EY CertifyPoint

Appeals

An appeal is a formal record of dissatisfaction by a client about the (process towards the) result of a certification or verification decision.

Upon receipt of an appeal, CertifyPoint will be responsible for all decisions at all levels of the appeals-handling process. The certification/verification body shall confirm that the persons engaged in the appeals-handling process are different from those who carried out the audits and made the certification/verification decisions.

Activities

1. Appeals may be received by every employee, by mail, fax, e-mail or orally. Appeals are required to be submitted in writing, to the attention of the director. 
2. Upon receipt of an appeal the management assistant will register the appeal in the Appeal register. Appeals will be supplied to the director. The director will as soon as possible (through the management assistant) send a letter or e-mail as confirmation of receipt and consideration to the appealing party. 
3. The director will have the background and/or cause of the appeal investigated by an employee or employees who is/are independent of the case in concern (and hence have not been involved with the certification or verification audit and the decision process) Within four weeks the findings will be reported to the director. 
4. The report will be used to develop recovering/corrective proceedings, which must include measures for recovery of certification or verification as soon as possible, prevention of repetition and the assessment of the effectiveness of the applied recovering/corrective measures. 
5. Within four weeks after confirmation of reception, the director will send the sender a letter with the proposed solution. 
6. In cases where application of the steps mentioned above does not lead to an acceptable solution or if the presented procedure is unacceptable for the appealing party or other parties involved, the director will report the appeal to the department of juridical matters (Juridische Zaken, or JZ). JZ acts as coordinator and composes an arbitration committee. The members of the arbitration committee will have to be accepted by both parties, by which the impartiality of the judgment can be guaranteed. The complainant formally presents his case, after which the arbitration committee will formulate a written declaration of the findings, decision, and motivation. This decision of CertifyPoint is binding for all parties. 
7. CertifyPoint maintains files and records of all appeals related to the certification and the verification, as well as recovery actions. Among other things, this is used for analysis during management reviews.

Complaints

Activities

1. Complaints may be received by every employee, by mail, fax, e-mail or orally. The employee is required to report the complaints to the management assistant. 
2. Upon receival of a complaint the management assistant will register the complaint in the complaint register. The complaint will be supplied to the director. The director will send (through the management assistant) a letter or e-mail as confirmation of receipt and consideration to the complaining party. Upon receipt of a complaint, the director will confirm whether the complaint relates to certification or verification activities that he is responsible for and, if so, will manage it. If the complaint relates to a certified client, then examination of the complaint will consider the effectiveness of the certified management system.
3. The director will have the background and/or cause of the complaint investigated by an employee or employees who is/are independent of the case in concern (and hence have not been involved with the certification or verification audit and the decision process). Within four weeks the findings will be reported to the director. 
4. The report will be used to develop recovering/corrective proceedings, which must include measures for recovery of certification or verification as soon as possible, prevention of repetition and the assessment of the effectiveness of the applied recovering/corrective measures. 
5. Within four weeks after confirmation of reception the director will send the sender a letter with the proposed solution. 
6. In case application of the steps mentioned above does not lead to an acceptable solution or if the presented procedure is unacceptable for the appealing party or other parties involved, the complainant will be offered the possibility to initiate an appeal. 
7. In discussion with the client involved, the complainant and CertifyPoint will be determined whether and to which degree the complaint and the selected solution will be made publicly known. 
8. CertifyPoint maintains files and records of all appeals related to the certification and the verification, as well as recovery actions. Among other things, this is used for analysis during management reviews

Confidentiality

Activities

1. EYCP is responsible for managing information obtained or created during the performance of certification activities.
2. EYCP shall inform client of any information that it intends to put in public domain. All other information, except for information that is made publicly accessible by the client, shall be considered confidential.
3. Except as required in ISO/IEC 17021, information about a particular certified client or individual shall not be disclosed to a third party without the written consent of the certified client or individual concerned.
4. When required by law or authorized by contractual arrangements (such as with the accreditation body) to release confidential information, the client or individual concerned shall, unless prohibited by law, be notified of the information provided.
5. Information about the client from sources other than the client (e.g. complaint, regulators) shall be treated as confidential.
6. Personnel, including any committee members, contractors, personnel of external bodies or individuals acting on the EYCP's behalf, shall keep confidential all information obtained or created during the performance of the EYCP's activities except as required by law.
7. The audit team members are required to sign a confidentiality statement before commencing the audit activities for particular client.

