Certification Description

■ISO22301 Business Continuity Management System Certification

The International Organization for Standardization (ISO) is an independent, non-governmental organization that is the world's largest developer of voluntary international standards. ISO established the TC 223 Social Security Technical Committee to develop standards to protect society, including organizations, in the event of a natural disaster, a major terrorist attack, or a power grid outage.

ISO 22301:2012, published by the Technical Committee in 2012, is the first international standard for management systems to help ensure business continuity. ISO 22301 is the high-level standard for business continuity, and certification demonstrates that by complying with these rigorous practices, disruptive events can be prevented, mitigated, responded to, and recovered from.

■ISO22301 Certification Process

1, to accept the application;
2. Contract review;
Review of documents;
4. On-site audit;
5, the release of audit conclusions;
6, the certification decision;
7. It is recommended to approve the registration;
8. Issuance of Certificates.

■ISO22301 certification

1. Legal status certification documents (such as business license of enterprise legal person, legal person code certificate of public institution, legal person registration certificate of association, etc.), and a copy of organization code certificate with official seal. When it exists, it shall submit a copy of the business license and organization code certificate of the branch with the official seal;
2. List of temporary sites (such as the list of projects under construction by the construction organization, the temporary service points of the information security management system and the information technology service management system);
3. List of standards of applicable laws and regulations;
4. Obtain the administrative licensing documents stipulated by relevant laws and regulations (when applicable);
5. Business impact analysis report, risk assessment report and business continuity plan;
6. BCMS system documents, including: policies, objectives, scope, information maintained by the organization for process operation and communication, must provide: organization introduction, organization structure (organization chart), personnel situation and division of functions, process roadmap/process flow chart/process description (key process and special process should be clearly stated) and related process documents;
7. Application for Management System Certification

■ISO 2301 Certification

1. Identify and understand critical business processes within the organization and the impact of their disruption.
2. Enhance the organization's resilience, resilience and sustainable viability levels.
3. Have the advantage of outperforming less resilient competitors.
4. Communicate positive messages to media and stakeholders in response to crisis management.
5. Improve the insurer's impression of organizational risk management, thereby reducing premiums.
Meet the expectations of regulators, insurers, business partners and other key stakeholders.
7. Significantly reduce the financial impact in the event of accidents, damage or even disasters.
8. Increase the chances of survival for both the organization and its employees.
9. Maintain or even enhance reputation by demonstrating a professional approach to managing interruptions.
10. Timely and orderly response to events and business interruptions at acceptable pre-defined levels, such as contractual or agreed commitments, to ensure business continuity.
11. Encourage cross-team and cross-organizational coordination.
12. Demonstrate credible responsiveness through scenario walkthroughs.
13. Demonstrate management commitment to overall risk management with visible evidence.

■ZOHO

is a professional service organization that has been deeply involved in the IT information industry for many years.

has a number of senior academic management experts with more than 20 years of practical experience.

High-quality IT expert team services with a nationalized vision

Scope of Certification

Certification:GB/T 30146

Certification Scheme

1 Scope of application

This certification scheme is applicable to Shanghai Zhonghao Certification Co., Ltd. (hereinafter referred to as: ZOHO) to implement data security risk management certification, to meet the requirements of the third-party certification system, as a standard for providing certification services. If necessary, the relevant technical requirements shall be supplemented in the certification contract. This certification scheme shall be confirmed and adopted when the two parties sign the contract.

2 Authentication Mode

ZOHO first conducts an initial audit of the auditee's data security risk management, and after assessment, confirms whether the certification is approved; after passing the certification, it supervises the certified customer within the validity period of the certification certificate to confirm whether the certification requirements are continuously met.

3 Certification Process Flow Chart

4 Basic Conditions for Certification Applications

1. The certified customer has a clear legal status. The customer has an enterprise business license, a public institution legal person certificate, a social organization registration certificate, a non-enterprise legal person registration certificate, a party and government agency establishment document, etc., and can independently apply for certification. Other types of customers should be applied by qualified units;

2. When required by the state, local or industry, the certification client has the prescribed administrative license documents, and the scope of application for certification shall be within the scope approved by the legal status document and the administrative license document;

3. The certified customer has established a documented management system according to the corresponding business continuity management system standards, and has been running steadily for at least 3 months before the initial certification on-site audit, and has conducted a complete internal audit and management review, and is in normal production and operation status;

4. Certification customers promise to abide by the laws, regulations and other requirements of the country, promise to always abide by the relevant provisions of certification, bear the legal responsibilities related to certification, and have the obligation to assist the supervision and inspection of certification regulatory authorities, and provide relevant materials and information truthfully for inquiries and investigations of relevant matters;

