OUR ISO BUSINESS POLICY

Meridian Cybersecurity complies with ISO/IEC 17021-1:2015 and is accredited by the United Accreditation Foundation (UAF) which accredits certification bodies in the United States. The following disclosures are a component of our commitment to impartiality, independence, and the confidence of our clients and interested third parties in our certification services.

Audit and Certification Process

Meridian Cybersecurity wants to ensure that we and our clients use a process that is consistent, repeatable, and comprehensive. Our projects include the following:

Contract Initiation and Information Collection:

Our process begins with a thorough understanding of the clients’ needs and thorough documentation of the requirements. It is critical to us that our customers’ needs are well defined and documented, to avoid missed opportunities for exceeding our customers’ expectations. This process takes approximately 1 week to a month.

Stage 1:  Identify the established core areas of the program.

  • Business drivers
  • Key stakeholders
  • Core requirements
  • Determine that the core management manual meets the requirements of the standard(s).
  • Ensure that there is a well-defined scope.
  • Ensure that there is a comprehensive risk assessment.
  • Determine that there is a risk management plan.
  • Ensure that stakeholders and management definitions are in place.
  • Ensure that the organization has an appropriate understanding of the standard(s).

Stage 2: Detailed testing/reviews

  • A detailed testing of the controls in accordance with the standard.
  • Evidence gathering to show compliance with the controls.
  • Comprehensive reviews of documentation, assignments, and accountabilities.

Certification:

  • Review of the audit by the Meridian Cybersecurity Audit Committee/Review Board.
  • Initial certification: Initial certification is for a period of three years.

Surveillance Audits:

Surveillance reviews are conducted at least annually and allow us to continue to ensure that our customers continue to meet the standards. Re-certification takes place in year three.

Other Certification Processes and Scope Reduction

Meridian Cybersecurity is responsible for and will retain authority for its decisions relating to Certification, including the granting, maintaining, renewing, extending, reducing, suspending or revoking of Certification.

After all the audit activities are concluded and there is a positive certification decision by the director of Meridian Cybersecurity, the certification will be granted to the client organization. It is the responsibility of the client organization to maintain its compliance and certification with the relevant standards. Meridian Cybersecurity will perform periodic checks in the form of surveillance audits to assess continued compliance. Based upon the results of surveillance audits, Meridian Cybersecurity reserves the right to suspend or withdraw the certification.

Meridian Cybersecurity reserves the right to refuse certification activities if:

  • the client organization does not qualify under Meridian Cybersecurity’s client acceptance procedures;
  • the client organization does not comply with the terms and agreements of Meridian Cybersecurity.

Meridian Cybersecurity will discuss the arrangements for recertification with the client. Upon a positive re-certification decision, the certification SHALL be renewed. Furthermore, if during the 3-year certification cycle there are changes in the scope of the certification, i.e. reduction or expansion, this will be discussed with the Meridian Cybersecurity team. Based upon the certification requirements and the effort required, Meridian Cybersecurity will assess the compliance of the new scope (this can be combined with the next planned audit). On a positive certification decision, Meridian Cybersecurity will re-issue the certificate with the updated scope. Following expiration of certification, Meridian Cybersecurity may restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a stage 2 audit SHALL be conducted before the certificate is restored.

There are certain scenarios which can lead to suspension or withdrawal of the certificate. The following are example scenarios in which Meridian Cybersecurity holds the authority to suspend, withdraw or revoke the certificate:

  • The 3-year certification cycle expires and the client organization does not opt for recertification
  • The 3-year certification cycle expires and the client organization does not facilitate the recertification in time
  • The client does not facilitate the surveillance audit in time
  • Major non-conformities are identified during surveillance audits and are not remediated within the allocated time
  • Legitimate complaints are received against the client’s certification
  • Client misuses the certification mark(s) or logo(s)
  • Client does not comply with Meridian Cybersecurity terms and conditions

Impartiality

The organizational structure and procedures of Meridian Cybersecurity demonstrate how the primary requirement of impartiality is fulfilled. Meridian demonstrates, by means of policies, procedures, and training how it deals with the pressures and other factors that can compromise or can reasonably be expected to compromise objectivity and which may arise from a wide variety of activities, relationships, and other circumstances as well as from various personal qualities and characteristics of Auditors that may be sources of bias.

Meridian has in place safeguards that mitigate or eliminate threats to impartiality.  Safeguards may include prohibitions, restrictions, disclosures, policies, procedures, practices, standards, rules, institutional arrangements, and environmental conditions.  These are regularly reviewed to ensure their continuing applicability.

It is noted that safeguards exist in the environment in which projects are performed or can be mandated by independent decision makers in response to threats posed by various activities, relationships, and other circumstances.

