Issuing a Certificate
This involves preparation and review of the certificate, certificate signatures by CEO and updating the registrar of firms. In absence of CEO can sign the certificate.
Certificates are issued to clients following initial audit, extension to accredited scope, triennial audit, upgrade on surveillance or change in company details (name, address etc).
The certificates will be numbered sequentially starting with SD followed by the Cyber Security Canada client code of Cyber Security Canada.
Cyber Security Canada prepares the certificate:
- No certificate will be issued unless Cyber Security Canada has evidence that all non-conforming notices raised have been closed out.
- Select the appropriate blank certificate(s) based on the standard as indicated on the audit report. Be sure to check for any changes indicated on Comment Sheets attached to audit report.
- Determine the certificate number for ACCREDITATION BODY accredited certificates by reviewing the Register of Approved Firms.
- Set the issue date to be the date of approval by certification committee chairman indicated on the Audit report review checklist. Set the expiration date to be three years later.
- The expiry date may vary from above for transfer cases, where the expiry date shall be the same as earlier certificate. Also refer to any specific instructions given by Scheme Manager w.r.t. expiry dates e.g. during transition to revised standard, the expiry of old standard may be pre-decided by the accreditation board.
- The initial registration date shall be the issue date for the first 3-year cycle. In the triennial case, the initial registration date shall be the issue date of first certificate issued. The certificate number shall continue to be the same. The scope shall be the same as in an earlier certificate.
- In case the client goes for a second cycle but not as triennial (i.e., a gap between expiry of first cycle and second initial date), the certificate shall be considered as fresh and initial registration date shall be the same as issue date. The earlier certificate shall not be considered. A new certificate number shall be awarded.
- On each certificate to be issued, fill in the client organization’s name, base office, address, standard (including issue year of standard), and scope, based on the information on the audit report. Be sure to check for any changes indicated on Comment Sheets included in the audit report.
- Have the Scheme Manager review the certificate for any errors. Submit the corrected and final certificate to CEO for his signature.
- Multiple sites each operating a common system with the same scope of certification shall have all the addresses on the same certificate. The client may request individual certificates. In such cases, each site is issued with its own certificate with the same certificate number and a suffix is added. The certificate number shall be I/001A, I/001B etc.
- In cases of groups of companies, the locations may have different scopes of certification or trading names, each is issued with respective names, addresses and scope. The certificate shall have the same certificate number with a suffix (as explained above).
- Clients may have integrated system where certificates for multiple standards are issued. In such cases, the ACCREDITATION BODY accredited certificate is issued as above. Rest of the certificates shall be issued by Cyber Security Canada using its own format and process. Necessary comment shall be added to the client file and client database for future reference/ use.
- In the event of issuing any revised certification documents, then the original certificate number will have a suffix of revision number, e.g. #######, for first revision. The expiry date of the certificate does not change and continues to be the same as the original. Issue date shall be the date of C.C. Chairman Approval. Initial Registration date shall be the same as original.
Client database is amended as per the database management process. The completed certificate with the audit report is reviewed by Scheme Manager for correctness and completeness of the certificate.
The certificate with all attachments like logo rules, cover letter etc. is submitted to the CEO for his signature. CEO has no authority to reject/ deny the issue of certificate. He may return the certificate to Chairman of Certification Committee clearly stating the reason for holding the issue. Chairman of Certification Committee shall review the reason and investigate on the same. However, if the Chairman has satisfied himself and re-sends the certificate to CEO for approval, CEO shall sign the certificate. A computer-generated signature may also be used. The above process can be carried out by the Scheme Manager in absence of CEO.
The signed certificate is sent to the client at his address or any other address he has specifically requested. The certificate shall not be issued to any other person without written approval from the client. The certificate docket shall contain at least the following
o Cover letter from Cyber Security Canada
o Rules accompanying the logo
o CD containing soft copy of the logos.
o Customer survey form
A copy of the certificate together with all other documents supporting the approval shall be placed in the client’s file or scanned in and stored on the doc server.
The client may request a change in certificate. This may be due to
- Change in ownership
- Change in name of the company
- Change in location
- Increase or decrease in scope (products, services offered etc.)
- Increase or decrease in locations (opening / closing of site etc.)
Client may request for change in certificate or reduction / expansion in scope to Scheme Manager Scheme Manager shall review the request and decide for a special audit if the next audit is not due in near future or if the next audit cannot be proposed. Scheme Manager also determines if the changed scope is within accreditation scope of Cyber Security Canada.
In case of a change in the name of the company or location without any change in management, the client shall submit government approval for the change. Where the management has changed, the details of required approval shall be submitted along with the request.
The duration for the special visit shall be decided by the Scheme Manager and communicated to the client. The lead auditor submits a descriptive report detailing the changes, justification for reduction/ expansion of scope and review of the impact of change in the scope (use of logos etc). Where expansion of scope is requested, compliance with QMS for the respective activities and impact on other processes is verified. In case the special visit is carried out as a part of routine surveillance, the descriptive report is added to the surveillance report.
The report is reviewed as detailed above. A new certificate is issued with the same expiry date on successful completion of the above process. Scheme Manager reviews the contract to determine change in contract w.r.t. duration for further visits etc.
This instruction covers suspension procedures through withdrawal or cancellation of the certification certificate and revision of the register of approved firms.