5. Within one year, certified customers have not had any service quality accidents that seriously damage national security, social order, public interests and the legitimate rights and interests of relevant parties of certified customers, or have been included in the "list of seriously illegal enterprises" in the national enterprise credit information publicity system or in violation of relevant national laws and regulations, falsely reporting or concealing the information required for certification;

6. Certification customers promise to use certification certificates, certification marks and related information according to regulations after obtaining ZOHO certification, and shall not mislead the public into believing that their products or services have passed certification according to the contract and accept supervision according to regulations by using the words and symbols of management system certification certificates without authorization;

7. After obtaining ZOHO certification, the certification customer promises to inform ZOHO of the information on the changes of the management system and other matters that may affect the ability of the management system to continuously meet the requirements of the certification standards, generally including: major complaints from customers and related parties; Major accidents that occur or may seriously damage national security, social order, public interests and the legitimate rights and interests of relevant parties of the certification customer; changes in relevant conditions (including: legal status, production and operation status, organizational status or ownership change, compulsory certification or other qualification certificate change; changes in legal representative, top management and management representative; changes in the workplace of production, operation or service; changes in the scope of activities covered by the management system; major changes in the management system and important processes, etc.); other important conditions affecting the operation of the management system;

8. During the certification audit, the certification customer can provide the product/service/activity site related to the scope of the proposed certification and the business continuity management system drill activity site;

5 Audit Implementation

5.1 Audit Guidelines

certification parties is GB/T 30146 or ISO 22301. The audit criteria also include the policies, procedures, standards, laws and regulations, business continuity management business continuity management system requirements, contract requirements or industry specifications applicable to the audited party.

5.2 audit process

5.2.1 Initial certification audit

initial certification audit is implemented in two stages: the first stage and the second stage.

The purpose of the first-stage audit is to understand the basic information of the audited party, audit management system documents, identify any issues that cause concern and may be judged as non-conformities in the second-stage audit, and provide concerns for the second-stage audit.

audit is to evaluate the compliance and effectiveness of the auditees' management system implementation. The audit team analyzes all the information and evidence gathered during the Phase I and Phase II audits to form an audit conclusion.

5.2.1.1 First stage audit

audit team combines the management system operation objectives of the audited party and the professional characteristics of the system coverage activities, according to the management system documents provided by the audited party, the system operation process, the specific conditions of the operation place and site, and the planning and implementation of internal audit and management review, confirm the auditees' understanding and implementation of the standards, key points that have a significant impact on the achievement of business continuity objectives, compliance with relevant laws and regulations, and the scope and boundaries of the management system to determine the second-stage audit arrangements.

In the event of any significant change affecting the management system, ZOHO may repeat all or part of the first stage audit. The results of the Phase I audit may result in the postponement or cancellation of Phase II.

5.2.1.2 Phase II Audit

audit team shall conduct on-site evaluation of the implementation of the auditees' management system, including compliance and effectiveness. The second phase of the audit includes at least the following aspects:

a. Compliance with all requirements of applicable management system standards and other regulatory documents;

b. Monitoring, measuring, reporting and reviewing the performance of the business continuity management system based on key performance objectives and indicators;

c. Operational control of the auditees' processes;

d. Implementation of business impact analysis and risk assessment;

e. Establishment and implementation of business continuity procedures, rehearsal and testing, evaluation;

f. Implementation of internal audit and management review;

g. Implementation of management responsibilities, including management responsibilities for policies and objectives;

h. Planning and achievement of functional level objectives established to achieve the overall objectives;

I. Linkages between normative requirements, policies, applicable legal requirements, responsibilities, personnel capabilities, operations, procedures, performance data, and internal audit findings and conclusions.

If the certification customer cannot close the non-conformity within the specified time after the end of the second phase of the initial certification, ZOHO will conduct a second phase audit or not approve the certification.

5.2.2 Monitoring activities

5.2.2.1 Ways of monitoring activities

ZOHO adopts a combination of on-site supervision and audit and daily supervision (such as paying attention to information bulletins issued by relevant national departments, paying attention to information related to certified customers, daily tracking of information related to certified customers, reviewing certified customers and their operation instructions, and requiring certified customers to provide documents and records, etc.).

5.2.2.2 Contents of post-certification supervision and audit

a. any changes (e. g. resources, processes, organizational structure, identified critical control points, etc.);

b. Ongoing operational control of the achievement of business continuity objectives;

c. Internal audit and management review;

d. Handling of complaints;

e. Effectiveness of the implementation of the management system;

f. Site status of business continuity management activities related to the scope of certification;

g. Progress of activities planned for continuous improvement;

h. Measures and effects taken in response to non-conformities identified in the previous audit;

I. the use of certificates and marks and/or any other reference to qualification. Certified customers should keep all complaint records and provide certification bodies when required.

ZOHO re-evaluates the certified customer management system based on the above information to confirm whether it continues to meet the certification requirements. When supervising the audit, if the certification customer does not close the non-conformity on time, it may lead to the suspension or revocation of the certification certificate.

5.2.2.3 Frequency of supervision and audit

During the validity period of the certificate, the certified customer shall be subject to a supervisory audit, which shall be conducted at least once every calendar year (except for the year in which recertification is due). The first supervisory audit after the initial certification/recertification shall be carried out within 12 months from the date of the certification decision; thereafter, the supervisory audit shall be carried out at least once every calendar year (except the year in which recertification is to be carried out), and the time interval between the two supervisory audits shall not exceed 15 months.

If the certification certificate is suspended due to the failure of the certified customer to carry out the supervision audit within the specified time, after the resumption of the supervision audit, the next audit time shall be calculated according to the originally planned time.

shall increase the frequency of supervision or arrange the audit with short notice in advance:

a. the certified customer has made significant changes to the management system;

b. There is sufficient information to indicate that the certified customer has undergone changes in the organization, production process, etc. that affect its certification basis;

c. When the business interruption accident occurs to the certified customer or the complaint about the operation effect of the relevant management system is not handled;

d. Other considerations.

5.2.3 Re-certification

certified customers apply for recertification at least three months before the expiration of the certificate. The purpose of the recertification audit is to verify the overall continuing conformity and effectiveness of the organization's management system as a whole, and the continuing relevance and suitability of the scope of certification. The procedures and requirements for recertification audit shall be implemented according to Article 5.2.1.

will arrange special audit or arrange recertification audit with certified customers in advance when it is found that the certified customers have significant changes that seriously affect the operation of the management system, or when the complaint analysis and other information of certified customers show that certified customers no longer meet the certification requirements. A one-stage audit is usually not performed during recertification, but a first-stage audit may be required when there are significant changes in the management system of the certified client and the internal and external operating environment of the certified client.

the re-certification audit, the certification customer shall accept the ZOHO on-site audit before the expiration of the current certification certificate, and close the non-conformity issued by the audit team within the specified time. Otherwise, if ZOHO cannot make a certification decision within 6 months after the expiration of the original certification certificate due to the certification customer, the re-certification audit will be invalid.

5.2.4 Special Audit

5.2.4.1 Audit to expand the scope of certification

For certified customers, ZOHO reviews the application to expand the scope of certification and determines the audit activities required for the decision to expand, which can be carried out at the same time as the supervisory audit.

5.2.4.2 Review with short notice

audits that require short notice to certified customers in order to investigate complaints, respond to changes or follow up on suspended certified customers.

the certified customer is found to be inconsistent by the national administrative department, ZOHO will conduct a special audit of the certified customer. If the certified customer does not accept special audit, the certificate will be suspended.

5.3

audit team shall communicate with the audited party before the on-site audit to confirm the audit arrangement and explain the agenda of the first and last meetings. The audit team conducts the audit in accordance with the schedule in the audit plan, and collects and verifies relevant information on a sample basis through appropriate methods such as consulting the documents and records of the audited party, interviewing with the personnel in the process and activities, observing the product and service formation process and activities, forming audit findings and confirming non-conformities.

During the audit process, the audit team communicates with the audited party in a timely manner, informs the audit process, confirms the audit evidence, and resolves differences. When the audit findings indicate that the purpose of the audit cannot be achieved, the reasons shall be explained and follow-up measures shall be agreed. If it is necessary to change the purpose and scope of the audit or terminate the audit, it shall be implemented after review and approval by the audit dispatching agency.

audit team leader shall communicate the information of the on-site audit with the audited party, ask the audited party to confirm the problems found and the non-conformance report, and agree on the arrangement of follow-up measures for non-conformance and confirm the audit conclusion. The audit team shall prepare the audit report and submit it to the audited party.

the audit report belongs to ZOHO, if there is any change in the audit follow-up activities (including ZOHO's certification decision period), ZOHO will provide the audit report to the audited party again. The audited party shall properly keep the audit report, non-conformity report and its correction materials and other corresponding materials.

Certification Fees

Certificate Sample

Certification Mark