Insight Assurance LLC requires these written Terms & Conditions to address the requirements of certification body activities and accredited conformity assessment services.
1.1. Insight Assurance LLC provides independent conformity assessment services for the following relevant International Standards:
a) Information Security Management System – ISO/IEC 27001:2013
b) Any other Certification Standards that Insight Assurance LLC may offer certification for in the future.
2. General Conditions
2.1. The primary conditions for acquiring and retaining certification with Insight Assurance are that the applicant company agrees to and complies with the following procedures and rules:
a) The audited company is required to make available all information deemed necessary by Insight Assurance LLC to complete the relevant audit program.
b) Insight Assurance LLC, if not satisfied that all the requirements for certification are being met, will identify non-conformities and require the audited company to correct and take actions to prevent the recurrence of said non-conformities.
c) The registered company grants Insight Assurance LLC permission to publicize its certification status.
d) In the case of Major non-conformities, when the applicant company can demonstrate that the applicant company has taken actions to meet all the requirements, Insight Assurance LLC will arrange to repeat only the necessary parts of an audit that cannot be verified by the submission of documentary evidence.
e) If Insight Assurance LLC is unable to verify the implementation of correction and corrective actions for a Major non-conformity within six months of the date of the stage 2 audit, then Insight Assurance LLC is obliged by accreditation rules to repeat the stage 2 audit prior to certification.
f) If the applicant company fails to take corrective action within the specified time limit, it may be necessary for Insight Assurance LLC, at extra cost to the applicant company, to repeat the audit in full.
g) Identification of conformity will refer only to the site or sites audited and will only apply to the worded scope appearing on the certificate.
h) Fees must be paid within the timescales stated in the quotation. Certificates will not be issued until relevant fees have been paid in full.
i) For a registered company to demonstrate effective management reviews and internal audits, these activities are required to be carried out at least once per year by the registered company.
j) Failure to comply with these Terms & Conditions may result in legal action being taken against the company.
k) The registered company must allow Insight Assurance LLC to conduct ongoing surveillance audits in line with the planned arrangements stated in the proposal.
l) Certified clients must only use the certification marks in accordance with the Insight Assurance LLC rules for the use of certification marks.
m) Certified clients must inform Insight Assurance LLC within seven days of any serious incident that occurs within the scope of any certification held (such as a fatality, data breach, or significant incident), which may result in an extra, unscheduled audit by Insight Assurance LLC.
n) Certified clients must inform Insight Assurance LLC within seven days of notification of prosecution by a regulator within the scope of registration.
o) An audit day consists of 8 hours of audit activity.
p) A cancellation fee may be charged for visits booked and confirmed in writing that are canceled or postponed by the registered client within two weeks of the booked date.
Insight Assurance LLC is responsible for and will retain authority for decisions relating to accredited certification, including the granting, maintaining, renewing, extending, reducing, suspending, and withdrawing of certification.
3.1. Insight Assurance LLC is responsible for ensuring that secrecy is maintained by its employees and its agents concerning all confidential information with which they may be acquainted because of their contacts with the company.
3.2. Where information is required to be disclosed to a third party, either by law or in the maintenance of certification (e.g., Accreditation Bodies), the client will be informed of the information provided as permitted by the law.
4.1. The client company will inform Insight Assurance LLC in writing and without delay of any intended changes relating to the following:
a) The legal, commercial, organizational status or ownership
b) Organization and management
c) Contact address and sites
d) Scope of operations under the certified management system
e) Major changes to the management system and processes
4.2. Insight Assurance LLC will determine whether the notified changes require any additional audit activity. Failure to notify Insight Assurance LLC may result in certificate suspension.
5. Application for Certification
5.1. Upon receipt of a completed application for quotation from an applicant company, a quotation outlining the audit criteria and fees will be submitted to the applicant company. Once the application for certification, suitably authorized by the applicant company and accompanied by the necessary fee payment, has been received by Insight Assurance LLC, the project will be allocated to an audit team. The audit team leader will be responsible for ensuring that the audit is carried out in accordance with Insight Assurance LLC procedures.
6.1. Fees are detailed in the quotation submitted to the applicant. All costs are based on the charge rate applicable at the time of quotation, and Insight Assurance LLC reserves the right to increase charges during the certification period. Such increases will be communicated to the client company in writing. Once an application for certification has been made, payment of the initial registration fees is required, and payment of ongoing registration fees is due as per the payment schedule within the quotation.
