Certification Process for Information Security Management System (ISMS)
Introduction
This document outlines the steps that customers must follow to achieve Information Security Management System (ISMS) certification. It includes essential procedures, the certification scheme, appeals process, and dispute resolution guidelines for all new applicants.
Scope
This process applies to customers seeking certification and to Ignyte Assurance LLC (Ignyte) support staff in North America. It adheres to Ignyte’s 17021-1 Quality Manual, the ISO 17021-1 standard, and applicable International Accreditation Service (IAS) mandatory requirements for Management Systems.
Application for Certification
Customers must have a documented and implemented ISMS conforming to ISO/IEC 27001 and other necessary certification documents.
Ignyte maintains documented procedures for conducting comprehensive initial certification audits to verify ISMS implementation and compliance with ISO/IEC 27001 standards. This includes document reviews, interviews, and on-site or virtual evaluations.
Ignyte also performs periodic surveillance and recertification audits to ensure ongoing conformity. Surveillance audits are typically conducted annually, while recertification audits occur every three years. These audits verify that corrective actions for any non-conformities are timely and effective.
Ignyte provides certification services exclusively to legally established organizations. Applicants must be registered entities in accordance with the laws of their respective countries. However, Ignyte may consider exceptions on a case-by-case basis, taking into account the legal provisions of the country where the organization operates.
Upon requesting services, customers receive Ignyte’s ISMS Certification Application Package. This package contains essential details and explanations regarding the ISMS and the scope of accreditation. At a minimum, the application package includes:
Customer Information Form (CIF)
Technical Scoping Questionnaire
Non-Disclosure Agreement
Before applying for certification, organizations must meet specific prerequisites:
Implementation: Implement the management system for a minimum of three months to demonstrate adherence to the documented system.
Management Review: Conduct at least one management review of the documented management system in line with relevant standards.
During the application phase, the completed CIF must be signed by the authorized representatives of the applicant organization and submitted to Ignyte along with the necessary documentation. Ignyte reserves the right to request additional information about relevant personnel before accepting the application for further processing.
The collected information from the application is crucial for preparing remote, on-site, or hybrid assessments. This data helps in evaluating the nature of the organization's business and its supporting activities, ensuring a thorough understanding of the applicant’s operations.
Application Review
Ignyte reviews applications and documents to ensure all necessary information about the applicant's ISMS, scope, and processes is available for an effective audit.
The review ensures clear documentation and communication of certification requirements to the applicant organization and addresses any misunderstandings or discrepancies about certification requirements between Ignyte and the applicant.
Ignyte assesses its capability to perform certification activities tailored to the scope of certification requested. This includes:
Scope of Certification: Ensuring competence in the specific areas covered by the certification.
Operational Locations: Accommodating the various locations where the applicant organization operates.
Audit Duration: Estimating and allocating the appropriate amount of time required to complete the audits.
Additional Considerations: Addressing factors such as language requirements, safety conditions, and any potential threats to impartiality.
Ignyte maintains detailed records of application reviews for auditing and reference purposes.
Application Decision
Upon completion of the application review, Ignyte will decide whether to accept or decline the application for certification. This decision will be communicated formally to the applicant, providing reasons for acceptance or rejection. If the application is declined, Ignyte will maintain documentation of the decision and the reasons for record-keeping purposes.
Formal Proposal & Certification Agreement
Based on the application, the Business Development team prepares a proposal and Certification Agreement outlining audit activities, scope, locations, and timeframes. This includes a detailed description of the ISMS scope, boundaries and interfaces, identifying all sites taking part in the certification audit, estimating the time required to complete the audit activities, and noting any special conditions such as language requirements, safety concerns, or threats to impartiality. Upon acceptance, a legally enforceable agreement is provided to the customer covering all sites within the certification scope.
Certification Audit Activities
The certification audit is a two-stage process. The Stage 1 Audit involves reviewing the customer’s ISMS documentation to ensure it meets ISO/IEC 27001 requirements, evaluating the physical site(s) and conditions to prepare for the Stage 2 audit, assessing the organization’s readiness for the Stage 2 audit, and identifying potential areas of concern that could result in non-conformities. This stage also includes understanding key performance indicators, significant aspects, and compliance with regulatory requirements, as well as verifying that the customer has conducted internal audits and management reviews according to ISO/IEC 27001 standards.
Initial Step
An opening meeting is conducted to kick off the audit stages and re-communicate the objectives to the Customer personnel. Ignyte will send an email requesting the Customer's availability to schedule this meeting appropriately. During the meeting, the Ignyte team will discuss the audit schedule and provide portal access for the Customer to upload relevant management system documents for review. The adequacy of the management system documentation is assessed, and any deficiencies are communicated to the Customer through the Ignyte Portal.
