
Intake and independence

Noordbeek Certification only carries out assignments for ISO 27001, NEN 7510, or ISO 27001 and NEN 7510 together, in relation to certification.

For related assurance engagements for NEN 7512 and 7513, please refer to Noordbeek B.V.

We do not carry out internal audits at certification clients of Noordbeek Certification.

To determine the number of audit days, we follow the guidelines in the ISO 27006 and NCS 7510 standards. This number is based on the number of FTEs in your organization and the relevant aspects mentioned in these standards that can influence the audit time calculation.

Definition of NEN 7510 Cluster B and Cluster Z Clients

A healthcare institution is a Cluster Z client. This includes a legal entity that provides healthcare on a commercial basis, an organizational structure of natural persons who provide or commission healthcare on a commercial basis, a natural person who commissions care on a commercial basis, and a solo healthcare provider.

A processor of personal health information is a Cluster B client. These are Dutch and foreign processors of personal health information with Dutch healthcare clients, other than healthcare institutions, where personal health information is processed, and processors other than healthcare institutions that act as controllers of personal health information.

On-site or remote audit

If less than 70% of the audit time is spent on-site, Noordbeek Certification will substantiate the balance between on-site and remote audits via video sessions based on a risk analysis. This will be documented in the audit plan. The following factors are considered in the risk analysis:

  • Available infrastructure of the certification body and the client;
  • Sector in which the client operates;
  • Type(s) of audit(s) during the certification cycle, from initial audit to recertification audit;
  • Competence of the certification body and client personnel involved in the remote audit;
  • Previously demonstrated performance of remote audits for the client;
  • Scope of the certification.

Audits will not be conducted remotely if the risk analysis identifies unacceptable risks to the effectiveness of the audit process. The risk analysis will be reviewed throughout the certification cycle to ensure its continued suitability.

Communication during the Audit

During the audit, the audit team will periodically review the progress of the audit and exchange information. The team leader will reassign work to audit team members as needed and periodically communicate the audit's progress and any concerns to the client.

If the available audit information indicates that the audit objectives are unattainable or suggests the presence of a direct and significant risk (e.g., safety), the team leader will report this to the client and, if possible, to Noordbeek Certification to determine appropriate action. Such action may include reconfirming or amending the audit plan, changes to the audit objectives or scope, or termination of the audit. The team leader will report the results of the action taken to Noordbeek Certification.

The team leader will work with the client to review the need for changes to the audit scope as they become apparent as the on-site audit activities progress and report these to Noordbeek Certification.

Use of videoconferencing software for the audit

If remote audit techniques, such as interactive web-based collaboration, web meetings, teleconferencing, and/or electronic verification of your processes, are used to communicate with your organization, these activities will be identified in the audit plan.

Noordbeek Certification will consult with you in advance about which videoconferencing method is most suitable for you.

Initial certification audit, Stage 1

The planning of Noordbeek Certification shall ensure that the objectives of Stage 1 can be met and the client shall be informed of any ‘on site’ activities during Stage 1.

The objectives of Stage 1 are to:

  • review the client’s management system documented information;
  • evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for Stage 2;
  • review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
  • obtain necessary information regarding the scope of the management system, including:
    • the client’s site(s);
    • processes and equipment used;
    • levels of controls established (particularly in case of multisite clients);
    • applicable statutory and regulatory requirements;
  • review the allocation of resources for Stage 2 and agree the details of Stage 2 with the client;
  • provide a focus for planning Stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
  • evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for Stage 2;
  • determine whether the audit team has the right competences to perform the Stage 2 certification audit;
  • in the case of NEN 7510 certification: verify the legality of the processing of personal health information.

Documented conclusions with regard to fulfilment of the Stage 1 objectives and the readiness for Stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a deviation during Stage 2.

In determining the interval between Stage 1 and Stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during Stage 1. Noordbeek Certification may also need to revise its arrangements for Stage 2.

If any significant changes which would impact the management system occur, Noordbeek Certification shall consider the need to repeat all or part of Stage 1. The client shall be informed that the results of Stage 1 may lead to postponement or cancellation of Stage 2.

Initial certification audit, Stage 2

The purpose of Stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. Stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:

  • information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
  • performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
  • the client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
  • operational control of the client’s processes;
  • internal auditing and management review;
  • management responsibility for the client’s policies.

The audit team shall analyse all information and audit evidence gathered during Stage 1 and Stage 2 to review the audit findings and agree on the audit conclusions.

Regarding NEN 7510 audits, Noordbeek Certification assesses whether the client is legally permitted to process personal health information (as defined in the GDPR) or has been legally permitted to do so in the six months prior to the start of the Stage 2 audit.

