Certification Description

■ ISO27701 Privacy Information Management System Certification

privacy protection has been paid more and more attention by the society along with information security issues. Many countries around the world have successively issued various privacy laws and regulations, such as the GDPR of the European Union, the network security law of China, and the California Consumer Privacy Act (CCPA) of the United States. The regulatory trend on privacy is becoming more and more strict. Privacy protection has become the focus of the current society. Organizations will face multiple pressures from customers, investors and regulatory agencies, compliance and regulatory management of private information has become a new challenge for organizations around the world.

ISO 27701 is an extension of ISO 27001 and ISO 27002. It extends the privacy information management aspects of ISO 27001 and ISO 27002 to provide guidance for establishing, implementing, maintaining and continuously improving a privacy information management system (PIMS) within an organization.

ISO27701 standard is applicable to any organization, regardless of its size, industry or business type. ISO 27701 certification can be used to prove its privacy information management level, especially for e-commerce, social media, network platforms, airlines, hotels, catering companies, etc. Especially important, it will empower your credibility in the business field and make you more worthy of trust and trust.

■ As a professional certification body in the domestic IT field, ZOHOCERT provide you with one-stop, all-round information security enhancement services.

the ISO27701 management system certification
The ISO27701 special assessment and gap analysis.
Interpretation of ISO27701 Standards Training
ISO27701 internal auditor training

■ ISO 27701 certification process

1. Pre-assessment (optional)
2. Submit an application for certification
3. Sign the certification contract
4. Certification site audit
5. Issue certificates
6. Annual supervision and audit

■ Benefits of ISO 27701 Certification

-Protect the personal information and data of your employees, customers and stakeholders and reduce the risk of privacy breaches
certifying your compliance with the management of your privacy information
Deliver your better trust to your customers and partners
Many give you a greater opportunity to get more orders business and customers
Improve your credibility and business image, making you more competitive

■ Certification standards

ISO/IEC 27701:2019 Security techniques-ISO/IEC 27001 and ISO/IEC 27002-Extended requirements and guidelines for the management of private information

■ Characteristics and value of ZOHOCERT

Is a professional service organization that has been deeply involved in the IT information industry for many years.

Has a number of senior academic management experts with more than 20 years of practical experience.

High-quality IT expert team services with a nationalized vision

Scope of Certification

Privacy Information Management System Certification Business Scope

certification: ISO 27701

Certification Scheme

1 Scope of application

This certification scheme is applicable to Shanghai Zhonghao Certification Co., Ltd. (hereinafter referred to as: ZOHO) to implement the information field management system certification, to meet the requirements of the third-party certification system, as a standard for providing certification services. If necessary, the relevant technical requirements shall be supplemented in the certification contract.

The information field management system certification catalogue and certification basis standards applicable to this certification scheme are shown in Annex 1. This certification scheme does not apply to information technology service management system certification and information security management system certification, information technology service management system and information security management system certification scheme see "information technology service management system and information security management system certification implementation plan".

This certification scheme shall be confirmed and adopted when the two parties sign the contract.

2 Authentication Mode

ZOHO first audit the auditee's management system for the first time, after assessment, to confirm whether the certification is approved; after certification, in the validity period of the certificate of certification of the customer's management system to monitor, confirm whether continue to meet the certification requirements.

3 Certification Process Flow Chart

4 Basic Conditions for Certification Applications

a. Certified customers have clear legal status. Customers have business licenses, corporate certificates of public institutions, registration certificates of social organizations, registration certificates of non-corporate legal persons, establishment documents of party and government agencies, etc., and can apply for certification independently; other types of customers, Should be applied on behalf of qualified units;

B. When required by the state, local or industry, the certification customer has the prescribed administrative accreditation documents, and the scope of its application for certification shall be within the scope approved by the legal status documents and administrative accreditation documents;

c. Certified customers have established a documented management system according to the corresponding management system standards, and have been running steadily for at least 3 months before the initial certification on-site audit, and promise to continue to effectively operate the management system within the validity period of the certificate;

d. Certification customers promise to comply with the laws, regulations and other requirements of the country, promise to always comply with the relevant provisions of certification, bear the legal responsibilities related to certification, and have the obligation to assist the supervision and inspection of certification regulatory authorities, and provide relevant materials and information truthfully for inquiries and investigations of relevant matters;

e. The certified customer has not been ordered by the law enforcement and supervision department to suspend business for rectification, or has been included in the "list of serious illegal enterprises" in the national enterprise credit information publicity system, or has violated relevant national laws and regulations, falsely reported or concealed the information required for certification;

f. The certification customer shall explain to ZOHO the requirements for the qualification of the certification body or the background of the certification personnel, as well as the applicable laws and regulations related to the protection of state secrets or the maintenance of national security, and explain whether there are any management system documents or records that cannot be provided to the audit team for verification because they contain confidential or sensitive information.