Stage 1 Audit
The first stage of the initial certification audit involves reviewing the Management System framework—ISMS (ISO 27001) and relevant documents to ensure consistency with management system requirements. This review aims to:
Audit Documentation: Evaluate the Customer’s management system documentation.
Site Evaluation: Assess the Customer’s location and site-specific conditions.
Preparedness Discussions: Engage with the Customer’s personnel to determine readiness for the Stage 2 audit.
Status Assessment: Understand the Customer’s status and understanding of the standard requirements, focusing on key performance aspects, processes, objectives, and system operation.
Information Collection: Gather necessary information about the scope of the management system, processes, locations, and compliance with statutory and regulatory aspects (e.g., quality, environmental, legal aspects, associated risks).
Resource Allocation: Assess and agree on resource allocation for the Stage 2 audit.
Audit Planning: Plan the Stage 2 audit by understanding the Customer’s management system and site operations.
Internal Audits: Evaluate if internal audits and management reviews are planned and performed to validate the Customer’s readiness for the Stage 2 audit.
It is recommended that at least part of the Stage 1 audit be carried out at the Customer’s location to achieve these objectives. A closing meeting is conducted at the end of the Stage 1 review, where findings are documented and communicated, including any areas of concern that could be classified as nonconformities during the Stage 2 audit. Based on the Customer’s readiness, Ignyte and the Customer will determine the interval between Stage 1 and Stage 2 audits, including any necessary delays or cancellations.
Stage 2 Audit
The second stage of the initial certification audit consists of either on-site or remote fieldwork. This stage includes in-depth testing of the framework and procedures to determine the design and operating effectiveness of control objectives and activities related to the ISMS. The ISMS is assessed against its specific requirements to ensure full conformance to the standard and its effectiveness as an operating management system.
At the conclusion of the Stage 2 audit, the audit team meets with the Customer for a closing meeting. During this meeting, the audit team provides an indication of the conformity of the Customer’s management system. The Customer has the opportunity to ask questions about the findings and audit results.
After the Stage 2 audit, the audit team analyzes the information and evidence gathered during both stages, reviews the findings, and agrees on the audit conclusions. These conclusions form the basis for the recommendation to the certification decision-making team to either issue or deny the certification. The information provided to the certification decision-making team includes:
The audit report
Confirmation of the information provided during the application review
Any changes to the audit plan with justification
Comments on nonconformities and, where applicable, corrections and corrective actions taken by the Customer
A recommendation on whether to grant certification, along with any conditions or observations
Ignyte will base its certification recommendation on a thorough assessment of the audit findings, conclusions, and any pertinent information, such as public data or feedback from the Customer on the audit report. The final certification decision will be communicated to the Customer no later than four weeks after completing Stage 2.
Should Ignyte be unable to confirm the implementation of corrections and corrective actions for any significant nonconformity within six months from the last day of Stage 2, an additional Stage 2 audit will be scheduled before making a certification recommendation.
Sampling Guidelines
If a customer has multi-site locations, Ignyte’s audit team will determine the sample size requirements based on the function of the location, and if needed, apply standard sampling methodology using IAF MD-1, as it applies to ISO 17021-1.
Surveillance and Maintenance
After a Customer receives initial certification, it is valid for three years and includes ongoing surveillance activities. At a minimum, a surveillance audit must be conducted annually, with the first audit occurring no later than 12 months from the certification decision date of Stage 2.
Additional surveillance audits may be scheduled based on the complexity of the Customer's services, any changes to the scope of the management system, incidents, or modifications to facilities or infrastructure (such as hardware, software, or personnel) that support the management system.
Surveillance audits ensure that the certified management system remains effectively designed and operational. These activities include on-site audits to verify the management system's adherence to ISO 27001 requirements. Other surveillance activities may involve:
Inquiries: Ignyte may inquire about specific aspects of the certification.
Review of Statements: Evaluating any Customer statements about its operations, such as promotional materials or website content.
Document Requests: Asking for documents and records in either paper or electronic format.
Performance Monitoring: Other methods to monitor the certified Customer's performance.
Although not always full system audits, surveillance audits are on-site and planned in conjunction with other surveillance activities to ensure continuous fulfillment of requirements between certification and recertification audits. These audits also include:
Internal Audits and Management Review: Reviewing internal audits and management evaluations.
Nonconformity Actions: Assessing actions taken to address nonconformities identified in previous audits.
Complaint Handling: Reviewing the treatment of complaints.
Effectiveness Evaluation: Evaluating the management system's effectiveness in achieving the Customer's objectives.
Continual Improvement: Monitoring progress in planned improvement activities.
Operational Control: Ensuring ongoing control of operations.
Change Review: Assessing any changes to the system.
Certification Marks: Reviewing the use of marks and references to certification.
