
Certification Process at NDB Controls

About the Process

NDB Controls CB

As a trusted ISO/IEC 27001 certification body, NDB Controls is committed to delivering transparent, impartial, and rigorous certification services. Our approach ensures that organizations achieve and maintain compliance with international information security standards in a consistent and credible manner.
Key elements of our certification processes & policies

Audit Process

Internationally recognized best practices, ensuring thorough evaluation of an organization's Information Security Management System (ISMS) against the ISO/IEC 27001 standard

Certification Decisions

Our decisions are made impartially by qualified personnel not involved in the audit process

Management Systems & Certification Schemes

Audit and certifications for organizations that implement ISMS frameworks

Use of NDB Controls’ Name & Certification Mark

Once certified, clients may use the NDB Controls certification mark

Requests for Information, Complaints, and Appeals

We encourage open communication and transparency in all our dealings

Policy on Impartiality

NDB Controls operates impartially as a credible certification body

The Audit Process

Our audit process follows internationally recognized best practices, ensuring thorough evaluation of an organization's Information Security Management System (ISMS) against the ISO/IEC 27001 standard.
Audit Process Stages

Stage 1

Audit Readiness & Documentation Review
This initial stage focuses on assessing your organization’s preparedness for the full certification audit. It includes:
  • A review of ISMS documentation, including policies, risk assessments, and procedures.
  • An evaluation of the scope of the management system.
  • An assessment of legal and regulatory requirements.
  • Identification of any areas of concern that may impact Stage 2.

This stage may be conducted remotely or onsite.

Stage 2

Audit Implementation & Effectiveness

The Stage 2 audit verifies the practical implementation and effectiveness of your ISMS. It includes:

  • Onsite assessment across relevant departments and locations.
  • Interviews with staff to evaluate awareness and responsibility.
  • Evaluation of evidence to confirm risk treatment measures and operational controls are functioning as intended.
  • Review of monitoring, measurement, internal audit, and management review activities.

At the conclusion, a detailed audit report is prepared, and any nonconformities must be addressed before certification can be granted.

Stage 3

Surveillance Audits
Surveillance audits are conducted annually (usually in years 2 and 3 of the certification cycle) to ensure the ongoing conformity and performance of the ISMS. These are more limited in scope than the initial audit but are essential for maintaining certification.

Stage 4

Recertification Audit
Before the end of the three-year certification cycle, a full recertification audit is conducted to reassess the entire management system. This ensures continued compliance and identifies opportunities for improvement.

Certification Decisions

Managing Certification Status

Granting Certification

Certification is granted after successful completion of the Stage 2 audit and closure of any identified nonconformities. The decision is based on a comprehensive review of audit findings, conducted by an independent certification panel.

Refusing Certification

We may refuse certification in cases where:
  • There are unresolved major nonconformities.
  • The organization fails to demonstrate adequate implementation of ISO/IEC 27001.
  • There is insufficient evidence of conformity.

A detailed explanation is always provided, along with the opportunity to reapply.

Maintaining Certification

Certification is maintained through regular surveillance audits and continued compliance with ISO/IEC 27001 requirements. Clients must:
  • Maintain their ISMS effectively.
  • Address nonconformities in a timely manner.
  • Cooperate with scheduled audits.

Renewing Certification

A recertification audit is required every three years to renew certification. This involves a full system review and confirmation of ongoing compliance.

Suspending Certification

Suspension may be imposed due to:
  • Failure to address nonconformities.
  • Non-cooperation during audits.
  • Misuse of the certification mark.
  • Non-payment of fees.

During suspension, the certification is temporarily invalid and cannot be used for promotional purposes.

Withdrawing Certification

Withdrawal occurs when:
  • Issues that led to suspension are not resolved within a specified timeframe.
  • The client voluntarily terminates the certification.
  • There is evidence of intentional misrepresentation or fraud.

Upon withdrawal, the organization must cease use of all certification materials and marks.

Restoring Certification

Certification may be restored following suspension if the organization takes corrective action within the permitted timeframe and demonstrates conformity during a follow-up audit.

Scope Expansion or Reduction

Clients may request to expand their certification scope to cover additional sites, functions, or services. This requires a scope extension audit. Conversely, scope reduction may be required if certain processes or sites are no longer compliant or operational.

Certification Decisions

Granting, Refusing, Maintaining, Renewing, Suspending, Withdrawing, Restoring, and Scope Changes
At every stage, our decisions are made impartially by qualified personnel not involved in the audit process.

Management Systems & Certification Schemes Offered

Providing Certification For

ISO/IEC 27001 Information Security Management Systems

We audit and certify organizations that implement ISMS frameworks in alignment with ISO/IEC 27001, helping them secure information assets, manage risk, and ensure regulatory compliance.

Additional Schemes

As we expand our services, we may introduce other management system certifications within the domains of:

  • Cybersecurity
  • Risk Management
  • Business Continuity (ISO 22301)
  • Privacy Information Management (ISO/IEC 27701)

Details of additional schemes will be published as they become available.

Use of NDB Controls’ Name and Certification Mark

Proper Use

  • The mark must only be used in connection with the certified scope.

  • It must not be used on products or product packaging.

  • It must not imply product certification or endorsement by NDB Controls.

Conditions of Use

  • Use of the logo is permitted only while certification is valid and in good standing.

  • Clients must adhere to our Logo Usage Policy, provided upon certification.

  • Any misuse will be subject to investigation and corrective action.

Misuse & Consequences

Improper use may result in:

  • Suspension or withdrawal of certification.
  • Public notice of misuse.
  • Legal action in cases of deliberate misrepresentation.

Request for Information, Complaints, & Appeals

Open communication & transparency in all our dealings
Our complaints and appeals processes are designed to ensure objectivity, transparency, and resolution in a timely manner.

Requests for Information

  • Clients and stakeholders may request information about certification status or procedures by contacting our office via email or the contact form.

  • All reasonable requests are answered promptly and transparently.

Complaints

  • Any individual may submit a complaint regarding our services or the behavior of certified organizations.

  • Complaints must be submitted in writing and will be acknowledged, investigated, and resolved within a defined timeframe.

  • We maintain confidentiality and fairness throughout the process.

Appeals

  • Clients may appeal certification decisions (such as refusal, suspension, or withdrawal).

  • Appeals must be lodged in writing within a specified period after the decision.

  • Appeals are reviewed by an independent body not involved in the original audit or decision.

Policy on Impartiality

Impartiality is fundamental to our operations and credibility as a certification body.

NDB Controls maintains an impartial stance by:
  • Ensuring all certification decisions are based exclusively on objective audit evidence.
  • Avoiding any relationships that may compromise our independence.
  • Monitoring and mitigating potential conflicts of interest.
  • Maintaining a dedicated Impartiality Committee to oversee policies and procedures.
  • Ensuring staff, auditors, and decision-makers are free from undue influence.

We take all necessary steps to uphold our reputation as a trustworthy, unbiased certification authority.

Talk With An ISO 27001 Expert

Investors & customers demanding compliance? We got you.

Get Started With NDB Today

Expert guidance for navigating every phase of the ISO 27001 certification process with ease, from initial assessment to final compliance and beyond.
  • Results to get your company ISO compliant
  • Expert audit guidance through each phase
  • High compliance and audit success rate