g. The certification customer submits the application materials to CQM in accordance with the requirements of "Zhonghao Logo Management System Certification Application" and the corresponding annex;

h. Certification Customers promise to use certification certificates, certification marks and related information according to regulations after obtaining ZOHO certification, and shall not mislead the public into thinking that their products or services have passed the certification by using the words and symbols of the management system certification certificate without authorization. Pay the certification fee according to the contract and accept the supervision according to the regulations;

I. The certified customer promises to inform ZOHO of the information on the changes of the management system and other matters that may affect the ability of the management system to continuously meet the requirements of the certification standards according to ZOHO requirements after obtaining the certification, generally including: the major complaints from the customer and relevant parties; The products and services provided are listed in the "blacklist" by the law enforcement and supervision departments; Major accidents related to the management system occur; Changes in relevant circumstances (including: legal status, production and operation status, change of organization or ownership, change of qualification certificate; change of legal representative, top management and management representative; change of service workplace; change of scope of activities covered by management system; major change of management system and important process, etc.); other important situations affecting the operation of management system;

j. During the certification audit, the certification customer is able to provide products/services/activities related to the scope of the proposed certification.

5 Audit Implementation

5.1 Audit Guidelines

certification parties is as follows:

a. Certification basis standards (see Annex 1);

B. Audit criteria also include procedures, standards, laws and regulations, codes of practice, contractual requirements or industry norms applicable to the audited party.

5.2 audit process

5.2.1 Initial certification audit

Usually, the initial certification audit is implemented in two stages: the first stage and the second stage.

5.2.1.1 First stage audit

audit team, in combination with the professional characteristics of the auditees' management system coverage activities, confirms the auditees' understanding of the standard and the degree of implementation, the key points that have an important impact on the realization of the goal, the compliance of relevant laws and regulations and the scope of the management system according to the management system documents, system operation process, operation place and site conditions provided by the auditees, review whether the allocation of resources required for the second-stage audit and the degree of implementation of the management system can prove that it is ready for the second-stage audit, and agree with the applicant on the details of the second-stage audit to determine the second-stage audit arrangements.

the results of the Phase 1 audit may result in the postponement or cancellation of the Phase 2 audit.

5.2.1.2 Phase II Audit

audit team shall conduct on-site evaluation of the implementation of the auditees' management system, including compliance and effectiveness. The second phase of the audit includes at least the following aspects:

a. Compliance with all requirements of applicable management system standards and other regulatory documents;

b. Monitoring, measurement, reporting and review of performance based on key performance objectives and indicators;

c. aspects of the management system and performance relating to compliance with the law;

d. Operational control of the auditees' processes;

e. Implementation of management responsibilities, including policy-specific management responsibilities;

f. The planning and realization of the functional level objectives established to achieve the overall objectives;

g. Linkages between normative requirements, policies, performance objectives and targets, applicable legal requirements, responsibilities, personnel capabilities, operations, procedures, performance data and internal audit findings and conclusions.

5.2.2 Monitoring activities

5.2.2.1 Manner of oversight activities

ZOHO adopts a combination of on-site supervision and audit and daily supervision (such as paying attention to the quality information bulletin issued by relevant national departments, paying attention to the information of relevant parties of certified customers, daily tracking of relevant information of certified customers, reviewing certified customers and their operation instructions, and requiring certified customers to provide documents and records, etc.).

5.2.2.2 Contents of post-certification supervision and audit

a. System maintenance and any changes (e. g. resources, processes, organizational structure, identified critical control points, etc.);

b. Customer complaints;

c. the scope of the change;

d. Effectiveness of management system implementation;

e. Progress of activities planned for continuous improvement;

f. Measures and effects taken in response to non-conformances identified in the previous audit;

g. the use of certificates and marks and/or any other reference to qualification;

h. Other selected ranges as appropriate.

