Certification Road Map Process
Initial Audit and Certification
Upon acceptance of the application, KSQA conducts a two-stage initial audit consisting of a Stage 1 audit and a Stage 2 audit.
Stage 1 is performed to evaluate submitted documentation against the requirements of the management system standard. The internal audits, management review meetings, and other requirements will also be reviewed in accordance with the standard.
If any areas of concern are identified during the Stage 1 audit, they are communicated to the client at the conclusion of Stage 1, and the time needed to allow adequate correction is determined.
The maximum time allowed between the Stage 1 and Stage 2 audits is three (3) months.
The Stage 2 audit gathers objective evidence to substantiate the effective implementation of the management system and to form the conclusion on whether or not to grant the certification.
Where KSQA cannot verify and close out all the corrective actions addressing the findings raised during the Stage 2 audit within six (6) months, another Stage 2 audit will be conducted. As long as the client can close the findings from Stage 2, KSQA will grant certification.
Surveillance Activities
KSQA conducts onsite or remote surveillance audits at planned intervals to maintain the confidence that the certified management system continues to fulfill the cybersecurity certification roadmap requirements.
The first surveillance audit is conducted within twelve (12) months from the date of the certification decision.
Surveillance audits are not necessarily full system audits; they generally take one-third of the time of the initial audit.
There are a total of two surveillance audits prior to the recertification audit.
Recertification
Prior to the expiration of the certification, the certified client will indicate to KSQA their intention to continue with the certification and KSQA will then provide a new quotation for recertification.
The recertification audit is conducted to evaluate the fulfillment of the requirements of the certification.
KSQA will ensure that decisions on renewing certifications are made before the certificate expires.
If KSQA has not completed the recertification audit or is unable to verify the implementation of corrections and corrective actions for MAJOR non-conformities prior to the expiry date of the certification, then recertification will not be recommended.
KSQA may restore certification within six (6) months following the expiration of certification, provided that the outstanding recertification activities are completed. The effective date on the new certification is on or after the recertification decision by the Technical Reviewer, and the expiry date is based on the prior certification cycle.
Special Audits
KSQA shall, in response to a request by a certified client for modification of the scope of certification, review the request and determine any audit activity necessary to decide whether or not the modification may be granted.
When necessary, KSQA may conduct short-notice audits of its certified clients in response to complaints, changes affecting the system, or as follow-up on suspended certified clients.
Suspending, Withdrawing or Reducing the Scope of Certification
KSQA will suspend, modify (extend or reduce scope), or withdraw the certification if the certified client violates its certification contractual or financial obligations with KSQA. Below are some of the reasons KSQA may suspend certification:
- the certified client has persistently or seriously failed to meet requirements;
- financial requirements are not met;
- the certified client has voluntarily requested suspension;
- the required surveillance or recertification audit is not performed at the prescribed frequency.
While under suspension, the certified client’s certificate is temporarily invalid. During this time the client cannot promote the certification. KSQA will also make it known through the KSQA website that the certificate status is “suspended”.
Suspension can last up to a maximum of six months. The client must resolve the issues, or the suspension will result in the withdrawal or reduction of the scope.
Clients must notify their customers of their reduced or withdrawn certification. KSQA will remove the certified company from its list of certified companies. The client may appeal any action through the appeal process.
Appeals
KSQA follows a procedure to resolve disputes/appeals with its clients or third parties regarding its actions and decisions around the certification roadmaps. KSQA makes every reasonable effort to resolve all appeals and disputes related to its activities. We are responsible for all decisions at all levels of the handling of appeals.
Personnel involved in the appeal process are not part of the audit or certification decisions.
The submission, investigation and decision will not result in any discriminatory actions against the person filing the appeal.
When an appeal is received, KSQA will acknowledge receipt of the appeal and provide the appellant with progress reports and the final outcome.
The disputes/appeals process includes the following elements and methods:
- receiving, validating and investigating the appeal, and taking actions related to the appeal, considering previous similar situations;
- logging and retaining all appeals, including the actions to resolve them;
- ensuring that, if required, any appropriate corrections and corrective actions are taken.
When KSQA receives an appeal, KSQA is responsible for collecting and verifying all information needed to validate the appeal.
The final outcome and decisions are communicated to the appellant by, or reviewed and approved by, personnel not involved in the subject of the appeal.
KSQA gives the appellant formal notification of the end of the appeal process.
Complaints
KSQA is responsible for all IT certification roadmap 2023 decisions at all levels of the complaints-handling process. Formal complaints related to the certification roadmap activities of KSQA, or complaints involving a certified client, can be emailed to contact@ksqa.org or sent through our “Contact Us” page.
The submission, investigation and decision will not result in any discriminatory actions against the person filing the appeal.
Upon receiving the complaint, KSQA will confirm whether the complaint relates to certification activities that KSQA is responsible for. If KSQA is responsible and the complaint involves a certified client, KSQA will examine the complaint and determine the effectiveness of the certified management system.
If determined to be a valid complaint about a certified client, KSQA will inform the client at the appropriate time.
The process for receiving, evaluating, and making decisions on complaints is set out in a documented procedure. The process is subject to KSQA requirements for confidentiality related to the complainant and the subject of the complaint.