Audit processes
Intake and independence
DigiTrust B.V. conducts, under accreditation (C618), audit and certification assignments for ISO 27001, NEN 7510 and ISO 9001 (sectors 33 and 35).
DigiTrust B.V. does not conduct internal audits or consultancy work.
If you want DigiTrust B.V. to carry out an audit, you must first complete an intake form. In this form you truthfully enter all relevant information about your organisation. This information is used to calculate the audit time. To determine the number of audit days we follow the guidelines in the standards ISO 27006 and NCS 7510; for ISO 9001 and ISO 14001 we use IAF MD5. The number of audit days is based on the number of FTE in your organisation and on the relevant aspects named in these standards that may influence the audit time calculation.
Before a quotation is drawn up, impartiality checks will be carried out. DigiTrust B.V. will perform this assessment in accordance with the ISO 27006 and ISO 17065 rules.
Refusal of a certification application
Your application may be refused if:
- ISO 9001: your application falls outside the accredited sectors (ICT, sector 33, and business services/other, sector 35)
- NEN 7510: you are an ICT service provider and have no data processing agreement with a healthcare provider
- There is a conflict with our impartiality requirements
Audit Criteria
The audit criteria are used as a reference to determine the compliance of the Information Security Management System (ISMS), the Quality Management System (QMS) and the Environmental Management System (EMS). The applicable criteria for the assignment are:
- The requirements of ISO 27001, NEN 7510, ISO 9001 and ISO 14001;
- The defined processes and documentation of the ISMS, based on the client's Declaration of Applicability (CoA);
- The description of the scope, and any exclusions relating to ISO 9001 and ISO 14001.
Definitions and treatment of Critical and Non-Critical deviations
A deviation is a failure to meet a requirement. A distinction is made between:
Critical deviation
This is a deviation that affects the management system's ability to achieve its intended results. A deviation can be classified as Critical in the following circumstances:
- If there is serious doubt that there is effective process control, or that products or services will meet specified requirements;
- A number of Non-Critical deviations associated with the same standard requirement or issue may demonstrate a systemic failure in the management system and thus constitute a Critical deviation;
- The deviations are such that the PDCA cycle of the management system is no longer effective.
Non-critical deviation
This is a deviation that does not affect the management system's ability to achieve the intended results. However, the organisation's operating procedures do not conform to its own requirements or to the requirements of the standard.
Conforming / Non-conforming
Within the ISO 27001 audit, the control measures are assessed against the specific requirements of the standard and the organisation's own criteria. During the assessment of the control measures, the DigiTrust auditor's opinion may be that the implementation is compliant or non-compliant with the requirements of the standard and the organisation's own requirements. A non-conforming assessment provides input on the operation of the management system (chapters 4-10) and will therefore be included as such by the auditor in the assessment of the operation of the management system.
Opportunity for improvement
During an audit, the auditor may identify an improvement opportunity on the management system (i.e. not on control measures).
This results in an Opportunity for Improvement (KVV). The DigiTrust auditor will objectively describe the improvement opportunity without giving substantive advice on HOW it can be addressed; that is the responsibility of the organisation. The DigiTrust auditor will always return to this improvement opportunity in a subsequent audit, to assess whether the organisation is effectively meeting the standard requirement of 'continual improvement' (chapter 10).
Corrective Action Plan (CAP)
When deviations are found, the client must complete the DigiTrust corrective action plan (CAP) for the deviations found (not for the 'non-compliant' assessments).
The CAP will be reviewed by the DigiTrust B.V. lead auditor, who assesses whether the proposed remediation, root cause analysis and improvements are acceptable. If they are not, the CAP will be rejected.
If Critical deviations are found, an additional audit will be scheduled to reassess the Critical deviations.
If the DigiTrust B.V. lead auditor approves the CAP, a positive recommendation for certification or continuation of certification will be communicated to the Certification Manager. The Certification Manager reviews the file and takes the certification decision, for initial certification, continuation of the current certification and recertification.