Certified customers should keep all complaint records and provide them to ZOHO when required. Based on the above information, ZOHO will re-evaluate the certified customer management system to confirm whether it continuously meets the certification requirements. For the certified organizations that have passed the supervision and audit, the decision to maintain their certification qualifications will be made; otherwise, the suspension or revocation of certification disposal will be made.

supervision audit, if the certification customer does not close the non-conformity as required, it may lead to the suspension of the certification certificate.

5.2.2.3 Frequency of supervision and audit

During the validity period of the certificate, the certified customer shall be subject to a supervisory audit. The first supervisory audit after the initial certification and recertification shall be carried out within 12 months from the date of the certification decision, and the subsequent supervisory audit shall be carried out at least once every calendar year (except the year in which recertification shall be carried out) and the maximum time interval from the previous supervisory audit shall not exceed 15 months.

If the certification certificate is suspended due to the failure of the certified customer to carry out the supervision audit within the specified time, after the resumption of the supervision audit, the next audit time shall be calculated according to the originally planned time.

shall increase the frequency of supervision or arrange the audit with short notice in advance:

a. The certified customer has made major changes to the management system or has major problems;

b. There is sufficient information to show that the certified customer has changed the organization, management system and other changes that affect the certification basis;

c. Certified customers have major accidents related to the management system;

d. Other considerations.

5.2.3 Re-certification

Certified customers must apply for recertification at least three months before the expiration of the certificate. The purpose of the recertification audit is to verify the overall continuing conformity and effectiveness of the organization's management system as a whole, and the continuing relevance and suitability of the scope of certification.

will arrange special audit or arrange recertification audit with certified customers in advance when it is found that the certified customers have significant changes that seriously affect the operation of the management system, or when the complaint analysis and other information of certified customers show that certified customers no longer meet the certification requirements. The recertification audit also needs to focus on the performance of the management system during the certification cycle, including access to previous supervisory audit reports.

For multi-site or combined audit certification, the recertification audit should ensure that the on-site audit has sufficient coverage to provide confidence in the management system certification.

a phase audit may not normally be conducted during recertification, a phase one audit may be required when there are significant changes in the certified client's management system and the certified client's internal and external operating environment. During the re-certification audit, the certification customer shall accept the ZOHO audit before the expiration of the current certification certificate, and close the non-conformity issued by the audit team within the specified time. Otherwise, if ZOHO cannot make a certification decision within 6 months after the expiration of the original certification certificate due to the certification customer, the re-certification audit will be invalid.

5.2.4 Special Audit

5.2.4.1 Audit to expand the scope of certification

For certified customers, ZOHO reviews the application to expand the scope of certification and determines the audit activities required for the decision to expand, which can be carried out at the same time as the supervisory audit.

5.2.4.2 Review with short notice

audits that require short notice to certified customers in order to investigate complaints, respond to changes, or follow up on suspended certified customers.

1. Explain to the certified customer and make them aware in advance of the conditions under which such audits will be carried out;

2. Assign experienced auditors to form an audit team.

5.3

audit team shall communicate with the audited party before the on-site audit to confirm the audit arrangement and explain the agenda of the first and last meetings. The audit team shall carry out the audit according to the schedule in the audit plan, collect and verify the relevant information on a sample basis through appropriate methods such as consulting the documents and records of the audited party, interviewing with the post personnel of the process and activities, and observing the service formation process and activities. If necessary, the audit team shall conduct technical tests to form audit findings and confirm the audit situation.

During the audit process, the audit team communicates with the audited party in a timely manner, informs the audit process, confirms the audit evidence, and resolves differences. When the audit findings indicate that the purpose of the audit cannot be achieved, the reasons shall be explained and follow-up measures shall be agreed. If it is necessary to change the purpose and scope of the audit or terminate the audit, it shall be implemented after review and approval by the audit dispatching agency.

audit team leader shall communicate the information of the on-site audit with the audited party, ask the audited party to confirm the problems found and the non-conformance report, and agree on the arrangement of follow-up measures for non-conformance and confirm the audit conclusion. The audit team shall prepare the audit report and submit it to the audited party.

the audit report belongs to ZOHO, if there is any change in the audit follow-up activities (including ZOHO's certification decision period), ZOHO will provide the audit report to the audited party again. The audited party shall properly keep the audit report, non-conformity report and its correction materials and other corresponding materials.

Certification Fees

Certificate Sample

Certification Mark