If it appears that the client is not legally permitted to do so, the NEN 7510 audit may not be conducted.

Criteria

The audit criteria are used as a reference to determine the conformity of the Information Security Management System (ISMS). The applicable criteria for the assignment are:

  • The requirements from ISO 27001 and NEN 7510;
  • The defined processes and documentation of the ISMS based on the client's Statement of Applicability (SoA).

Multi-site sampling

Where multi-site sampling is used for the audit of a client’s management system covering the same activity in various geographical locations, Noordbeek Certification shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client.

Multi-site sampling is only allowed if:

  • All the sites are covering the same activities;
  • All sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;
  • All sites are included within the client’s internal ISMS audit programme;
  • All sites are included within the client’s ISMS management review programme.

During the initial contract review, Noordbeek Certification identifies, to the extent possible, the differences between locations to ensure an adequate level of sampling is determined. This takes into account:

  • The results of internal audits of the head office and the sites;
  • The results of management review;
  • Variations in the size of the sites;
  • Variations in the business purpose of the sites;
  • Complexity of the information systems at the different sites;
  • Variations in working practices;
  • Variations in activities undertaken;
  • Variations of design and operation of controls;
  • Potential interaction with critical information systems or information systems processing sensitive information;
  • Any differing legal requirements;
  • Geographical and cultural aspects;
  • Risk situation of the sites;
  • Information security incidents at the specific sites.


A representative sample is selected from all sites within the scope of the client’s ISMS; this selection shall be based upon judgmental choice to reflect the factors presented above as well as a random element.

Every site included in the ISMS which is subject to significant risks is audited by Noordbeek Certification prior to certification.

The audit programme has been designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within the three-year period.

In the case of a deviation being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate.

The audit shall address the client’s head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above.

Definition and handling of major and minor deviations

A deviation is a non-fulfilment of a requirement. This can be:

  • Major deviation
    This is a deviation that affects the capability of the management system to achieve the intended results. A deviation could be classified as major in the following circumstances:
    • If there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
    • A number of minor deviations associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major deviation.
  • Minor deviation
    This is a deviation that does not affect the capability of the management system to achieve the intended results;
  • Opportunity for improvement
    This is a deviation that does not affect the ability of the management system to achieve its intended outcome and has no direct impact on risk mitigation.

For major deviations, Noordbeek Certification must review, accept, and verify the correction and corrective actions before deciding to grant certification, to expand or reduce the scope of certification, to renew certification, to suspend certification or take remedial action, or to revoke certification.

For minor deviations, Noordbeek Certification must review and accept the client’s correction and corrective action plan.

The deadline for submitting the plan or the correction and corrective actions for a deviation is four weeks. After this period, Noordbeek Certification can review, accept, and verify the plan or the correction and corrective actions.

If Noordbeek Certification is not able to verify the implementation of corrections and corrective actions of any major deviation within 6 months after the last day of Stage 2, Noordbeek Certification shall conduct another Stage 2 prior to recommending certification.

Surveillance audit

Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that Noordbeek Certification can maintain confidence that the client’s certified management system continues to fulfil requirements between recertification audits. Each surveillance for the relevant management system standard shall include:

  • internal audits and management review;
  • a review of actions taken on deviations identified during the previous audit;
  • complaints handling;
  • effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
  • progress of planned activities aimed at continual improvement;
  • continuing operational control;
  • review of any changes;
  • use of marks and/or any other reference to certification.

Noordbeek Certification must assess, with regard to NEN 7510 surveillance audits, whether the client is legally entitled to process personal health information (as defined in the GDPR) or:

  • in the case of a first surveillance audit, whether the client has been legally entitled to process personal health information in the six-month period preceding the ‘effective date of the current certification cycle + 12 months’;
  • in the case of a second surveillance audit, whether the client has been legally entitled to process personal health information in the six-month period preceding the ‘effective date of the current certification cycle + 24 months’.

If it appears that the client is not legally entitled to a NEN 7510 certificate, the ‘Suspension, Revocation, or Restriction of the Scope of Certification’ procedure will be initiated.

Recertification

The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document. This shall be planned and conducted in due time to enable timely renewal before the certificate expiry date.

The recertification activity shall include the review of previous surveillance audit reports and consider the performance of the management system over the most recent certification cycle.

Recertification audit activities may need to have a Stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).

The recertification audit shall include an on-site audit that addresses the following:

  • the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
  • demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
  • the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s).

