ISO Certification Services

Demonstrate your commitment to managing and securing data and privacy, AI, cloud services, and personally identifiable information with ISO certifications.


Standards Covered

We provide independent audit services for the following standards:

ISO/IEC 42001:2023 – Artificial Intelligence (AI)

The ISO/IEC 42001:2023 standard provides guidance for organizations to develop trustworthy AI management systems. The standard helps businesses balance innovation, impact and risk while addressing system lifecycle management, ethics, transparency, and continuous learning.

ISO/IEC 27001:2022 – Information Security

The ISO/IEC 27001 certification provides organizations with a framework to manage and protect their information assets by developing policies, procedures, and controls to protect information from unauthorized access, alteration, theft, or destruction.

ISO/IEC 27701:2019 – Privacy

ISO/IEC 27701, a data privacy extension to ISO/IEC 27001, provides a comprehensive framework to design, implement, monitor, and improve privacy management systems. The certification is designed to help organizations reduce the risk of data breaches, comply with data privacy regulations, and protect consumer privacy.

ISO/IEC 27017:2015 – Cloud Services

ISO/IEC 27017:2015 provides guidelines, controls, and best practices to identify and mitigate cloud security vulnerabilities. ISO/IEC 27017:2015 is an important standard for organizations that want to ensure their cloud services are secure and compliant with global standards.

ISO/IEC 27018:2019 – Personally Identifiable Information (PII)

ISO/IEC 27018 helps organizations protect the privacy of their customers’ personal data in the cloud. The certification requires administrative, technical, and physical security measures as well as policies and procedures to ensure the confidentiality, integrity, and availability of customer data.

Audit Process

We conduct audits against a variety of standards including ISO/IEC 42001, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, AICPA SOC, HIPAA, and others.

The ISO/IEC Audit Process

For the ISO standards, the certification process involves two stages:

  • Stage 1 involves a readiness review during which the auditor will evaluate if the client has the key components of their information security management system (ISMS), privacy information management system (PIMS) or artificial intelligence management system (AIMS) in place.
  • The Stage 2 audit involves working with clients and reviewing their evidence.

An ISO audit is a point-in-time review. During an ISO audit, we review the client’s evidence as it exists at the time of the audit, rather than over a period of performance.

If any major nonconformities are discovered during the certification audit, the client must remediate them before a certificate can be issued.

The ISO certification operates on a three-year cycle. After the certification audit, the client must have surveillance audits conducted in years two and three. Prior to the certificate expiration date, the client must undergo a recertification audit. This audit must be completed with sufficient time to remediate any uncovered nonconformities before the original certificate expires.

In addition to the certification, surveillance, and recertification audits, the client must also conduct internal audits before each of the audits we conduct. For smaller organizations, internal audits are often conducted by third parties.

Additionally, management reviews must be conducted after each internal audit and before the client’s external audit.

Certification Process

After the certification audit, the audit report and the collected artifacts will feed the certification decision process. Any major nonconformities must be remediated prior to certification. If anything arises during the audit process where the client can’t or won’t remediate the identified nonconformities, we will not be able to grant certification.

Additionally, clients need to participate in surveillance audits annually to maintain their certification for the three-year cycle. If clients don’t undergo surveillance audits, their certification will be suspended. The certificate can be restored after the client completes their surveillance audit and remediates any nonconformities.

Renewing Certification

Before the end of the three-year cycle, the client must undergo a recertification audit. This audit is very similar to the initial certification audit in that all clauses and controls are tested. This audit must be completed with enough time for the client to remediate any uncovered nonconformities. Failure to complete the recertification audit, or to remediate any nonconformities, will result in a certification gap.

Withdrawing Certification

At any point within the audit cycle, the client can withdraw from the certification. At that time, all certificates and certification marks shall be removed from any marketing, including signage, websites, etc. that might mislead the public into believing the client is still certified. Additionally, if it is determined that a certified client is making misleading statements about their certification, what the scope of their certification is, or generally misleading the public, Sensiba may withdraw their certification.

Expanding or Reducing Scope

Due to client wishes, or because of continued nonconformities in given areas, we may reduce the scope of certification. Additionally, where a certified client adds additional products, services, or locations, it is possible to expand the scope of certification.

Certification Mark Usage

Upon certification, we will issue a mark or logo that can be added to the client’s marketing materials and websites. The certified client has our permission to utilize that mark as long as it isn’t altered in any way. The certified client is not allowed to use any other mark indicating that they are ISO certified. This includes the ISO logo, the ANAB logo, or the IAF logo.

Additionally, when referencing their certification status, the client must ensure they indicate that they are certified by Sensiba LLP. The certification mark or statements about certification shall not be misleading and shall not indicate that a product is certified. We are certifying a client’s management system, not a product or service.

Requests, Complaints, and Appeals

Anyone wishing more information about our ISO-related offerings, as well as validating that a client claiming to be certified is, in fact, certified, can send an email to iso@sensiba.com. For complaints and appeals, please email complaints@sensiba.com with as much information as possible.

Impartiality Policy

We endeavor to be as impartial as possible. We do not provide management systems consulting services. We do not provide ISMS/PIMS internal audits for clients that we certify. Additionally, we do not pay or receive payment for referrals. If you need to report anything related to impartiality with regard to our ISO program, please email complaints@sensiba.com.

Ready to learn more?

Talk to us about how ISO certification can help your organization meet customer and regulatory information security and privacy expectations, manage risk more effectively, and prepare you to meet the requirements of SOC and other security frameworks.