Audit processes

Intake and independence

DigiTrust B.V. conducts audit and certification work under accreditation (C618) for ISO 27001, NEN 7510 and ISO 9001 (sectors 33 and 35).

DigiTrust B.V. does not perform internal audits or consultancy work.

If you would like to have an audit conducted by DigiTrust B.V., you must first complete an intake form. Please complete this intake form truthfully, including all relevant information about your organisation. This information is used to calculate the audit time. For determining the number of audit days, we follow the guidelines laid out in ISO 27006 and NCS 7510; for ISO 9001, we use IAF MD5. The number of audit days is based on the number of FTEs in your organisation as well as the relevant aspects mentioned in these standards that may affect the calculation of the audit time. Impartiality checks are carried out before an offer is made. DigiTrust B.V. carries out this assessment in accordance with the regulations set out in ISO 27006 and ISO 17065.

Audit criteria

The audit criteria are used as a reference for determining the compliance of the information security management system (ISMS) and the quality management system (QMS). The applicable criteria for the work to be done are as follows:

  • the requirements set out in ISO 27001, NEN 7510 and ISO 9001;
  • the defined ISMS processes and documentation, based on the client’s declaration of applicability (DoA);
  • the description of the scope, including any exclusions regarding ISO 9001.

Definitions and handling of critical and non-critical deviations

A deviation is a failure to meet a requirement. A distinction is made between two kinds:

Critical deviations

These are deviations that affect the management system’s ability to achieve its intended results. A deviation is classified as critical in the following circumstances:

  • there is serious doubt as to whether effective process controls are in place, or as to whether products or services will meet specified requirements;
  • a series of non-critical deviations related to the same standard requirement or issue demonstrates a systemic failure in the management system and therefore constitutes a critical deviation;
  • the deviations are such that the PDCA cycle of the management system is no longer effective.

Non-critical deviations

These are deviations that do not affect the management system’s ability to achieve its intended results, but where the organisation’s way of working nevertheless does not conform to its own requirements or to the requirements of the standard.

Corrective action plan (CAP)

If deviations are found, the client is required to complete a corrective action plan (CAP). The CAP is then reviewed by the DigiTrust B.V. lead auditor, who assesses whether the proposed corrective measures, root cause analyses and improvements are acceptable. If they are not, the CAP is rejected.

If critical deviations are found, an additional audit will be initiated to reassess the critical deviations.

If the DigiTrust B.V. lead auditor approves the CAP, a positive recommendation for certification or continuation of certification is communicated to the Certification Manager. The Certification Manager reviews the file and takes the certification decision for initial certifications, continuations of current certifications and recertifications.

If DigiTrust B.V. is unable to verify that corrections and corrective measures for a major critical deviation have been implemented within 6 months of the last day of phase 2, DigiTrust B.V. will conduct another phase 2 audit before certification is recommended. If there are any major changes within the organisation, a new phase 1 audit shall be carried out.

Initial certification audit, phase 1

The schedule prepared by DigiTrust B.V. ensures that the phase 1 objectives are met and that the client is informed of any on-site activities that need to take place during phase 1.

The objectives of phase 1 are as follows:

  • review the documented information for the client’s management system;
  • evaluate the client’s site-specific conditions and hold discussions with the client’s staff to determine readiness for phase 2;
  • assess the client’s status and level of understanding with regard to the standard requirements, in particular the identification of the essential performance or significant aspects, processes, objectives and operation of the management system;
  • obtain the necessary information on the scope of the management system, including:
    • the client’s site(s);
    • processes and equipment used;
    • established control levels (especially in the case of a client with multiple sites);
    • applicable laws and regulations;
  • assess the allocation of resources for phase 2 and agree on the details of phase 2 with the client;
  • provide a focus for planning phase 2 by gaining sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
  • agree on the presence/activity of processes during phase 2;
  • evaluate whether internal audits and management reviews are planned or have already been carried out, and whether the implementation level of the management system demonstrates that the client is ready for phase 2;
  • determine whether the audit team has the appropriate competences to conduct the phase 2 certification audit and whether any external experts are required;
  • establish the audit plan for phase 2.

Documented conclusions pertaining to the achievement of phase 1 objectives and readiness for phase 2 will be communicated to the client, including identification of any areas of concern that could be classified as a deviation during phase 2.

In determining the interval between phase 1 and phase 2, the client’s need to resolve the problems identified during phase 1 is taken into account. DigiTrust B.V. may also have to revise its arrangements and time calculation for the phase 2 audit. If the problems identified affect the client’s management system, DigiTrust B.V. will consider whether phase 1 needs to be repeated in whole or in part. The client is informed that the results of phase 1 may lead to a postponement or cancellation of phase 2.

Initial certification audit, phase 2

The purpose of phase 2 is to evaluate the implementation, including the effectiveness, of the client’s management system. Phase 2 takes place at the client’s premises, on-site or partially remotely. It includes verification of at least the following:

  • information and evidence of compliance with all requirements of the applicable management system standard or other normative documents;
  • performance monitoring, measurement, reporting and review following key performance objectives and targets (in line with expectations in the applicable management system standard or other normative document);
  • the capability of the client’s management system and its performance with regard to meeting applicable legal, regulatory and contractual requirements;
  • operational control of the client’s processes;
  • internal audit and management review;
  • management responsibility for the client’s policies.

The audit team analyses all of the information and evidence collected during the phase 1 and phase 2 audits to assess the audit findings and agree on the conclusions for the audit.