In addition, for NEN 7510 recertification audits, Noordbeek Certification assesses whether the client is legally permitted to process personal health information (as defined in the GDPR) or has been legally permitted to do so in the six months preceding the expiration date of the current certification cycle.

For each major deviation, Noordbeek Certification sets deadlines for correction and corrective actions. These actions must be implemented and verified by the client before the certification expires.

The deadline for submitting the plan or the correction and corrective actions for a deviation is four weeks. After this period, Noordbeek Certification can review, accept, and verify the plan or the correction and corrective actions.

Expiration date

When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.

Not completing the recertification audit

If Noordbeek Certification has not completed the recertification audit or Noordbeek Certification is unable to verify the implementation of corrections and corrective actions for any major non-conformity prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.

Restoring certification

Following expiration of certification, Noordbeek Certification can restore certification within 6 months provided that the outstanding recertification activities are completed; otherwise at least a Stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on the prior certification cycle.

Special audits

If necessary, Noordbeek Certification can carry out a special audit, whether or not as a two-stage audit.

Expanding scope

Following an application to extend the scope of a certification already granted, Noordbeek Certification will conduct an assessment of the application and determine any audit activities necessary to decide whether or not the extension can be granted. This can be performed in combination with a surveillance audit.

Short-notice audits

It may be necessary for Noordbeek Certification to conduct short-notice or unannounced audits of certified clients to investigate complaints, in response to changes, or as a follow-up to suspended clients.

In such cases:

  • Noordbeek Certification describes and announces in advance to the certified clients the conditions under which such audits will be carried out;
  • Noordbeek Certification will take extra care in the assignment of the audit team, because the client has no opportunity to object to audit team members.

Suspending, withdrawing or reducing the scope of certification

If Noordbeek Certification finds a deviation that may lead to suspension, withdrawal or restriction, the client will be contacted. If consultation does not lead to a solution, the Certification Committee will be informed. This committee can decide to suspend, withdraw or restrict.

Noordbeek Certification suspends certification in cases where, for example:

  • The client's certified management system has persistently or seriously failed to meet the certification requirements, including requirements for the effectiveness of the management system;
  • The certified client does not allow surveillance audits or recertification audits to be performed with the required frequencies;
  • The certified client has voluntarily requested a suspension.

In the event of suspension, the certification of the client's management system is temporarily invalid.

Noordbeek Certification reinstates the suspended certification when the issue that led to the suspension has been resolved. Failure to resolve the issues that led to the suspension within a time set by Noordbeek Certification will lead to withdrawal or reduction of the scope of certification. (Note: In most cases, the suspension would not exceed six months.)

Noordbeek Certification will limit the scope of certification to exclude those parts that do not meet the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Such a reduction must be in accordance with the requirements of the standard used for certification.

Legality of NEN 7510 certification activities

The following rules apply to NEN 7510 certification:

  • If, during a first surveillance audit, it is determined that the Cluster B organization has not legally processed personal health information in the six-month period preceding the ‘effective date of the current certification cycle +12 months’, the organization’s certificate will be revoked as of the ‘effective date of the current certification cycle +12 months’;
  • If, during a second surveillance audit, it is determined that the Cluster B organization has not legally processed personal health information in the six-month period preceding the ‘effective date of the current certification cycle +24 months’, the organization’s certificate will be revoked as of the ‘effective date of the current certification cycle +24 months’;
  • If, during a recertification audit, it is determined that the Cluster B organization has not been legally permitted to process personal health information in the six-month period preceding the ‘expiry date of the current certification cycle’, the organization’s certificate will be revoked as of the ‘expiry date of the current certification cycle’.

If, after the certificate has been revoked, the organization regains legality to process personal health information, an extension audit must be performed, or, if the organization does not hold an ISO 27001 certificate, at least a Stage 2 audit must be performed.

Alternatively, instead of revocation, Noordbeek Certification may decide to suspend the certificate for a period of up to six months. According to ISO 17001, this is always temporary. If the client meets the requirements again, the certificate will be reactivated. If the Cluster B organization can demonstrate its legality for processing personal health information during the suspension period with a demonstrable agreement, the certification can be reinstated.

If the Cluster B organization does not demonstrate its legality for processing personal health information after six months from the date of suspension, the certification will be revoked.

Noordbeek Certification will reduce the scope of certification to exclude non-compliant components if the certified client has persistently or seriously failed to meet the certification requirements for those parts of the certification scope. Such a reduction must be consistent with the requirements of the standard used for certification.


Contact

Noordbeek Certification B.V.
Rijndijk 235
2394 CD Hazerswoude
Chamber of Commerce 80529585



© Noordbeek Certification B.V. All rights reserved.