A report of the surveillance audit results is provided to both the Customer and the certification decision-maker. If a nonconformity or situation arises that could lead to suspension or withdrawal of the certification, the team lead will report this for review by a different audit team to determine if certification can be maintained. Ignyte ensures certification is maintained based on the Customer's continuous compliance with ISO 27001 requirements.
Recertifications
Ignyte plans and conducts recertification audits to assess the ongoing compliance of a Customer's management system with all ISO 27001 requirements. These audits verify the continued conformity and effectiveness of the management system, as well as its relevance and applicability within the scope of certification.
The recertification audit evaluates the performance of the management system throughout the certification period and includes a review of previous surveillance audit reports.
In cases where significant changes have occurred to the management system, the Customer, or the operational context (such as changes in legislation), a Stage 1 audit may be necessary. For organizations with multiple sites, audit planning ensures adequate on-site coverage to maintain confidence in the certification.
The recertification process includes an on-site audit that addresses several key aspects:
Effectiveness: Assessing the overall effectiveness of the management system in light of internal and external changes, and its continued relevance to the scope of certification.
Commitment to Improvement: Evaluating the commitment demonstrated to maintaining and improving the management system to enhance overall performance.
Achievement of Objectives: Determining whether the certified management system contributes to achieving the organization’s policy and objectives.
If nonconformities or a lack of evidence of conformity are identified during the recertification audit, Ignyte sets time limits for correction and corrective actions to be completed before the certification expires.
Ignyte makes recertification decisions based on the recertification audit results, a review of the management system’s performance over the certification period, and any complaints received from users of the certification.
When recertification activities are completed successfully before the current certificate expires, the new certificate's expiry date is based on the existing certificate's expiry date. The issue date on the new certificate is on or after the recertification decision date.
If Ignyte has not completed the recertification audit or cannot verify the implementation of corrections and corrective actions for any nonconformity before the current certificate expires, recertification will not be recommended, and the certificate’s validity will not be extended. Ignyte must inform the Customer of this decision and the implications of the certificate's expiration.
If a certificate expires following a recertification audit, Ignyte can restore it within six months provided the outstanding recertification activities are completed. Otherwise, at least a Stage 2 audit must be conducted to achieve restoration. The effective date on the restored certificate will be on or after the recertification decision date, and the expiry date will align with the previous certification cycle.
Scope Expansion Audits
Customers may occasionally request changes to the scope of a certified management system. In such cases, Ignyte will review the application and determine the necessary audit activities to perform a scope modification audit. This audit can be scheduled alongside a regular surveillance audit if appropriate.
Similarly, a Customer might request an audit on short notice, perhaps due to complaints or significant changes. In these instances, Ignyte will inform the certified Customer in advance about the conditions under which these short-notice audits will be conducted. Special attention will be given to assigning the audit team, as the limited timeframe reduces the opportunity for the Customer to object to specific team members.
Unannounced/Short-Notice Audits
There are instances when Ignyte must conduct short-notice or unannounced audits of certified Customers. These audits may be necessary to investigate complaints, respond to changes, or follow up on suspended Customers. When Ignyte decides to perform such an audit, it will inform the certified Customer in advance about the conditions under which the audit will be conducted.
All necessary planning documents will be prepared for an unannounced or short-notice audit, and the audit will follow Ignyte’s established methodology.
These unannounced or short-notice audits are not replacements for the regular audit schedule but are considered out-of-schedule audits for specific purposes. They are treated as additional projects for the Customer and will be performed and tracked accordingly within Ignyte’s internal systems.
Criteria for Certification
The Customer is issued a Certificate of Registration, which provides clear and detailed information about the organization’s certification. This document includes the scope of the certification, the audit criteria (such as the standard or other normative documents), and the certification's validity period (refer to the Certificate Generation Process).
Ignyte conducts accredited ISO 27001:2013 audits for its Customers in accordance with the International Accreditation Forum, Inc.'s Mandatory Document (IAF MD) 26, as well as relevant accreditation body policies for transitioning to ISO 27001:2022.
For each Customer with a valid ISMS certification, Ignyte provides official certification documents, such as a letter or certificate signed by an authorized officer. These documents specify the scope of the granted certification and the standard (e.g., ISO/IEC 27001) to which the ISMS is certified. Additionally, the certificate references the specific version of the Statement of Applicability.
Ignyte adopts and documents certification criteria for each organization based on the relevant management system standards (e.g., ISO 27001) and any other documents required for certification relevant to the function performed.
Communication of Criteria Changes
Any changes to the certification criteria will be communicated to the Customer via registered mail, email, or other means. A reasonable timeframe will be provided for implementing the modified criteria. Ignyte will adopt any transition policies announced by the accreditation body and inform certification Customers accordingly. The Customer must communicate any objections or acceptance in writing within 30 days of receiving the amended criteria. If no communication is received within this period, it will be assumed that the Customer agrees to adopt the new criteria.
