Impartiality Policy

At the core of Decrypt Compliance’s impartiality policy is our management’s commitment to maintaining independence, in fact and appearance, and removing threats to impartiality.

We define a threat to impartiality as any relationship that could compromise our independence, whether it arises from ownership, governance, management, personnel, shared resources, finances, contracts, marketing partnerships, sales commissions, or other inducements.

Ongoing and annual reviews analyze impartiality risks arising from all prospects, clients, and associated personnel. The goal is to systematically identify, evaluate, resolve, and monitor any potential conflicts of interest or threats to impartiality.

Additionally, our review process verifies that Decrypt Compliance does not perform audit services for any client for which it has performed non-audit services, and that it does not perform ISO management system consulting services that could compromise its independence as an ISO certification body.

Adherence to the impartiality policy is ensured through periodic management reviews, internal audits, automated monitoring tools, and formal risk assessments of certification processes.

As an accredited certification body, Decrypt Compliance complies fully with independence rules and standards established by the International Organization for Standardization (ISO), the American National Standards Institute (ANSI), and any relevant accreditation authorities.

Certificate Decision Process

Decrypt Compliance uses rigorous decision-making processes for granting, refusing, maintaining, renewing, expanding, reducing, suspending or withdrawing ISO certifications, as defined below:

Granting Certification: Our certification decision authority conducts a comprehensive review of the entire audit record, including any corrective action plans, to verify conformance with ISO standards. Only upon satisfying all requirements is certification granted.

Refusing/Withholding Certification: If the review finds audit issues or unresolved non-conformities, certification is refused until the client organization demonstrates full conformance. If the client exceeds the agreed remediation timeframe, a re-audit is required.

Maintaining Certification: Continued certification over the 3-year cycle requires successfully undergoing annual surveillance audits in years 2 and 3, plus recertification audits before expiration. Failure to meet these audit obligations or resolve identified non-conformities can prompt suspension.

Suspending Certification: Grounds for suspension include failure to resolve major non-conformities within the allotted timelines, breach of agreements with Decrypt Compliance, or refusal to undergo required audits.

Restoring from Suspension: Suspended certifications are restored if an independent review verifies resolution of all outstanding issues, with confirmation by off-site or on-site assessment.

Withdrawing Certification: Decrypt Compliance may withdraw certification for reasons including failure to undergo required audits, misrepresentation by the client, unresolved corrective actions, unsuccessful appeals of major non-conformities, or at the client's request.

Expanding Certification Scope: An expansion of certification scope requires the client to formally submit supporting documentation of eligibility to Decrypt Compliance. A subsequent on-site audit determines whether conformance extends to the expanded scope. Additional contract terms may apply.

Reducing Certification Scope: We may require a scope reduction if an organization's certification scope is no longer fully valid or applicable. However, reducing scope solely to avoid addressing non-conformities is not permitted.

Use of Certification Marks and Logos

As an ISO certification body, Decrypt Compliance allows clients to use our certification marks and logos subject to the rules outlined below:

  • Clients must accurately convey their certification status, without misrepresenting the certified scope or maturity level
  • Certification marks refer only to the certified management system and the standard against which it was certified
  • Advertising must properly qualify the certification scope and its current active status
  • Upon suspension or withdrawal of certification, all further use of certification marks must cease immediately
  • Any use of marks that risks undermining public trust or the reputation of Decrypt Compliance is strictly prohibited
  • Clients shall not modify the form or color of any mark or logo provided

Appeals and Complaints

For questions regarding audit decisions or to submit appeals, please contact our Appeals Board at appeals@decrypt.cpa.

To submit formal complaints against Decrypt Compliance or certified clients, please contact complaints@decrypt.cpa.

Accreditation and Standards Compliance

As an accredited ISO certification body, Decrypt Compliance complies fully with the standards and rules established by:

  • International Organization for Standardization (ISO)
  • ISO/IEC 17021 – Requirements for bodies providing audit and certification of management systems
  • ISO/IEC 27006 – Requirements for bodies providing audit and certification of information security management systems
  • American National Standards Institute (ANSI)
  • ANSI National Accreditation Board (ANAB)
  • Any other relevant accreditation authorities