Initial certification audit, Stage 1
The planning of Noordbeek Certification shall ensure that the objectives of stage 1 can be met and the client shall be informed of any ‘on site’ activities during stage 1.
The objectives of stage 1 are to:
- review the client’s management system documented information;
- evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2;
- review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
- obtain necessary information regarding the scope of the management system, including:
  - the client’s site(s);
  - processes and equipment used;
  - levels of controls established (particularly in case of multisite clients);
  - applicable statutory and regulatory requirements;
- review the allocation of resources for stage 2 and agree the details of stage 2 with the client;
- provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
- evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for stage 2.
Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.
In determining the interval between stage 1 and stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during stage 1. Noordbeek Certification may also need to revise its arrangements for stage 2. If any significant changes which would impact the management system occur, Noordbeek Certification shall consider the need to repeat all or part of stage 1. The client shall be informed that the results of stage 1 may lead to postponement or cancellation of stage 2.
Initial certification audit, Stage 2
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. Stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:
- information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
- performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
- the client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
- operational control of the client’s processes;
- internal auditing and management review;
- management responsibility for the client’s policies.
The audit team shall analyse all information and audit evidence gathered during stage 1 and stage 2 to review the audit findings and agree on the audit conclusions.
Where multi-site sampling is used for the audit of a client’s management system covering the same activity in various geographical locations, Noordbeek Certification shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client.
Multi-site sampling is only allowed if:
- All the sites are covering the same activities;
- All sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;
- All sites are included within the client’s internal ISMS audit programme;
- All sites are included within the client’s ISMS management review programme.
If Noordbeek Certification wishes to use a sample-based approach, a procedure shall be followed to ensure the following:
- The initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined;
- A representative number of sites have been sampled by Noordbeek Certification, taking into account:
  - The results of internal audits of the head office and the sites;
  - The results of management review;
  - Variations in the size of the sites;
  - Variations in the business purpose of the sites;
  - Complexity of the information systems at the different sites;
  - Variations in working practices;
  - Variations in activities undertaken;
  - Variations of design and operation of controls;
  - Potential interaction with critical information systems or information systems processing sensitive information;
  - Any differing legal requirements;
  - Geographical and cultural aspects;
  - Risk situation of the sites;
  - Information security incidents at the specific sites;
- A representative sample is selected from all sites within the scope of the client’s ISMS; this selection shall be based upon judgmental choice to reflect the factors presented above as well as a random element;
- Every site included in the ISMS which is subject to significant risks is audited by Noordbeek Certification prior to certification;
- The audit programme has been designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within the three year period;
- In the case of a nonconformity being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate.
The audit shall address the client’s head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above.
Definition and handling of major and minor nonconformities
A nonconformity is a non-fulfilment of a requirement. This can be:
- Major nonconformity
  This is a nonconformity that affects the capability of the management system to achieve the intended results. A nonconformity could be classified as major in the following circumstances:
  - If there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  - A number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.
- Minor nonconformity
  This is a nonconformity that does not affect the capability of the management system to achieve the intended results.
For any major nonconformities, Noordbeek Certification has to review, accept and verify the correction and corrective actions before granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring certification, or withdrawing certification. For any minor nonconformities, Noordbeek Certification has to review and accept the client’s plan for correction and corrective action.
If Noordbeek Certification is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of Stage 2, Noordbeek Certification shall conduct another Stage 2 prior to recommending certification.
Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that Noordbeek Certification can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits. Each surveillance for the relevant management system standard shall include:
- internal audits and management review;
- a review of actions taken on nonconformities identified during the previous audit;
- complaints handling;
- effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
- progress of planned activities aimed at continual improvement;
- continuing operational control;
- review of any changes;
- use of marks and/or any other reference to certification.
The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable timely renewal before the certificate expiry date.
The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.
Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).
The recertification audit shall include an on-site audit that addresses the following:
- the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
- demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
- the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s).
For any major nonconformity, Noordbeek Certification shall define time limits for correction and corrective actions. These actions shall be implemented and verified prior to the expiration of certification.
When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.
Not completing the recertification audit
If the client has not completed the recertification audit, or Noordbeek Certification is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.
Following expiration of certification, Noordbeek Certification can restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision, and the expiry date shall be based on the prior certification cycle.