Audit processes
Intake and independence
Noordbeek Certification only carries out certification assignments for ISO 27001, NEN 7510, or the combination of ISO 27001 and NEN 7510.
For related assurance engagements for NEN 7512 and 7513, please refer to Noordbeek B.V.
We do not carry out internal audits at certification clients of Noordbeek Certification.
To determine the number of audit days, we follow the guidelines in the ISO 27006 and NCS 7510 standards. This number is based on the number of FTEs in your organization and the relevant aspects mentioned in these standards that can influence the audit time calculation.
Initial certification audit, Stage 1
The planning of Noordbeek Certification shall ensure that the objectives of stage 1 can be met and the client shall be informed of any ‘on site’ activities during stage 1.
The objectives of stage 1 are to:
- review the client’s management system documented information;
- evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2;
- review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
- obtain necessary information regarding the scope of the management system, including:
  - the client’s site(s);
  - processes and equipment used;
  - levels of controls established (particularly in case of multisite clients);
  - applicable statutory and regulatory requirements;
- review the allocation of resources for stage 2 and agree the details of stage 2 with the client;
- provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
- evaluate whether the internal audits and management reviews are being planned and performed, and whether the level of implementation of the management system substantiates that the client is ready for stage 2;
- determine whether the audit team has the right competences to perform the stage 2 certification audit.
Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.
In determining the interval between stage 1 and stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during stage 1. Noordbeek Certification may also need to revise its arrangements for stage 2. If any significant changes which would impact the management system occur, Noordbeek Certification shall consider the need to repeat all or part of stage 1. The client shall be informed that the results of stage 1 may lead to postponement or cancellation of stage 2.
Initial certification audit, Stage 2
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. Stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:
- information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
- performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
- the client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
- operational control of the client’s processes;
- internal auditing and management review;
- management responsibility for the client’s policies.
The audit team shall analyse all information and audit evidence gathered during stage 1 and stage 2 to review the audit findings and agree on the audit conclusions.
Criteria
The audit criteria are used as a reference to determine the conformity of the Information Security Management System (ISMS). The applicable criteria for the assignment are:
- The requirements from ISO 27001 and NEN 7510;
- The defined processes and documentation of the ISMS based on the client's Statement of Applicability (SoA).
Multi-site sampling
Where multi-site sampling is used for the audit of a client’s management system covering the same activity in various geographical locations, Noordbeek Certification shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client.
Multi-site sampling is only allowed if:
- All the sites are covering the same activities;
- All sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;
- All sites are included within the client’s internal ISMS audit programme;
- All sites are included within the client’s ISMS management review programme.
If Noordbeek Certification wishes to use a sample-based approach, a procedure shall be followed to ensure the following:
- The initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined;
- A representative number of sites have been sampled by Noordbeek Certification, taking into account:
  - The results of internal audits of the head office and the sites;
  - The results of management review;
  - Variations in the size of the sites;
  - Variations in the business purpose of the sites;
  - Complexity of the information systems at the different sites;
  - Variations in working practices;
  - Variations in activities undertaken;
  - Variations of design and operation of controls;
  - Potential interaction with critical information systems or information systems processing sensitive information;
  - Any differing legal requirements;
  - Geographical and cultural aspects;
  - Risk situation of the sites;
  - Information security incidents at the specific sites;
- A representative sample is selected from all sites within the scope of the client’s ISMS; this selection shall be based upon judgmental choice to reflect the factors presented above as well as a random element;
- Every site included in the ISMS which is subject to significant risks is audited by Noordbeek Certification prior to certification;
- The audit programme has been designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within the three year period;
- In the case of a nonconformity being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate.
The audit shall address the client’s head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above.
Definition and handling of major and minor nonconformities
A nonconformity is a non-fulfilment of a requirement. This can be:
- Major nonconformity
  This is a nonconformity that affects the capability of the management system to achieve the intended results. A nonconformity could be classified as major in the following circumstances:
  - if there is significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  - a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.
- Minor nonconformity
  This is a nonconformity that does not affect the capability of the management system to achieve the intended results.
For any major nonconformities, Noordbeek Certification has to review, accept and verify the correction and corrective actions before granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification. For any minor nonconformities, Noordbeek Certification has to review and accept the client’s plan for correction and corrective action.
If Noordbeek Certification is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of Stage 2, Noordbeek Certification shall conduct another Stage 2 prior to recommending certification.
Surveillance audit
Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that Noordbeek Certification can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits. Each surveillance for the relevant management system standard shall include:
- internal audits and management review;
- a review of actions taken on nonconformities identified during the previous audit;
- complaints handling;
- effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
- progress of planned activities aimed at continual improvement;
- continuing operational control;
- review of any changes;
- use of marks and/or any other reference to certification.
Recertification
The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable timely renewal before the certificate expiry date.
The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.
Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).
The recertification audit shall include an on-site audit that addresses the following:
- the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
- demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
- the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s).
Expiration date
For any major nonconformity, Noordbeek Certification shall define time limits for correction and corrective actions. These actions shall be implemented and verified prior to the expiration of certification.
When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.
Not completing the recertification audit
If the client has not completed the recertification audit, or Noordbeek Certification is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.
Restoring certification
Following expiration of certification, Noordbeek Certification can restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision, and the expiry date shall be based on the prior certification cycle.
Special audits
If necessary, Noordbeek Certification can carry out a special audit, which may or may not be conducted as a two-stage audit.
Expanding scope
Following an application to extend the scope of a certification already granted, Noordbeek Certification will conduct an assessment of the application and determine any audit activities necessary to decide whether or not the extension can be granted. This can be performed in combination with a surveillance audit.
Short-notice audits
It may be necessary for Noordbeek Certification to conduct short-notice or unannounced audits of certified clients to investigate complaints, in response to changes, or as a follow-up to suspended clients.
In such cases:
- Noordbeek Certification describes and announces in advance to the certified clients the conditions under which such audits will be carried out;
- Noordbeek Certification will take extra care in the assignment of the audit team, because the client has no opportunity to object to audit team members.
Suspending, withdrawing or reducing the scope of certification
If Noordbeek Certification finds a deviation that may lead to suspension, withdrawal or reduction of the scope of certification, the client will be contacted. If consultation does not lead to a solution, the Certification Committee will be informed. This committee can decide to suspend or withdraw the certification, or to reduce its scope.
Noordbeek Certification suspends certification in cases where, for example:
- The client's certified management system has persistently or seriously failed to meet the certification requirements, including requirements for the effectiveness of the management system;
- The certified client does not allow surveillance audits or recertification audits to be performed with the required frequencies;
- The certified client has voluntarily requested a suspension.
In the event of suspension, the certification of the client's management system is temporarily invalid.
Noordbeek Certification reinstates the suspended certification when the issue that led to the suspension has been resolved. Failure to resolve the issues that led to the suspension within a time set by Noordbeek Certification will lead to withdrawal or reduction of the scope of certification. (Note: In most cases, the suspension would not exceed six months.)
Noordbeek Certification will limit the scope of certification to exclude those parts that do not meet the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Such a reduction must be in accordance with the requirements of the standard used for certification.
Termination of NEN 7510 certification activities
If a client holds a NEN 7510 certificate but no longer processes health information, surveillance audits or recertification audits may no longer be carried out for NEN 7510. In this situation, the Certification Committee may decide to terminate the work of Noordbeek Certification for NEN 7510.