We take pride in maintaining accredited status for our ISO/IEC 27001 Information Security Management System (ISMS) certification service. Conformance with the practices described below is ensured through our rigorous internal controls and through external audits by our accreditation bodies.
We review your company’s information security policies and meet with your leadership team to define the scope of the Stage 2 Audit.
We conduct a detailed inspection of your controls to determine whether sufficient evidence exists to provide recommendation for certification.
Our ISO Certification Body provides the certification decision for your ISMS.
You will receive a full report and, when appropriate, your ISMS certification seals.
Together we establish a surveillance plan: annual surveillance audits in each of the two years following certification, and a recertification audit in the third year, to verify that your ISMS is maintained and continually improved in line with ISO/IEC 27001.
As an ISO certification body, Decrypt Compliance allows clients to use its certification marks and logos, subject to the following rules:
Achieve ISO 27001 certification with our comprehensive process, safeguarding information assets and demonstrating commitment to security.
Our certification decision authority conducts a comprehensive review of the entire audit record, including any corrective action plans, to verify conformance with ISO standards. Only upon satisfying all requirements is certification granted.
If the review identifies open audit issues or unresolved non-conformities, certification is refused until the client organization demonstrates full conformance. If the agreed remediation timeframe is exceeded, a re-audit is required.
Continued certification over the 3-year cycle requires successfully completing annual surveillance audits (years 2 and 3 of the cycle) and a recertification audit before the certificate expires. Failure to meet these audit obligations or to resolve identified non-conformities can lead to suspension.
Grounds for suspension include failure to resolve major non-conformities within allotted timelines, breaching agreements with Decrypt Compliance, or refusal to conduct required audits.
Suspended certifications are restored if an independent review verifies resolution of all outstanding issues, with confirmation by off-site or on-site assessment.
Decrypt Compliance may withdraw certification for reasons including failure to undergo required audits, misrepresentation by the client, unresolved corrective actions, or unsuccessful appeals against major non-conformities. Clients may also request withdrawal of their certification at any time, for any reason.
To expand the scope of an existing certification, the client must formally submit documentation to Decrypt Compliance supporting its eligibility. A subsequent on-site audit determines whether the ISMS conforms across the expanded scope. Additional contract terms may apply.
We may require a reduction in scope if part of an organization's certified scope is no longer valid or applicable. Reducing scope solely to avoid non-conformities, however, is not permitted.
At the core of Decrypt Compliance’s impartiality policy is our management’s commitment to maintaining independence, in fact and appearance, and removing threats to impartiality.
We define threats as any relationship that could compromise impartiality, whether based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing partnerships, sales commissions, or other inducements.
Ongoing and annual reviews analyze impartiality risks arising from all prospects, clients, and associated personnel, with the goal of systematically identifying, evaluating, resolving and monitoring any potential conflict of interest or threat to impartiality.
Additionally, our review process verifies that Decrypt Compliance does not audit clients for whom it has performed non-audit services, and that it does not provide ISO management-system consulting that could compromise its independence as an ISO certification body.
Adherence to the impartiality policy is ensured through periodic management reviews, internal audits, automated monitoring tools, and formal risk assessments of certification processes.
As an accredited certification body, Decrypt Compliance complies fully with independence rules and standards established by the International Organization for Standardization (ISO), the American National Standards Institute (ANSI), and any relevant accreditation authorities.
For questions regarding audit decisions or to submit appeals, please contact our Appeals Board at appeals@decrypt.cpa.
To submit formal complaints against Decrypt Compliance or certified clients, please contact complaints@decrypt.cpa.
As an accredited ISO certification body, Decrypt Compliance complies fully with the standards and rules established by:
Feeling unsure about security compliance audits or curious how Decrypt Compliance can help? Check out our FAQs below to find answers to common questions. If you can’t find what you’re looking for, don’t hesitate to contact us directly!
The ISO/IEC 27001 certification process involves three stages:
Yes, but under specific conditions. You must accurately represent your certification status, use the marks only in connection with the standard for which you are certified, and correctly state the certified scope and validity period.
Decrypt Compliance adheres to standards set by ISO (including ISO/IEC 17021-1 and ISO/IEC 27006), ANSI, ANAB, and other relevant accreditation bodies.
Decrypt Compliance prioritizes independence and removes any threats to impartiality through conflict-of-interest reviews and adherence to relevant standards.
Certification can be withdrawn for repeated non-conformities or intentionally misleading information.
At Decrypt, safeguarding client confidentiality is a top priority. Our team follows rigorous protocols to secure all information shared with us in the course of our work. If we receive inquiries regarding your company's certification, we will contact you for approval before disclosing any information on your behalf.