Use of certification marks

Activities

1. The use of EY CertifyPoint's certification mark, possibly in combination with the accreditation mark of the Dutch Accreditation Council [Raad voor Accreditatie], requires the prior written permission of the Managing Director of EY CertifyPoint
2. The certification and accreditation marks may be used in letters and other documents to the extent that such documents relate to the certified activities. The same rules apply to the use of the certification and accreditation marks in digital documents, such as websites provided it is hyperlinked to (https://www.ey.com/certifypoint). The logo is not to be used in an individual email signature block.
3. The certification and accreditation marks may only be used in documents in combination with the certified organization's logo and/or name. The certification and accreditation marks may not draw more attention than the organization's logo or name. The logo may not be altered in any way except for size.
4. Certified organizations may use the certification and accreditation marks in promotional material if that material refers to at least some of the certified activities. Any misleading reference whatsoever must be avoided. Accordingly, it must be clear which activities do and which activities do not come under the scope of the Certification. Logos and marks may only be used until the certification is valid – upon suspension, expiration or withdrawal of certification, the marks/ logo may not be used in any way.
5. Certified organizations may use the certification and accreditation marks in letters. Proposals or offer letters, etc., that do not exclusively relate to certified activities may bear the certification and accreditation marks, provided that such documents clearly show which services are certified and which are not. This also holds true for the documents dispatched together with such documents. If the certification and accreditation marks are used in a proposal or offer, etc., that relates exclusively to activities beyond the certified scope, the following sentence must be included in the document unchanged: "EY CertifyPoint's Certification does not apply to the activities specified in [this letter]." The name of the document (proposal, offer, etc.) must be stated instead of "[this letter]".
6. The use of the certification and accreditation marks in business cards of staff of certified organizations is not permitted.
7. To the extent applicable to system Certification, the certification and accreditation marks may not be used on products or packaging of products, or on related products.
8. The use of the accreditation mark in reports and in Certificates of certified calibration and test laboratories and inspection institutions is excluded.
9. EY CertifyPoint will be entitled to check the use of the certification and accreditation marks at any time against the rules laid down in this section. The certified organization must render its co-operation in such checks.
10. The use of EY CertifyPoint's certification mark by organizations that do not have a valid EY CertifyPoint Certification qualifies as misuse. The use of the mark without permission by organizations with a valid Certification also qualifies as misuse. In the event of misuse, EY CertifyPoint will take the measures available to it, such as corrective action, revocation of the Certificate, publication of the violation or legal steps.
11. Certified organizations may not assign, sublicense or otherwise transfer any rights to use the Logo/ marks to any third party, and acknowledge and agree that any such attempted transfer would be void and unenforceable.
12. Upon termination of EY CertifyPoint's accreditation, the authorization to use the accreditation mark will end.

Learning about certification standards is the first step towards successful implementation of the related management systems and their successful integration in an organization. EY CertifyPoint delivers training courses based upon the learning needs of organizations or individuals. Participants are able to experience the real challenges and benefits of implementing and auditing management systems.

Our trainers are highly qualified professionals who are experienced not only with auditing the certification standards listed below, but also with implementing these standards, by participating in numerous EY consulting assignments for leading international organizations. We focus on keeping the business at the centre, identifying areas of redundancy, bottlenecks and potential efficiency gains by means of a systematic and independent certification approach against recognized certification standards such as:

• ISO 9001 - Quality Management System
• ISO 14001 - Environment Management System
• ISO/IEC 20000-1 - IT Service Management System
• ISO 21500 - Project Management System
• ISO 22301 - Business Continuity Management System
• ISO/IEC 27001 - Information Security Management System
• ISO/IEC 27017 - Cloud Security Controls
• ISO/IEC 27018 - Protection of Personally Identifiable Information in Cloud
• OHSAS 18001 - Occupational Health and Safety Management System
• ISO 50001 - Energy Management
• ISO 37001 - Anti Bribery Management System
• ISO 45001 - Occupational Health and Safety Management System
• World Lottery Association (WLA) assessments
• CSA STAR certification
• NEN 7510 - Health Information Security Management System
• Hébergeur de Données de Santé (HDS)
• Multi-Layer Cloud Security (MTCS - Singapore)
• eIDAS - Trust Services and eID
• GDPR assessment
• Integrated approach with ISAE3402, SOC and other attestation reports
• ISO/IEC 27701:2019 - Privacy Information Management System (Unaccredited)

Learn from our professionals

At EY CertifyPoint, we do not just provide our participants with plain knowledge on the certification standards, but also:

• Enable our participants to experience the real challenges and benefits of auditing and implementation.
• Provide our course participants with a wider understanding of practical challenges related to the tasks associated with the certification standards. 
• Provide our participants with the ability to assess the underlying management system.
• Enrich our participants’ knowledge, by exposing them to actual case studies and practical examples from previous implementations and audits of the certification Standards. 
• Provide our participants with a helpful toolkit to support their organization with understanding and implementing the certification standards.

Courses offered by EY CertifyPoint

EY CertifyPoint provides four- and five-day courses for several standards. The courses are designed in order to help participants develop the essential skills to implement (and/or audit) a Management System that meets the requirements of each of the ISO standards.

