and shall oversee effective R
 eview and decision;
implementation of improvements identified I ssuance of a certificate, where this is part
in data analysis and management reviews. of the scheme;
P
 eriodic re-assessment.
For each type of assessment used, the
scheme owner shall specify requirements
for conducting the assessment that includes
at least the following:
f requency and intensity of assessment;

Requirements continue on the next page...

14 15
 Clause Topic Requirement Guidance Clause Topic Requirement Guidance
5.1.2 sampling protocol for assessment; 5.1.6 Group Where assurance includes assessment of Internal management systems can
Cont. knowledge and skills required in assessment groups, the scheme owner shall specify include the following elements:
an auditor or assessment team (if requirements for assurance providers to D
 escription of the roles, responsibilities
assessment team is used); consistently evaluate the effectiveness of and competencies of individuals
a group’s internal management system in responsible for different aspects of
minimum set of issues that need to be
identifying and resolving non-conformities the internal management system;
checked in every assessment;
within the group.
a means of calculating the time needed P
 rocedures for obtaining agreements
for an assessment; with all group members to ensure
group members understand what
sources of evidence to be assessed;
is required of them and to allow
minimum content of assessment reports; for assessments, both internal
and and external;
timelines for submission of completed P
 rocedures for approval and removal
reports, following assessments. of members;
5.1.3 Sampling The scheme owner shall define a sampling Sampling within the assessment means P
 rocedures for annual decision-making
within the procedure for assurance providers to use defining the basis on which auditors on the assurance status of each
assessment during the assessment that includes, at will determine what to look at during member in the group;
minimum, a description of when sampling the assessment, e.g. the most common C
 hain of custody / product flow;
is to be employed in the assessment, problematic issues, the issues with the
G
 roup and group member record
the depth and intensity of sampling, and highest risk, the easiest issues to check,
keeping requirements;
guidelines for the type of sampling to be etc. This can include determining the
employed in each instance. selection of a sample within a group or P
 rocedure for internal assessment; and
multi-site. P
 rocedure for sanctions and appeals

5.1.4 Use of The scheme owner shall require that External assessments can include:
technical interpreters or technical experts employed A
 review of the documentation of the
experts by assurance providers or oversight bodies internal management system to ensure
are independent of the client, unless this is internal assessments have been carried
not feasible due to logistical constraints. In out, records are complete and non-
all cases, the names and affiliations of these conformities are resolved;
experts shall be included in audit reports.
A
 n audit of a sample of group members
5.1.5 Exceptions The scheme owner shall have a procedure An exceptions procedure is useful even in to assess the accuracy of the results of
for regulating exceptions to the standard or cases of anticipating future exceptions the internal management system;
assessment process. Exceptions can include exemptions, P
 rocedures to address non-
which provide for situations where a conformities including sanctions in the
requirement is not applicable; case of systemic failure of the internal
Elements of an exceptions procedure can management system.
include that: 5.1.7 Group non- Where assurance includes assessment
a ssurance providers receive approval conformities of groups, the scheme owner shall define
from the standards system owner or consequences for non-conformities in
oversight body for each exception; individual group members. Where the
t he scheme owner or oversight body number of non-conformities identified in
makes a list of existing exceptions sampling individual group members signifies
available to all assurance providers and a systemic problem with the group’s
clients working within the standards internal management system, the scheme
system so that these are applied owner shall ensure that this results in non-
consistently; and conformities being issued against the group
as a whole.
e xceptions are only valid until the
next standard review exercise, at which
time they are considered as input to
the review.

