Certification Body

Scheme for Cyber Security Management System Basic Technical Criteria (Level 1)

ISO 27001:2022 – Information Security Management Systems


Code of Impartiality

PAYATU is committed to impartiality in carrying out management systems auditing and certification activities. 

To this effect, PAYATU shall not provide certification if its relationship with a client organization poses an unacceptable threat to impartiality. PAYATU shall take action to respond to any threats to its impartiality arising from the actions of other persons, bodies or organizations.

To ensure impartiality, PAYATU shall not:

  • Certify another certification body for its management system certification activities.
  • Offer or provide management system consultancy.
  • Certify a management system on which a client has received management system consultancy or internal audits, where the relationship between the consultancy organization and PAYATU poses an unacceptable threat to the impartiality of the certification body.
  • Conduct internal audits of clients certified by PAYATU, for a minimum of two years following the completion of the internal audits.
  • Be marketed or offered as linked with the activities of an organization that provides management system consultancy.
  • Outsource audits to management system consultancy organizations.
  • Assign individuals, including those in a managerial capacity, to audit or certification activities for a management system for which they have provided management system consultancy within the previous 2 years.

The following points further elaborate the impartiality policy of PAYATU:

  • PAYATU shall not state or imply that certification would be simpler, easier, faster or less expensive.
  • PAYATU or its employees shall not interfere or participate in the decision process of management system issues.
  • PAYATU and its employees shall not participate in the preparation and procurement of manuals, guides, formats and procedures.
  • PAYATU shall not provide specific and detailed advice or training on the design, implementation and maintenance of management systems subject to certification.
  • There shall be no pressure of any kind (financial, trade, administrative, competitive, moral or other) over PAYATU and its personnel regarding the execution of its obligations as a Certification Body.
  • When certain relations create an unacceptable impartiality threat, the certification shall not be conducted.
  • When a potential impartiality threat arises, PAYATU eliminates it or reduces it. This process is also controlled by the committee of interested parties, which meets at least annually.
  • PAYATU shall not allow any pressure from other certification bodies to influence the certification process in the organization. If another certification body declines to provide a service for a client and the client requests the same service from PAYATU, then PAYATU shall investigate the reasons for the refusal before performing any other certification activities for the respective client.
  • PAYATU shall not allow pressure from clients and/or consultancy organizations.

Audit Process

The Audit Process has two key stages:

1. Application Stage

2. Audit Stage 

Application Stage

  • The client fills in a form that gives us basic information about their organization, the people involved and their operational processes.
  • Based upon the information provided, we furnish a proposal to the client. The proposal carries complete details such as costing, methodology, requirements, accreditation scope, timescales, terms and conditions, and general requirements.
  • The audit criteria shall be as outlined in the applicable ISO standard (e.g. ISO 27001:2022) and any other relevant documents. If the client requires an explanation of how these standards apply to their certification program, the certification committee shall provide it. This shall be published in the publicly accessible information.
  • Following the client’s acceptance of our proposal, an agreement is signed between the client and PAYATU.
  • Post agreement, a detailed audit plan is created by PAYATU and shared with the client. The audit plan/schedule is agreed upon by both PAYATU and the client.

Audit Stage

Stage 1

  • Audit the management system documentation received from the client to determine its adequacy with respect to the relevant standard.
  • Compile a report of observations based on the study of the quality documentation and discuss it with the client.
  • The client removes the inadequacies identified in the above steps and prepares the quality documentation to demonstrate compliance.
  • Conduct a pre-audit, which is a detailed, on-site audit of the client’s implemented documented system against the company’s working practices and the appropriate quality standard.

Stage 2

  • Stage-2 audit will be an assessment audit, which will be carried out after stage-1 audit’s inadequacies have been removed and the organization is all set to demonstrate the compliance to the selected international standard. 
  • At the close of the stage-2 audit, the Lead Auditor will leave his/her recommendation with the client organization. If any non-conformances are raised, they will be discussed at the earliest opportunity. 