The implementation of the updated criteria will be verified during each Customer's assessment. For major changes in the criteria, Ignyte reserves the right to conduct an additional assessment.
If a Customer chooses not to adopt the updated criteria, they may opt out of the certification, and the certificate will be withdrawn as of the implementation date of the revised criteria.
All ISMS Customers will be informed in advance about the ISO/IEC 27001:2022 Transition Plan and related timelines for upgrading existing 2013 version certifications. Failure to meet the deadlines specified in the transition plan will result in the withdrawal of the 2013 version certificate after October 31, 2025.
Ignyte has legally enforceable arrangements to ensure that certified Customers notify Ignyte without delay of any matters that may affect the management system's capability to meet the certification standards. These matters include, but are not limited to:
Legal Entity Status: Changes in legal entity status or ownership.
Organization and Management: Changes in key managerial, decision-making, or technical staff.
Contact Address and Sites: Changes in contact address and sites.
Scope of Operations: Changes in the scope of operations under the certified management system.
Management System Changes: Major changes to the management system and processes.
Certification Decision
Ignyte ensures that the individuals or committees responsible for making certification or recertification decisions are different from those who conducted the audits. Before making a certification decision, Ignyte confirms:
The audit team's information is sufficient for certification requirements and scope.
Management reviews and internal ISMS audits are effective and maintained.
Nonconformities have been effectively corrected and verified by the audit team.
There are no unfulfilled management system requirements or doubts about the system's ability to achieve its intended outcomes.
Planned corrections and corrective actions for any other non-conformities have been reviewed and accepted.
The criteria for auditing a Customer’s ISMS are based on the relevant ISMS standard and explained by an impartial committee with the necessary technical expertise. This explanation is published by Ignyte.
Ignyte’s documentation includes policies and procedures for the certification process, ensuring proper use and application of documents and auditing and certifying the Customer organization’s ISMS.
After completing the audit adequacy review, the Team Leader makes the certification decision and submits the report, auditor notes, and necessary documents to the technical reviewer. Once the technical review is completed, the report is sent to the Quality Assurance (QA) team.
The QA team reviews the report for accuracy, grammar, spelling, and compliance with Ignyte standards. If non-conformities are found, the report is returned to the audit team for remediation. The QA team coordinates with the team leader to address issues and submits the revised report to the Certification Decision Authority, maintaining a record of all non-conformity issues.
If compliant, the certificate is created, and the report, certification decision letter, and certificate are submitted to the Certification Decision Authority for final review and approval. The Certification Decision Authority uses the Audit Report Adequacy Checklist to make the final certification decision.
After approval, the Audit Report, Certification Decision Letter, Certificate, and Customer Feedback Form are released to the Customer.
Decisions for granting, refusing, maintaining, expanding or reducing the scope, renewing, suspending, restoring, or withdrawing certifications are not outsourced.
Certificate of Registration
The certificate will feature the Ignyte logo, the Accreditation body logo (if applicable), the Customer's name, the address of the organization's premises, the certificate number, the scope of certification, the approval date of the certification, the issue date, and the expiry date.
Certificates are valid for at least one year, with the issue and expiry dates clearly indicated. The original certification date will be maintained on the Customer’s certificate, even if it lapses for a period, provided that:
The new certification cycle is initiated, and the new expiry date is indicated.
The last certification cycle expiry date and the date of the recertification audit are included.
Granting of Certification
Certification is granted to the Customer after completing the assessment procedure and meeting the following conditions:
The Customer meets the certification criteria, and all non-conformities identified during the assessment have been resolved to Ignyte's satisfaction.
There are no adverse reports, information, or complaints regarding the Customer’s implementation of the certification system.
The Customer’s clients are satisfied with the products or services offered, and Ignyte may seek feedback from selected clients and stakeholders.
Initial certification is valid for 1 to 3 years. Ignyte issues accredited ISO 27001:2013 certificates in accordance with IAF MD 26 and relevant accreditation body policies for transitioning to ISO 27001:2022. All ISO 27001:2013 certificates will expire on October 31, 2025.
If any adverse issues arise, the Customer will have the opportunity to explain their position in writing to Ignyte. The final decision on granting or continuing certification will be based on the facts and results of this explanation, made by the Chief Risk Officer (CRO) and the QA Department Head.
Ignyte will issue accredited ISO 27001:2022 certificates to Customers only after receiving the necessary accreditation approvals from the relevant accreditation body.
Maintaining Certification
Ignyte maintains certification by ensuring that Customers continue to meet the management system standard requirements. Certification may be upheld based on a positive conclusion from the audit team leader without further independent review, provided that:
Any nonconformity or situation that may lead to suspension or withdrawal of certification is reported by the audit team leader to Ignyte. A review is then initiated by competent personnel different from those who conducted the audit to determine whether certification can be maintained.
