The steps towards achieving ISO/IEC 27001 certification are shown below:
The total fee will vary depending on the organisation's scope and size. Shown here is the general guideline:
| Fee Category | Detailed Fee |
|---|---|
| Initial Certification Fee | Adequacy Audit |
| Surveillance Fees | Surveillance 1 |
The total audit fee includes the professional fee, the number of auditors and the required number of audit days. This will be determined based on the client organisation's desired certification scope.
Fees shown are not inclusive of incidental costs, which cover accommodation and travel (where applicable). These fees will be charged directly to the organisation.
Appeals & Complaints
The Client may, through the Complaints and Appeals Procedure, request reconsideration of a decision made by CyberSecurity Malaysia. Appeals can be filed by any client organisation to CyberSecurity Malaysia and may be filed for reasons associated with:
- Rejection of application;
- Rejection of conducting audit; and
- Reconsideration of the suspension or withdrawal of certification.
Notification of the intention to appeal must be made in writing and received by CyberSecurity Malaysia within seven (7) business days from receipt of notification by CyberSecurity Malaysia, supported by relevant facts and data for consideration during the Complaints and Appeals Procedure. The minimum information required is:
- The name of the appellant;
- Contact details for the appellant;
- The application/audit/certification decision that is the subject of the appeal; and
- Description of the appeal.
If the required information cannot be supplied, the appeal is automatically rejected and a formal rejection letter is prepared and sent to the appellant.
All appeals are forwarded to CyberSecurity Malaysia and are put before the appeals committee of CyberSecurity Malaysia. CyberSecurity Malaysia shall be required to submit evidence to support its decision to withhold, suspend or withdraw the Certificate.
Any appeals received are fully investigated and documented, and appropriate follow-up action is taken within ten (10) business days. The decision of the appeals committee shall be final and binding on both the Client and CyberSecurity Malaysia. Once the decision regarding an appeal has been made, no counter-claim by either party in dispute can be made to amend or change this decision.
In instances where the appeal has been successful and the Certificate is issued or reinstated, no claim can be made against CyberSecurity Malaysia for reimbursement of costs or any other losses incurred as a result of the withholding, suspension or withdrawal notification.
If a Client has cause to complain regarding the conduct of employees of CyberSecurity Malaysia, the complaint shall be made in writing, without delay, and addressed to the Scheme Manager. If the complaint is made against the Scheme Manager, the letter of complaint shall be addressed to the ISCB Head of Department of CyberSecurity Malaysia. The minimum information required is:
- The name of the complainant;
- Contact details for the complainant;
- The certification activity that is the subject of the complaint; and
- Description of the complaint.
If the required information cannot be supplied, the complaint is automatically rejected and a formal rejection letter is prepared and sent to the complainant.
Any complaints received are fully investigated and documented, and appropriate follow-up action is taken within ten (10) business days.