Certification:
Management system certification / Voluntary assessment
Basis of certification:
TUV SUD South Asia Pvt. Ltd.-NABCB Accreditation
Standard owner:
ISO - International Organization for Standardization
WHAT DOES THE ISO/IEC 27701 STANDARD DEFINE?
- ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
- This standard specifies PIMS-related requirements and provides guidance for PII (Personally Identifiable Information) controllers and PII processors holding responsibility and accountability for PII processing.
What do “Certification” or the issue of a certification mark according to ISO/IEC 27701 by TÜV SÜD South Asia Pvt. Ltd. mean?
- The customer has submitted to voluntary assessment (audit) according to defined criteria (certification standard).
- A certificate and/or the authorization to use a certification mark are only issued if the assessment (audit) does not reveal any major nonconformities with the requirements of the relevant standard.
- Certificates and/or certification marks are valid for a restricted period of time. Interested parties can check the validity of individual certificates in the certificate database.
- To maintain certificate validity, the certificate holder must complete and successfully pass annual surveillance assessments (audits).
- The validity of an ISO/IEC 27701 certificate is always tied to the validity of the associated ISO/IEC 27001 certificate.
HOW IS THE ASSESSMENT/AUDIT PERFORMED?
Independent and qualified experts (auditors) apply the following auditing techniques:
- Document review:
  - Review of the system documentation prepared by the client.
  - Evaluation of the organization's location, number of sites and site-specific conditions.
  - Review of the client's status and understanding of the requirements of the standard.
  - Collection, evaluation and verification of information regarding the scope, management review, processes and their interactions, objectives of the organization, related statutory and regulatory aspects, internal audits, performance data and associated risks.
  - Review of the allocation of resources for the conformity assessment / audit, and agreement with the client on the details of the audit.
  - Ensuring appropriate planning by gaining sufficient understanding of the client's management system and site operations in the context of possible significant aspects.
  - This review shall identify concerns that could affect the subsequent conformity assessment / audit.
- On-site audit, which assesses:
  - System effectiveness with respect to documentation
  - Criticality and number of deviations
  - Complaints handling mechanism
  - Management commitment
  - Complete failure of an element of the standard
  - Effect of observed deviations on control effectiveness
WHAT IS BEYOND THE SCOPE OF CERTIFICATION ACCORDING TO THE ISO/IEC 27701 STANDARD?
- Applies to all management-system certifications: This certification does not constitute product certification. Certification thus does not provide any direct statements on the quality of a product or service of the certified customer.
- Certification according to ISO/IEC 27701 does not mean that the company manufactures products or provides services of higher quality.
- Certification according to ISO/IEC 27701 does not mean that a company's privacy information, data or the security controls protecting them cannot be lost, cannot be unlawfully altered, or will always be accessible when needed, even though these are key objectives of the privacy information management system.
- A certification does not confirm that the technical and organizational measures taken by the company for protecting privacy information are functioning without errors.