Ignyte's competent personnel monitor surveillance activities and auditor reports to confirm the effective operation of certification activities.
Certification for an organization will be maintained for three years if the following conditions are met:
The Customer continues to meet certification criteria, and all nonconformities identified during surveillance assessments are resolved to Ignyte's satisfaction.
There are no adverse reports, information, or complaints about the organization’s system implementation.
The organization’s customers are satisfied with the products or services provided.
If any adverse issues arise, the Customer will be given an opportunity to explain their position in writing to Ignyte. The final decision regarding the maintenance of certification will be based on facts and the results of this explanation, made by the Head of the ISO Group.
The Ignyte team manager ensures audits are completed within designated timeframes and escalates issues to the ISO Partner and COO if a customer’s certification expires. Any other factors affecting certification will also be reported to the ISO Partner and COO.
All ISMS Customers have been informed about the ISO/IEC 27001:2022 Transition Plan and timelines for upgrading existing 2013 version certifications. Failure to meet the deadlines will result in the withdrawal of the 2013 version certificate after October 31, 2025.
Suspension and Restoration
Ignyte will suspend an organization's certification if the Customer’s management system consistently or seriously fails to meet certification requirements, if the Customer does not allow required surveillance or recertification audits, or if the Customer voluntarily requests suspension.
During suspension, the Customer's certification is temporarily invalid. Ignyte ensures Customers refrain from promoting their certification during this period. The suspended status of the certificate will be made publicly accessible, and appropriate measures will be taken.
If the issues leading to suspension are not resolved within the established timeframe, the certification will be withdrawn or its scope reduced. Suspension shall not exceed six months.
Ignyte will reduce the certification scope if the Customer consistently fails to meet certification requirements for certain parts of the scope. This reduction will comply with the certification standard requirements.
Ignyte has agreements with Customers ensuring that, upon certificate withdrawal, the Customer ceases all use of advertising materials referencing their certified status. Ignyte will accurately state the certification status (suspended, withdrawn, or reduced) upon request.
Certification suspension may occur under the following conditions:
The organization requests suspension.
Misuse of the Ignyte logo or certificate.
Incorrect references to certification status.
Failure to meet agreed standards consistently.
Non-compliance with financial requirements.
Actions bringing disrepute to Ignyte.
Wilful misdeclaration in the application form.
Non-compliance with the terms of the certification agreement.
Serious complaints from interested parties.
Other conditions deemed appropriate by Ignyte.
In such cases, Ignyte will formally notify the organization, citing the intention to suspend the certificate and requesting remedial actions within 30 days. The Customer will have the opportunity to explain their position in writing. The final decision on suspension will be based on the facts and the presentation results, made by the CRO and QA Department Head.
If no improvement occurs, a registered letter will be sent to the organization, detailing the suspension conditions and consequences, including refraining from promoting certification. The certified status will be made publicly accessible via the Ignyte website, and other publication modes may be considered if necessary.
The organization must take prompt corrective actions and inform Ignyte within the stipulated time. An audit or visit may be scheduled to verify compliance. Persistent delays in corrective actions may lead to the withdrawal of certificates and logos, as decided by the CRO.
The suspension may be lifted once the indicated conditions are fulfilled within the stipulated time. Otherwise, the certification will be withdrawn or canceled. Suspension periods are limited to six months, extendable by three months only under specific justified circumstances approved by the CRO.
Withdrawal of Certification
The organization’s certification will be withdrawn, and agreements will be canceled under the following circumstances:
When the conditions listed in the “Suspension and Restoration” section exist, and the organization fails to take corrective actions as informed to Ignyte.
If the certification criteria change and the organization either cannot or will not ensure conformance to the new requirements within the stipulated time.
All ISMS Customers have been informed about the ISO/IEC 27001:2022 Transition Plan and related timelines for upgrading existing 2013 version certifications. Failure to meet these deadlines will result in the withdrawal of the 2013 version certificate after October 31, 2025.
In such cases, formal communication will be sent to the organization and/or relevant regulatory or standard governing body, specifying the intention to withdraw certification and requesting a response within 30 days. The Customer will have the opportunity to explain its position in writing to Ignyte and/or the governing body. The final decision on the withdrawal of the certificate will be based on the facts and the presentation results, made by the CRO, QA Department Head, and/or the governing body.
This process involves notifying the organization by registered letter (or equivalent) and any other necessary publications. The withdrawal information will be made publicly accessible through the Ignyte website. Organizations may dispute or appeal against Ignyte’s decision, which will be addressed according to the specified procedure.
Once the certificate of registration is withdrawn, and if the organization wishes to be recertified, Ignyte will conduct a re-assessment. Upon finalizing the withdrawal, the following actions are taken:
The organization is informed in writing (letter, email, fax, etc.) to return the certificates and logos issued or confirm they are made obsolete/withdrawn to prevent misuse.