Certification Process

Granting a Certificate

Following the audit stage, once the corrective actions have been verified, the auditor recommends the certificate to the certification committee, which comprises three members. Upon verification of the auditor’s report and acceptance by the committee, the certificate is granted to the client within fifteen working days of the verification of corrective actions.

Certification Activities

PAYATU is a certified body authorized to carry out the following types of management system certification:

  • Scheme for Cyber Security Management System Basic Technical Criteria (Level 1) 
  • ISO 27001:2022

Certifications Information

Information about certifications granted, suspended or withdrawn, and the means to confirm the validity of a given certification, shall be maintained. ISO 27001:2022 certificates can be seen on www.iafcertsearch.org.

The certificate should be updated within 90 days from the date of release of certificate or from any updated information. 

Key points to note here: 

  • Certification decision is taken by person(s) different from those who carried out audit 
  • Analysis of Stage 1 and Stage 2 audit findings is carried out 
  • Verify satisfactory correction and corrective action for “major” nonconformities 
  • Initial certification decision or decisions on renewing certification 

Suspending a Certificate

PAYATU does not, in the normal course of events, suspend certified clients and will only do so under exceptional circumstances and on a case-by-case basis. Under suspension, the certification of a client’s management system is invalid until the suspension is lifted. Such suspension will be made clear on PAYATU’s client directory.

Circumstances that may lead to suspension include, but are not limited to, the following:

  • The client’s certified management system or product has persistently or seriously failed to meet certification requirements. 
  • The certificate holder does not allow surveillance or rectification audits to be conducted at the required facilities. 
  • The certificate holder has voluntarily requested a suspension. 
  • Failure to resolve issues that have resulted in the suspension in a time established by PAYATU may result in withdrawal or reduction in the scope of certification. 

Maintaining a Certificate

Maintaining a certificate requires the following:

Surveillance Audits

Surveillance audits shall be on-site audits, but are not necessarily full system audits. These audits shall be scheduled at least once a year. If more than 12 months elapse between two surveillance audits, a designated person shall document the justification and approval for the delay, while the yearly surveillance cycle is still maintained.

The surveillance audit shall cover the following areas: 

  • Internal audits and management review
  • A review of actions taken on nonconformities identified during the previous audit
  • Effectiveness of the management system with regard to achieving the certified client’s objectives
  • Progress of planned activities aimed at continual improvement
  • Review of any changes
  • Use of marks and/or any other reference to certification, and
  • Treatment of complaints

The surveillance audit team shall conduct the audit and share the findings with the client. If there are any non-conformances found, the client organization would need to commit to close them at the earliest. 

Re-Certification Audits

These audits are carried out to verify the effectiveness, improvement, and achievement of policies and objectives. They follow the Audit Process and Certification Process described in the earlier sections of this document.

Special Audits

These are intermediate audits carried out in the following scenarios:

  • Extensions of scope
  • Suspending, withdrawing or reducing the scope of certification
  • Short-notice audits in response to complaints or suspension

Appeal Handling Process

  • A client can send its appeal by e-mail, fax, or traditional mail.
  • PAYATU has formed a committee that deals with appeals and complaints.
  • On receipt of an appeal, the committee gathers, evaluates, and verifies all necessary information to validate the appeal.
  • The appeal is recorded, acknowledged and communicated to the appellant by the committee.
  • The committee investigates the appeal, taking into account the results of previous similar appeals.
  • The committee then submits a report indicating the results of the investigation, the actions to be taken and the reply to be sent to the client.
  • The final decision is made by the committee on the basis of the review of the report received from the committee/nominee. If the committee was previously involved in the certification decision related to the appeal, the decision is taken by another nominated person who was not previously involved in the specific certification audit or decision process.
  • The committee tracks and records the actions taken, and keeps the appellant informed of progress until the appeal is resolved. At the end of the appeal handling process, formal notice is given to the appellant by the committee.
  • The committee ensures that appropriate corrections and corrective actions are identified and implemented where required.
  • The committee ensures that the submission, investigation and decision on appeals do not result in any discriminatory actions against the appellants.
  • The committee submits its report to the Director Technical, and the decision is communicated to the appellant.
  • The progress report shall be sent to the appellant with a request for feedback within fifteen days. If the appellant does not respond, the appeal is considered resolved.
  • The appeal record shall be shown to and discussed with the impartiality committee.
  • Confidentiality is maintained throughout.

