CSM27001: How to Apply

The steps towards achieving ISO/IEC 27001 certification are shown below :

Application
Organisations should complete an application form and provide relevant supporting information to request for quotation. Kindly note that the quotation for audit days will vary depending on the scope of certification, the size of the organisation, complexity of the scope etc.

Application Review
The application will be reviewed by Certification Body (CB) to ensure information about the organisation and its management system is sufficient and the CB has the competence and ability to perform the certification activity. Based on this review, the CB will either accept or decline the application.

Stage 1 Audit
The purpose of Stage 1 Audit is to verify that the organisation’s management system is implemented and the organisation’s preparedness of Stage 2 audit. CB will review the organisation’s management system documented information and obtain the necessary information regarding the scope of management system.

Stage 2 Audit
Stage 2 audit evaluates the implementation, including effectiveness of the organisation’s ISMS. Where Non-conformities and Opportunities for Improvements are observed, the CB will formally document them. The organisation should provide an appropriate set of corrective actions to resolve the identified non-conformities.

Certification Decision
All information and audit evidence gathered during Stage 1 and Stage 2 audits will be analysed in order to review the audit findings and agree on the audit conclusions. The CB will make the final decision after all non-conformities have been resolved. The decision include granting or refusing certification, expanding or reducing the scope of certification.

Surveillance/Recertification
Surveillance audits are conducted periodically for the CB to maintain confidence that the organisation’s certified management system continues to fulfil the standard requirements. 

Recertification audit will be conducted if the organisation wishes to renew its certification. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system, and its continued relevance and applicability for the scope of certification.

The total audit fee includes the professional fee, the number of auditor and the required number of audit days. This will be determined based on client organization desired certification scope.

Click here to download the CSM27001 Application Form

Email us: This email address is being protected from spambots. You need JavaScript enabled to view it.

Appeals

The Client may, through the Complaints and Appeals Procedure request reconsideration of a decision made by CyberSecurity Malaysia. Appeals can be filed by any client organisation to CyberSecurity Malaysia and may be filed for reasons associated with:

• Rejection of application;
• Rejection of conducting audit; and
• Reconsideration of the suspension or withdrawal of certification.

Notification of the intention to appeal must be made in writing and received by CyberSecurity Malaysia within seven (7) business days from receipt of notification by CyberSecurity Malaysia, supported by relevant facts and data for consideration during the Complaints and Appeals Procedure. The minimum information required are:

• The name of the appellant;
• Contact details for the appellant;
• The application/audit/certification decision that is the subject of the appeal; and
• Description of the appeal.

If the required information cannot be supplied, the appeal is automatically rejected and a formal rejection letter is prepared and sent to the appellant.

All appeals are forwarded to CyberSecurity Malaysia and are put before the appeal's committee of CyberSecurity Malaysia. CyberSecurity Malaysia shall be required to submit evidence to support its decision to withhold, suspend or withdraw the Certificate.

Any appeals received are fully investigated, documented and appropriate follow-up action taken within ten (10) business days. The decision of the appeal's committee shall be final and binding on both the Client and CyberSecurity Malaysia. Once the decision regarding an appeal has been made, no counter-claim by either party in dispute can be made to amend or change this decision.

In instances where the appeal has been successful and the Certificate issued or reinstated, no claim can be made against CyberSecurity Malaysia for reimbursement of costs or any other losses incurred as a result of the withholding, suspension or withdrawal notification.

Complaints

If a Client has cause to complain regarding the conduct of employees of CyberSecurity Malaysia, the complaint shall be made in writing, without delay, and addressed to the Scheme Manager. If the complaint is made against the Scheme Manager, the letter of complaint shall be addressed to the ISCB Head of Department of CyberSecurity Malaysia. The minimum information required are:

• The name of the complainant;
• Contact details for the complainant;
• The certification activity that is the subject of the complaint; and
• Description of the complaint.

If the required information cannot be supplied, the complaint is automatically rejected and a formal rejection letter is prepared and sent to the complainant.

Any complaints received are fully investigated, documented and appropriate follow-up action taken within ten (10) business days.