The organization’s status will be updated in the “List of Certified Companies” published on the Ignyte website as decided by the CRO.
If an organization makes a false claim regarding certification by Ignyte, appropriate actions, including corrective measures, publication of the transgression, and legal actions, if necessary, will be taken.
The CRO is responsible for all decisions on suspension, extension of suspensions, and withdrawals. Upon request, Ignyte will accurately state the status of a Customer's certification as being suspended, withdrawn, or reduced.
Cancellation of Certification
The organization’s certification will be canceled at the Customer's request, resulting in the termination of agreements. This process involves notifying the organization by registered letter (or equivalent) and any other necessary publications. The cancellation information will be made publicly accessible through the Ignyte website.
If the organization wishes to be recertified after the Certificate of Registration is canceled, Ignyte will conduct a re-assessment.
Upon finalizing the cancellation, the following actions are taken:
The organization and/or relevant regulatory or standard governing body will be notified in writing (letter, email, fax, etc.) to return the certificates and logos issued or confirm that they have been made obsolete/withdrawn to prevent misuse.
The organization’s status will be updated or amended in the “List of Certified Companies” published on the Ignyte website as decided by the CRO.
Transfer of Certification
Transfer of certification is the recognition of an existing, valid management system certification, issued by one accredited certification body (the issuing certification body), by another accredited certification body (the accepting certification body) for the purpose of issuing its own certification. Concurrent certifications by more than one certification body are not encouraged by the IAF.
Only certifications covered by an IAF or Regional MLA signatory accreditation at level 3, and where applicable, levels 4 and 5, are eligible for transfer. Certifications not covered by such accreditations are treated as new Customers. Valid accredited certifications can be transferred, but suspended certificates cannot.
If a certification body’s accreditation has expired or has been suspended or withdrawn, the transfer must be completed within six months or by the certification’s expiration, whichever is sooner. The accepting certification body must inform the accreditation body before the transfer.
The accepting certification body must obtain sufficient information to make a certification decision and inform the transferring Customer of the process, including arrangements for the certification cycle. The certification review includes a documentation review and, if needed, a pre-transfer visit to confirm the validity of the certification.
Key points of the review include:
Confirming the Customer’s certification falls within the accredited scope of both certification bodies.
Ensuring the issuing certification body’s accredited scope is within its accreditation body’s MLA scope.
Understanding the reasons for seeking a transfer.
Verifying that the sites hold a valid accredited certificate and reviewing previous audit reports and nonconformities.
Reviewing complaints received and actions taken.
Establishing an audit plan and program.
Confirming engagement with regulatory bodies relevant to the certification scope.
According to ISO/IEC 17021-1:2015 clause 9.5.2, the accepting certification body shall not issue certification until:
All outstanding major nonconformities have been corrected.
Plans for correction and corrective action for all minor nonconformities are accepted.
If issues prevent the transfer, the Customer is treated as a new Customer, and the justification is documented. The normal certification decision-making process must be followed, ensuring that personnel making the decision are different from those conducting the pre-transfer review.
If no problems are identified during the pre-transfer review, the certification cycle is based on the previous cycle. The accepting certification body establishes the audit program for the remainder of the cycle. The organization’s initial certification date can be quoted on the documents, indicating previous certification by a different body.
Cooperation between the issuing and accepting certification bodies is essential. The issuing body must provide all necessary documents and information. If the issuing body does not cooperate, the accepting body must document the reasons and seek information from other sources.
The transferring Customer must authorize the issuing certification body to provide the required information. The issuing certification body should not suspend or withdraw the certification if the Customer continues to meet certification requirements.
The accepting certification body or transferring Customer may contact the accreditation body if the issuing certification body fails to provide information or unjustly suspends or withdraws the certification. The accreditation body should have a process to address this situation.
Once the accepting certification body issues the certification, it will inform the issuing body.
Complaints
A description of the complaints-handling process is made publicly accessible. Submission, investigation, and decision on complaints will not result in discriminatory actions against the complainant.
Upon receiving a complaint, Ignyte will confirm whether it pertains to certification activities for which it is responsible and, if so, will address it. If the complaint involves a certified Customer, the examination will consider the effectiveness of the certified management system.
Complaints about a certified Customer will be referred to the Customer at an appropriate time.
Ignyte has a documented process for receiving, evaluating, and making decisions on complaints, ensuring confidentiality for both the complainant and the subject of the complaint.
The complaints-handling process includes:
An outline of the steps for receiving, validating, investigating, and deciding on the complaint.
Tracking and recording complaints and the actions taken in response.
Ensuring appropriate corrections and corrective actions are implemented.
Responsibility for gathering and verifying all necessary information to validate the complaint lies with Ignyte Assurance.
Whenever possible, Ignyte will acknowledge receipt of the complaint and provide progress updates and the outcome to the complainant.
