The correct answer is the certification body, because ISO/IEC 17021-1 clearly assigns responsibility for establishing the audit scope and audit criteria to the certification body, not to the audit team or the auditee. The certification body is responsible for managing the certification process, ensuring consistency, impartiality, and compliance with accreditation requirements.
The audit scope defines the boundaries of the certification audit, including organizational units, locations, activities, and processes to be audited. The audit criteria define the set of policies, procedures, and requirements against which conformity is assessed, such as ISO/IEC 27001 requirements, statutory obligations, and internal ISMS policies. While the audit team leader may plan how the audit will be conducted within the defined scope, they do not determine the scope itself.
Option A is incorrect because the audit team leader’s role is to manage the audit execution, prepare the audit plan, and coordinate audit activities, not to establish the official scope or criteria. Option B is incorrect because although discussions with the auditee are necessary to understand the organization and confirm scope feasibility, the final authority remains with the certification body.
This separation of responsibility ensures independence and prevents organizations from unduly influencing the certification boundaries. Therefore, the certification body is the entity that establishes the audit scope and audit criteria.