6.2. Additional fees will be charged for additional work not included in the scope of the original quotation and for any extra, unscheduled visits required due to reported incidents or non-compliances being identified in the continuing adequacy and/or implementation of the relevant management system. Unless otherwise stated, fees quoted include travel and expenses associated with the audit/surveillance activities.
6.3. Insight Assurance LLC reserves the right to charge late-payment charges. All fees are subject to local taxes in the country concerned at the appropriate rates.
7. Initial Audit
7.1. Conformity assessment audits are based on sampling within a Management System and are therefore not a guarantee of 100% conformity with standard requirements. The initial audit of an applicant company’s management system is conducted over two stages:
a) Stage 1 – The objectives of this are to audit the applicant’s management system documentation; evaluate the location and site-specific conditions and determine readiness for the stage 2 audit; establish the applicant’s understanding of the requirements of the standard, with respect to the identification of key performance or significant aspects, processes, objectives, and operation of the management system; to discuss and agree on the scope of the management system, processes and location(s) and related statutory and regulatory aspects (where applicable) and associated risks, etc.; to plan the Stage 2 audit and establish planning arrangements for internal audit and management review and the general readiness for the Stage 2 audit.
b) Stage 2 – the objectives are to assess the implementation (including effectiveness) of the applicant’s management system through the audit of the information and objective evidence about conformity to all requirements of the applicable management system standard or other normative documents; assess performance monitoring, measuring, reporting and reviewing against key performance objectives and targets; evaluate the applicant’s management system and performance as regards legal compliance, operational control of processes, internal auditing, and management review and policies; links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or another normative document), any applicable legal requirements, responsibilities, the competence of personnel, operations, procedures, performance data, and internal audit findings and conclusions. All records produced for the implementation and operation of the appropriate management system are required to be readily available for inspection by the audit team. The applicant company is required to ensure that Insight Assurance LLC is advised of the name of the Management Representative who has authority and responsibility for maintaining the Management System. This individual is required to maintain contact with Insight Assurance LLC. Any change to this designated person must be confirmed to Insight Assurance LLC in writing.
8. Certification Decision
8.1. When the responsible decision makers of Insight Assurance LLC are confident that the company meets all the requirements for certification following a thorough review of the audit report(s) and associated objective evidence, the applicant is entered on the Insight Assurance LLC certification directory and a registration number and certificate issued. Certificates issued will remain the property of Insight Assurance LLC and are required to be returned to Insight Assurance LLC upon request.
9.1. Periodic surveillance visits are required to be conducted to confirm the following:
a) The certified management system has continued to fulfill requirements between recertification audits
b) Ensure internal audits and management reviews have been performed to program.
c) Review actions taken on nonconformities identified during the previous audit.
d) Evaluate treatment of complaints.
e) Evaluate the continued effectiveness of the management system regarding achieving objectives.
f) Evaluate the management system and performance as regards legal compliance.
g) Review the progress of planned activities aimed at continual improvement.
h) Ensure continuing operational control and review of any changes since the last visit.
9.2. The certificate holder is required to allow Insight Assurance LLC the right of access for surveillance purposes, and Insight Assurance LLC will reserve the right to make unannounced visits as required. The certificate holder will be informed of the results of all surveillance. First surveillance visits will be conducted no later than 12 months after the certificate issue date and at least once per calendar year thereafter.
10. Renewal of Registration
10.1. Regardless of the frequency of the Surveillance routine, a certification cycle runs for a three-year period from the date of the certificate decision, with a full re-audit to be completed within three years of the last date of the stage 2 audit and every three years thereafter. Failure to submit for re-audit prior to the expiry date will result in a period during which the company’s registration will be deemed to have expired. Insight Assurance LLC client companies will be subject to re-audit prior to the expiry of the certificate. Six months prior to the expiry date, a new quotation will be submitted covering the new three-year cycle. Typically, the days allocated for a three-year re-audit will be approximately the same as the initial stage 2 audit.
11. Extension/Reduction of Certification Scope
11.1. Extending the scope of registration to cover new products/processes/locations requires registered companies to complete and return a new application for a quotation. This will allow Insight Assurance LLC to determine whether additional audit time is needed to cover the changes required. The application procedure outlined in clause 5 of these Terms & Conditions will be followed, and an audit will be carried out on the areas not previously covered.
