Noordbeek Certification only carries out assignments for ISO 27001, NEN 7510, or ISO 27001 and NEN 7510 together, in relation to certification.
For related assurance engagements for NEN 7512 and 7513, please refer to Noordbeek B.V.
We do not carry out internal audits at certification clients of Noordbeek Certification.
To determine the number of audit days, we follow the guidelines in the ISO 27006 and NCS 7510 standards. This number is based on the number of FTEs in your organization and the relevant aspects mentioned in these standards that can influence the audit time calculation.
Initial certification audit, Stage 1
The planning of Noordbeek Certification shall ensure that the objectives of stage 1 can be met and the client shall be informed of any ‘on site’ activities during stage 1.
The objectives of stage 1 are to:
Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.
In determining the interval between stage 1 and stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during stage 1. Noordbeek Certification may also need to revise its arrangements for stage 2. If any significant changes which would impact the management system occur, Noordbeek Certification shall consider the need to repeat all or part of stage 1. The client shall be informed that the results of stage 1 may lead to postponement or cancellation of stage 2.
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:
The audit team shall analyse all information and audit evidence gathered during stage 1 and stage 2 to review the audit findings and agree on the audit conclusions.
The audit criteria are used as a reference to determine the conformity of the Information Security Management System (ISMS). The applicable criteria for the assignment are:
Where multi-site sampling is used for the audit of a client’s management system covering the same activity in various geographical locations, Noordbeek Certification shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client.
Multi-site sampling is only allowed if:
If Noordbeek Certification wishes to use a sample-based approach, a procedure should be followed to ensure the following:
The audit shall address the client’s head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above.
A nonconformity is a non-fulfilment of a requirement. This can be:
For any major nonconformities, Noordbeek Certification has to review, accept and verify the correction and corrective actions before granting certification, expanding or reducing the scope of certification, or renewing, suspending, restoring or withdrawing certification. For any minor nonconformities, Noordbeek Certification has to review and accept the client’s plan for correction and corrective action.
If Noordbeek Certification is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of Stage 2, Noordbeek Certification shall conduct another Stage 2 prior to recommending certification.
Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that Noordbeek Certification can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits. Each surveillance for the relevant management system standard shall include:
The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable timely renewal before the certificate expiry date.
The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.
Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).
The recertification audit shall include an on-site audit that addresses the following:
For any major nonconformity, Noordbeek Certification shall define time limits for correction and corrective actions. These actions shall be implemented and verified prior to the expiration of certification.
When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.
Not completing the recertification audit
If the client has not completed the recertification audit or Noordbeek Certification is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.
Following expiration of certification, Noordbeek Certification can restore certification within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on the prior certification cycle.
Special audits
If necessary, Noordbeek Certification can carry out a special audit, which may or may not be conducted as an audit in two phases.
Following an application to extend the scope of a certification already granted, Noordbeek Certification will conduct an assessment of the application and determine any audit activities necessary to decide whether or not the extension can be granted. This can be performed in combination with a surveillance audit.
It may be necessary for Noordbeek Certification to conduct short-term or unannounced audits of certified clients to investigate complaints, or in response to changes, or as a follow-up to suspended clients.
In such cases:
If Noordbeek Certification finds a deviation that may lead to suspension, withdrawal or restriction, the client will be contacted. If consultation does not lead to a solution, the Certification Committee will be informed. This committee can decide to suspend, withdraw or restrict.
Noordbeek Certification suspends certification in cases where, for example:
In the event of suspension, the certification of the client's management system is temporarily invalid.
Noordbeek Certification reinstates the suspended certification when the issue that led to the suspension has been resolved. Failure to resolve the issues that led to the suspension within a time set by Noordbeek Certification will lead to withdrawal or reduction of the scope of certification. (Note: In most cases, the suspension would not exceed six months.)
Noordbeek Certification will limit the scope of certification to exclude those parts that do not meet the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Such a reduction must be in accordance with the requirements of the standard used for certification.
If a client has a NEN 7510 certificate, but no longer processes health information, surveillance audits or recertification audits may no longer be carried out for NEN 7510. In this situation, the Certification Committee may decide to terminate the work of Noordbeek Certification for NEN 7510.
Noordbeek Certification B.V.
Rijndijk 235
2394 CD Hazerswoude
Chamber of Commerce 80529585