If DigiTrust B.V. is unable to verify the implementation of corrections and corrective actions for a major Critical deviation within 6 months of the last day of phase 2, DigiTrust B.V. will perform another phase 2 before certification is recommended. If there are major changes at the organisation, a new phase 1 should be performed.
Initial certification audit, phase 1
The planning by DigiTrust B.V. will ensure that the objectives of phase 1 are met, and the client will be informed of any on-site activities during phase 1 for which the client needs to be present.
The objectives of phase 1 are:
- Review the documented information of the client's management system;
- Evaluate the client's site-specific conditions and hold discussions with the client's staff to determine readiness for phase 2;
- Assess the status and understanding of the client with regard to the requirements of the standard, in particular with regard to the identification of essential performance or significant aspects, processes, objectives and operation of the management system;
- Obtain the necessary information on the scope of the management system, including:
  - the client's site(s);
  - processes and equipment used;
  - established control levels (especially in the case of a client with multiple sites);
  - applicable laws and regulations;
- Assess the allocation of resources for phase 2 and agree the details of phase 2 with the client;
- Provide a focus for planning phase 2 by gaining sufficient understanding of the client's management system and site operations in the context of the management system standard or other normative document;
- Make agreements on the presence/activity of processes during phase 2;
- Evaluate whether internal audits and management reviews are planned or have already been carried out, and whether the implementation level of the management system substantiates that the client is ready for phase 2;
- Determine whether the audit team has the right competences to conduct the phase 2 certification audit and whether any external experts are required;
- Establish the audit plan for phase 2.
Documented conclusions regarding the achievement of Phase 1 objectives and readiness for Phase 2 should be communicated to the client, including identification of any areas of concern that may be classified as a deviation during Phase 2.
When determining the interval between phase 1 and phase 2, the client's need to resolve the issues identified during phase 1 is taken into account. DigiTrust B.V. may also need to review its arrangements and calculation for phase 2. If the problems identified affect the client's management system, DigiTrust B.V. will consider the need to repeat phase 1 in whole or in part. The client will be informed that the results of phase 1 may lead to the postponement or cancellation of phase 2.
Initial certification audit, phase 2
The purpose of phase 2 is to evaluate the implementation, including the effectiveness, of the client's management system. Phase 2 takes place on-site at the client's premises, or partly remotely. It includes auditing at least the following:
- information and evidence of compliance with all requirements of the applicable management system standard or other normative documents;
- performance monitoring, measurement, reporting and review against key performance objectives and targets (in line with expectations in the applicable management system standard or other normative document);
- The capability of the client's management system and its performance with regard to meeting applicable legal, regulatory and contractual requirements;
- operational control of the client's processes;
- internal audit and management review;
- management responsibility for client policies.
The audit team analyses all information and audit evidence collected during phase 1 and phase 2 to assess the audit findings and agree on the audit conclusions.
Maintaining your certification
Surveillance audits
Surveillance audits are on-site audits, but are not necessarily full system audits, and should be scheduled in conjunction with the other surveillance activities so that DigiTrust B.V. can maintain confidence that the client's certified management system remains compliant between recertification audits. Each surveillance for the relevant management system standard includes:
- internal audits and management review;
- A review of actions taken on non-conformities identified during the previous audit;
- complaint handling;
- effectiveness of the management system with regard to achieving the certified client's objectives and the intended results of the relevant management system(s);
- progress of planned activities aimed at continuous improvement;
- continuous operational control;
- assessment of any changes;
- use of trademarks and/or any other reference to certification.
Recertification
The purpose of the recertification audit is to confirm the ongoing conformity and effectiveness of the management system as a whole, and its continued relevance and applicability to the scope of certification. A recertification audit should be planned and conducted to evaluate the continued fulfilment of all requirements of the relevant management system standard or other normative document. This should be planned and conducted in a timely manner to allow timely renewal before the expiry date of the certificate.
The recertification activity includes the review of previous audit reports of the monitoring and performance of the management system during the most recent certification cycle.
Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organisation or the context in which the management system operates (e.g. changes in legislation).
