ISO 17065 and the Standard for Certification Bodies
There is no substitute for a competent and impartial auditor when it comes to compliance, security, and correct operations. Organizations that can assess and certify technologies and other organizations are essential for ensuring accountability and standards of excellence, particularly for systems that store sensitive data. To modify a common saying, "who watches the auditors?" That's where ISO 17065 comes in.
This article will cover this ISO document and what it means for assessors and auditors in any industry.
What Is ISO 17065?
ISO 17065 (also known as ISO/IEC 17065) is a standard released by the International Organization for Standardization to impart a common set of standards and practices for organizations that provide assessments and certifications.
As an ISO publication, it isn’t technically required by any industry. However, it provides a set of practices and standards that promote a high standard of competence for companies that certify “products, services, or processes.”
What do those standards apply to?
- Products: This document helps assessors certify actual products resulting from complex processes that meet a specific, final standard.
- Services: Additionally, this document helps organizations assess and certify services and intangible goods that typically include a temporary/subscription product or ongoing activity.
- Processes: Finally, this document supports certification of processes, the interrelated activities that lead to producing a product or service, or any system that takes inputs to produce output.
This last standard is of most interest in cybersecurity, where auditors are regularly responsible for assessing and authorizing businesses and agencies based on their overall IT and data security processes.
What Are the Requirements for ISO 17065?
ISO 17065 focuses on ensuring that an organization maintains well-regulated and well-documented assessment standards predicated on its relevant industry and its relation to the product, service, or process it certifies. Additionally, ample attention is paid to impartiality and accountability.
Under ISO 17065, an organization must be a legal entity such that it may be held accountable and legally liable for certification activities.
- Certification Agreements: Organizations must have a legally enforceable agreement with their client, which includes requirements for the assessing organization to fulfill pre-set certification requirements. The agreement may not allow the certification organization to fall into disrepute due to the product or service assessed. The client must maintain complete copies of all agreements and record all complaints against the certifying organization. Finally, certifying organizations must only display any licenses or certificates in accordance with their industry and the agreement.
- Impartiality: All certification activities must be completely impartial. Assessing organizations must manage internal risks to impartiality, including relationship management, demonstrating how the organization eliminates partiality, and proving that the organization is not under the same legal entity as the client being assessed.
- Liability: The certifying organization should have financial arrangements, like insurance, to cover liabilities. It must also demonstrate that it has the resources to accomplish the certification tasks dictated by the certification agreement.
- Non-Discrimination: An organization must implement and maintain measures that ensure services are provided without discrimination, that services are available to all applicants within the scope of the organization’s operations, and that it can provide reasons for declining service.
- Confidentiality and Publicly Available Information: Certification bodies must operate under legally enforceable measures to ensure that client information remains private. Conversely, upon request, the organization must provide information about its certification schemes, certification measures and processes, and procedures for handling complaints.
- Organizational Structure: Organizations must document their organizational structure. This includes identifying the board or group with overall authority over the organization and specific areas of interest like operations, policies, financial activities, certification activities, evaluations, impartiality measures, agreement management, resource management, and complaint management.
- Safeguarding Impartiality: The certifying body must have mechanisms to protect impartiality. This mechanism will form the basis for policies related to impartiality, outside corrupting influences (like commercial activities), and transparency around certification operations.
- Personnel: Certifying bodies must have sufficient personnel to cover operations and certification schemes. Personnel must be trained and competent in their certifying and assessment functions, pledge to maintain the confidentiality of client information, and limit their assessments to their narrow scope of application.
- Evaluation Resources: If the certifying body uses internal resources for assessment, it must follow the ISO requirements for testing (ISO 17025), inspection (ISO 17020), and management system auditing (ISO 17021). If it uses outsourced resources, it may only do so with organizations that meet the same ISO requirements. Additionally, the certifying body must ensure that the outsourced assessment is confidential, impartial, and sufficiently credible based on ISO standards.
Organizations must use one or more certification schemes to cover the relevant certification. Each scheme must be coupled with process surveillance and apply to the requirements under which the clients' products, services, or processes are created and maintained.
- Application of Certification: To apply their certification scheme, the certifying body must obtain all necessary information from their client, including the object under scrutiny, standards around certification in the industry, all related outsourced processes, and relevant information related to the client’s business.
- Application Review: The certifying body must review the information collected from the client to ensure that it is complete, sufficient, within the scope of certification, and within the capabilities of the certifying body to assess.
- Evaluation: The certifying body must plan to evaluate the provided data based on the certification scheme and applicable industry standards, with relevant confidentiality and impartiality controls in place.
- Assessment Review: At least one person must be assigned to review all information related to the evaluation and make a recommendation regarding certification.
- Certification: The certifying body makes its decision, carried out by an individual or group that was not part of the evaluation or assessment review.
- Documentation: The certifying body must provide the client with documentation surrounding its decision, including contact information, the date of certification, and the scope of certification.
- Directory of Certified Products: The certifying body must maintain an inventory of certified objects, including product IDs, standards for certification, and client identification.
- Surveillance: The certification body must establish, document, and implement surveillance measures when required by the certification scheme.
- Changes: If the certification scheme changes, the certification body must communicate those changes to its client, with relevant contractual adjustments and a re-working of the evaluation, review, decision, and certification processes.
- Termination of Certification: If the client is not in compliance with certification requirements, the certifying body, under the guidance of industry regulations, may continue certification under remediation and surveillance, suspend certification, or withdraw certification.
- Record keeping: Certifying bodies must maintain records of certification processes, evaluations, and complaints.
- Complaints and Appeals: Bodies must have documented processes in place to receive and make decisions regarding complaints and appeals.
Management System Requirements
Per ISO 17065, certification bodies must have management systems to ensure consistent evaluations and fulfillment of ISO requirements. These management systems may operate under one of two options:
- Option A: An organization demonstrates a management system that addresses process documentation, document control, record control, management review, internal audits, corrective actions, and preventative actions.
- Option B: An organization has already established and maintains a management system in line with ISO 9001.
Get On Top of ISO Certifications with Continuum GRC
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® platform, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.