Impartiality and Other Related Inquiries
For any organization, regardless of its size or industry sector, ISO/IEC 27001 provides a strong foundation for a comprehensive information and cybersecurity strategy. The standard outlines a leading practice ISMS framework to mitigate risks and safeguard business-critical data through identification, analysis and actionable controls. An accredited ISO 27001 certification demonstrates that you have the processes and controls in place to protect your organization’s information – and that of your customers – against an increasingly complex threat landscape. Aprio's experienced team guides clients through each stage of the ISO 27001 certification process. This enables clients to identify possible risks and greatly increase their overall security posture. Certification serves as evidence that data protection and information security are important to your organization and that you can react to the many unexpected cybersecurity threats.
Aprio management understands the importance of impartiality and potential conflicts of interest in carrying out its management system certification activities. Aprio has defined and adheres to an Impartiality Policy which holds our ISO Practice to a high standard of impartiality and management of potential conflicts of interest. Aprio has a compliance program based on its Code of Conduct to help ensure that integrity is applied to all its activities worldwide in accordance with leading practices. We arrange training activities for our personnel to facilitate awareness of these codes. In order to identify and control the aspects that may affect our impartiality, and which may create a conflict of interest in our management systems certification activities, a risk assessment is performed and reviewed at least annually. Aprio evaluates the risks to impartiality and independence prior to accepting any new client engagement. All Aprio personnel (internal or external) are aware of and responsible for revealing any situation known to them that can present them or Aprio with a conflict of interest. An Annual Independence and Restricted Entity Declaration is required to be completed by all Aprio employees.
Aprio does not:
- Allow commercial, financial, or other pressures on internal or external personnel or any committee members to compromise its impartiality;
- Give proposals to, or certify the management system of, any other certification body;
- Offer or provide management system implementation consultancy;
- Offer and carry out internal audit services to its certified clients; or
- Outsource audits to a management system consultancy organization.
Aprio’s management systems certification activities are not offered or marketed as linked with the activities of an organization that provides management system consultancy. The certification activities cannot be offered as a part of any consultancy services.
The policies and procedures under which Aprio operates and the administration of these policies are nondiscriminatory. The services of Aprio are available to all applicants whose activities fall within the scope of the operations. Aprio can decline to accept an application or maintain a contract for certification from a client when fundamental or demonstrated reasons exist. Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued.
Any client can make an appeal about a decision made by Aprio. Submission, investigation, and decision on appeals shall not result in any discriminatory actions against the appellant.
Aprio operates under and complies with the independence requirements established by the American Institute of Certified Public Accountants, ISO/IEC 17021:2015, ISO/IEC 27006:2015, and ISO/IEC 17020:2012 and has developed this impartiality policy and supporting procedures to ensure ongoing compliance.
Certification decisions are taken by the personnel who have no direct financial pressure on them and have been qualified to make the certification decision. Certification decisions are not outsourced to another company.
Aprio’s certification decision maker will perform a comprehensive review of the audit file and any corrective action plans and supporting evidence upon completion of the initial certification, recertification, or certification transfer audit process. The review will verify that the Company’s management system is in conformance with the applicable ISO standard and non-conformities have been properly addressed. Upon successful completion of this review, Aprio grants the certification.
Aprio will help to ensure that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification, or renewing certification are different from those who carried out the audits. The individual(s) appointed to conduct the certification decision will have appropriate competence.
Aprio shall maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard via completion of annual surveillance audits in years two and three, with a recertification audit to be completed prior to the expiration of the certification. Aprio’s certification decision maker may suspend or withdraw the Company’s certification if the required audits are not performed or if open non-conformities have not been properly addressed.
Suspending, Withdrawing, and Reducing the Scope of Certification
Aprio will withdraw or suspend certification in cases when, for example:
- the client's certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
- the certified client does not allow surveillance or recertification audits to be conducted at the required frequencies; or
- the certified client has voluntarily requested a suspension.
Under suspension, the client's management system certification is temporarily invalid. Aprio will restore the suspended certification if the issue that has resulted in the suspension has been resolved. Failure to resolve the issues that have resulted in the suspension in a time established by Aprio will result in withdrawal or reduction of the scope of certification. Aprio will restore a certification that has been placed on suspension once all outstanding issues have been closed and verified as such through off-site or on-site review.
Scope Expansion or Reduction
At the request of the Company through an application process, Aprio will request and review documentation supporting the additional scope. Upon completion of the review, an audit will be performed to determine conformance of the Company’s additional scope with the applicable ISO standard. This process may require an addendum to the contract and/or additional fees.
Aprio will reduce the client's scope of certification to exclude the parts not meeting the requirements, when the client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction will be in line with the requirements of the standard used for certification.
Use of Aprio's Logo
Aprio monitors the use of its name and logo to help ensure compliance with its contractual agreement, ISO 17021:2015, and ISO 27006:2015. As an accredited certification body, Aprio has developed a trademarked logo that demonstrates its certified clients’ conformance with the relevant ISO standards. The rules associated with the use of its name and logo regarding ISO certifications are documented in the terms and conditions of our engagement letter and again upon successful certification for its clients.
Appeals and Complaints
Aprio is responsible for all decisions at all levels of the appeals and complaints handling process and will help to ensure that the persons engaged in the appeals and complaints handling process are different from those who carried out the audits and made the certification decisions. Submission, investigation, and decision on appeals and complaints will not result in any discriminatory actions against the appellant or the complainant. Aprio will help to ensure that the final decision communication to the appellant and the complainant will be made by and/or reviewed and approved by an individual(s) who was not previously involved in the subject of the appeal or complaint. At the end of the appeals and complaints handling process, Aprio will give formal notice to the appellant and the complainant.
Inquiries regarding areas where we operate and certificate status for our certified clients may be submitted directly to Aprio by emailing firstname.lastname@example.org.