16 17
 Clause Topic Requirement Guidance Clause Topic Requirement Guidance
5.1.8 Decision- The scheme owner shall define a decision- Examples of decision-making protocols 5.1.12 Complaints The scheme owner shall have in place
making making protocol for compliance assessment can include scorecards, traffic light procedure a publicly available and accessible
mechanism that enables consistent determination of systems, critical criteria, etc. complaints resolution procedure and
levels of non-conformity, and shall require shall require this also of its assurance
assurance providers to implement it. providers and oversight bodies. Each
procedure shall require the respective
5.1.9 Appeals The scheme owner shall require assurance body to:
providers and oversight bodies to
investigate and take appropriate
implement a publicly available appeals
action regarding relevant complaints,
procedure whereby clients and assurance
within defined timelines;
providers respectively can appeal
assessment decisions. r eview and take any necessary
corrective actions; and
5.1.10 Remediation The scheme owner shall require assurance
k eep a record of all complaints
and providers and oversight bodies to follow
and resulting actions to be made
consequences consistent procedures on remediating non-
available for internal audits and
conformities, which shall include defined
management reviews.
time limits for implementing corrective
actions, steps for verifying corrective 5.1.13 Misrepresentation The scheme owner shall ensure Actions can also include market
actions, and repercussions of continued and corruption monitoring activities are in place that surveillance to detect fraudulent
non-conformity. include actions to identify and mitigate claim use.
misrepresentation or corruption. These The mechanism for stakeholders could
5.1.11 Integrity of The scheme owner shall have procedures The rules governing use and
actions shall include at least: be the scheme’s complaints process
assurance in place that define the rules governing use communication of assurance status,
status and communication of assurance status, claims and references to assurance f ollow-up of suspended clients to but this should then specifically
claims of compliance, and references to can include that the client: monitor cessation of claims; and accommodate informal and confidential
assurance, and shall require that clients a publicly available mechanism for allegations of corruption.
c onforms to the requirements
comply with these rules. of the assurance provider when stakeholders to report instances Monitoring activities can be
NOTE: For further guidance on acceptable making public reference to its of potential misrepresentation implemented by assurance providers,
claims, please refer to the ISEAL Claims assurance status; or corruption. or by oversight bodies in the
Good Practice Guide www.iseal.org/claims3 case of monitoring assurance
 oes not make or permit any
d
providers’ performance.
misleading statement regarding its
assurance status; 5.1.14 Records and The scheme owner shall implement
 pon withdrawal of its assurance
u document control document control procedures that guide
status, discontinues its use of all the management and storage of system
advertising matter that contains a documents and records.
reference to assurance;
a mends all advertising matter
when the scope of assurance has
been reduced;
 oes not imply that assurance applies
d
to activities and sites outside the
scope of assurance; and
 oes not use its assurance status in
d
such a manner that would bring the
assurance system into disrepute
and lose public trust.

3. https://www.isealalliance.org/credible-sustainability-standards/what-are-credible-sustainability-standards

18 19
 Clause 5.2 A
 ssessment is implemented according to operating procedures Clause 5.4 T here is independent oversight of implementation

Clause Topic Requirement Guidance Clause Topic Requirement Guidance

5.2.1 Legality The scheme owner shall ensure that 5.4.1 Oversight The scheme owner shall specify
oversight bodies and assurance providers mechanism the approach to oversight and its
are legally incorporated entities. implementation appropriate to the scope
and operations of the scheme. This
5.2.2 Legal The scheme owner shall have legally Getting agreement from clients on use
shall include the frequency of oversight,
contracts enforceable contracts with oversight bodies of their data, confidentiality of that data,
responsibilities for different functions,
and assurance providers (either directly or and related obligations is critical. These
procedures to be followed, and reporting
through the oversight body) that delineate agreements with clients can be made
requirements back to the scheme owner.
responsibilities and obligations, including either by the assurance provider or by
data use and confidentiality. The scheme the scheme owner. The scheme owner can devolve
owner shall also require this of assurance responsibility for defining the details of
providers with their clients. Where the implementation to the oversight body but
scheme owner is the assurance provider, shall retain authority for defining the overall
it shall have legally enforceable contracts approach and shall be clear on exactly who
with the clients. has responsibility for defining which parts
of the oversight system.
5.2.3 Internal audits The scheme owner shall require that The oversight process shall include a review
assurance providers conduct annual internal of the performance of assurance providers
audits on scheme-related performance and and auditors in conducting the assessment.
share the results with the scheme owner.
5.4.2 Independence The scheme owner shall ensure that the This means that the oversight body is
5.2.4 Responsibility The scheme owner shall require that of oversight oversight body is independent of the usually a separate organisation from the
for oversight bodies and assurance providers assurance provider(s) being assessed. assurance provider but it is possible that
outsourcing take responsibility for ensuring the quality independence can be shown in other ways.
and integrity of all assurance activities
outsourced to another body. 5.4.3 Competence The scheme owner shall ensure that
of oversight assessment staff within the oversight
5.2.5 Authority for The scheme owner shall ensure that personnel body have in-depth knowledge of the
assurance oversight bodies and assurance providers standard and its intent, and of the scheme’s
decisions retain authority for decisions related to assurance requirements.
their assessments (i.e. the decision-making
is not outsourced). 5.4.4 Authority The scheme owner shall ensure that the
of oversight oversight body has the authority to take
bodies action regarding the compliance status of
assurance provider(s). Where the scheme
owner is the assurance provider, it shall
Clause 5.3 Outputs of recognised schemes are equivalent ensure that issues raised by the oversight
body are addressed and remediated.
Clause Topic Requirement Guidance 5.4.5 Accreditation Where the scheme incorporates Where other forms of oversight are
5.3.1 Equivalence Where the scheme owner accepts as Equivalence arrangements differ from accreditation as an oversight mechanism, implemented, the scheme owner may
arrangements equivalent or partially equivalent the proxy accreditation in that the former is the scheme owner shall ensure that also want to consider regular evaluation
assurance results of another scheme or about equivalence of assessment results accreditation bodies comply with the against ISO/IEC 17011 to improve the
body, it shall define the steps taken or in different schemes while the latter current version of ISO/IEC 17011 in addition quality of its oversight system.
additional assurance activities required is about the competence of assurance to the Assurance Code requirements
to have confidence in the results of the bodies to carry out assessments in that apply to oversight bodies.
other scheme. the same scheme.