Our customers frequently have difficulties in determining whether they are truly ready for audits of their activities. It is considered to be poor customer service (within our organization) to conduct a full audit for companies who are poorly prepared. Meridian Cybersecurity LLC typically conducts multiple stages of audit to mitigate this concern. Activities prior to the audit, solely aimed at determining readiness for the certification audit, are usually considered to be STAGE 1 activities. NOTE: the audit team does have the discretion to skip stage 1 audits for companies deemed ready. These activities SHALL NOT result in the provision of recommendations or advice that would cause a conflict of interest, and we MUST be able to confirm that such activities do not cause a conflict of interest and/or that they are not used to justify a reduction in the eventual certification audit duration.

Management at all levels will be accountable and SHALL ensure a commitment to impartiality.

These audit requirements apply to all audits conducted by Meridian Cybersecurity and anyone working on behalf of our organization. We do provide second- and third-party audits according to a variety of standards and regulations outside the scope of ISO 27006 and ISO 17021. Some of these audits do not have official audit requirements or certifications; this standard is used to ensure that we maintain an effective audit program. In no case should any of our auditors tell any customer that they would be compliant with any standard other than the standard he or she is auditing against. There are multiple reasons for this requirement, but the primary one is that until and unless we conduct that specific audit, it is likely that we will miss key components.

Meridian Cybersecurity is a service organization and we believe in adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit.  Representatives of Meridian Cybersecurity MUST NOT recommend specific solutions in these cases.

No representative of Meridian Cybersecurity SHALL provide internal information security reviews of the client’s ISMS subject to certification. We MUST, in all cases, be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.  As our executive team has interest in other companies that do provide such services, we must ensure that we maintain this independence.

Certification Status

The certification status of our clients may be obtained using our Certificate and Client Directory. This directory allows for verification of our certification clients and certification status.

Suspension Policy

There are certain scenarios which can lead to suspension or withdrawal of the certificate. The following are example scenarios in which Meridian Cybersecurity holds the authority to suspend, withdraw or revoke the certificate:

  1. The 3-year certification cycle expires and the client organization does not opt for recertification
  2. The 3-year certification cycle expires, and the client organization does not facilitate the recertification in time
  3. The client does not facilitate the surveillance audit in time
  4. Major non-conformities are identified during surveillance audits and are not remediated within the allocated time
  5. Legitimate complaints are received against the client’s certification
  6. Client misuses the certification mark(s) or logo(s)
  7. Client does not comply with Meridian Cybersecurity terms and conditions

Appeals Process

Meridian Cybersecurity has implemented a process to receive, evaluate and make decisions on appeals.

Meridian Cybersecurity shall be responsible for all decisions at all levels of the appeals-handling process. Meridian shall ensure that the persons engaged in the appeals-handling process are different from those who carried out the audits and made the certification decisions.

Submission, investigation and decision on appeals shall not result in any discriminatory actions against the appellant.

The appeals-handling process shall include at least the following elements and methods:

  • An outline of the process for receiving, validating and investigating the appeal, and for deciding what actions need to be taken in response to it, taking into account the results of previous similar appeals;
  • Tracking and recording appeals, including actions undertaken to resolve them;
  • Ensuring that any appropriate correction and corrective action are taken.

Meridian representatives receiving the appeal shall be responsible for gathering and verifying all necessary information to validate the appeal.

Meridian shall acknowledge receipt of the appeal and shall provide the appellant with progress reports and the result of the appeal.

The decision to be communicated to the appellant shall be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the appeal.

Meridian shall give formal notice to the appellant of the end of the appeals-handling process.

Appeals may be submitted using this form.

Complaints

Meridian Cybersecurity shall be responsible for all decisions at all levels of the complaints-handling process.

Submission, investigation and decision on complaints shall not result in any discriminatory actions against the complainant.

Upon receipt of a complaint, Meridian Cybersecurity shall confirm whether the complaint relates to certification activities that it is responsible for and, if so, shall deal with it. If the complaint relates to a certified client, then examination of the complaint shall consider the effectiveness of the certified management system.

Any valid complaint about a certified client shall also be referred by Meridian Cybersecurity to the certified client in question at an appropriate time.

Meridian Cybersecurity has a documented process to receive, evaluate and make decisions on complaints. This process shall be subject to requirements for confidentiality, as it relates to the complainant and to the subject of the complaint.

The complaints-handling process shall include at least the following elements and methods:

  • An outline of the process for receiving, validating, investigating the complaint, and for deciding what actions need to be taken in response to it;
  • Tracking and recording complaints, including actions undertaken in response to them;
  • Ensuring that any appropriate correction and corrective action are taken.

Meridian Cybersecurity receiving the complaint shall be responsible for gathering and verifying all necessary information to validate the complaint.

Whenever possible, Meridian Cybersecurity shall acknowledge receipt of the complaint, and shall provide the complainant with progress reports and the result of the complaint.

The decision to be communicated to the complainant shall be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the complaint.

Whenever possible, Meridian Cybersecurity shall give formal notice of the end of the complaints-handling process to the complainant.

Meridian Cybersecurity shall determine, together with the certified client and the complainant, whether and, if so to what extent, the subject of the complaint and its resolution shall be made public.

Complaints may be submitted using this form.

Certification Marketing Guidelines

All certified clients are required to adhere to our Certification Marketing Guidelines.
