Impartiality and Other Related Inquiries
Introduction
For any organization, regardless of its size or industry sector, ISO/IEC 27001 provides a strong foundation for a comprehensive information and cybersecurity strategy. The standard outlines a leading practice ISMS framework to mitigate risks and safeguard business-critical data through identification, analysis and actionable controls. An accredited ISO 27001 certification demonstrates that you have the processes and controls in place to protect your organization’s information – and that of your customers – against an increasingly complex threat landscape. Aprio's experienced team guides clients through each stage of the ISO 27001 certification process. This enables clients to identify possible risks and greatly increase their overall security posture. Certification serves as evidence that data protection and information security are important to your organization and that you can react to the many unexpected cybersecurity threats.
Aprio management understands the importance of impartiality and of potential conflicts of interest in carrying out its management system certification activities. Aprio has defined and adheres to an Impartiality Policy which holds our ISO Practice to a high standard of impartiality and management of potential conflicts of interest. Aprio has a compliance program based on its Code of Conduct to help ensure that integrity is applied to all its activities worldwide in accordance with leading practices. We arrange training activities for our personnel to facilitate awareness of these codes. In order to identify and control the aspects that may affect our impartiality, and which may create a conflict of interest in our management systems certification activities, a risk assessment is performed and reviewed at least annually. Aprio evaluates the risks to impartiality and independence prior to accepting any new client engagement. All Aprio personnel (internal or external) are aware of and responsible for disclosing any situation known to them that can present them or Aprio with a conflict of interest. An Annual Independence and Restricted Entity Declaration is required to be completed by all Aprio employees.
Aprio does not:
- Allow commercial, financial, or other pressures on internal or external personnel or any committee members to compromise its impartiality;
- Give proposals to, or certify the management system of, any other certification body;
- Offer or provide management system implementation consultancy;
- Offer and carry out internal audit* services to its certified clients; or
- Outsource audits to a management system consultancy organization.
Aprio’s management systems certification activities are not offered or marketed as linked with the activities of an organization that provides management system consultancy. The certification activities cannot be offered as a part of any consultancy services.
The policies and procedures under which Aprio operates and the administration of these policies are nondiscriminatory. The services of Aprio are available to all applicants whose activities fall within the scope of the operations. Aprio can decline to accept an application or maintain a contract for certification from a client when fundamental or demonstrated reasons exist. Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued.
Any client can make an appeal about a decision made by Aprio. Submission, investigation, and decision on appeals shall not result in any discriminatory actions against the appellant.
Aprio operates under and complies with the independence requirements established by the American Institute of Certified Public Accountants, ISO/IEC 17021:2015, ISO/IEC 27006:2015, and ISO/IEC 17020:2012 and has developed this impartiality policy and supporting procedures to ensure ongoing compliance.
Certification Decision
Certification decisions are taken by personnel who are under no direct financial pressure and who have been qualified to make the certification decision. Certification decisions are not outsourced to another company.
Aprio’s certification decision maker will perform a comprehensive review of the audit file and any corrective action plans and supporting evidence upon completion of the initial certification, recertification, or certification transfer audit process. The review will verify that the Company’s management system is in conformance with the applicable ISO standard and that non-conformities have been properly addressed. Following confirmation that any necessary corrective actions have been appropriately addressed, the findings and recommendations made in the Audit Report are subject to an internal review process prior to certification being granted. Upon successful completion of this review, Aprio grants the certification.
Aprio will help to ensure that the persons or committees that make the decisions for granting or refusing certification, expanding, or reducing the scope of certification, suspending, or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits. The individual(s) appointed to conduct the certification decision will have appropriate competence. Once the client organization has met the requirements for Aprio certification for compliance with the relevant standard(s), the client organization will be issued with the appropriate certificate(s) and/or scopes of certification. Details of the certification may be made publicly available.
Maintaining Certification
Aprio shall maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard via completion of annual surveillance audits in years two and three, with a recertification audit to be completed prior to the expiration of the certification. Aprio’s certification decision maker may suspend or withdraw the Company’s certification if the required audits are not performed or if open non-conformities have not been properly addressed.
Short Notice Audits
It may be necessary for Aprio to conduct audits of certified clients at short notice or unannounced to investigate complaints, in response to changes, or as follow-up on suspended clients. In such cases, Aprio shall describe and make known in advance to the client the conditions under which such audits will be conducted (e.g. a detailed description of the unplanned audit; the normative requirements for certification; documents describing the rights and duties of certified clients, including requirements when making reference to its certification in communication of any kind; and the client's need to comply with certification requirements and make all necessary arrangements for the conduct of the audits, including making provisions, where applicable, to accommodate the presence of observers such as accreditation assessors or trainee auditors).
Scope Change
Any changes required to the client organization’s scope of certification can be processed in conjunction with the ongoing audit program. If the client organization wishes to change or add to the systems against which it already holds certification, or wishes to add more sites into the scope of certification, the scope can be changed with consideration for additional audit procedures which may be required depending on the status of the certification cycle.