Complaint Handling Process

  • A complaint can be received by e-mail, fax, in writing or verbally. PAYATU shall only accept complaints with proper identification of the complainant. PAYATU shall acknowledge receipt of the complaint.
  • On receipt of a complaint, the committee gathers, evaluates and verifies all necessary information to validate the complaint. If it is confirmed that the complaint relates to certification activities, the committee shall initiate an investigation into the effectiveness of the certified management system.
  • The committee ensures that the persons engaged in the complaint handling process are different from those who carried out the audits and made the certification decisions.
  • If the complaint concerns a certified client, it is communicated to that client at an appropriate time. The complaint is recorded, acknowledged and communicated to the complainant by the committee.
  • Complaints are investigated by the committee in order to decide the actions to be taken in response.
  • If the complaint is against a certified client, the investigation shall consider the effectiveness of the certified management system, and any actions required are decided by the committee.
  • The committee implements the actions decided and tracks them until completion. The committee also ensures that corrections and appropriate corrective actions are implemented and completed where required.
  • Whenever possible, the committee communicates progress on the actions to the complainant, and on closure of the complaint formal notice is given to the complainant.
  • The above complaint handling activities are subject to the requirement for confidentiality as it relates to the complainant and to the subject of the complaint.
  • The progress report is sent to the complainant with a request for feedback within fifteen days. If the complainant does not respond, the complaint is considered resolved.
  • The committee determines, together with the client and the complainant, whether and, if so, to what extent the subject of the complaint and its resolution shall be made public.
  • Corrective actions as required are dealt with as per the Corrective and Preventive Action procedure.
  • The progress report is shown to and discussed with the impartiality committee.
  • Confidentiality shall be maintained throughout.
  • The record shall be shown to and discussed with the committee of interested parties.

Certification Documents

The detailed audit report shall be provided to the client organization only and shall not be publicly accessible.

The certificate of accreditation shall be issued to the client organization after successful compliance with the requirements of the relevant management system. The effective date of granting, expanding or reducing the scope of certific

PAYATU can keep the original certification date on the certificate when a certificate lapses for a period of time provided that:

  • The current certification cycle start and expiry dates are clearly indicated.
  • The last certification cycle expiry date is indicated along with the date of the recertification audit.
  • The expiry date or recertification due date is consistent with the recertification cycle.

The certificate shall have the following information, and this information shall be publicly available: 

  • Unique identification number of the certificate
  • Name of the certified organisation
  • Address of the certified organisation
  • Geographical locations of sites (in case of multiple sites)
  • Reference to the quality management system standard
  • The scope of certification with respect to the type of activities, products and services as applicable at each site, without being misleading or ambiguous (in the case of ISO 27001, the statement of applicability version number is also provided)
  • The name, address and certification mark of PAYATU; other marks (e.g. accreditation symbol, client’s logo) may be used provided they are not misleading or ambiguous
  • Any other information required by the standard and/or other normative document used for certification

In the case of ISO 27001:2022, if a change in the statement of applicability requires a change in the coverage of the controls, a process for the issue of a new certificate shall be initiated. When any revised certification documents are issued, a means to distinguish the revised documents from any prior obsolete documents shall be provided.

PAYATU shall provide certification documents by any means it chooses, such as post, courier or by hand.

Certification and Use of Mark

PAYATU shall have legally enforceable arrangements with certified clients covering the following:

  • The Customer shall be authorized to use only the Certification Mark (in which the PAYATU/NABCB/IAF logo is embedded) corresponding to the applicable Management System Certification standard.
  • The Customer may only refer to the Certification, including use of the Certification Mark, while holding a valid Certificate of Conformity. References to Certification and use of Certification Marks must not imply that the certification applies to activities or parts of the organization that are outside the scope of certification.
  • The Certification Mark shall be used on the Customer’s letters, documents and other promotional material. For Management System Certification Schemes, the Certification Mark must not be used in any way that may be interpreted as denoting product conformity. Accordingly, the Certification Mark must not be shown on a product or product packaging, on samples of products or on test certificates for products.
  • The certification mark of PAYATU shall not be applied to lab test, calibration or inspection reports.
  • The Certification Mark shall only be shown in the standard size and design, which may be obtained from PAYATU on request. The Certification Mark must never be shown larger than the Customer’s own logo, but must always be shown in its entirety.
  • In case of suspension or withdrawal of a certificate, the Customer shall discontinue use of all advertising matter containing a reference to Certification.
  • In case of incorrect reference to Certification status or misleading use of certification documents or marks, PAYATU shall request corrective actions, suspend or withdraw the certificate, publish the transgression or, if necessary, take legal action.
  • The Customer shall abide by the above aspects with respect to use of the Certification Mark.
  • The Customer shall not use certification in a manner that would bring PAYATU and/or the certification system into disrepute and lose public trust.
  • The Customer shall not make or permit any misleading statement with respect to its certification, and shall not allow or make use of any certification document, or any part of it, in a misleading manner.
  • In case of reduction of the scope of certification, the client shall modify its communication media (advertising etc.) appropriately.
  • The management system certified by PAYATU shall not be used by its clients in a way that implies PAYATU has certified a product (including a service) or process. Likewise, the client shall not give any impression that certification applies to activities outside the scope of certification.

Confidentiality

Any client information acquired or created by PAYATU during information gathering, audit, the certification process or otherwise shall be kept confidential and shall not be divulged to any third party. To this effect:

  • Personnel, including committee members, contractors, personnel of external bodies and individuals acting on PAYATU’s behalf, shall keep confidential all information obtained or created during the performance of the certification body’s activities, except as required by law. This applies to all PAYATU personnel and to any outside organization that PAYATU may employ for a particular piece of work.
  • All PAYATU personnel shall execute a Non-Disclosure Agreement with PAYATU.
  • Any outside organization working on behalf of PAYATU shall execute an NDA with PAYATU covering confidentiality towards PAYATU and towards the client for which the outside organization has been engaged.
  • PAYATU, and any outside organization working on its behalf, shall abide by the security requirements of the clients.
  • PAYATU shall ensure the safe handling and storage of confidential information.
  • PAYATU shall not disclose any information about a client or individual to a third party without obtaining prior written permission. If the information is legally required by a third party, the client or individual shall, unless regulated by law, be notified in advance.
  • Information received from other sources (regulators, complaints) about the client shall also be treated as confidential and dealt with as per policy.
  • If any hard copies of client records are collected for the purpose of an audit, they will be kept under lock and key and returned at the earliest once they are no longer needed.
  • If soft copies of client records are collected, they will be stored on PCs secured by user id and password and removed at the earliest once they are no longer needed.
  • Access to organizational records:
    • Before the certification audit, PAYATU shall ask the client to report whether any ISMS-related information (such as ISMS records or information about the design and effectiveness of controls) cannot be made available for review by the audit team because it contains confidential or sensitive information. PAYATU shall determine whether the ISMS can be adequately audited in the absence of such information. If PAYATU concludes that it is not possible to adequately audit the ISMS without reviewing the identified confidential or sensitive information, it shall advise the client that the certification audit cannot take place until appropriate access arrangements are granted.

Notice

Notice of changes by PAYATU

  • PAYATU shall provide its certified clients due notice of any changes to its requirements for certification. 
  • PAYATU shall verify that each certified client complies with the new requirements. 

Notice of Changes by Clients

PAYATU shall have a legal agreement ensuring that the certified client informs PAYATU of any condition that differs from the conditions or information prevailing at the time of certification. Such changes may affect the ability of the management system to fulfil the requirements of certification, and may be of the following nature:

  • Change of address of the organisation/site
  • Change in organisation structure or key personnel (technical, managerial)
  • Change in ownership or legal status of the organisation
  • Major changes in scope, processes, technology or management system
  • Change in legal, commercial or organizational status, or ownership
  • Change in the scope of operations under the certified management system

Information made available to the public without request

  • Audit processes;
  • Certification process;
  • Processes for granting, refusing, maintaining, renewing, suspending, restoring or withdrawing certification, or expanding or reducing the scope of certification;
  • Types of management systems and certification schemes in which PAYATU operates;
  • The use of the PAYATU name and certification mark or logo;
  • Processes for handling requests for information, complaints and appeals;
  • Policy on impartiality.