Decisions communicated to the complainant will be made by or reviewed and approved by individuals not previously involved in the complaint.
Ignyte will formally notify the complainant of the conclusion of the complaints handling process whenever possible.
Ignyte, together with the Customer and the complainant, will decide whether and to what extent the subject of the complaint and its resolution will be made public.
Transfer Evaluation Process
Step 1 – Customer Relation Personnel:
Obtain a filled Customer Information Form.
Obtain a copy of the Customer’s existing valid certificate.
Obtain the reason for seeking transfer and details of any current engagements with regulatory bodies regarding legal compliance relevant to the certification scope.
Obtain copies of previous assessment reports from the last audit cycle and any closed non-conformities.
Obtain necessary management system documents.
Obtain any legal documentation reflecting changes in entity name, address, ownership, etc.
Step 2 – Transfer Review:
The assigned assessor will perform the transfer review.
The assessor will receive and review all documents identified in Step 1.
Review any other relevant documentation, such as audit notes and checklists.
Verify the validity of the certification through:
Verification of the Customer’s valid certificate.
Reviewing the last audit report issued by the certification body.
Reviewing legal documentation.
Examining formal communications for the closure of non-conformities sent by the certified organization to the certifying body.
Ensure outstanding non-conformities are closed with the issuing certification body before transfer, if practical. Otherwise, evaluate and close them during the transfer audit.
The reviewer will complete the Certificate Transfer Evaluation recommendation, compile supporting documents, and forward them to the CRO and QA Department Head for decision review.
Step 3 – Decision Making Review:
The CRO and QA Department Head will review the documents submitted by the assessor.
If the transfer is approved, the certificate will be updated to reflect legal entity changes and reissued to the Customer.
The issue and expiration dates will remain unchanged.
If the transfer is not approved, the Customer will be notified that a new assessment must be performed.
Step 4 – Maintenance of Customer Information:
Upon receiving the complete package, Operations will update the Customer information, including:
Date for the next activity.
Certification date.
Customer name.
Complaints, Appeals, and Disputes
Ignyte provides efficient and satisfactory services as outlined in the Request Form. However, if any party feels that Ignyte's decision or conduct is unjust and prejudicial, they may appeal in writing to seek redress.
Appeals, complaints, and disputes are promptly addressed by Ignyte and kept confidential. Information obtained from sources other than the Customer is also kept confidential. This procedure applies to all certification decisions, including maintenance.
Personnel involved in investigating appeals, complaints, or disputes will not have been directly involved in the activities of the organization or any party involved in the issue during the certification cycle.
The submission, investigation, and decision on appeals and complaints will not result in discriminatory actions against the appellant or complainant.
If the Management Representative or the CRO cannot resolve appeals or complaints, they will be referred to the COO. If further resolution is needed, the matter will be escalated to the Committee for Safeguarding Impartiality.
A summary of appeals and complaints received, and actions taken, is forwarded to the Management Representative for presentation at the Management Review meeting. Actions decided upon in the Management Review meeting are implemented to ensure further effectiveness.
Complaints Handling Process
Any complaint received by Ignyte Assurance, whether related to Ignyte functions or the Customer, is taken seriously and thoroughly investigated. The CRO records these complaints, informs the complainant of the receipt, and advises on the required investigation within one month. The CRO initiates actions to resolve the issue and restore conformity to the Management System, aiming to close the complaint within three months unless specific reasons cause a delay. The results and actions taken are communicated to the concerned parties. The CRO is responsible for gathering and verifying all necessary information related to the complaints.
For complaints against Customers, the CRO may decide to:
Plan a visit or audit to ascertain the actions taken and ensure the effectiveness of the certified management system.
Complaints referred to management are examined fairly and reviewed by the CRO and any other necessary personnel, either separately or jointly. If a complaint is found irrelevant, the complainant may be asked to withdraw it. Complaints should be addressed within three months of receipt.
The resolution of complaints follows this process:
The team leader attempts to resolve the issue at the audit site. If unresolved, the CRO analyzes the matter and initiates corrective or preventive action. If the CRO cannot resolve the complaint, it is referred to the COO with all relevant information (including documentary evidence). If still unresolved, the matter is escalated to the Committee for Safeguarding Impartiality.
The CRO tracks and maintains records of all complaints and remedial actions related to the certification system and keeps the complainant informed about the progress and outcome.
The CRO identifies problems requiring actions to prevent recurrence and implements corrective actions (and preventive actions if needed), considering the nature and risk involved. These measures include:
Notification to appropriate authorities as required by regulation.
Restoring conformity to the certification system process.
Preventing recurrence.
Evaluating and mitigating any adverse incidents (including hazards, safety, and security) and their associated risks and impacts.
Ensuring satisfactory interaction with other components of the Management System.