20 21
 Clause 5.5 The assurance system is implemented competently

Clause Topic Requirement Guidance Clause Topic Requirement Guidance

5.4.6 Proxy Where the scheme owner accepts Such measures can include one or more 5.5.1 Personnel The scheme owner shall define
accreditation assurance providers that have been of the following strategies: competencies the qualifications and competency
accredited against other scopes, they shall In-depth monitoring of a specific requirements for its assurance staff and
require that those assurance providers issue across all assurance providers for auditors and other assurance personnel,
carry out regular internal audits against in the standards system, to compare, as well as the verification mechanisms to
the scheme-specific scope and share the and therefore determine the level assess whether the requirements
results and any remediation with the of competence and consistency of are fulfilled.
scheme owner. The scheme owner shall assurance across the standards system; Competencies shall include at least in-
also require those assurance providers to depth knowledge of the standard and its
 eview audits: onsite visit to a client
R
meet personnel competence requirements intent, the sector(s) in which the standard
without the auditor but with the last
set by the scheme owner. Additionally, the applies, an understanding of the goals of
inspection report. This is not a full
scheme owner shall employ supplementary the standards system, and, in particular, the
inspection but more a spot check to
measures to assess the scheme-specific critical sustainability issues in the standard.
see if the inspection report of the
competence of assurance providers.
assurance provider correlates with 5.5.2 Building The scheme owner shall require that
what is seen at the time. This also competence assurance provider and oversight body
includes a client interview to get their auditors and other assurance personnel,
impression of their assurance provider. including the scheme owner’s assurance
Review audits generally do not last staff, receive initial training and ongoing
more than a few hours but can yield professional development according to the
valuable insight into the competence requirements of their respective positions.
of assurance providers;
 eview of information obtainable
R 5.5.3 Auditor The scheme owner shall require assurance
from the databases of assurance calibration providers to implement an ongoing
providers in order to reduce onsite programme for auditor and assurance
visits to offices of assurance providers. personnel calibration. Where the scheme
Time and money can be saved if data employs multiple oversight bodies, it shall
review is performed remotely, rather require a similar programme of calibration
than onsite; for the auditors of these bodies.
 eview of the effort (usually measured
R 5.5.4 Evaluation of The scheme owner shall require that
as time) spent on audits. If this competency auditor competence is demonstrated on
information is entered in a database a recurring basis through evaluation by
the oversight body could have a assurance providers, oversight bodies, or
good idea of the effort expended for other entities, using defined verification
different types of audits and could mechanisms that include witnessing
compare this with the performance auditor performance.
of assurance providers; and
 eview of client assessment reports
R
(audit reports) and subsequent follow-
up of discrepancies discovered.

22 23
 6. Value and Accessibility
Clause 5.6 The assurance system is implemented impartially Clause 6.1 A
 ssurance system delivers additional value to clients
Clause Topic Requirement Guidance Clause Topic Requirement Guidance
5.6.1 Impartiality As part of its risk management plan, the Transparency is one potential 6.1.1 Information The scheme owner shall ensure that Performance insights can be as simple
and Conflicts scheme owner shall define and document contributing factor to maintaining on performance insights are provided to as providing the client with audit
of interest potential risks to impartiality and conflicts impartiality and avoiding conflict performance clients. reports and noting changes since the
of interest within its assurance system and of interest. previous report. However, additional
how these potential risks and conflicts value for the client can be derived from
should be avoided or mitigated. The communicating improvements over time,
scheme owner shall have a mechanism performance in relation to peers, or in
for monitoring efforts to manage these assisting clients to understand where
risks and conflicts. and how they can improve.