11.2. For reductions to a scope of registration, it is mandatory that Insight Assurance LLC is advised immediately of changes in organization or products, i.e., closure of sites or removal of products previously supplied under the original scope on the certificate. Upon review and acceptance of the information, Insight Assurance LLC will determine the actions needed to process the scope reduction and will notify if an additional audit and a change to the worded scope are required. The cost of this reduction in the scope of the certificate will be based on the nature and programming of the audit if required, or administration costs for a new certificate.
12. Publicity by Registered Companies
12.1. A certified company has the right to publicize the fact that the management system it utilizes has been certified by an accredited certification body and can apply the relevant marks to stationery and promotional material relating to the scope of certification as detailed on the certificate. Certification marks must not be applied to products or primary packaging or displayed in any way that is ambiguous as to the scope of the certification. Any statement about certification made on product packaging will in no way imply the product itself is certified by Insight Assurance LLC and will include the brand name of the certified client, the type of management system and standard, and the name of Insight Assurance LLC. In every case, the registered company is required to ensure that no confusion arises between certified and non-certified products/processes and activities in its publications and advertising. The company is forbidden to make any claim that could mislead purchasers to believe that a product/process or activity is covered by certification when, in fact, it is not.
13. Misuse of Certificates
13.1. Insight Assurance LLC takes all reasonable precautions to control the use of the certificates issued. Incorrect references to the scope of certificates or incorrect use of the certificate are prohibited and will be dealt with by suitable actions, which could include suspension or withdrawal of certificates, legal action, and/or publication of the transgression.
14. Suspension of a Certificate
14.1. A certificate may be suspended for a limited time in cases of:
a) Widespread failure by a registered company to effectively implement Management System requirements.
b) Failure to permit Insight Assurance LLC to conduct recertification or surveillance audits at the required frequencies.
c) Failure to accept the presence of accreditation body auditors attending an audit to be conducted by Insight Assurance LLC.
d) Failure to notify Insight Assurance LLC of significant changes to the registered company.
e) Misuse of certification marks.
f) Misrepresentation/misuse of the certificate.
g) Falsification and/or fabrication of records of implementation.
h) Failure to respond to Corrective Action Requests within 30 days of the date of issue.
i) Non-payment of certification fees owed to Insight Assurance LLC.
j) Expiry of a certificate after the 3-year registration period has elapsed.
k) Request from the client for voluntary suspension.
14.2. If suspended, the company is required to immediately cease to identify the coverage of any certificate under suspension. Insight Assurance LLC is required to notify in writing an official suspension of certificate to the company; this notification will indicate the conditions that will allow the removal of the suspension. At the end of the suspension period, or earlier if suitable responses have been submitted by the suspended client, an investigation will be undertaken to determine whether the required conditions for removal of suspension have been followed. If the conditions have been satisfied, the certificate will be reinstated; if the conditions have not been satisfied, the certificate is required to be withdrawn.
14.3. The suspended company will be liable for any reasonable costs associated with suspension and subsequent reinstatement of the certificate, and these will be charged to the registered company.
15. Withdrawal of a Certificate
15.1. A certificate may only be withdrawn if the company does not meet the required conditions raised on suspension of the certificate. Intention to withdraw a certificate will be notified to the company in writing seven days before the proposed withdrawal date, and the company does have the right of appeal against this decision. Insight Assurance LLC is not liable to reimburse any audit fees paid, and Insight Assurance LLC will publish the withdrawal of the certificate. Reinstatement of ‘withdrawn’ certificates may require a full initial audit to be conducted and, where appropriate, fees to be paid in advance.
15.2. Withdrawal of the certificate will require that all promotional materials endorsed with the Insight Assurance LLC certification logos must be withdrawn from use immediately and any continued use of marks on company publicity and stationery material will be in contravention of the intellectual property rights of the owners of the marks.
16. Cancellation of a Certificate
16.1. A certificate may be canceled if:
a) The company does not wish to renew the certificate.
b) The company goes out of business.
c) The company does not respond to correspondence from Insight Assurance LLC.
16.2. Insight Assurance LLC is not liable to reimburse any audit fees paid, and Insight Assurance LLC will publish a notification of the cancellation of the certificate. Cancellation of the certificate will require that all promotional materials endorsed with the Insight Assurance LLC certification logos must be withdrawn from use immediately, and any continued use of marks on company publicity and stationery material will be in contravention of the intellectual property rights of the owners of the marks.
