Certification assurance services  

KPMG Audit Plc provide formal certification against ISO/IEC 27001:2013 (Information Security Management Systems).

We maintain a register of current certifications, which can be verified by contacting us at certificationservices@kpmg.co.uk

 

Management of impartiality

KPMG Audit Plc understands the importance of impartiality in conducting certification activities, managing any conflicts of interest and ensuring objectivity.

KPMG Audit Plc follows the principles set out in ISO/IEC 17021:2015 and has appointed an independent Impartiality Committee to ensure its certification services are executed with impartiality both in perception and fact, to provide confidence in the competence of management and staff, and to avoid conflicts of interest.

Appeals

If you are a client of KPMG Audit Plc and have a dispute concerning your certification that you have been unable to resolve through your Engagement Leader or Engagement Manager, you may appeal via the Complaints Process .

 

Complaints

KPMG Audit Plc takes complaints against itself and its clients seriously. Complaints about KPMG Audit Plc should be submitted via the Complaints Process . We will ensure we fully understand your concerns and deal with the complaint fairly and promptly. You will be kept informed of progress and we will reply as soon as the complaint has been fully investigated.

 

Audit Processes

KPMG Audit Plc conduct audits according to ISO/IEC 17021:2015 which includes application, planning, initial certification and certification maintenance phases. The client shall determine the desired scope of the audit and supply the relevant requested information, KPMG Audit Plc shall determine whether the management system is auditable. KPMG Audit Plc will develop a detailed audit programme to outline the activities required to determine the management system’s conformity to the certification standard. The audit programme includes an initial certification, surveillance audits in the first and second years following an initial certification decision and a recertification audit in the third year prior to expiration. The first surveillance audit shall be conducted no later than 12 months following the initial certification and will be conducted once a calendar a year excluding recertification years.

KPMG Audit Plc will determine the time required for the audit, based on a number of factors such as complexity of the management system, prior audit results, regulatory context, the size and number of client sites and any risks of the organisation’s products or processes. KPMG Audit Plc will establish the audit scope, criteria and objectives after discussion with the client. The audit objectives will include the determination of the conformity of the client’s management system with audit criteria and the audit scope will define the extent and the boundaries of the audit. Resourcing for the audit team will be determined by KPMG Audit Plc and will be impartial and have the competence required to achieve the objectives of the audit.

KPMG Audit Plc will draw up an audit plan which is appropriate for the objectives and scope of the audit. An agenda will be agreed and communicated for the audit. An initial certification is composed of two stages – stage 1 and stage 2. Stage 1 is a review and evaluation of the management system and documentation, this stage also allows KPMG Audit Plc to obtain necessary information such as the levels of controls established. This allows KPMG Audit Plc to raise any concerns for particular areas relevant for the audit. The stage 2 audit is an onsite audit to evaluate the implementation and effectiveness of the management system. Any audit findings will be reviewed against the audit objectives and criteria and conclusions from the audit conclusions will be agreed upon by the audit team. A written report from the audit will be provided to the client, opportunities for improvement will be identified but specific solutions will not be recommended.

Process for management of certificates

Granting and refusing certification

KPMG Audit Plc will be provided the audit report by the audit team and any corrective actions related to non-conformities taken by the client. The audit team will also provide a recommendation as to whether or not to grant certification, along with any conditions or observations.

KPMG Audit Plc as the certification body will verify the implementation of any corrections and corrective actions of any major non-conformity within six months after the last day of stage 2. If this is not verifiable then another stage 2 audit shall be carried out prior to recommending certification.

Maintaining and renewing certification

KPMG Audit Plc will maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard in regular surveillance audits.

KPMG Audit Plc will make a decision on renewing certification based on the results of a recertification audit, along with the results of the review of the system over the period of certification.

Suspending, withdrawing, restoring or changing the scope of certification

The certification will be suspended in cases when the management system has persistently or seriously failed to meet requirements. Certification can also be suspended when the client does not allow surveillance or recertification audits to be conducted at the required frequencies. Under suspension, the certification is temporarily invalid. Certification can be restored if corrective actions are put in place effectively and the certification requirements are met.

Withdrawal of the certification can occur in cases where necessary action has not been taken by the client to remediate issues leading to a suspension. A certificate can also be withdrawn without prior suspension and for the non-payment of fees.

The certification scope will be reduced to exclude parts that are not meeting the requirements in cases where the management system persistently or seriously fails to meet the certification requirements.

Use of KPMG Audit Plc Marks and Logos

Certified clients are authorised to use KPMG Audit Plc certification marks and logos, as communicated by KPMG Audit Plc at the time of certification.

All marks and logos must be used in a way as to enable them to be traced back to KPMG Audit Plc. Marks and logos shall not be used on products or product packaging. Clients shall not state or imply that a product, process or service is certified.

Further detailed rules regarding the use of marks and logos are provided to clients.