CyberSecurity Malaysia Business Continuity Management System Audit and Certification (ISO 22301) Scheme
The ISO 22301 Scheme is driven under the 11th Malaysia Plan (Rancangan Malaysia Ke 11), which focuses on the National Certification and Compliance Programme. This runs in parallel with the national requirement to create a resilient Critical National Information Infrastructure (CNII). The scheme is based on the ISO 22301 international standard, intended for organizations that aim for resiliency. It helps an organization plan effective business continuity management so that it can protect against disruptive incidents, reduce their likelihood, and ensure that the business recovers from them.
At present, the global business atmosphere and conditions are becoming more turbulent and sometimes unpredictable. As Malaysia focuses on building a knowledge-based economy and becomes more dependent on IT in the information age, the need to ensure business continuity in the event of a crisis or disaster becomes more important than ever. Hence, organizations that wish to stay competitive and successful must be well protected through heightened resiliency, so that they can remain profitable in the event of any serious business disruption.
Having the certification not only ensures readiness to deliver services and promises in the event of a business disruption, but also provides assurance to business partners and customers while uniting the business into a cohesive organization.
- Enhanced Organizational Resilience: ISO 22301 certification helps organizations identify potential threats and the impacts they could have on operations. By implementing a robust Business Continuity Management System (BCMS), companies can develop effective response strategies to minimize disruption, ensuring continuity of critical business functions during emergencies.
- Improved Risk Management: The certification process involves comprehensive risk assessments and the development of mitigation strategies. This proactive approach to risk management helps organizations better understand their vulnerabilities and establish controls to address them, reducing the likelihood and impact of disruptive incidents.
- Increased Customer Confidence and Trust: Certification demonstrates a commitment to maintaining high standards of business continuity, which can enhance the trust and confidence of customers, partners, and stakeholders. Knowing that an organization has a certified BCMS in place can be a significant differentiator in competitive markets.
- Regulatory Compliance and Legal Benefits: ISO 22301 certification can help organizations comply with legal, regulatory, and contractual requirements related to business continuity. By aligning with internationally recognized standards, companies can avoid potential fines, legal issues, and reputational damage associated with non-compliance.
- Operational Efficiency and Cost Savings: Implementing ISO 22301 helps organizations streamline their business continuity processes and improve overall operational efficiency. By having well-defined procedures and plans in place, companies can reduce downtime, minimize recovery time, and manage resources more effectively, leading to potential cost savings in the long run.
Impartiality Policy
CyberSecurity Malaysia undertakes to manage impartiality and to ensure that the certification activities it undertakes are conducted in an impartial manner. We do not permit commercial, financial or other pressures to compromise our commitment to impartiality.
The credibility, integrity and objectivity of a certification is fundamental to our client’s needs and for those that subsequently rely on it. We commit to ensure that any threats to the impartiality and confidentiality in the certification activities are managed robustly and pro-actively.
We practice impartiality and monitor it closely through an impartiality committee made up of members representing key interested parties. We also commit to identifying and assessing risks in related certification activities which may result in a conflict of interest or pose a threat to impartiality. The risk assessment covers possible sources of conflict of interest, regardless of their origin.
1. INTRODUCTION
These Terms of Service have been structured in accordance with the applicable requirements of the accreditation bodies. These Terms also apply to certification outside accredited schemes.
2. SCOPE
CyberSecurity Malaysia provides services to persons, firms or companies (each a “Client”). CyberSecurity Malaysia may provide its services directly or, in its absolute discretion, through (a) its own employees, (b) any affiliated company or (c) any other person or organisation, as may be entrusted by CyberSecurity Malaysia. Where part of the work is subcontracted to others, CyberSecurity Malaysia retains full responsibility for granting, maintaining, extending, reducing, suspending or withdrawing certification and for ensuring that properly documented agreements are in place.
CyberSecurity Malaysia will notify its clients of any changes to the requirements for certification within a reasonable timeframe.
3. CONFIDENTIALITY
CyberSecurity Malaysia maintains confidentiality at all levels of its organisation concerning information obtained in the course of its business. No information will be disclosed to any third party unless in response to legal process or required by an accreditation body as part of the accreditation process. The client's name, location, scope of certification and contact numbers may be entered into relevant directories.
CyberSecurity Malaysia protects your personal data. Personal data collected by CyberSecurity Malaysia through this form will not be used for any purpose other than the one for which it was collected unless you consent; it will not be sold, transferred or shared with a third party; it will not be retained for longer than necessary; and necessary measures will be taken to protect it.
4. ORGANISATIONAL STRUCTURE
A copy of the organisation chart of CyberSecurity Malaysia, showing the responsibility and reporting structure of the organisation, and documentation identifying the legal status of CyberSecurity Malaysia are available on request.