Control audits

Control audits are conducted on-site but do not necessarily represent full system audits. They are scheduled in conjunction with the other control activities so that DigiTrust B.V. can maintain confidence that the client’s certified management system remains compliant between recertification audits. Each control audit against the relevant management system standard covers:

  • internal audits and management review;
  • a review of actions taken on instances of non-conformity identified during the previous audit;
  • complaint handling;
  • effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the relevant management system(s);
  • progress of planned activities aimed at continuous improvement;
  • continuous operational control;
  • assessment of any changes;
  • use of trademarks and/or any other reference to certification.

Recertification

The purpose of the recertification audit is to confirm the ongoing conformity and effectiveness of the management system as a whole, and its continued relevance and applicability to the scope of certification. A recertification audit will be planned and conducted to evaluate the ongoing fulfilment of all requirements of the relevant management system standard or other normative document. This will be planned and carried out in a timely manner in order to allow for punctual renewal before the expiry date of the certificate.

The recertification activity includes the review of previous audit reports on the monitoring and performance of the management system during the most recent certification cycle.

Recertification audit activities may need to include a phase 1 in situations where there have been significant changes to the management system, the organisation or the context in which the management system operates (e.g. changes in legislation).

The recertification audit includes an on-site audit that covers the following:

  • the effectiveness of the management system as a whole in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
  • a demonstrated commitment to maintaining the effectiveness and improvement of the management system to improve overall performance;
  • the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the relevant management system(s).

Where recertification activities have been successfully completed before the expiry date of the existing certification, the expiry date of the new certification may be based on the expiry date of the existing certification. The issue date of a new certificate falls on or after the decision on recertification.

Failure to complete recertification audit

If the client has not completed the recertification audit, or DigiTrust B.V. is unable to verify the implementation of corrections and corrective actions for a major instance of non-conformity before the expiry date of the certification, recertification will not be recommended and the validity of the certification will not be extended. The client will be informed and the consequences explained. Once the client has resolved the issues, a new initial audit applies.

Restoring a certification

After expiry of the certification, DigiTrust B.V. may restore certification within 6 months, provided that the outstanding recertification activities have been completed; otherwise at least a phase 2 audit must be carried out. The effective date on the certificate is on or after the recertification decision, and the expiry date is based on the previous certification cycle.

Additional audit

An additional audit is required if a regular audit reveals that:

  • the people to be interviewed are not present at the agreed time;
  • the requested documentation cannot be delivered;
  • the scope proves to be more extensive than initially agreed.

An additional audit may also need to be scheduled for situations that could potentially affect the management system, such as profound changes in the organisation, complaints concerning the service, or following up on suspensions.

Expansion of scope

Following an application to extend the scope of a previously granted certification, DigiTrust B.V. shall carry out an assessment of the application and determine the audit activities. A record of this assessment will be retained and stored in the file. During the expansion of scope audit, the DigiTrust B.V. auditor will assess the management system with regard to the changed or added components. If the DigiTrust B.V. lead auditor provides a positive opinion here, the certification manager will make a decision. This audit can be conducted separately or in combination with a control audit.

Short-term audits

It may be necessary for DigiTrust B.V. to conduct a short-term or unannounced audit of certified clients in order to investigate complaints, to respond to changes, or to follow up on clients under suspension.

In these cases:

  • DigiTrust B.V. will describe and disclose the conditions under which these audits are to be carried out to certified clients in advance;
  • DigiTrust B.V. will exercise additional care when assigning the audit team due to the lack of opportunity for the client to object to members of the audit team.

Suspension or restoration

If DigiTrust B.V. detects a deviation that could potentially lead to a suspension, withdrawal or restriction of the scope, the client will be contacted. If consultation does not lead to a solution, the DigiTrust Compliance team will be informed. This team may decide to proceed with a suspension, withdrawal or restriction.

DigiTrust B.V. shall suspend certification in cases where, for example:

  • critical deviations are not resolved or reduced to a non-critical deviation in a timely manner;
  • the organisation does not agree to audits being carried out with the required frequency;
  • the organisation voluntarily requests a suspension;
  • the client fails to meet its payment obligations.

Suspensions will be confirmed in writing, stating the conditions under which the suspension can be lifted again. In case of a suspension, the certification of the client’s management system shall be rendered temporarily invalid and no statements may be made regarding certification.

A suspension lasts a maximum of six months.

Limitation of scope

If the client persistently or materially fails to meet the certification requirements for parts of the scope of the certification, DigiTrust B.V. will limit the scope of the certification to exclude those parts. Such a limitation must correspond to the requirements of the standard used for certification. A limitation of scope will be confirmed in writing to the client, including the conditions under which the scope can be extended again.

Withdrawal

If the suspension is not resolved within the period specified by DigiTrust B.V. (maximum 6 months), the certificate shall be withdrawn. This will be confirmed in writing to the client. The organisation is then no longer allowed to communicate that the management system is certified by DigiTrust B.V. Clients can also decide to withdraw the certificate themselves, which is called a voluntary withdrawal.

Termination of NEN 7510 certification

If a client holds a NEN 7510 certificate but no longer processes personal health information, no further surveillance audits or recertification audits can be conducted for NEN 7510. In this situation, the certificate will be suspended at the certificate’s issue date +24 months/+36 months plus a maximum of 6 months. If the client is still not processing personal health information within this period, the certificate shall be withdrawn.