ISO 27001 – CERTIFICATION PROCESS
Certification process:
Consilium Labs follows the ISO 17021 guidelines in conjunction with ISO 27006 and ISO 19011. As such, our certification process looks something like this:
Initial application:
We’ll kindly ask you to fill out an application form. We will then review the application form and might ask you for additional information.
Once we have received your form and are satisfied with the information you’ve provided we will go ahead and develop an audit program and will send a certification agreement your way.
The moment we receive your signed version of the certification agreement we’ll go ahead and do the following.
STAGE 1 AUDIT
We’ll formulate an audit plan for Stage 1 audit. A bit about stage 1 audit:
The Stage 1 audit provides a focus for planning of Stage 2 by gaining sufficient understanding of the client’s management system. Finding of the Stage 1 shall be documented and communicated to the applicant, informing of any findings that can be classified as non-conformities at the time of Stage 2 audit.
During Stage 1, identification of expertise required for specific scopes, sectors for initial/certification audit, scope of audit, client site details, processes and equipment, levels of control established, applicable statutory and regulatory requirement and allocation of resource requirements for Stage 2 are determined.
STAGE 2 AUDIT
The next step in the process would be to plan and then execute state 2 audit. A bit about stage 2 audit:
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. The audit is carried out as per audit methodology and shall start with opening meeting and conclude with a closing meeting. A full audit report is submitted after the audit with details of all the non-conformities found. The organization is required to identify root cause and take corrective actions as per the timeframe provided by Consilium labs.
Assuming you passed the stage 2 audit or was able to correct the NCRs identified, the lead auditor would make the recommendation to certify you and move the decision to the certification committee.
Assuming that you’re now certified, we want to make sure you stay certified and in conformance. In order to do so, we’ll need to visit you once a year to perform a surveillance audit.
SURVEILLANCE AUDIT
All certified companies are subject to regular surveillance and renewal of certification for compliance to the standard. Surveillance and re-certification audits are conducted as per laid down procedures. Surveillance audits are conducted at least once in a year except in the re-certification year. The date of surveillance audit shall not be more than 12 months from certification decision date. The purpose of surveillance is to verify that the approved ISMS continues to be implemented, to consider the implications of changes to that system initiated as a result of changes in the client’s operation.
From the moment you gained your first certification and throughout the certification cycle, we’ll work with you to ensure you’re keeping up with the standard. After the certification cycle is complete, we will reaffirm your commitment to work with us and maintain your level of conformity and move on to the next phase which is the – recertification.
RECERTIFICATION
A recertification audit is planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. For all the non-conformities reported, time limits for correction and corrective actions are defined by Consilium and these actions shall be implemented and verified prior to the expiration of certification. When recertification activities are successfully completed prior to the expiry date of the existing certification, certificate is renewed and issue date on a new certificate is on or after the recertification decision.
If Consilium has not completed the recertification audit or the certification body is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then recertification is not recommended and the validity of the certification is not extended.