5.6.2 Auditor As part of the assessment of risks to Some of the practices that can mitigate
impartiality impartiality, the scheme owner shall the risks to impartiality include: Clause 6.2 Barriers to access are minimised
assess the potential risks to auditor r otation of auditors and other technical
impartiality and, where warranted, shall experts in assessments; Clause Topic Requirement Guidance
require assurance providers and oversight
assurance body rotation; 6.2.1 Accessibility The scheme owner shall have publicly Eligibility requirements can also be made
bodies to implement practices to mitigate
 ccasionally having second set of eyes
o available information that describes publicly available by the oversight body.
these risks.
- have a second auditor join; and eligibility requirements for assurance Examples of acceptable restrictions on
providers and clients, and the rationale access include:
 itness audit / inspection every x
w
behind any restrictions on access.
time period. R
 equiring membership in the scheme
as a prerequisite for application, so
5.6.3 Impartiality Where the scheme owner allows Some steps that could reduce the
long as membership fee levels do not
in the auditors or other assurance personnel potential for conflict of interest include:
prevent stakeholders from applying
assessment to provide information to clients during  roviding information in accordance
p for membership;
the assessment, the scheme owner shall with guidance notes issued by the
document the types of information that can D
 enying participation to stakeholders
scheme owner;
be provided and the steps taken to avoid who do not meet a scheme-specific,
 aving a consistent approach for how
h publicly available Codes of Ethics or
conflicts of interest.
information is offered to clients; and a Policies of Association;
r ecording in the audit report the type L imiting geographic or sectoral scope
of information provided. based on the competence or capacity
5.6.4 Impartial The scheme owner shall require that of the scheme;
decision- assurance providers and oversight bodies N
 ew schemes or pilot initiatives that
making use competent personnel other than the limit focus or number of clients; and
auditor or audit team to make impartial V
 ariations in intensity of assessments
decisions on compliance. based on risk profiles.

6.2.2 Risk-based Where a risk-based approach is used to

assessment determine assessment frequency and
intensity in assurance or oversight, the
scheme owner shall have a documented
risk management protocol to assess the
risk level of clients or assurance providers
and the resulting assessment frequency
and intensity, and shall require its use
by assurance providers and oversight
bodies respectively.

24 25
 Clause 6.3 Information about how the system operates is easily available

Clause Topic Requirement Guidance Clause Topic Requirement Guidance

6.3.1 Publicly The scheme owner shall ensure the In some cases, oversight bodies can 6.3.2 Stakeholder input The scheme owner shall define the Gathering additional stakeholder input
available following information about their assurance make this information publicly available points in the assurance and oversight about the assurance system beyond
information system and its implementation is current on behalf of the scheme owner. processes at which stakeholders input from ongoing operations (e.g.
and publicly available:  ata ownership and availability refers
D may provide input to about client complaints mechanism) is not required,
Description of the structure of the to what data is made available to and assurance provider performance but can strengthen the credibility
assurance system including decision- whom and for what purposes. respectively and shall ensure of the assessment and be useful
making (4.3.1); stakeholders are informed of these information to support assurance
S cheme owners can decide what
opportunities to engage. system improvements. Stakeholders
Information on data ownership and basic assessment information should
can potentially provide input to
availability (4.4.4); be shared. Basic information can
assessments, on the quality of auditors
Criteria for accepting assurance providers include: dates, locations and scope
or the assurance process, and on risks to
and clients to the scheme (6.2.1); of auditing, team composition,
the integrity of assurance.
number and type of non-conformities,
Application procedures for clients;
certification status. Good practice 6.3.3 Changes to the The scheme owner shall have defined
Current list of oversight bodies and is to make summary reports of assurance system protocols for implementation of changes
assurance providers that are approved assessment findings for every client in requirements, including timelines by
to work in the assurance scheme; publicly available. which changes come into effect and
General information on fees charged  aking basic assessment information
M mechanisms to communicate those
to clients and applicants; available applies to existing clients changes to affected stakeholders.
Description of the assessment who have failed a reassessment
methodology: type(s) of assessment but not to new applicants.
employed, how clients are assessed,
how often, and by whom, and the
basis for decisions (evaluation
framework) (5.1.2);
Policy on information provision
(knowledge sharing) to clients by
assurance providers (5.6.3);
Description of how stakeholders
can provide input to the assurance
process (6.3.2);
Description of consequences for
different levels of non-conformity
(5.1.10);
Summary of resolved complaints (5.1.12)
Steps taken to have confidence in
the results of other schemes deemed
equivalent or partially equivalent
(5.3.1);
Current list of certified clients, their
scope of assurance, and expiry date of
their certificate (where expiry dates are
used) (the list can be made available
at the assurance provider level); and
Basic information about the results
of assessments of both clients and
assurance providers.

