ISO Assessment Operations

Emagine Compliance is committed to impartiality and to complying with ISO/IEC 17021:2015 for ISO/IEC 27001. The following disclosures demonstrate our commitment to impartiality, independence, and building trust with our customers and stakeholders in the work that we do.

Audit and Certification Process

Emagine Compliance offers certification services that fully comply with all relevant standards. Our process is clearly outlined for prospective customers, covering key stages of the audit and the certification journey, while also informing them of their rights and obligations during both the application process and post-certification activities.

General Requirements

Emagine conducts thorough impartiality reviews for all new and existing client engagements. To maintain independence, we prohibit certification services in these situations:

  • When the relationship compromises impartiality, including certification requests from Emagine subsidiaries
  • For other certification bodies
  • For organizations that received our management system consulting within the past two years
  • For clients using our internal audit services
  • Where management system consulting or internal audits create partiality concerns
  • Using consultants in certification activities within two years of their consulting work

Scoping and Planning

Before developing the audit plan, clients complete an assessment questionnaire covering:

  • Audit parameters and desired certification standards
  • Organizational scale, complexity and locations
  • Third-party relationships and outsourced functions
  • Prior consulting engagements
  • Past audit findings, when applicable
  • Preferred timing and project schedule

To prepare an effective audit plan, Emagine requires each certification applicant to complete an initial assessment covering:

  • Target certification scope and standards
  • Organization profile (size, locations, complexity)
  • External partnerships and service providers
  • Previous consulting relationships
  • Historical audit findings
  • Timeline preferences and scheduling needs

Based on the assessment, Emagine evaluates certification readiness. We proceed with certification contracts when:

  • Client information is sufficient for audit execution
  • Certification requirements are documented and acknowledged
  • All parties align on expectations
  • We’ve confirmed our capability to perform the audit
  • Scope, locations, and timing requirements are feasible

Records of these evaluations are maintained for verification.

If we decline an application, the prospect receives written notification within four weeks explaining our decision. For approved engagements, we use questionnaire responses to schedule audits and assign team members. New clients receive comprehensive information about:

  • Certification process
  • Maintenance audit requirements
  • Appeals and complaints procedures
  • Standard business terms

This information, along with contractual agreements for ISO certification services, is documented in the SOW.

Upon signed agreement, clients receive planning documents including:

  • Detailed audit testing plan
  • Key dates and deadlines
  • Assigned audit team roster

Audit Management

Emagine’s standardized audit plan includes:

  • Detailed task assignments for team members
  • Scheduled interview and testing dates
  • Flexibility for timeline adjustments

Auditor Requirements:

  • Review organization’s management system documentation
  • Verify compliance with certification scope
  • Evaluate implementation effectiveness
  • Report findings and areas for improvement

The plan allows adequate preparation time while maintaining audit objectives.

Sampling

Emagine follows IAF MD-1 sampling methodology for multi-site assessments. Sample size and location requirements are determined based on site function and management system standards.

Non-Conformities

Audit teams promptly communicate nonconformities to client personnel. Clients must then:

  • Analyze and document issues
  • Develop corrective actions
  • Perform root cause analysis
  • Create remediation timeline
  • Provide evidence of fixes

Emagine reviews submitted corrective actions to determine if additional testing is needed. If required, clients receive notification of supplemental audit scope and timing. All retesting results are documented internally.

Audit Deliverables

Upon completing each audit stage (certification, surveillance, or recertification), Emagine provides comprehensive written reports. The lead auditor includes either a certification recommendation or detailed explanation for withholding certification. Reports undergo rigorous review by our certification decision maker, who evaluates:

1. Nonconformity Resolution

  • Effectiveness of corrective actions
  • Evidence of systematic management standard failures
  • Impact on system performance capabilities
  • Verification of implemented fixes

2. Documentation Requirements

  • Completeness of audit evidence
  • Alignment with certification scope
  • Compliance with standards

Certificate Issuance

Following approval from the decision maker, all certificates undergo Emagine’s quality assurance review. Final certificates are issued in accordance with relevant normative standards, ensuring the highest level of certification integrity.

Certification Cycles

Certification is not a one-time event but a continuous three-year cycle, as follows.

Initial Certifications

Stage 1 – Information gathering and analysis. Identification of nonconformities.

Stage 2 – Tests of operating effectiveness.

Stage 2 will be scheduled to be performed no less than one month and no more than nine months following the completion of Stage 1.