Suspending, Withdrawing, and Reducing the Scope of Certification
In the event that an applicant organization fails to comply with the requirements of the relevant standard/audit requirements, or in the event that a certified organization fails to comply with these conditions of certification (including prompt payment of fees) or is unable to maintain compliance with the relevant certification standard, Aprio may:
- Refuse certification;
- Suspend certification;
- Reduce the scope of certification; or
- Withdraw certification and related services.
Aprio will withdraw or suspend certification in cases when, for example:
- the client's certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
- the certified client does not allow surveillance or recertification audits to be conducted at the required frequencies; or
- the certified client has voluntarily requested a suspension.
Under suspension, the client's management system certification is temporarily invalid. Such decisions and the grounds for them will be communicated to the organization in writing. When an organization’s certification is suspended or refused, the organization shall, for the period of suspension or refusal:
- Withdraw and cease to use any advertising or promotional material that promotes or advertises the fact that the organization is certified;
- Ensure that all copies of certificates and scopes of certification are removed from areas of public display; and
- Cease to use the certification mark on stationery and other documents including media and packaging that are circulated to existing and potential clients, or in the public domain.
The organization shall advise Aprio, in writing, of actions taken with respect to the requirements as listed above. Aprio shall likewise advise the organization, in writing, of the certification processes that will need to be completed to restore certification. Please be aware that during the period of suspension the organization is required to continue to pay all fees levied by Aprio.
Aprio will restore the suspended certification if the issue that has resulted in the suspension has been resolved. Failure to resolve the issues that have resulted in the suspension in a time established by Aprio will result in withdrawal or reduction of the scope of certification. Aprio will restore a certification that has been placed on suspension once all outstanding issues have been closed and verified as such through off-site or on-site review.
Scope Expansion or Reduction
At the request of the Company through an application process, Aprio will request and review documentation supporting the additional scope. Upon completion of the review, an audit will be performed to determine conformance of the Company’s additional scope with the applicable ISO standard. This process may require an addendum to the contract and/or additional fees.
Aprio will reduce the client's scope of certification to exclude the parts not meeting the requirements when the client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction will be in line with the requirements of the standard used for certification.
When an organization’s scope of certification is reduced, Aprio shall issue revised certificates and scopes of certification as appropriate and the certified organization shall:
- Return all superseded certificates;
- Ensure that use of the certification mark is adjusted to reflect the reduced scope of certification;
- Ensure that all advertising and promotional activities and materials are adjusted to reflect the reduced scope of certification; and
- Pay any fees that are applicable for the facilitation of this activity.
Use of Aprio's Logo
Aprio monitors the use of its name and logo to help ensure compliance with its contractual agreement, ISO 17021:2015, and ISO 27006:2015. As an accredited certification body, Aprio has developed a trademarked logo that demonstrates its certified clients’ conformance with the relevant ISO standards. The rules associated with the use of its name and logo regarding ISO certifications are documented in the terms and conditions of our engagement letter and again upon successful certification for its clients.
After an organization is granted certification by Aprio, it may become eligible to use appropriate Aprio and other specified certification marks to promote the fact that the organization is certified. Certified organizations may use the Aprio certification marks or other marks that it facilitates subject to compliance with the following conditions:
- The certification marks or other marks that it facilitates may be used on correspondence, advertising and promotional material in conjunction with the certified organization’s name or emblem, and shall not be used in connection with goods, services, activities or locations not covered by the scope of certification;
- Certification marks shall not be applied to laboratory test, calibration or inspection reports, as such reports are deemed to be products in this context;
- The certification marks or other marks that it facilitates shall only be reproduced in the approved style and colors;
- The certification marks or other marks that it facilitates shall not be used in any manner that implies approval of a product or service;
- On notification in writing, the certified organization shall discontinue any use of the mark that is unacceptable to the PIC IAS (and/or its nominee) and any form of statement used in conjunction with the mark that may be misleading. The certified organization shall also undertake any other action requested by the PIC IAS (and/or its nominee) with regard to unacceptable use of the mark; and
- Upon termination of certification, the certified organization undertakes to immediately discontinue use of the mark/s. Use of the marks is not to be reinitiated unless certification is fully reinstated.
Appeals and Complaints
Aprio is responsible for all decisions at all levels of the appeals and complaints handling process and will help to ensure that the persons engaged in the appeals and complaints handling process are different from those who carried out the audits and made the certification decisions. Submission, investigation, and decision on appeals and complaints will not result in any discriminatory actions against the appellant or the complainant. Aprio will help to ensure that the final decision communicated to the appellant and the complainant will be made by, and/or reviewed and approved by, an individual (or individuals) not previously involved in the subject of the appeal or complaint. At the end of the appeals and complaints handling process Aprio will give formal notice to the appellant and the complainant.
Appeals against certification decisions made by Aprio, and complaints against the service provided by Aprio, may be raised with Powell Jones, ISO Practice Leader at Aprio.