5. APPLICATION FOR CERTIFICATION
On receipt of a completed Inquiry Form (provided by CyberSecurity Malaysia upon request), a quotation is sent to the Client outlining the costs of the services together with an acceptance sheet. Once the acceptance sheet is returned, together with any due payments and controlled copies of relevant documentation and samples, the project will be allocated to an auditor who will be responsible for ensuring that the services are carried out in accordance with the procedures of CyberSecurity Malaysia.
6. CLIENT'S OBLIGATIONS
In order to obtain and retain certification, the Client shall comply with the following procedures and rules:
- the Client shall make available to CyberSecurity Malaysia all documents, samples of products, drawings, specifications and other information required by CyberSecurity Malaysia to complete the assessment programme and shall appoint a designated person who is authorised to maintain contact with CyberSecurity Malaysia;
- CyberSecurity Malaysia, if not satisfied that all certification requirements are met, shall inform the Client of those aspects in which the application has failed;
- when the Client can show that remedial action has been taken by it, within the time limit specified by CyberSecurity Malaysia, to meet all the requirements, CyberSecurity Malaysia will arrange, at additional cost to the Client, to repeat only the necessary parts of the assessment;
- if the Client fails to take acceptable remedial action within the specified time limit it may be necessary for CyberSecurity Malaysia, at additional cost, to repeat the assessment in full;
- identification of conformity shall refer only to the sites or products assessed as specified in the Certificate and Assessment Schedule (if any) or other attachments which may accompany the Certificate.
7. ISSUANCE OF CERTIFICATE
When CyberSecurity Malaysia is satisfied that the Client meets all the certification requirements, it will inform the Client and issue a Certificate. The Certificate shall remain the property of CyberSecurity Malaysia and may only be copied or reproduced for the benefit of a third party if the word “copy” is marked thereon.
The Certificate will be published in the ISO 22301 Certified Organization listing and will remain valid unless surveillance reveals that the management system of the Client no longer meets the standards, norms or regulations.
8. CERTIFICATION MARKS
Upon issuance of a Certificate, CyberSecurity Malaysia may also authorise the Client to use a designated certification mark. A Client’s right to use any such mark is contingent on maintaining a valid Certificate in respect of the certified management system or products and compliance with the regulations governing the use of the mark issued by CyberSecurity Malaysia. A Client who has been authorised to use the mark of an accrediting body must also comply with the rules governing the mark of such body. Improper use of such a mark is non-conformity with certification requirements and could result in suspension of certification.
9. SURVEILLANCE
Periodic surveillances shall be carried out and shall cover aspects of the management system, documentation, manufacturing and distributing processes and products, depending on the type of certification services provided, at the discretion of the nominated auditor. The Client shall give access to all sites or products for surveillance purposes whenever deemed necessary and CyberSecurity Malaysia shall reserve the right to make unannounced visits as required.
The Client shall maintain a register recording all customer complaints and safety-related incidents reported by an enforcing authority or users relating to those covered by the Certificate and make this available to CyberSecurity Malaysia on request.
The Client shall be informed of the results of each surveillance visit.
10. RENEWAL OF CERTIFICATION
Clients wishing to revalidate Certificates approaching the end of their cycles shall apply under the procedure set forth in Clause 5. Clients are generally informed of the requirement for renewal of the certification during the pre-renewal visit which is the last surveillance visit of each cycle.
11. EXTENSION OF CERTIFICATION
In order to extend the scope of a Certificate to cover additional sites or processes, the Client shall complete a new Inquiry Form. The application procedure outlined in Clause 5 will be followed and an assessment will be carried out on those areas/processes not previously covered. The cost of extending the scope of certification will be based on the nature and programme of work.
Following a successful assessment an amended Certificate or Assessment Schedule, as the case may be, will be issued covering those aspects covered by the extended Certificate. Although the original Certificate will normally remain in force, it may be necessary in some instances to issue a new Certificate. In such cases the Client must return the superseded Certificate to CyberSecurity Malaysia.
12. SYSTEM/PROCESS MODIFICATION
The Client shall inform CyberSecurity Malaysia, in writing, of any intended modification to the management system or process which may affect compliance with the standards, norms or regulations. CyberSecurity Malaysia will determine whether the notified changes require additional assessment. Failure to notify CyberSecurity Malaysia of any intended modification may result in suspension of the Certificate.
13. PUBLICITY BY CLIENT
In compliance with the applicable Regulations governing the relevant mark(s), a Client may render public that its relevant management system or products have been certified and may print the relevant certification mark on stationery and publicity materials relating to the scope of certification.
In any case, the Client shall ensure that its announcements and advertising material do not create confusion or could otherwise mislead third parties about certified and non-certified systems, products or sites.
14. MISUSE OF CERTIFICATE AND CERTIFICATION MARK
CyberSecurity Malaysia shall take suitable action, at the expense of the Client, to deal with incorrect or misleading references to certification or use of Certificates and certification marks. These include suspension or withdrawal of Certificate, legal action and/or publication of the transgression.