Assessing the effectiveness of remedial/corrective actions taken.
For complaints relevant to the public interest, both the Customer and the complainant will be consulted. Information about the complaint and its resolution will be made available for public viewing if necessary. A formal notice of the conclusion of the complaint handling process will be provided to the complainant.
Appeals Handling Process
An "appeal" refers to any written request for review against a decision made by Ignyte, considering the explanation provided by the Customer. This can occur during an audit at the Customer's premises or during any work by Ignyte. Ignyte has a documented process to receive, evaluate, and make decisions on appeals.
A description of the appeals-handling process is publicly accessible on the Ignyte website.
Ignyte is responsible for all decisions at every level of the appeals-handling process, ensuring that individuals involved in handling appeals are different from those who conducted the audits and made the certification decisions. The submission, investigation, and decision on appeals will not result in discriminatory actions against the appellant.
The appeals-handling process includes the following elements and methods:
An outline of the process for receiving, validating, and investigating the appeal and deciding on actions, considering the results of previous similar appeals.
Tracking and recording appeals, including actions undertaken to resolve them.
Ensuring appropriate corrections and corrective actions are taken.
Ignyte will acknowledge receipt of the appeal and provide the appellant with progress reports and the outcome. Decisions communicated to the appellant will be made by, or reviewed and approved by, individuals not previously involved in the subject of the appeal. Ignyte will formally notify the appellant when the appeals-handling process concludes.
Appeals can arise from:
Refusal of an audit by Ignyte.
Non-acceptance of the scope of certification.
Decisions related to misuse, suspension, withdrawal, cancellation, extending, or reducing the certification.
Failure to recommend certification by Ignyte.
Notifications by any third party/interested party against the grant of certification by Ignyte.
When an appeal is received, it is recorded and acknowledged by the CRO. The appeal should include all available documentary evidence. The CRO is responsible for gathering and verifying all necessary information related to the appeal.
Any appeals referred to management are examined fairly and reviewed by the CRO and other necessary personnel. If an appeal is found irrelevant, the appellant may be asked to withdraw it. The CRO will initiate actions to resolve appeals within three months.
The resolution of appeals follows this process:
The team leader attempts to resolve the issue at the audit site. If unresolved, the CRO takes up the matter. If the CRO cannot resolve the appeal, it is referred to the COO with all relevant information. If still unresolved, the Committee for Safeguarding Impartiality addresses the matter.
The CRO tracks and maintains records of all appeals and remedial actions related to the certification system, keeping the appellant updated on progress and outcomes.
The CRO identifies problems requiring actions to prevent recurrence, implementing corrective actions (and preventive actions if needed) based on the nature and risk involved. Measures include:
Restoring conformity to the certification system process.
Assessing the effectiveness of remedial/corrective actions taken.
A formal notice of the conclusion of the appeal handling process will be provided to the appellant.
Disputes Resolution
Disputes are disagreements related to certification process decisions made during the audit, including the adequacy of documents. The team leader has the authority to address and resolve these disputes to ensure the audit is completed effectively.
If the team leader cannot resolve the dispute, it can be escalated to the CRO as an appeal. The CRO will handle the matter using the established appeal process.
The procedure for resolving disputes is as follows:
The team leader first attempts to resolve the issue on-site during the audit.
If the dispute remains unresolved, the CRO reviews the matter and initiates corrective or preventive actions as necessary.
Should the CRO be unable to resolve the dispute, the issue is escalated to the COO, who reviews all relevant information and documentary evidence.
If the dispute still cannot be resolved, it is referred to the Committee for Safeguarding Impartiality for a final decision.
Addressing All Appeals, Complaints, and Disputes at the Risk Management Level
A summary of appeals, complaints, and disputes is reviewed as part of the routine agenda in all Risk Management (RM) meetings to assess the adequacy of actions taken and suggest improvements.
During the resolution of any appeals, complaints, or disputes, this aspect will be reviewed, especially if a decision is made to refer the matter to the RM. If necessary, a special session will be convened.
When addressing an appeal, complaint, or dispute, at least two RM (Appeals Committee) members, two members from Ignyte, and a Customer representative, if applicable, must be present. None of these members should have any interest in the party making the appeal, complaint, or dispute. If an appellant submits a written objection to Ignyte against a specific member, this member will withdraw in favor of a substitute if the objections are found to be valid.
The decision of the RM Committee shall be final and binding on both parties. This decision will be communicated to the concerned parties and implemented accordingly.
Disclaimer
While this document aims to guide prospective and existing Customers of Ignyte, and every effort is made to ensure its content is accurate and up to date, it should not be considered comprehensive or definitive in its contents and applicability. Given that assessment audits, certification, and surveillance activities require auditors' judgment based on the specific facts and circumstances of each case, this document does not bind Ignyte regarding the scope, interpretation, or applicability of its certification activities.
