Beyond the Initial Audit

Posted byAayush GoelPosted iniso 27001Tags:, , , , , , , , , , ,

Objective of beyond the Initial Audit

  • Surveillance activities
  • Surveillance audit
  • Recertification audit
  • Certification– Special cases (extension, withdrawal, transfer)
  • Using the ISO trademarks

Surveillance Activities

  • Surveillance activities ensure that typical fields and functions covered by the management system are monitored on a regular basis
  • The certification body must take into account changes made by the certified client and changes introduced to his management system

Surveillance activities can also include:

  • Enquiries from the certification body to the certified client on aspects of certification
  • Review of a Website or promotional material
  • Investigations of the organization following a complaint (short-notice special audit)
  • Written follow-up request

Surveillance Audits

  • Surveillance audits should be conducted at least once a year
  • Surveillance audits are on-site audits that are not necessarily full system audits
  • The duration of a surveillance audit 1/3 of the time spent on the initial audit

Re-certification Audit

  • A recertification audit shall be planned and conducted to evaluate the continued fulfillment of all of the requirements every three years
  • Recertification audit shall consider the performance of the management system over the period of certification, and include the review of previous surveillance audit reports
  • The duration of a recertification audit should be about 2/3 of the time spent on the initial audit

Certification

Special cases

  1. Extension
    • Many audited firms prefer defining a reduced scope for a first certification and request an extension during the following years
    • The extension audit can be conducted during the surveillance audit
    • If the extension certification is not granted, the organization does not cancel its current certification
  2. Suspension or withdrawal 
    • An organization can have its certification withdrawn when the certified management system has constantly or severely failed to comply with certification requirements, including the requirement related to the effectiveness of the management system
    • The certification body must make public any certification suspension
  3. Transfer
    • Transferring a registration form one certification body to another is always possible even if the auditee has signed a long-term agreement
    • The auditee must present the following documents
      • Request for transfer
      • Last audit report
      • Last corrective actions plan
      • Copy of the valid certification registration

Use of ISO Trade marks

  • A certified organization is authorized to display publically its certification and to use it for marketing purposes
  • The certification cannot be displayed directly on a product or in a way that would lead to believe that the product is certified
  • The certification body will provide to the auditee a logo that can be used for marketing

Discover more from Information Security Blogs

Subscribe to get the latest posts sent to your email.

Leave a comment

Discover more from Information Security Blogs

Subscribe now to keep reading and get access to the full archive.

Continue reading