Meridian Cybersecurity wants to ensure that we and our clients use a process that is consistent, repeatable, and comprehensive. Our process includes the following:
Contract Initiation and Information Collection:
Our process begins with a thorough understanding of the client's needs and careful documentation of the requirements. It is critical to us that our customers' needs are well defined and documented, to avoid missed opportunities for exceeding our customers' expectations. This stage takes approximately 1 week to a month.
Stage 1: Identify the established core areas of the program.
- Business drivers
- Key stakeholders
- Core requirements
- Determine that the core management manual meets the requirements of the standard(s).
- Ensure that there is a well-defined scope.
- Ensure that there is a comprehensive risk assessment.
- Determine that there is a risk management plan.
- Ensure that stakeholders and management definitions are in place.
- Ensure that the organization has an appropriate understanding of the standard(s).
Stage 2: Detailed testing/reviews
- Detailed testing of the controls in accordance with the standard.
- Evidence gathering to show compliance with the controls.
- Comprehensive reviews of documentation, assignments, and accountabilities.
Certification:
- Review of the audit by the Meridian Cybersecurity Audit Committee/Review Board.
- Initial certification: granted for a period of three years.
Surveillance Audits:
Surveillance reviews are conducted at least annually so that we can confirm that our customers continue to meet the standards. Re-certification takes place in year three.
Other Certification Processes and Scope Reduction
Meridian Cybersecurity is responsible for and will retain authority for its decisions relating to Certification, including the granting, maintaining, renewing, extending, reducing, suspending or revoking of Certification.
After all the audit activities are concluded and there is a positive certification decision by the director of Meridian Cybersecurity, the certification will be granted to the client organization. It is the responsibility of the client organization to maintain its compliance and certification against the relevant standards. Meridian Cybersecurity will perform periodic checks in the form of surveillance audits to assess continued compliance. Based upon the results of surveillance audits, Meridian Cybersecurity reserves the right to suspend or withdraw the certification.
Meridian Cybersecurity reserves the right to refuse certification activities if:
- the client organization does not qualify under Meridian Cybersecurity's client acceptance procedures
- the client organization does not comply with the terms and agreements of Meridian Cybersecurity
Meridian Cybersecurity will discuss the arrangements for recertification with the client. Upon a positive re-certification decision, the certification SHALL be renewed. Furthermore, if during the 3-year certification cycle there are changes in the scope of the certification, i.e. a reduction or expansion, this will be discussed with the Meridian Cybersecurity team. Based upon the certification requirements and the effort required, Meridian Cybersecurity will assess the compliance of the new scope (this can be combined with the next planned audit). On a positive certification decision, Meridian Cybersecurity will re-issue the certificate with the updated scope. Following expiration of certification, Meridian Cybersecurity may restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a stage 2 audit SHALL be conducted before the certificate is restored.
There are certain scenarios which can lead to suspension or withdrawal of the certificate. The following are example scenarios in which Meridian Cybersecurity holds the authority to suspend, withdraw or revoke the certificate:
- The 3-year certification cycle expires and the client organization does not opt for recertification
- The 3-year certification cycle expires and the client organization does not facilitate the recertification in time
- The client does not facilitate the surveillance audit in time
- Major non-conformities are identified during surveillance audits and are not remediated within the allocated time
- Legitimate complaints are received against the client's certification
- Client misuses the certification mark(s) or logo(s)
- Client does not comply with Meridian Cybersecurity's terms and conditions
Complaints and Appeals
Policies related to our practices as a registrar, including instructions for appeals or complaints, can be viewed on our ISO Business Policy page.