17. Appeals and Disputes
17.1. In the event of certificate withdrawal or if a client company does not accept a non-conformity or recommendation for registration, the company has the right to appeal. Should the company intend to appeal, then it should refer to the Complaint & Appeal Handling procedure of Insight Assurance LLC. Insight Assurance LLC must receive notification of the intent to appeal within seven days of the company’s receipt of the intention of withdrawal notice from Insight Assurance LLC or the date of the audit.
17.2. The appellant must submit a formally documented substantiation for the appeal to Insight Assurance LLC within fourteen days of the receipt of the intention of withdrawal notice or the date of the audit.
17.3. All client company appeals will be initially reviewed by the appointed certificate decision maker(s) and the Insight Assurance LLC audit staff responsible for the recommendation to withdraw the certificate or identification of the non-conformity – who must provide evidence to support their recommendation.
17.4. Should the appointed decision maker reject the appeal, then it will be passed to the certification decision committee. Should the committee concur with the decision maker(s) finding, then the committee, drawn from the independent members of the impartiality committee, is required to consider the appeal. The appellant will be advised of the names of the appeals committee, and the appellant has the right to dispute the members of the appeals committee by formal notification of their dispute. This dispute will be reviewed by the chairman of the committee or, if the chairman is a member of the appeals committee, by the vice-chairman. The result of the appeals committee review will be notified to the company.
17.5. The decision of the appeals committee is final and will be binding on both parties. Once the decision on the appeal has been made, no counterclaim by either party can be made to amend or change the decision. In instances where the appeal has been successful, the certificate is reinstated, or the non-conformity is removed, no claim can be made against Insight Assurance LLC for reimbursement of costs or any other losses incurred because of the initial withdrawal or identified non-conformity. Submission, investigation, and decision on appeals will not result in any discriminatory actions against the appellant.
18.1. Should a client company have any reason to complain regarding the conduct of Insight Assurance LLC employees, then the complaint should be made in writing to Insight Assurance LLC. Complainants will receive an acknowledgment of receipt immediately, and the complaint will be investigated and decided upon within a maximum of 30 days from initial receipt.
18.2. Should Insight Assurance LLC receive a complaint by a user of a registered client indicating that a certified client no longer complies with Insight Assurance LLC requirements, then it may be necessary to either initiate withdrawal of certification or conduct a full re-audit of the client at extra cost to the client.
18.3. All certified clients are required to make available when requested, records of all complaints and corrective actions taken in accordance with the management system standards or other normative documents.
19. Directory of Certified Companies
19.1. Insight Assurance LLC maintains a directory of all certified companies, including the name, relevant normative document, scope, and geographical location (e.g., city and country) for each certified client (or the geographic location of the headquarters and any sites within the scope of a multi-site certification). This is published and made available upon request to both certified and non-certified companies and members of the public.
20. Accreditation Body Visits
20.1. Insight Assurance LLC clients are required, where an accreditation body so nominates a need, to accept the presence of officers of the Accreditation Body attending an audit to be conducted by Insight Assurance LLC. An accreditation body may, without any or with limited time notice to Insight Assurance LLC, request a witnessed audit take place; in agreeing to these terms and conditions, the client consents to this. Attendance by accreditation officers will in no way affect the certification decision-making process of the Insight Assurance LLC Lead Auditor.
21. Auditors in Training
21.1. When appropriate and on request, Insight Assurance LLC clients will make available to auditors in training the opportunity to witness audit procedures by attending the certification body audit and, when appropriate, participating in the audit activities.
22.1. Insight Assurance LLC auditors carry out an evaluation of conformity against a standard, which in respect of the time allocated, can only be considered as a snapshot of the activities of the audited company and not an exhaustive evaluation. At no point does Insight Assurance LLC hold itself up, purport or profess to be a regulatory authority or expert consultant within the areas audited and can only operate within the general working knowledge of the field involved as defined by the scope of activity. Insight Assurance LLC holds itself removed from any responsibility or liability to the audited company for any implications or actions resulting from legislative/regulatory non-compliance on behalf of the audited company, including any actions taken after the audit resulting in legal or financial failures of the audited company.
23. Geographical Areas
23.1. Insight Assurance LLC currently serves Africa, Asia, Australia/Oceania, Europe, North America and South America. Please contact us at ISO@insightassurance.com