Surveillance Audits

Surveillance audits verify ongoing compliance with ISO standards after initial certification. These periodic assessments ensure organizations maintain certification requirements and continue to meet the standard’s controls and objectives throughout their certification period. They must take place no more than 12 months from the previous audit.

Recertification Audits

This audit is completed at the end of 3 years and is similar in detail and intensity to the initial certification. It is a review of operating effectiveness, processes and commitment to continual improvement.

STAGE 1

Stage 1 evaluates your management system framework. Emagine typically conducts portions of Stage 1 at client locations, beginning with an opening meeting to align audit objectives. Our comprehensive review process includes:

Framework Evaluation

  • Reviews management system documentation
  • Assesses site conditions and operational environment
  • Evaluates standard requirements comprehension
  • Examines key processes and performance indicators

Information Gathering

  • Documents system scope and processes
  • Reviews regulatory compliance requirements
  • Maps operational risks and controls
  • Evaluates resource requirements for Stage 2

Readiness Assessment

  • Verifies internal audit processes
  • Confirms management review procedures
  • Determines Stage 2 preparation status

Results Communication

The Stage 1 assessment concludes with:

  • Documented findings and potential nonconformities
  • Stage 2 timeline planning
  • Formal closing meeting
  • Detailed readiness evaluation

The interval between Stage 1 and Stage 2 is determined collaboratively based on organizational readiness and assessment findings.

STAGE 2

Emagine conducts comprehensive testing through either on-site or remote assessment to verify:

  • Framework implementation
  • Control design effectiveness
  • Operational compliance
  • Management system performance

Each standard undergoes thorough evaluation against specific requirements to confirm both compliance and operational effectiveness.

Results Communication

Upon completion, our audit team:

  • Conducts detailed closing meeting
  • Presents conformity findings
  • Addresses client questions
  • Reviews identified issues

Certification Decision Process:

Our team analyzes evidence from both stages to prepare certification recommendations. The decision package includes:

  • Detailed audit report
  • Nonconformity analysis and remediation status
  • Application information verification
  • Formal recommendation with conditions or observations

Timeline Commitments

  • Certification decision provided within 4 weeks of Stage 2 completion
  • Major nonconformities must be resolved within 6 months
  • Unresolved major findings require additional Stage 2 assessment

Final certification recommendations consider audit findings, conclusions, and relevant external information, ensuring a comprehensive evaluation of your management system.

Impartiality

Impartiality is a fundamental principle of Emagine Compliance’s certification services. Both our organization and our employees maintain complete independence from clients, ensuring that certification decisions are based solely on objective criteria, free from bias or prejudice. In line with requirements in ISO/IEC 17021:2015, Emagine Compliance has created an impartiality policy and review process for our certification services.

Policy

It is the policy of Emagine Compliance to have impartiality be a fundamental principle of our certification services. It is the policy of Emagine Compliance to undertake its conformity assessments impartially. Emagine Compliance will be responsible for ensuring its assessment activities are impartial. Emagine Compliance shall not allow commercial, financial or other pressures to compromise its impartiality.

Both our organization and our employees shall maintain complete independence from clients, ensuring that certification decisions are based solely on objective criteria, free from bias or prejudice.

Emagine Compliance understands the importance of carrying out our activities impartially, managing conflicts of interests and ensuring objectivity. Emagine Compliance recognizes the importance of impartiality in safeguarding the credibility of our assessment processes and ensuring that our decisions are evidence based and objective.

It is the policy of Emagine Compliance to have a clear process to identify, analyze, evaluate, treat, monitor and document all potential risks related to conflicts of interest. Any threats to impartiality shall be documented and Emagine Compliance will demonstrate how these risks were eliminated or minimized. If there is a relationship that poses an unacceptable threat to impartiality, then it is the policy of Emagine Compliance to not provide certification services.

The top management of Emagine Compliance is committed to ensuring adherence to this policy and to reviewing residual risks to its organization and its activities to ensure they are at acceptable levels.

It is the policy of Emagine Compliance to identify and consult with appropriate interested parties as necessary to advise on matters affecting impartiality, including openness and public perception.

It is the policy of Emagine Compliance to adhere to the following rules, which address activities seen as unacceptable for ensuring impartiality.