EY CertifyPoint currently offers courses for the following ISO Standards. Click on the standards for more information:

• ISO 9001 — Quality Management Lead Implementer/Lead Auditor (4 to 5 day course)
  ISO 9001 specifies the basic requirements for a quality management system (QMS) that an organization must fulfil to demonstrate its ability to consistently provide products (which include services) that enhance customer satisfaction and meet applicable statutory and regulatory requirements. The standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement.
• ISO 14001 — Environment Management Lead Implementer/Lead Auditor (4 to 5 day course)
  ISO 14001 sets the standards for an environmental management system that helps meet legal requirements and improve environmental performance and sustainability. It specifies the requirements related to an environmental policy (which includes a commitment to prevent pollution), planning, management review, legal compliance, training, improvement and operational controls.
• ISO/IEC 20000 — IT Service Management Lead Implementer/Lead Auditor (4 to 5 day course)
  ISO 20000 is a standard for quality management specifically focused around IT service management. The standard specifies four key processes related to 1) service delivery — service level, availability and capacity management; 2) relationship — interfaces between the service provider and customers and suppliers; 3) resolution — prevention or resolution of incidents; and 4) controls — managing changes, assets and configurations.
• ISO 22301 — Business Continuity Management Lead Implementer/Lead Auditor (4 to 5 day course)
  ISO 22301 is a standard that helps organizations be better prepared to handle disruptions to its business operations in order to recover from disruptive incidents when they arise. The standard specifies security requirements for disaster recovery preparedness and business continuity management systems. It specifies what is needed to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system.
• ISO/IEC 27001 — Information Security Management Lead implementer/Lead auditor (4 to 5 day course)
  ISO 27001 is a standard that helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to an organization by third parties. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), using a continual improvement approach. It provides the foundation for third-party audits and is meant to “harmonize” with other management standards, such as ISO 9001.
• ISO 50001 — Energy Management Lead Implementer/Lead Auditor (4 to 5 day training)
  The ISO 50001 standard sets the requirements that help organizations design an Energy Management System by developing a policy for a more efficient use of energy, setting targets and objectives that help fulfill the policy and overall to continually improve their energy management. This standard is applicable to any organization, in any sector in a way that it makes it easy to be integrated with other management systems.
  
  Learning how to design, implement and audit an ISO 50001 Management System is one solution to confirm organizations’ compliance (to the EU Energy Efficiency Directive) but also to develop a framework that improves energy savings.
• ISO 37001 — Anti-bribery Management Lead Implementer/Lead Auditor (4 to 5 day training)
  ISO 37001 is the standard that helps organizations design a series of measures for preventing, detecting and addressing bribery. These measures include adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, employee training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures. This standard is applicable to any organization from any sector (either public, or private), in a way that it makes it easy to be integrated with other management systems. It can be adapted to the size and nature of each organization and to the bribery risk it faces.
  
  Through this training you will have a chance to learn how to design, implement and audit an ISO 37001 Management System to help reduce the risk of bribery, as well as learning how to address bribery where it does occur.
• ISO/IEC 27017 — Information technology — Security techniques (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) Lead Implementer/Lead Auditor (2 to 4 day training)*
  The ISO 27017 Standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing implementation guidance for relevant ISO/IEC 27002 controls and additional controls specifically related to cloud services. This ISO Standard provides controls and implementation guidance applicable to both cloud service providers and cloud service customers.
  
  Note: a good understanding of Information Security Management System based on ISO27001 standard is required for a stand-alone course on this topic
• ISO/IEC 27018 — Information technology — Security techniques (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) Lead Implementer/Lead Auditor (2 to 4 day training)*
  ISO/IEC 27018 supports organizations with defining objectives, procedures, controls and guidelines for measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles of ISO/IEC 29100 for the public cloud computing environment.
  This standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a public cloud service provider.
  ISO/IEC 27018 is applicable to any organization from any sector (either public, or private), which provides information processing services as PII processor via cloud computing under contract to other organizations.
• SS 584:2015+C1:2016 — Specification for multi-tiered cloud computing security (MTCS) Lead Implementer/Lead Auditor (2 to 4 day training)*
  The Singapore Standard SS 584: 2015 Specification for multi-tiered cloud computing security, commonly known as MTCS, is the world’s first cloud security standard that covers multiple tiers of cloud security developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. The standard builds on recognized international standard, such as ISO 27001, with the added enhancement to provide Cloud Service Users with a mechanism to benchmark and tier the capabilities of Cloud Service Providers against a set of minimum baseline security requirements. This benefits the Cloud Service Users by providing assurance to the users that the provider meets accepted minimum baseline security requirements for each tier. Cloud Service Providers benefit from having a mechanism to demonstrate the security of their offerings.
• ISO 45001 — Occupational Health and Safety Management Lead Implementer/Lead Auditor (4 to 5 day training)
  The ISO 45001 standard, Occupational health and safety management systems – Requirements with guidance for use, is the world’s first International Standard for occupational health and safety (OH&S). It provides a framework to increase safety, reduce workplace risks and enhance health and well-being at work, enabling an organization to proactively improve its OH&S performance. ISO 45001 enables organizations to put in place an occupational health and safety (OH&S) management system. This will help them manage their OH&S risks and improve their OH&S performance by developing and implementing effective policies and objectives.

*Note: a good understanding of Information Security Management System based on ISO27001 standard is required for a stand-alone course on this topic.

Note: The ISO 27017, ISO 27018 and MTCS trainings can be combined in a 4 to 5 day training event.