Certification Process

At Ampcus Cyber India Private Limited, we are committed to providing independent, objective, and credible certification services that align with the principles of impartiality, competence, and transparency.

Our certification process has been developed in accordance with the requirements of ISO/IEC 17021-1, ISO/IEC 27001, and ANAB accreditation criteria, ensuring that every certification decision is based on verified evidence and independent review.

Ampcus Cyber functions as an accredited Certification Body (CB), offering ISO/IEC 27001 certification services to organizations seeking to demonstrate their commitment to information security management excellence. Our certification framework follows a structured, systematic, and impartial approach from application to certification maintenance. 

1. Application and Contract Review

The certification process begins with a formal application from the client organization.

This application defines the scope of certification, including applicable sites, processes, and services. Upon receipt, Ampcus Cyber conducts an Application Review. The review is:

  • Independent of the audit process
  • Objective and impartial
  • Based on a complete review of audit evidence, corrective actions, and relevant information
  • Documented for traceability and accountability

Following review, a Certification Agreement is executed, clearly outlining the audit scope, confidentiality obligations, impartiality commitments, timelines, and fees.

This ensures full transparency and understanding between the client and Ampcus Cyber prior to the commencement of certification activities. 

2. Stage 1 Audit – Readiness and Documentation Review

The Stage 1 Audit is conducted to assess the organization’s preparedness for certification and to evaluate the implementation of its management system documentation.

Key objectives include: 

  • Reviewing the Information Security Management System (ISMS) documentation, including the Statement of Applicability, risk assessment, and risk treatment plan.
  • Evaluating alignment with ISO/IEC 27001 requirements and legal or regulatory obligations.
  • Assessing the adequacy of internal audits and management reviews.
  • Identifying potential gaps that may affect the Stage 2 audit. 

A detailed Stage 1 Audit Report is prepared and shared with the client, summarizing readiness status, areas requiring improvement, and recommendations for proceeding to Stage 2.

This phase ensures that the client has established the necessary framework to support a successful certification audit. 

3. Stage 2 Audit – Implementation and Effectiveness Assessment

The Stage 2 Audit is the primary evaluation phase, conducted on-site to verify that the management system is effectively implemented and operational.

During this stage, Ampcus Cyber auditors: 

  • Evaluate the effectiveness of implemented controls and processes.
  • Verify compliance with ISO/IEC 27001 clauses and Annex A controls.
  • Conduct interviews with employees and management to assess awareness and competence.
  • Review evidence such as records, logs, and performance monitoring data.
  • Observe day-to-day operations to ensure practical application of ISMS policies. 

Audit findings are classified as:

  • Major Nonconformities: Serious failures impacting the system’s effectiveness.
  • Minor Nonconformities: Isolated or limited deviations.
  • Observations/Opportunities for Improvement: Potential enhancements to strengthen the system.

At the conclusion, a Closing Meeting is conducted to review all findings, clarify observations, and outline corrective action timelines.

The audit report, including all findings and conclusions, is provided to the client for review and response. 

4. Corrective Actions and Verification

Following the audit, the client organization must address identified nonconformities by submitting a Corrective Action Plan (CAP) within the agreed timeframe (typically 30 days).

The CAP must outline: 

  • Root cause analysis of each nonconformity.
  • Corrective and preventive actions.
  • Responsible personnel and target dates for implementation. 

Ampcus Cyber reviews and verifies the adequacy and effectiveness of corrective actions, which may include document reviews, remote verification, or follow-up on-site visits.

Only after all major nonconformities are satisfactorily resolved does the process proceed to certification decision-making. 

5. Certification Decision

All certification decisions are made by Ampcus Cyber’s authorized Certification Decision Makers (CDM), who operate independently from the audit team to ensure impartiality.

The CDM reviews: 

  • Stage 1 and Stage 2 audit reports and findings
  • Verification of corrective actions for identified nonconformities
  • Results of surveillance or recertification activities, where applicable
  • Relevant complaints or appeals related to the certified client
  • Requests for changes to the scope of certification  

Based on this review, the CDM determines the applicable certification decision outcome in accordance with the certification process.

6. Surveillance Audits

Ampcus Cyber conducts annual surveillance audits to ensure the continued effectiveness of the certified management system.

These audits focus on: 

  • Implementation of corrective and preventive actions.
  • Achievement of information security objectives.
  • Review of incidents, changes, and continual improvement initiatives.
  • Verification that the ISMS continues to meet the requirements of ISO/IEC 27001. 

Surveillance audits maintain client accountability and reinforce the ongoing performance of certified systems.

7. Recertification Audits

Every three years, Ampcus Cyber conducts a Recertification Audit to confirm that the client’s management system remains effective and aligned with current standards and business requirements.

This audit covers the entire scope of certification and ensures that the ISMS continues to support organizational objectives and regulatory compliance.

Successful completion results in renewal of certification for another three-year cycle. 

8. Impartiality, Independence, and Confidentiality

Impartiality and independence are core principles of Ampcus Cyber’s certification philosophy.

We ensure that: 

  • All personnel involved in audits and certification decisions are independent of consulting or advisory roles.
  • An Impartiality Officer and Impartiality Committee continuously monitor all activities for conflicts of interest.
  • Certification activities are conducted without bias, undue influence, or external pressure.

All client information, documents, and records are treated as confidential, accessible only to authorized personnel or regulatory authorities such as ANAB upon request.

This ensures that the integrity and trust of our certification services are upheld at all times. 

9. Record Management and Retention

Ampcus Cyber maintains detailed records for all certification activities to ensure transparency, traceability, and accountability.

Records include: 

  • Audit plans, reports, and findings.
  • Corrective action evidence and verification results.
  • Certification decision documentation.
  • Client communications and complaints. 

All records are securely stored in our controlled repository for a minimum period of seven (7) years, in compliance with ANAB and ISO requirements.

Access is strictly limited to authorized personnel to maintain data integrity and confidentiality. 

10. Continuous Improvement and Oversight

Ampcus Cyber continuously enhances its certification processes through:

  • Internal audits and management reviews.
  • Periodic auditor training and competence assessments.
  • Feedback analysis from clients and stakeholders.
  • Oversight by the Impartiality Committee to safeguard independence. 

These measures ensure that our certification services remain reliable, consistent, and aligned with international best practices.

Commitment to Excellence

Ampcus Cyber is dedicated to maintaining the highest standards of professionalism and integrity in all certification activities.
Our structured, impartial, and transparent certification process ensures that clients receive credible and internationally recognized certification outcomes.

By choosing Ampcus Cyber, organizations demonstrate their commitment to information security, regulatory compliance, and continual improvement, strengthening trust among customers, regulators, and business partners.