  • Emagine Compliance shall not certify other certification bodies
  • Emagine Compliance is a legal entity solely focused on conformity assessments and therefore shall not provide consultancy services.
  • Emagine Compliance will not provide conformity assessments to any organization where it, or any personnel, has performed an internal audit function for a minimum of two years following audit completion.
  • Emagine Compliance will not provide conformity assessments to any organization where it has received consultancy from an organization that Emagine Compliance or one of its personnel has a relationship with for a minimum of two years following consultancy.
  • Emagine Compliance shall not outsource audits to a consultancy organization.
  • Emagine Compliance will not market or link itself to a consultancy organization.

Monitoring and Reviewing

Emagine Compliance shall exercise proper control of ownership and shall take action to deal with potential conflicts of interests that could impact our ability to be impartial. We do this through the following activities:

  • Conducting conflict of interest assessments for each assessment.
  • Having an internal employee disclosure and attestation process.
  • Having procedures in place for mitigating identified impartiality risks.
  • Having procedures in place that ensure process consistency, regardless of client.
  • Regularly reviewing and updating our policies and procedures.

Suspensions

Emagine maintains the authority to suspend, withdraw, or reduce certification scope when justified by substantial evidence. This ensures the ongoing integrity of our certification program and compliance with management system standards.

Emagine Compliance will suspend certified customers who fail to meet the conditions of their certification. During the suspension period, the client’s certification is considered invalid. Emagine Compliance will also verify that suspension status in response to any public inquiries made to us.

Suspension becomes necessary in several situations. When an organization’s management system consistently fails to meet certification requirements or demonstrates serious compliance issues, we must take action. Similarly, if a certified client prevents the completion of required surveillance or recertification audits within mandatory timeframes, suspension may be warranted. We also honor voluntary suspension requests from our certified clients.

During a suspension period, which is determined by our certification decision maker, the certification becomes temporarily invalid. Organizations have the opportunity to address the suspension triggers and request reinstatement. This process involves a comprehensive surveillance-style audit to verify that all issues have been properly resolved. Our audit team provides detailed recommendations to both the client and certification decision maker regarding reinstatement.

If an organization fails to address suspension causes within the established timeframe, Emagine may need to withdraw the certification or reduce its scope. Scope reduction specifically excludes areas where persistent or serious certification requirements aren’t met, while maintaining certification for compliant operations. Any scope modifications align with applicable ISO standards.

In cases of complete certification withdrawal, our engagement terms require organizations to cease using all certification-related advertising materials. Emagine maintains transparency by accurately communicating certification status – whether suspended, withdrawn, or reduced – to any inquiring parties.

This structured approach to certification status changes protects the validity of our certification program while ensuring clear communication with all stakeholders.

Appeals

Customers have the right to appeal any disputed issues regarding their certification if they believe the assigned team has not adequately resolved the matter.

At Emagine, we maintain a structured and impartial appeals process for our certification decisions. Clients can submit formal appeals through multiple channels – email, mail. Each submission should detail the appeal reason and date and include relevant supporting evidence. Upon receipt, we will investigate the issue and address it fairly and promptly, keeping the complainant informed of the progress and outcome.

To ensure complete objectivity, our compliance team manages all appeals independently from the original audit team and certification decision makers. This separation guarantees that those handling appeals weren’t involved in the original decisions being challenged. We strictly maintain this independence to prevent any potential conflicts of interest or discriminatory actions against appellants.

Our comprehensive appeals process follows a structured pathway:

  1. Our team documents the appeal receipt and appellant information
  2. We promptly contact the appellant to confirm receipt and explain our appeals process
  3. A thorough due diligence investigation begins, managed by our compliance team
  4. Independent reviewers evaluate all gathered evidence and documentation
  5. Final decisions are made by individuals with no prior involvement in the disputed matter

Resolution timelines vary based on complexity and required investigation depth. We maintain regular communication with appellants, providing at least monthly progress updates throughout the process.

If an appellant disagrees with our final decision, they retain the right to escalate their appeal to our accreditation body. All appeals processes are transparently documented and accessible through Emagine’s website.

This systematic approach ensures fair, thorough, and independent review of all certification-related appeals while maintaining clear communication throughout the process.

Complaints

Emagine Compliance takes complaints against itself or its clients very seriously. Emagine maintains a robust complaint management system designed to address concerns fairly and thoroughly. Clients can submit formal complaints through multiple channels – email, mail – including the reason for the complaint, submission date, and supporting evidence.