The recertification audit includes an on-site audit covering the following:
- the effectiveness of the management system as a whole in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
- demonstrated commitment to maintaining the effectiveness and improvement of the management system to improve overall performance;
- the effectiveness of the management system with regard to achieving the certified client's objectives and the intended results of the relevant management system(s).
Where recertification activities have been successfully completed before the expiry date of the existing certification, the expiry date of the new certification may be based on the expiry date of the existing certification. The issue date of a new certificate falls on or after the recertification decision.
Failure to complete recertification audit
If the client has not completed the recertification audit, or DigiTrust B.V. is unable to verify the implementation of corrections and corrective actions for a major non-conformity before the expiry date of the certification, recertification will not be recommended and the validity of the certification will not be extended. The client will be informed and the consequences explained. If the client has subsequently resolved the issues, the client must undergo a new initial audit.
Restore certification
After the expiry of the certification, DigiTrust B.V. may reinstate the certification within 6 months, provided the outstanding recertification activities have been completed; otherwise at least a phase 2 must be performed. The effective date on the certificate is on or after the recertification decision, and the expiry date must be based on the previous certification cycle.
Additional audit
An additional audit is required if a regular audit reveals that:
- Persons to be interviewed are not present at the agreed time;
- The requested documentation cannot be delivered;
- The scope turns out to be more extensive than initially agreed.
An additional audit may also need to be scheduled for situations that may affect the management system, such as profound changes in the organisation, in case of complaints about the service, and for the follow-up of suspensions.
Expanding scope
DigiTrust B.V. will, following an application to extend the scope of an already granted certification, perform an assessment of the application and determine the audit activities. A record of these will be kept and stored in the file. During the scope extension audit, the DigiTrust B.V. auditor will assess the management system for the changed or added components. If the DigiTrust B.V. lead auditor gives a positive opinion on this, the certification manager will decide. This audit can be carried out separately or in combination with a control audit.
Short-term audits
It may be necessary for DigiTrust B.V. to conduct short-term or unannounced audits of certified clients to investigate complaints, in response to changes, or as follow-up to suspended clients.
In such cases:
- DigiTrust B.V. describes and discloses in advance to certified clients the conditions under which such audits will be carried out;
- DigiTrust B.V. will take extra care when assigning the audit team due to the lack of opportunity for the client to object to audit team members.
Suspend or restore
If DigiTrust B.V. detects a deviation that could potentially lead to suspension, withdrawal or restriction of the scope, the client is contacted. If consultation does not lead to a solution, the DigiTrust Compliance team is informed. The latter may decide to proceed with suspension, withdrawal or limitation.
DigiTrust B.V. suspends certification in cases where, for example:
- Critical deviations are not resolved in time or reduced to a non-critical deviation;
- The organisation does not agree to audits being carried out with the required frequency;
- The organisation voluntarily requests a suspension;
- The client fails to meet its payment obligations.
Suspensions shall be confirmed in writing, stating the conditions under which the suspension may be lifted. During a suspension, the certification of the client's management system is temporarily invalid and no statements may be made regarding the certification.
A suspension lasts for a maximum of six months.
Scope limitation
DigiTrust B.V. will limit the scope of certification to exclude those parts that do not meet the requirements if the client persistently or materially fails to meet the certification requirements for the relevant parts of the scope of certification. Such a limitation will be in line with the requirements of the standard used for certification. A scope limitation will be confirmed in writing to the client, including conditions by which the scope can be extended again.
Withdraw
If the suspension is not resolved within the period specified by DigiTrust B.V. (maximum 6 months), the certificate will be withdrawn. This will be confirmed in writing to the client. The organisation is no longer allowed to communicate that its management system is certified by DigiTrust B.V. A client may also decide to withdraw the certificate itself, a so-called voluntary withdrawal.
Termination of your NEN-7510 certification
If a client holds a NEN 7510 certificate but no longer processes personal health information, no further surveillance audits or recertification audits may be performed for NEN 7510. In this situation, the certificate is suspended at the certificate issue date +24 months/+36 months, plus a maximum of 6 months. If the client has not resumed processing personal health information within this period, the certificate will be withdrawn.