26 27
 Appendix A:
Definitions
Appeal Certificate Data Information Management System
Request by the client to the assurance provider or Generic expression used to include all means of Reinterpretable representation of information in A documented set of procedures and processes
by the assurance provider to the oversight body for communicating that fulfilment of specified requirements a formalized manner suitable for communication, for information management, including functions
reconsideration of their assessment decision. has been demonstrated. (adapted from ISO 17000) interpretation or processing. (adapted from ISO/IEC 2382) of controlling the acquisition, analysis, retention,
(adapted from ISO 17000) retrieval and distribution of information.
Certification Data governance
Assessment The issuance of a third-party statement that fulfilment Internal audit
The overall management of the availability, usability,
The combined processes of audit, review and decision of specified conformance requirements have been An internal, systematic, documented process for
integrity, and security of the data employed in an
on a client’s conformance with the requirements of a demonstrated. (adapted from ISO 17000) obtaining records, statements of fact or other relevant
organisation. A data governance programme includes
standard or of the assurance provider’s conformance information and assessing them objectively to determine
a governing mechanism, a defined set of procedures,
with requirements for assurance. Claim the extent to which specified requirements are fulfilled
and a plan to execute those procedures.
A message used to set apart and promote a product, to support the objectives of an assurance system.
Assessment methodology process, business or service with reference to one or (adapted from ISO 17000)
Equivalence
The steps that comprise an assessment in order more of the pillars of sustainability: social, economic
An assessment that different assurance processes Internal Management System
to provide assurance. and/or environmental. NOTE: The ISEAL Sustainability
achieve functionally equivalent results.
Claims Good Practice Guide (2015) provides further In group assurance, the documented set of procedures
Assurance guidance on developing and managing environmental, and processes that a group will implement to ensure it
social and/or economic claims.
Exception can achieve its specified requirements. The existence of
Demonstrable evidence that specified requirements
An instance when a specified requirement in a standard an Internal Management System allows the assurance
relating to a product, process, system, person or body
Client or policy is excluded from conformity evaluation or is provider to delegate inspection of individual group
are fulfilled. (adapted from ISO 17000)
adapted for a particular circumstance. members to an identified body within the group.
The person or enterprise that is seeking assurance of
Assurance provider their conformance with the requirements in a standard.
External Assessment Licensing
Body responsible for performing the assessment
Complaint In group assurance, the systematic inspection and review The issuance of an official permission to make, use
of clients. NOTE: In the context of this Code, an
of the internal management system performed by the or own a claim.
accreditation body is considered an oversight body Expression of dissatisfaction, other than appeal, by any
assurance provider.
rather than an assurance provider. person or organisation to a scheme owner, assurance
provider or oversight body relating to their respective Management review
activities, where a response is expected. (adapted from
Group Evaluation of fulfilment and effectiveness of the
Audit
ISO 17000) An organized body of people or enterprises that share collective services and processes that comprise
A component of an assessment. A systematic,
similar characteristics, are part of a shared internal an assurance management system, including the
documented process for obtaining records, statements
Conformity management system and, for assessment purposes, performance of the scheme owner, assurance providers,
of fact or other relevant information and assessing them
are considered as a single client (eg: groups of farmers, and oversight body.
objectively to determine the extent to which specified Demonstration that requirements of a standard
of retail stores, of distributors).
requirements are fulfilled. (adapted from ISO 17000) are fulfilled.
Multi-site Operation
Group Member An enterprise with multiple production sites that are
Auditor Corruption
The individual enterprise (eg: farmer, retail store owner, centrally managed and are assessed as one client.
Person who performs the audit. The abuse of entrusted power for private gain. Examples
distributor) that is enrolled in a group assurance scheme.
of corruption include bribery, conflict of interest, fraud,
Calibration money laundering, embezzlement, concealment and Non-compliance
obstruction of justice, and trading in influence.
Information An identified occurrence of non-conformance with
The process by which different auditors and other
(adapted from ISO 26000) Knowledge concerning objects such as facts, events, one requirement of a standard, identified as part of
personnel involved in assurance exchange knowledge
things, processes, ideas or concepts that, within a an assessment. Synonym: non-conformity
and learn from each other to achieve more consistent
certain context, has a particular meaning. (adapted
interpretation and application of the standard.
from ISO/IEC 2382)