15. SUSPENSION OF CERTIFICATE
A Certificate may be suspended by CyberSecurity Malaysia for a limited period in cases such as the following:
- if a Corrective Action Request has not been satisfactorily complied with within the designated time limit; or
- if a case of misuse as described in Clause 14 is not corrected by suitable retractions or other appropriate remedial measures by the Client; or
- a certified client organisation ceases to supply the product, process or service or some part of it (which is the subject matter of the certification) for an extended period of time, exceeding two (2) months; or
- a certified client organisation does not allow surveillance or re-certification audits to be conducted within the required time frame.
CyberSecurity Malaysia will confirm in writing to the Client the suspension of a Certificate. At the same time, CyberSecurity Malaysia shall indicate under which conditions the suspension will be removed. At the end of the suspension period, an investigation will be carried out to determine whether the indicated conditions for reinstating the Certificate have been fulfilled. On fulfilment of these conditions the suspension shall be lifted and the Client notified of the Certificate reinstatement. If the conditions are not fulfilled the Certificate shall be withdrawn.
All costs incurred by CyberSecurity Malaysia in suspending and reinstating a Certificate will be charged to the Client.
16. WITHDRAWAL OF CERTIFICATE
A Certificate may be withdrawn if (i) the Client takes inadequate measures in the case of suspension; (ii) the certified process (service) does not conform to the standards, norms or regulations or is no longer offered; or (iii) CyberSecurity Malaysia terminates its contract with the Client. In any of these cases, CyberSecurity Malaysia has the right to withdraw the Certificate by informing the Client in writing.
The Client may give notice of appeal (see Clause 19).
In cases of withdrawal, no reimbursement of assessment fees shall be given and withdrawal of the Certificate shall be published by CyberSecurity Malaysia and notified to the appropriate accreditation body, if any.
17. CANCELLATION OF CERTIFICATE
A Certificate will be cancelled if (i) the Client advises CyberSecurity Malaysia in writing that it does not wish to renew the Certificate or goes out of business, (ii) the Client no longer offers the process (service) or (iii) the Client does not timely commence application for renewal.
In cases of cancellation no reimbursement of assessment fees shall be given and cancellation of the Certificate shall be published by CyberSecurity Malaysia and notified to the appropriate accreditation body, if any.
18. RECOGNITION OF ACCREDITED ORGANISATIONS
CyberSecurity Malaysia, in its absolute discretion, generally recognises the certificates issued by other accredited organisations where this does not compromise the integrity of this certification scheme.
19. APPEALS
The Client may, through the Complaints and Appeals Procedure request reconsideration of a decision made by CyberSecurity Malaysia. Appeals can be filed by any client organisation to CyberSecurity Malaysia and may be filed for reasons associated with:
- Rejection of application;
- Rejection of conducting audit; and
- Reconsideration of the suspension or withdrawal of certification.
Notification of the intention to appeal must be made in writing and received by CyberSecurity Malaysia within seven (7) business days of the Client's receipt of the notification from CyberSecurity Malaysia, supported by relevant facts and data for consideration during the Complaints and Appeals Procedure. The minimum information required is:
- The name of the appellant;
- Contact details for the appellant;
- The application/audit/certification decision that is the subject of the appeal; and
- Description of the appeal.
If the required information cannot be supplied, the appeal is automatically rejected and a formal rejection letter is prepared and sent to the appellant.
All appeals are forwarded to CyberSecurity Malaysia and are put before the appeals committee of CyberSecurity Malaysia. CyberSecurity Malaysia shall be required to submit evidence to support its decision to withhold, suspend or withdraw the Certificate.
Any appeals received are fully investigated, documented and appropriate follow-up action taken within ten (10) business days. The decision of the appeals committee shall be final and binding on both the Client and CyberSecurity Malaysia. Once the decision regarding an appeal has been made, no counter-claim by either party in dispute can be made to amend or change this decision.
In instances where the appeal has been successful and the Certificate issued or reinstated, no claim can be made against CyberSecurity Malaysia for reimbursement of costs or any other losses incurred as a result of the withholding, suspension or withdrawal notification.
20. COMPLAINTS
Any complaint regarding the certification activities of CyberSecurity Malaysia or relating to a certified client shall be made in writing, without delay, and addressed to the Scheme Manager. If the complaint is made against the Scheme Manager, the letter of complaint shall be addressed to the ISCB Head of Department of CyberSecurity Malaysia.
The minimum information required is:
- The name of the complainant;
- Contact details for the complainant;
- The certification activity that is the subject of the complaint; and
- Description of the complaint.
If the required information cannot be supplied, the complaint is automatically rejected and a formal rejection letter is prepared and sent to the complainant.
Any complaints received are fully investigated, documented and appropriate follow-up action taken within ten (10) business days.
CYBERSECURITY MALAYSIA RESERVES THE RIGHT TO ADD TO, DELETE OR CHANGE THESE TERMS OF SERVICE WITHOUT PRIOR NOTIFICATION.