There is an increasing discussion about an “ISO 26000 Assessment” mid 2011 onwards. This site and its sub-sites clarify the basics and recommend an action line.

To recall: The ISO 26000 clarifies in its scope (area of application) that it does not contain requirements and therefore

there is no ISO 26000 certification, contractual use etc.

So, since an assessment would also need to be based on requirements,

there is no ISO 26000 assessment either.

More detailed deliberations include a description of the basic differences between certification and assessment, both performed by so-called “third parties”, and a proposal for a way forward, which is perfectly in line with the letter and intent of ISO 26000: by using the 26k-issue-tool.

  • Certification vs. assessment
  • How to trust certification service providers?
  • In contrast to certification, assessment steps can be described this way…
  • Is there an ISO 26000 assessment?
  • A final word
  • How to step forward

Assessment – Self-Assessment

Guido Gürtler, 2011.12

Certification vs. assessment

Before entering into details it seems to be worthwhile to highlight the basic difference between certification and
assessment, as far as relevant for the discussion of ISO 26000. Certification normally is based on standardized requirements.

What would be the normal certification steps (which are, however, not applicable to ISO 26000)?

  • The definition of standardized requirements is the resulcertification stepst of the consensus-driven standardization process. Such standardized requirements represent objective criteria because the delegates of all national ISO member bodies member had reached consensus so that the criteria found so to say worldwide approval.
  • A certification service provider performs an audit by comparing the status quo of an organisation with the standardized requirements. The results are taken into an audit report. Such audit reports are regularly not published.If the certification provider concludes that the requirements are properly met, a certificate may be issued. Certificates are “valid” only for a limited period of time, some need to be renewed every year. An ISO 9000 audit for example can cost easily several thousand Euros.

How to trust certification service providers?

The IAF (International Accreditation Forum) accredits these service providers if they fulfill the IAF criteria. The assurance level criteria are explained e.g. at . The IAF outlines four (4) levels of assurance, ranging from low to very high in confidence.

Since ISO 26000 expresses clearly in its scope that it is not to be used for certification, IAF accredited certification providers would disregard IAF rules when offering an ISO 26000 certificate. However, certification providers may distinguish their services between accredited ones and non-accredited ones, and consequently offer an ISO 26000 certificate outside their accredited business. Such a practice would be an evident misuse of ISO 26000.

In contrast to certification, assessment steps can be descrassessment stepsibed this way:

An assessment needs also to be based on requirements but they are not standardized, they represent subjective criteria. Subjectivity is given because the requirements are specified by a “private” organisation. Logically, the requirements of one assessment provider (e.g. a score system) may significantly differ from the requirements defined by a different service provider (e.g. a percentage system). An assessment is also often called evaluation or test. Certification providers, correctly not offering ISO 26000 certification, may well offer ISO 26000 assessment services but one should always be aware that the assessment criteria vary from one provider to the other and are basically not comparable.

Searching the Internet for “ISO 26000 assessment” brings up service offers like “Performance ISO 26000 assessment” by SGS, “ISO 26000 assessment service” by Ecocert, “assessment of implementation level of ISO 26000 guidance” by Rina, “ISO 26000 and CSR performance ladder” by DNV, and there are several others.

Such incomparable assessment offers have only one thing in common: one needs to pay for them, like for certification. By the way: certification providers can be accredited by IAF for conducting their certification business properly but there’s no comparable accreditation of assessment bodies.
Finally: The result of an assessment is an assessment report, which normally is not published either.

Is there an ISO 26000 assessment?

As said, an assessment is based on requirements and ISO 26000 does not contain requirements.

So, logically, there is no ISO 26000 assessment!

However, it is worthwhile to recall that ISO 26000 is an international guidance standard, offers recommendations, proposals, advice, and orientation; every user is free in deciding on how to use the advice. According to its mandate ISO 26000 is supposed to be “easy to understand and easy to use”, so that assessment services may be offered but there is no obligation at all to make use of them. In contrast, ISO itself recommends in a brief note how to report on the successful use of ISO 26000, see

To be precise: if there are other “XYZ documents” developed that claim for example to be “based on ISO 26000”, they may have transformed the ISO 26000 guidance into their private/subjective “XYZ requirements” so that one can be assessed against. However, result then is an “XYZ assessment”, not an “ISO 26000 assessment”.

The “NORMAPME ISO 26000 user guide for European SMEs”, accessible at or at puts it this way, after having referenced the ISO 26000 scope:

“In consequence ISO 26000 must not be referenced in contracts or governmental regulation, and – since it does not contain requirements – it must not be used for assessment or certification. An assessment would need to score the ISO 26000 issues
(e.g. to what degree the guidance on a particular issue is followed) and would thereby transpose the guidance into a measurable requirement. Particularly, SMEs should be aware of this because certification bodies may offer assessment, an “ISO 26000 Certificate” or include ISO 26000 into other certification packages, all being an evident misuse of the guidance standard.”


Self-analysis means that you investigate yourself in how far you would like to follow the ISO 26000 guidance. Self-analysis, often called self-assessment is a very normal process. Every organisation may, at an appropriate point of time, study the ISO 26000 and make up its mind where the ISO 26000 guidance offers the opportunity to enhance its social responsibility or, in other words, may help to create or intensify the organisation’s contributions to society.

Such self-analysis is a process conducted by an organisation in its own responsibility, so that the only remaining question is how the results can be documented and communicated. The tool for self-analysis is called “26k-issue-tool”, see its description at and the tool itself, which can be downloaded here. Its use is free, for non-commercial purposes. Its use does not require any services from outside the organisation like audits or certification, consultancy, assessment, or training. At the mentioned website you will see also that IFAN, the International Federation of standards users, supports the application of this tool.

The 26k-issue-tool lists the ISO 26000 issues and poses six essential questions per issue. TheLogo We use ISO 26000 rev2 tool (an Excel sheet) being completed with the answers is an excellent way to demonstrate your deliberations and decisions.

Another quite easy way is that you put “We use ISO 26000” on your letterhead or any other appropriate place, since you have identified with the 26k-issue-tool the recommendations relevant to your organization and which activities you could undertake. Or, you simply put the logo offered here on your letterhead or other suitable documents.
For your easy use it can be downloaded here, in JPG format. Its use is free.

A final word:
You as entrepreneur or manager of an organization have all responsibility and liability for
what you do.

A certificate or an assessment, issued by a different organization,
will not exonerate you in any lawsuit or dispute.

Only your own responsibility counts and it does not matter whether one talks about ISO 26000 self-assessment, self-evaluation, or self-certification. The “self-” is decisive because it demonstrates that you are taking your responsibility.
And: Who ever would know the details of your organization, and the demands of the society you are operating in, better than yourself?

How to step forward?

Just try the 26k-issue-tool!
Practice the same procedure with your customers, clients, and any other partners.
Deny other costly service offers!

Scroll to Top