28 29
 On-site assessment Sanction Common Synonyms
An assessment occurring on the physical site of a Repercussion of non-conformity with one or more Term Synonyms
client’s operations. requirements in a standard.
Assessment Audit
Outsourcing Self-declaration Assessment methodology Audit procedure
The contractual obtaining of goods or services from A statement issued by a client, on behalf of itself, and
a third party. based on its own determination, that states its status Assurance Certification, verification
against specified conformance requirements of a
Assurance Provider Certification body, verification body, conformity assessment body (CAB)
Oversight standard. (adapted from ISO 14001)
Assessment of an assurance provider’s demonstration Audit Inspection, evaluation, verification
of competence to carry out specific assurance tasks. Stakeholder
(adapted from ISO 17000) Individual or group that has an interest in any decision Auditor Inspector, verifier, assessor
or activity of an organization. (ISO 26000) Certificate Statement of conformity, Assurance Statement
Oversight body
Body responsible for performing the assessment of Standards system Client Operator, enterprise, entity, participant, producer, member
assurance providers. The collective of organisations responsible for the
Internal Assessment Internal audit
activities involved in the implementation of a standard,
Peer review including standard setting, capacity building, assurance, Oversight Accreditation
Assessment of a client against specified requirements labelling and monitoring.
Oversight provider Accreditation body
by other clients in, or candidates for, an organised
group. (adapted from ISO 17000) Scheme owner Scheme owner Standards system owner
The organisation that is responsible for the standards
Proxy accreditation system and accountable for the performance of its
A type of oversight employed by a scheme, whereby assurance system. The scheme owner determines the
recognition of another scheme’s oversight mechanism objectives and scope of the standards system, as well
is deemed sufficient to demonstrate assurance. as the rules for how the scheme will operate and the
standards against which conformance will be assessed.
NOTE: The scheme owner can be the standards owner,
Publicly available
assurance provider, a governmental authority, trade
Easily accessible online or otherwise to the public. association, group of assurance providers or other body.

Reassessment Surveillance
An assessment conducted for the purpose of renewing Assurance activities used to monitor misrepresentation
a certificate. and misuse of claims and labels in order, to support
assurance.
Risk
The chance of something happening that will have Third-party assurance
an impact on objectives. It is measured in terms of a Assurance activity that is performed by a person or body
combination of the probability of an event and the that is independent of the person or organization that
severity of its consequences. provides the object of assurance and of user interests
in that object. (adapted from ISO 17000)
Risk mitigation (Risk reduction)
Actions taken to lessen the probability, negative Verification
consequences, or both, associated with a risk. Confirmation, through the provision of objective
evidence, that specified requirements have been
Risk register fulfilled. (adapted from ISO 9000) Our Cover
Document containing the results of risk analyses and risk © Forest Stewardship Council (FSC). ISEAL Member Forest Stewardship Council is dedicated to promoting responsible management
of the world’s forests.
response planning. The risk register details significant
risks, potentially including description, category, cause, Photography
probability of occurring, impact(s) on objectives, We would like to thank all members that provided photography for this ISEAL code of Good Practice.
proposed responses, owners, and current status. Page 2 and 31 © LEAF. Page 4, 11 and 24 © Rainforest Alliance. Page 6 and 7 © Global Coffee Platform. Page 8 © Better Cotton Initiative.
Page 9 and 14 © UTZ Certified. Page 19 © Fairtrade. Page 22 © Responsible Jewellery Council. Page 23 © Bonsucro.
Page 27 © Roundtable on Sustainable Palm Oil.

Editor ISEAL Secretariat

30 Graphic Designer Kelly Gregory | kellylouisegregory@hotmail.com 31
ISEAL Alliance
56-64 Leonard Street
London
EC2A 4LT
United Kingdom

+44 (0)20 3246 0066

info@isealalliance.org
twitter.com/isealalliance
www.iseal.org