KPMG Certification BV provides certification services that allow you to showcase your excellence in Information Security Management, GDPR Compliance, e-Archiving Trust Services and/or Asset Management.

Currently, KPMG Certification BV is accredited by BELAC, the Belgian Accreditation Body, to certify organizations to ISO 27001.

KPMG Certification BV also issues certificates for GDPR Compliance, e-Archiving Trust Services and Asset Management Systems (ISO 55001). Once the necessary requirements are met, a KPMG certification will be granted, which not only showcases your compliance with the relevant ISO requirements but also gives you several benefits, such as the use of KPMG Marks and Logos. All certifications are continuously reviewed to ensure all requirements are met and will be renewed in case of expiration when compliance is guaranteed. Our team maintains a register of all current certifications, which can be verified by contacting us at certificationservices@kpmg.be.

KPMG also offers you the possibility of combining ISO 27001 certification with Digital Assurance Reporting, including SOC2 reporting, Cybersecurity, and GDPR Attestation. The integration of the ISO 27001 certification with SOC2 reporting, Cybersecurity, GDPR and ISO 27701 Attestation allows us to perform the audit in a more efficient manner (“multi-purpose testing”) and enables us to pass on these cost savings and the reduction in the number of audit days to you. In addition, this can significantly reduce the burden on your internal resources.

If you have one or multiple management systems that are certified by another (non-KPMG) body and need internal audit resources, our team can help you with its broad range of skilled auditors with expertise in the areas of information security, GDPR Compliance, e-Archiving Trust Services, and asset management.


Impartiality, appeals and complaints

Management of impartiality

KPMG Certification BV understands the importance of impartiality in conducting certification activities, managing any conflicts of interest, and ensuring objectivity.

KPMG Certification BV follows the principles set out in ISO/IEC 17021:2015 and ISO/IEC 17065:2012 to ensure its certification services are executed with impartiality both in perception and fact, to provide confidence in the competence of management and staff, and to avoid conflicts of interest.

Appeals

If you’re a client of KPMG Certification BV and have a dispute concerning your certification that you’ve been unable to resolve through your Engagement Partner or Lead Auditor, you may appeal via email to Yann Dekeyser or write to him at KPMG Certification BV, Luchthaven Brussel Nationaal 1K, 1930 Zaventem, Belgium, stating clearly that it is in relation to Certification Services.

Complaints

KPMG Certification BV takes complaints against itself and its clients seriously. Complaints about KPMG Certification BV should be submitted via email to Yann Dekeyser or in writing to him at KPMG Certification BV, Luchthaven Brussel Nationaal 1K, 1930 Zaventem, Belgium. We will ensure we fully understand your concerns and deal with the complaint fairly and promptly. You will be kept informed of progress and we will reply as soon as the complaint has been fully investigated.


Audit Processes

For certification of management systems


KPMG Certification BV conducts audits of management systems according to ISO/IEC 17021:2015, which includes application, planning, initial certification, and certification maintenance phases.

The client shall determine the desired scope of the audit and supply the relevant requested information; KPMG Certification BV shall determine whether the management system is auditable. KPMG Certification BV will develop a detailed audit program to outline the activities required to determine the management system’s conformity to the certification standard. The audit program includes an initial certification, surveillance audits in the first and second years following an initial certification decision and a recertification audit in the third year prior to expiration. The first surveillance audit shall be conducted no later than 12 months following the initial certification and will be conducted once a year excluding recertification years.

KPMG Certification BV will determine the time required for the audit, based on several factors such as complexity of the management system, prior audit results, regulatory context, the size and number of client sites and any risks of the organization’s products or processes. KPMG Certification BV will establish the audit scope, criteria and objectives after discussion with the client. The audit objectives will include the determination of the conformity of the client’s management system with audit criteria, and the audit scope will define the extent and the boundaries of the audit. KPMG Certification BV will determine the resourcing for the audit team, which will be impartial and have the competence required to achieve the objectives of the audit.

KPMG Certification BV will draw up an audit plan which is appropriate for the objectives and scope of the audit. An agenda will be agreed and communicated for the audit. An initial certification is composed of two stages: stage 1 and stage 2. Stage 1 is a review and evaluation of the management system and documentation. This stage also allows KPMG Certification BV to obtain necessary information such as the levels of controls established, and to raise any concerns for areas relevant for the audit. The stage 2 audit is an onsite audit to evaluate the implementation and effectiveness of the management system. Any audit findings will be reviewed against the audit objectives and criteria, and the audit conclusions will be agreed upon by the audit team. A written report from the audit will be provided to the client. Opportunities for improvement will be identified, but specific solutions will not be recommended.

For certification of e-Archiving Trust Services


KPMG Certification BV conducts audits of Services according to ISO/IEC 17065:2012, which includes application, planning, initial certification and certification maintenance phases. These phases are described in detail in section 7 of the BE eArchiving Certification Scheme of the FPS Economy and in section 6 of the KPMG Certification Scheme for services relating to long term preservation of digital signatures or general data using digital signature techniques.

KPMG Certification BV will determine the time required for the audit based on several factors such as the number of e-Archiving and archival profiles, the nature of the services rendered (scanning and/or long-term preservation), the complexity of the related data and processes, the size and number of sites, the possibility to rely on other related certificates and/or attestation reports.


Process for management of certificates

For management systems

Granting and refusing certification

The audit team will provide KPMG Certification BV with the audit report and any corrective actions taken by the client in relation to non-conformities. The audit team will also provide a recommendation as to whether or not to grant certification, along with any conditions or observations.

KPMG Certification BV, as the certification body, will verify the implementation of any corrections and corrective actions of any major non-conformity within six months after the last day of stage 2. If this is not verifiable, then another stage 2 audit shall be carried out prior to recommending certification.

Maintaining and renewing certification

KPMG Certification BV will maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard in regular surveillance audits.

KPMG Certification BV will decide on renewing certification based on the results of a recertification audit, along with the results of the review of the system over the period of certification.

Suspending, withdrawing, restoring or changing the scope of certification

The certification will be suspended in cases when the management system has persistently or seriously failed to meet requirements. Certification can also be suspended when the client does not allow surveillance or recertification audits to be conducted at the required frequencies. Under suspension, the certification is temporarily invalid. Certification can be restored if corrective actions are put in place effectively and the certification requirements are met.

Withdrawal of the certification can occur in cases where necessary action has not been taken by the client to remediate issues leading to a suspension. A certificate can also be withdrawn without prior suspension and for the non-payment of fees.

The certification scope will be reduced to exclude parts that are not meeting the requirements in cases where the management system persistently or seriously fails to meet the certification requirements.

For e-Archiving Trust Services

This process is described in detail in section 7 of the BE eArchiving Certification Scheme of the FPS Economy and in section 6 of the KPMG Certification Scheme for services relating to long term preservation of digital signatures or general data using digital signature techniques. 


Use of KPMG Certification BV Marks and Logos


Certified clients are authorized to use KPMG Certification BV certification marks and logos, as communicated by KPMG Certification BV at the time of certification.

All marks and logos must be used in such a way as to enable them to be traced back to KPMG Certification BV. Marks and logos shall not be used on products or product packaging. Clients shall not state or imply that a product, process or service is certified.

Further detailed rules regarding the use of marks and logos are provided to clients.