- Grounds for action are brought to the attention of the Scheme Manager, who reviews the information and decides whether to proceed. Either way, he / she issues a letter to the client via registered mail / courier advising them of the details of the grounds for action and the decision on whether to proceed.
- If the Scheme Manager decides to proceed, the client must reply to Cyber Security Canada within fourteen days of receipt of letter.
- If the Scheme Manager determines that the action or position contained in the client reply is satisfactory, he issues a letter stating this, and mails it to the client via registered mail.
- If actions are required, due dates must be set, and the Scheme Manager must review the actions at those times to ensure that they are effectively completed in order to prevent suspension or cancellation.
- If the client does not reply in fourteen days, if the reply is not satisfactory, or if the actions required are not effectively completed in the allowed time, the Scheme Manager determines whether to suspend or cancel certification.
- If the decision is made to cancel certification, the CEO is responsible for suspending the client or canceling the client from the Register of Approved Firms, advising the client by registered mail/ courier, and publicizing the cancellation, if necessary. CEO cannot over-rule the decision made by Committee.
The following reasons are considered grounds for suspension or cancellation:
- Major non-conformance(s) or effective corrective action not implemented within a specified time period.
- Improper use of the certificate, symbol or logo not remedied to the satisfaction of Cyber Security Canada
- Client ceases to supply products or service of the certified quality system for an extended period.
- Client’s certified management system persistently fails to meet any of the requirements for certification including requirements for the effectiveness of the management system.
- Client fails to meet financial obligations to Cyber Security Canada
- Client makes a formal request to withdraw certification.
- Infringement by the client of any contractual conditions between the client and Cyber Security Canada
- Client is unable or unwilling to ensure conformance to revisions of standards.
- The existence of a serious complaint, or many second- or third-party complaints, indicates that the quality management system is not being maintained.
- Client does not allow routine surveillance to be conducted at the required frequency
The suspension or cancellation can be initiated if the client does not allow the routine surveillance to be conducted at the required frequency. The routine surveillance is carried out not more than 12 months from the last audit. In case the audit is not done within 12 months (13 months in case of yearly surveillance), the certificate is suspended, and a letter is sent to the client requesting him to agree to the audit. In case of a delay up to 3 months (15 months from the last audit), the audit time shall be extended by 50% of the routine surveillance time (at least 1 day). Successful completion of the audit within 15 months shall not impact the certification.
In case the audit is not done within 15 months, the certificate is cancelled, and the client shall be considered as a fresh case for certification.
The above are for special conditions like strikes, natural calamities, business operations (case to case basis) etc.
Subject to actions by the client, the following steps will be taken leading to possible suspension or cancellation of the client’s certification:
- Unless a reply is received to the letter accompanying notification within 14 days, certification will be suspended, and a notification of suspension may be published at the discretion of Cyber Security Canada
- The client’s response to the accompanying letter will be reviewed and the proceedings may be put on hold while clarification is sought.
- Where mutually agreed-upon corrective action is to be implemented, a time period for implementation will be specified and a review of the corrective action undertaken at the appointed time. This may be the subject of a special surveillance visit or of review of submitted objective evidence, at the discretion of Cyber Security Canada Should the corrective action not be considered adequate or not be completed by the appointed time, certification will be automatically suspended.
- In the case of serious circumstances, Cyber Security Canada may invoke suspension during the period pending the implementation of corrective action.
- Where suspension has been invoked, unless otherwise specified, the client must advise Cyber Security Canada every 14 days of the current situation of corrective action. Failure to meet this requirement will result in cancellation of the client’s certification.
- Where suspension has been invoked due to failure to conduct surveillance audit, the client shall give justification for failure and offer a suitable date. An additional day shall be added to routine surveillance days. The date shall not be later than 15 months from the last audit. Failure to offer for audit within 15 months shall result in cancellation of certification.
- When corrective action to resolve the problem(s) taken by the client has been verified, certification will be resumed. The period of certification will not be revised to cover the period of suspension.
- Cancellation of certification will be invoked where, following suspension of certification, the client fails to respond to Cyber Security Canada communications within the 14-day grace period or fails to implement corrective action within the appointed time period.
- In extreme circumstances Cyber Security Canada may invoke the cancellation of certification with immediate effect without recourse to initial certification suspension.
- Cancellation of certification will require the client to assume the status of non-approval and return all certification documentation to Cyber Security Canada
- Use of certification documents, symbols, or logos by the client following certification cancellation may result in legal action being taken against the client.
- Re-approval after certification cancellation will be on the same basis, and follow the same process, as that of initial application for a new client. This will require a full assessment, with optional document review at the discretion of Cyber Security Canada
- The de-certification will be published as a separate list and will be available at the Cyber Security Canada office and made available upon request.
- The client has the right to appeal any decisions of Cyber Security Canada and a copy of the appeals procedures will be made available upon request.
- Scheme Manager shall remove the companies where the certificate has been cancelled. During suspension, suspension remark shall be placed in the registered of approved firms.
- The client files for all cancelled cases shall be archived for a period of 3 months and then destroyed
Cyber Security Canada shall wherever applicable reduce the scope of certification if during the time of routine surveillance audits/ Re approval or Renewal audits it finds that the certified client has continually / seriously failed to meet the certification requirements for those parts of the scope of certification. The reduction in scope will be approved by the Scheme Manager.