Certification

The Austrian Computer Society OCG certifies Information Security Management Systems according to ISO/IEC 27001:2013. The certification process outlined below will be specially adapted to the needs of the customer.

Information stage

  • Customer contacts OCG and expresses interest
  • OCG delivers application form and additional information on the certification procedure
  • Customer and OCG meet for the first time to define the area which will be certified
    • Company information, sectoral classification, first meeting with contact person
    • Company sites, HR, systems and processes within the scope
    • Overview of the existing ISMS
    • Certification procedures and first cost estimate

Application stage

  • Customer submits application form to the OCG
  • OCG carries out a feasibility check
  • OCG submits offer
  • Customer places an order
  • Contract is signed 

Audit stage

  • Pre-audit (upon request)
    • Evaluation of ISMS maturity level also on site (necessary processes, policies and documentation)
    • Compilation of a question catalogue to attribute existing documents and processes to each chapter/control of the standard and to estimate the current level of compliance (gap analysis)
  • Stage I Audit
    • Audit of management system documentation of the customer
    • Gaps are identified and deadlines to close them are agreed upon
    • Audit report is drawn up
    • Decision whether the prerequisites for the Stage II Audit are fulfilled
    • Date for Stage II Audit is set
  • Stage II Audit
    • Stage II Audit at the customer on site
    • Conformity check of customer ISMS with ISO/IEC 27001
    • Gaps are identified and deadlines to close them are agreed upon
    • Audit report is drawn up

Certification

  • Certification decision by the OCG Certification Committee
  • Upon positive decision the certification document is issued

Continuous surveillance and changes to the certified client

  • As long as certification is maintained, continuous surveillance activities shall be carried out to ensure that the client fulfills the requirements of the Standard:
    • Any complaints of parties concerned or third parties shall be investigated
    • Correct use of the certification mark or logo is monitored (eg on the client's website or in publications)
    • Information of the client about changes relating the scope, the client's name, physical locations, etc. will be considered and adapted to the certification where necessary
    • If the certification bodies deems it necessary, a short-notice audit can be conducted for special reasons
  • The scope of certification shall be reduced or expanded following changes to the client; in that case a new certificate shall be issued stating the new scoope of certification.
  • The certification body shall suspend certification if there are doubts concerning the effectiveness of the client's certified management system.

Surveillance audits and re-certification

  • Surveillance audits (smaller audit scope) will take place each year after the certification
  • Three years after the certification the OCG will submit an offer for re-certification (start of a new 3-year cycle)

The Certificate

Upon successful certification the company will receive an ISO/IEC 27001 Certificate issued on behalf of the Austrian Computer Society OCG. This certificate is valid for three years and carries the certification sign of the OCG (see top of the page) and the certification logo of Akkreditierung Austria for the certification body of the OCG. After a 3-year period a re-certification audit will extend the validity of the certificate for another 3 years. 

Impartiality and handling of complaints and appeals

As certification body the OCG must be impartial and objective. Therefore, the Impartiality Committee was established which deals with the following issues:

  • Assessing the impartiality of prospective clients of the OCG prior to an offer; assessing the internal processes of the certification body
  • Assessing the impartiality of all persons (especially auditors) involved in the certification processes
  • Handling of third-party complaints about clients or the certification body as such
  • Handling of client appeals against decisions of the certification body