The certification body shall provide upon request information about:

  • Geographical areas in which it operates
  • The status of a given certification
  • The name, related normative document, scope and geographical location (city and country) of a specific certified client

ISO Audit Policy

PAYATU ISO audit policy for Management of Extraordinary Events or Circumstances affecting Payatu Security Consulting Pvt. Ltd. (PAYATU) and Certified Organizations 

1. Scope

This policy applies to management system certification, specifically to surveillance and recertification audits, for the management systems for which PAYATU is accredited.

2. Definition

Extraordinary event or circumstance: A circumstance beyond the control of PAYATU, commonly referred to as “Force Majeure” or “act of God”. Examples are war, strike, riot, political instability, geopolitical tension, terrorism, crime, pandemic, flooding, earthquake, other natural or man-made disasters. 

During such extraordinary circumstances, travel is not reasonable due to travel restrictions, safety reasons, closure of national borders etc., and above all because of the health of the participants.

3. Policy

When an extraordinary circumstance occurs (such as the case of COVID-19), PAYATU shall decide on certification activities for its clients taking into consideration whether the client’s operations are being carried out and have not been stopped. The conditions prevailing because of COVID-19 shall be discussed with the client, and the client shall be informed of the plan for a virtual audit in advance. PAYATU shall develop plans for carrying out certification activities as detailed below.

a. Surveillance Audits

Virtual audits shall be carried out. If the certified organisation is not in a condition to be audited due to the conditions prevailing on account of COVID-19, the audit shall be carried out within 3 months of the due date. (Due date: surveillance audits shall be conducted at least once a calendar year, except in recertification years. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date.) The period of three (3) months is as per the NABCB guidelines issued 01 March 2020, and may be modified so as to meet the mandatory requirements of the accreditation body / apex organisation.

b. Recertification Audits

Virtual audits shall be carried out. If the certified organisation is not in a condition to be audited due to the situations mentioned under the “Definition” section above, the audit shall be carried out within 6 months of the due date. The period of six (6) months is as per the guidelines of IAF ID 3, and may be modified so as to meet the mandatory requirements of the accreditation body / apex organisation.

It shall be kept in mind that if audits are carried out later than the due date because of extraordinary circumstances, the next audit shall still be done on the due dates of the audit cycle.

NABCB shall be informed of virtual audits.

Deviations from the Audit and Certification Process of PAYATU shall be documented. It shall be kept in mind that the total audit time shall not be reduced; however, an increase in planning time may be required.

Virtual audits shall be carried out using audio/video and data-sharing facilities with the ability to control, see, hear, question and intervene during audit sessions. PAYATU shall keep evidence of invitations, opening and closing meetings and audit sessions by means of session snapshots, recordings etc. These records shall be kept for 2.5 years. The security and confidentiality of electronic or electronically transmitted information/data shall be kept in view by both PAYATU and the organization being audited. The following aspects shall be discussed with the client for planning and carrying out the audit.

c. The e-mail id and phone number of the auditees, for sending the electronic invitation. The auditees shall have audio/video connectivity during the audit sessions and shall be available for the audit as per the audit plan.

d. There may be parallel sessions in the audit plan, and the client shall facilitate these parallel sessions.

e. The client shall be able to show the documents required for the audit, such as project documents, processes and documents related to support functions. The client should be able to present soft copies, and documents should be shared as required during the audit.

f. The client has no objection to the session being recorded.

Enquiry

The certification body shall provide upon request information about:

  • Geographical areas in which it operates
  • The status of a given certification
  • The name, related normative document, scope and geographical location (city and country) of a specific certified client

To request information, contact:

Provide the following details in the email:

Mandatory in the subject line:

  • Name of the Organization
  • Location of the Organization

Additional preferred information:

  • Certificate #

Certificates can be verified by email:
