Certification Description

■ISO29151 Public Cloud Personal Identifiable Information Protection Management System Certification

cloud technology have led to the rapid growth of the global cloud service market, and the popularity of cloud service applications at the individual and enterprise organization level is fast, and there is a large market prospect for cloud service applications in government and public facilities scenarios. While cloud technology drives the rapid growth of the market, the information security and data security risks arising from the characteristics of cloud services are increasingly concerned by the society and regulatory authorities. Whether IaaS, PaaS or SaaS, the compliance and trustworthiness of cloud services have become key considerations for customers.

Personally identifiable information (Personally identifiable information ,PII) refers to any information that can be used to identify a specific user, such as personal name, account and password, email, web browsing records, online shopping records, etc. ISO 27018 is aimed at the control of personally identifiable information in the cloud scenario. It provides control requirements and implementation guidelines for implementing measures to protect personally identifiable information, it is consistent with the privacy principles under the ISO/IEC29100 Privacy Framework and national regulations on personal data privacy.

ZOHO provide you with one-stop, comprehensive privacy information management and improvement services.

1. ISO29151 management system certification
2. ISO29151-specific assessment and gap analysis
3. ISO29151 standard interpretation training
4. ISO29151 internal auditor training

■ISO29151 Certification Process

1. Pre-assessment (optional)
2. Submit an application for certification
3. Sign the certification contract
4. Certification site audit
5. Issue certificates
6. Annual supervision and audit

■ISO29151 Certification

• Protect your personal information and data in the process of cloud services, reduce the risk of leakage
• Prove compliance for your cloud services business
• Deliver your better trust to your customers and partners
• To give you greater access to more orders and customers
• Improve your credibility and business image, making you more competitive in cloud services

■Certification Standards

ISO/IEC 29151:2019 Information technology-Security techniques-Practical rules for the protection of personally identifiable information (PII) for public cloud processors

■ZOHO

Is a professional service organization that has been deeply involved in the IT information industry for many years.

Has a number of senior academic management experts with more than 20 years of practical experience.

High-quality IT expert team services with a nationalized vision

Scope of Certification

Personal Identity Information Protection Certification Business Scope

certification standards: ISO/IEC 29151

Certification Scheme

1 Scope of application

This certification scheme is applicable to Shanghai Zhonghao Certification Co., Ltd. (hereinafter referred to as: ZOHO) to implement the information field management system certification, to meet the requirements of the third-party certification system, as a standard for providing certification services. If necessary, the relevant technical requirements shall be supplemented in the certification contract.

The information field management system certification catalogue and certification basis standards applicable to this certification scheme are shown in Annex 1.

This certification scheme does not apply to information technology service management system certification and information security management system certification, information technology service management system and information security management system certification scheme see "information technology service management system and information security management system certification implementation plan".

This certification scheme shall be confirmed and adopted when the two parties sign the contract.

2 Authentication Mode

ZOHO first conducts an initial audit of the audited party's data security risk management, and after assessment, confirms whether the certification is approved; after passing the certification, it supervises the certified customer within the validity period of the certification certificate to confirm whether the certification requirements are continuously met.

3 Certification Process Flow Chart

4 Basic Conditions for Certification Applications

a. Certified customers have a clear legal status, customers have a business license, institution legal person certificate, social organization registration certificate, non-enterprise legal person registration certificate, party and government organs to establish documents, etc., can independently apply for certification. Other types of customers should be applied by qualified units;

b. When required by the state, local or industry, the certification client shall have the prescribed administrative license documents, and the scope of application for certification shall be within the scope approved by the legal status documents and administrative license documents;

c. The certified customer has established a documented management system according to the corresponding business continuity management system standards, and has been running steadily for at least 3 months before the initial certification on-site audit, and has conducted a complete internal audit and management review, and is in normal production and operation status;

d. Certification customers promise to comply with the laws, regulations and other requirements of the country, promise to always comply with the relevant provisions of certification, bear the legal responsibilities related to certification, and have the obligation to assist the supervision and inspection of certification regulatory authorities, and provide relevant materials and information truthfully for inquiries and investigations of relevant matters;

e. The certified customer has not been ordered by the law enforcement and supervision department to suspend business for rectification, or has been included in the "list of serious illegal enterprises" in the national enterprise credit information publicity system, or has violated relevant national laws and regulations, falsely reported or concealed the information required for certification;

f. The certification customer shall explain to ZOHO the requirements for the qualification of the certification body or the background of the certification personnel, as well as the applicable laws and regulations related to the protection of state secrets or the maintenance of national security, and explain whether there are any management system documents or records that cannot be provided to the audit team for verification because they contain confidential or sensitive information.

g. The certification customer submits the application materials to ZOHO in accordance with the requirements of the Application for Certification of Zhonghao Logo Management System and the corresponding annex;

h. Certification Customers promise to use certification certificates, certification marks and related information according to regulations after obtaining ZOHO certification, and shall not mislead the public into thinking that their products or services have passed the certification by using the words and symbols of the management system certification certificate without authorization. Pay the certification fee according to the contract and accept the supervision according to the regulations;

I. The certified customer promises to inform CQM of the information on the change of the management system and other matters that may affect the ability of the management system to continuously meet the requirements of the certification standard according to ZOHO requirements after obtaining the certification of Fangyuan, generally including: the customer and relevant parties have major complaints; the products and services provided are listed in the "blacklist" by the law enforcement and supervision departments; major accidents related to the management system occur; changes (including: legal status, production and operation status, change of organization or ownership, change of qualification certificate; change of legal representative, top management and management representative; change of service workplace; change of scope of activities covered by management system; major change of management system and important process, etc.); other important situations affecting the operation of management system;

j. During the certification audit, the certification customer is able to provide products/services/activities related to the scope of the proposed certification.

5 Audit Implementation

5.1 Audit Guidelines

certification parties is as follows:

a. Certification basis standards (see Annex 1);

b. Audit criteria also include procedures, standards, laws and regulations, codes of practice, contractual requirements or industry norms applicable to the audited party.

5.2 audit process

5.2.1 Initial certification audit

initial certification audit is implemented in two stages: the first stage and the second stage.

5.2.1.1 First stage audit

audit team, in combination with the professional characteristics of the auditees' management system coverage activities, confirms the auditees' understanding of the standard and the degree of implementation, the key points that have an important impact on the realization of the goal, the compliance of relevant laws and regulations and the scope of the management system according to the management system documents, system operation process, operation place and site conditions provided by the auditees, review whether the allocation of resources required for the second-stage audit and the degree of implementation of the management system can prove that it is ready for the second-stage audit, and agree with the applicant on the details of the second-stage audit to determine the second-stage audit arrangements.

the results of the Phase 1 audit may result in the postponement or cancellation of the Phase 2 audit.

5.2.1.2 Phase II Audit

audit team shall conduct on-site evaluation of the implementation of the auditees' management system, including compliance and effectiveness. The second phase of the audit includes at least the following aspects:

a. Compliance with all requirements of applicable management system standards and other regulatory documents;

b. Monitoring, measurement, reporting and review of performance based on key performance objectives and indicators;

c. aspects of the management system and performance relating to compliance with the law;

d. Operational control of the auditees' processes;

e. Implementation of management responsibilities, including policy-specific management responsibilities;

f. The planning and realization of the functional level objectives established to achieve the overall objectives;

g. Normative requirements, policies, performance targets and indicators, applicable legal requirements, responsibilities, personnel capabilities, operations, procedures, performance data and the link between internal audit findings and conclusions.

5.2.2 Monitoring activities

5.2.2.1 Ways of monitoring activities

ZOHO adopts a combination of on-site supervision and audit and daily supervision (such as paying attention to the quality information bulletin issued by relevant national departments, paying attention to the information of relevant parties of certified customers, daily tracking of relevant information of certified customers, reviewing certified customers and their operation instructions, and requiring certified customers to provide documents and records, etc.).

5.2.2.2 Contents of post-certification supervision and audit

a. System maintenance and any changes (e. g. resources, processes, organizational structure, identified critical control points, etc.);

b. Customer complaints;

c. the scope of the change;

d. Effectiveness of management system implementation;

e. Progress of activities planned for continuous improvement;

f. Measures and effects taken in response to non-conformities identified in the previous audit;

g. the use of certificates and marks and/or any other reference to qualification;

h. Other selected ranges as appropriate. Certified customers should keep all complaint records and provide them to ZOHO when needed. Based on the above information, ZOHO will re-evaluate the certified customer management system to confirm whether it continuously meets the certification requirements. For the certified organizations that have passed the supervision and audit, the decision to maintain their certification qualifications will be made; otherwise, the suspension or revocation of certification disposal will be made. During the supervision audit, if the certification customer does not close the non-conformity as required, it may lead to the suspension of the certification certificate.

5.2.2.3 Frequency of supervision and audit

During the validity period of the certificate, the certified customer shall be subject to a supervisory audit. The first supervisory audit after the initial certification and recertification shall be carried out within 12 months from the date of the certification decision, and the subsequent supervisory audit shall be carried out at least once every calendar year (except the year in which recertification shall be carried out) and the maximum time interval from the previous supervisory audit shall not exceed 15 months.

If the certification certificate is suspended due to the failure of the certified customer to carry out the supervision audit within the specified time, after the resumption of the supervision audit, the next audit time shall be calculated according to the originally planned time.

shall increase the frequency of supervision or arrange the audit with short notice in advance:

a. The certified customer has made major changes to the management system or has major problems;

b. There is sufficient information to show that the certified customer has changed the organization, management system and other changes that affect the certification basis;

c. Major accidents related to the management system of certified customers;

d. Other considerations.

5.2.3 Re-certification

Certified customers must apply for recertification at least three months before the expiration of the certificate. The purpose of the recertification audit is to verify the overall continuing conformity and effectiveness of the organization's management system as a whole, and the continuing relevance and suitability of the scope of certification.

will arrange special audit or arrange recertification audit with certified customers in advance when it is found that the certified customers have significant changes that seriously affect the operation of the management system, or when the complaint analysis and other information of certified customers show that certified customers no longer meet the certification requirements.

recertification audits also need to focus on the performance of the management system during the certification cycle, including access to previous supervisory audit reports.

For multi-site or combined audit certification, the recertification audit should ensure that the on-site audit has sufficient coverage to provide confidence in the management system certification.

one-stage audit is not usually performed during recertification, a first-stage audit may be required when there are significant changes in the management system of the certified client and the internal and external operating environment of the certified client.

the re-certification audit, the certification customer shall accept the ZOHO audit before the expiration of the current certification certificate, and close the non-conformity issued by the audit team within the specified time. Otherwise, if ZOHO cannot make a certification decision within 6 months after the expiration of the original certification certificate due to the certification customer, the re-certification audit will be invalid.

5.2.4 Special Audit

5.2.4.1 Audit to expand the scope of certification

For certified customers, ZOHO reviews the application to expand the scope of certification and determines the audit activities required for the decision to expand, which can be carried out at the same time as the supervisory audit.

5.2.4.2 Review with short notice

audits that require short notice to certified customers in order to investigate complaints, respond to changes, or follow up on suspended certified customers.

1. Explain to the certified customer and make them aware in advance of the conditions under which such audits will be carried out;

2. Assign experienced auditors to form an audit team.

5.3

audit team shall communicate with the audited party before the on-site audit to confirm the audit arrangement and explain the agenda of the first and last meetings.

audit team shall carry out the audit according to the schedule in the audit plan, collect and verify the relevant information by sampling through appropriate methods such as consulting the documents and records of the audited party, interviewing with the post personnel of the process and activities, and observing the service formation process and activities. If necessary, conduct technical tests to form audit findings and confirm the audit situation.

During the audit process, the audit team communicates with the audited party in a timely manner, informs the audit process, confirms the audit evidence, and resolves differences. When the audit findings indicate that the purpose of the audit cannot be achieved, the reasons shall be explained and follow-up measures shall be agreed. If it is necessary to change the purpose and scope of the audit or terminate the audit, it shall be implemented after review and approval by the audit dispatching agency.

audit team leader shall communicate the information of the on-site audit with the audited party, ask the audited party to confirm the problems found and the non-conformance report, and agree on the arrangement of follow-up measures for non-conformance and confirm the audit conclusion. The audit team shall prepare the audit report and submit it to the audited party.

the audit report belongs to ZOHO, if there is any change in the audit follow-up activities (including ZOHO's certification decision period), ZOHO will provide the audit report to the auditee again. The audited party shall properly keep the audit report, non-conformity report and its correction materials and other corresponding materials.

Certification Fees

Certificate Sample

Certification Mark