Upon receipt, we will investigate the issue and address it fairly and promptly, keeping the complainant informed of the progress and outcome. Our commitment to impartiality means that complaint investigations are handled by team members who weren’t involved in the original audit or certification decisions. This independence ensures objective evaluation without any discriminatory actions against the complainant. When complaints involve certified clients, we carefully assess the effectiveness of their management system and engage with them appropriately during the resolution process.

Our complaint handling process follows a structured yet flexible approach. Upon receipt, our team documents the complaint details and promptly contacts the complainant to confirm receipt and explain our resolution process. The investigation is overseen by our independent team members, who gather and evaluate all relevant evidence to make informed decisions about necessary actions.

Resolution timelines vary based on the complexity and scope of the investigation required. We maintain regular communication throughout the process, providing monthly progress updates at minimum. All final decisions are reviewed and approved by individuals who weren’t involved in the original matter under dispute.

Throughout the process, we maintain detailed documentation of all evidence and decision-making factors. Once resolved, we provide formal notification to the complainant, marking the conclusion of the complaint handling process. Our complete complaint handling procedures are transparently available on Emagine’s website, demonstrating our commitment to accountability and continuous improvement.

Any complaint against Emagine Compliance or its customers will remain confidential unless disclosure is mandated by law.

Certification Branding and Marking Guidelines

All certified clients must comply with Emagine Compliance’s Branding Guidelines.

This guide provides general information to organizations that have obtained an information security management system certification regarding the authorized marketing of the certification and the use of the Emagine Compliance certification mark (the “Mark”). These requirements were previously agreed upon as a condition of our acceptance of the assessment. Please contact your Emagine Compliance representative if you have questions or concerns. The ISO, Emagine Compliance, Inc. (“Emagine”), and Accreditation Body (ANAB) symbols and logos are all legal trademarks requiring adherence to the rules of usage as described herein and as may be amended from time to time, under legal terms, and are referred to herein as Mark or Marks.

Emagine Compliance, Inc. does not provide, indicate or imply permission for clients to use the International Organization for Standardization logo or permission to incorporate the ISO logo into any customized logo or display. The ISO logo may only be displayed with express written permission from the International Organization for Standardization. Further details regarding absolute restriction on use of ISO logos or wording can be found at ISO.org/ISO-name-and-logo. An extract of the information found therein is at the bottom of this document. The Accreditation Bodies (ANAB, UKAS, etc.) Mark may not be used in isolation from the Emagine Compliance, Inc. mark. The Accreditation Bodies (ANAB) Mark must always remain attached to the Emagine Compliance, Inc. Mark as provided and must follow ANAB’s guidance per their PR 1018 document “Policy on use of ANAB Accreditation Symbols and Claims of Accreditation Status.”

  • The certified organization shall conform to the reasonable and mutually agreed requirements of Emagine when making reference to its certification status in communication media such as the Internet, brochures, advertising, or other documents. The reference must include identification of the certified client; the type of management system and the applicable standard; and the certification body (Emagine) issuing the certificate.
  • The certified organization shall not make or permit any misleading statements regarding its certification. Furthermore, the certified organization shall not use or permit the use of a certification document, or any part thereof, in a misleading manner.
  • The certified organization shall, upon suspension or withdrawal of its certification, discontinue its use of all advertising matter that contains a reference to ISO 27001 certification and/or includes a mark.
  • The certified organization shall amend all relevant advertising material when the scope of certification has been modified.
  • The certified organization shall not allow reference to its information security management system certification to be used in such a way as to imply that Emagine certifies a product, service, or process.
  • The certified organization shall not imply that the certification applies to activities that are outside the scope of registration.
  • The certified organization shall not use its certification in such a manner that would bring Emagine and/or the certification system into disrepute or cause loss of public trust.
  • The certified organization shall use the mark only in reference to the information security management system certified by Emagine.
  • The certified organization shall not use the certification in such a manner as to be applied to laboratory test, calibration, or inspection reports.
  • The certified organization acknowledges that Emagine has the right to suspend or withdraw certification if it finds that the certified organization has purposefully made incorrect references to the certification status or misleading use of certification documents, marks, or audit reports.
  • The mark is a service mark of Emagine. The mark shall only be used during periods of active certification. The mark may not be used in connection with any product or service that was not within the scope of the certification review, or in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Emagine.
  • The mark will be provided in one (1) approved form (shown below). The certified organization may use any version of the mark during periods of active certification. The certified organization shall not modify the form or color of any mark provided by Emagine.