The steps towards achieving ISO/IEC 27001 certification are shown below:
Enquiry and Quotation
Organisations should complete an application form to request a quotation. Kindly note that the quoted number of audit days varies depending on the scope of certification, the size of the organisation, etc.
Submission of Application
Once the application is completed, organisations should forward it to the Certification Body (CB) for application review.
If there is a need to obtain more information about the organisation's ISMS, or to clarify some of the details contained in the application, the CB will contact the organisation to obtain the required additional information.
Stage 1 Audit
The purpose of the Stage 1 Audit is to verify that the organisation's management system is implemented and to assess the organisation's readiness for the Stage 2 Audit. The CB will review the organisation's management system documented information and obtain the necessary information regarding the scope of the management system.
Stage 2 Audit
The Stage 2 Audit evaluates the implementation, including the effectiveness, of the organisation's ISMS. Where non-conformities and opportunities for improvement are observed, the CB will formally document them. The organisation should provide an appropriate set of corrective actions to resolve the identified non-conformities.
All information and audit evidence gathered during the Stage 1 and Stage 2 audits will be analysed in order to review the audit findings and agree on the audit conclusions. The CB will make the final certification decision after all non-conformities have been resolved.
Surveillance Audit
Surveillance audits are conducted periodically so that the CB can maintain confidence that the organisation's certified management system continues to fulfil the requirements of the standard.
Recertification Audit
A recertification audit will be conducted if the organisation wishes to renew its certification. The audit will evaluate the organisation's continued fulfilment of the relevant requirements of the standard.
The total fee will vary depending on the organisation's scope and size. The general guideline is shown below:
| Fee Category | Detailed Fee |
|---|---|
| Initial Certification Fee | Adequacy Audit |
| Surveillance Fees | Surveillance 1 |
The total audit fee is made up of the professional fee, the number of auditors and the required number of audit days. This will be determined based on the client organisation's desired certification scope.
Fees shown are not inclusive of incidental costs, which cover accommodation and travel (where applicable). These costs will be charged directly to the organisation.
Email us: csm27001[at]cybersecurity.my
Appeals & Complaints
The Client may, through the Complaints and Appeals Procedure request reconsideration of a decision made by CyberSecurity Malaysia. Appeals can be filed by any client organisation to CyberSecurity Malaysia and may be filed for reasons associated with:
- Rejection of application;
- Rejection of conducting audit; and
- Reconsideration of the suspension or withdrawal of certification.
Notification of the intention to appeal must be made in writing and received by CyberSecurity Malaysia within seven (7) business days of the client's receipt of the decision notification from CyberSecurity Malaysia, supported by relevant facts and data for consideration during the Complaints and Appeals Procedure. The minimum information required is:
- The name of the appellant;
- Contact details for the appellant;
- The application/audit/certification decision that is the subject of the appeal; and
- Description of the appeal.
If the required information cannot be supplied, the appeal is automatically rejected and a formal rejection letter is prepared and sent to the appellant.
All appeals are forwarded to CyberSecurity Malaysia and are put before the appeals committee of CyberSecurity Malaysia. CyberSecurity Malaysia shall be required to submit evidence to support its decision to withhold, suspend or withdraw the Certificate.
Any appeal received is fully investigated and documented, and appropriate follow-up action is taken within ten (10) business days. The decision of the appeals committee shall be final and binding on both the Client and CyberSecurity Malaysia. Once the decision regarding an appeal has been made, no counter-claim by either party in dispute can be made to amend or change this decision.
In instances where the appeal has been successful and the Certificate issued or reinstated, no claim can be made against CyberSecurity Malaysia for reimbursement of costs or any other losses incurred as a result of the withholding, suspension or withdrawal notification.
If a Client has cause to complain regarding the conduct of employees of CyberSecurity Malaysia, the complaint shall be made in writing, without delay, and addressed to the Scheme Manager. If the complaint is made against the Scheme Manager, the letter of complaint shall be addressed to the ISCB Head of Department of CyberSecurity Malaysia. The minimum information required is:
- The name of the complainant;
- Contact details for the complainant;
- The certification activity that is the subject of the complaint; and
- Description of the complaint.
If the required information cannot be supplied, the complaint is automatically rejected and a formal rejection letter is prepared and sent to the complainant.
Any complaint received is fully investigated and documented, and appropriate follow-up action is taken within ten (10) business days.