CERTIFICATION LIFECYCLE MANAGEMENT

GCAI Certification – Process & Lifecycle (ISO/IEC 27001)

We make certification decisions that are impartial, evidence-based, and consistent. This page explains, in plain language, how certification works from the first application to ongoing maintenance, including the rules for suspension, withdrawal, and appeals.


1) Apply & Contract

What you send us

  • Basic organization details, scope to be certified, sites (on-site/remote), headcount, process overview, and contact persons.

What we do

  • Confirm eligibility and scope.
  • Determine audit time and competence needs (incl. multi-site sampling where relevant).
  • Identify any legal/regulatory considerations.
  • Issue a proposal & contract. Once accepted, we confirm your audit program and target dates.

Tip for clients: Share significant changes (mergers, acquisitions, site changes, major tech changes) as soon as they arise—this can affect planning and scope.


2) Stage 1 Audit – Readiness Assessment

Purpose: Check readiness for Stage 2 and confirm scope, sites, and audit plan.

What we look at

  • ISMS documentation (policy, risk assessment & treatment, SoA, procedures, records).
  • Scope boundaries, interfaces, and applicable Annex A controls.
  • Internal audit & management review status.
  • Any gaps that could become nonconformities in Stage 2.

Output you receive

  • A Stage-1 report with readiness status, gaps (if any), and a confirmed Stage-2 plan.

3) Stage 2 Audit – Certification Audit

Purpose: Verify full implementation and effectiveness of the ISMS against ISO/IEC 27001.

How we audit

  • On-site or hybrid audit across in-scope sites and functions.
  • Interviews, observation, sampling of processes/records, verification of risk treatment, control operation, monitoring, and improvement.

Nonconformity handling

  • Major NCs: must be corrected and verified before certification.
  • Minor NCs: corrective action plan with defined dates; effectiveness verified at surveillance.

Output you receive

  • A final audit report with findings and recommendations for decision.

4) Independent Certification Decision

  • Per ISO/IEC 17021-1, the decision maker is independent of the audit team.
  • Decision considers: audit evidence, closure of major NCs, adequacy of plans for minor NCs, complaints/impartiality risks, and scope fit.
  • If approved, you receive an ISO/IEC 27001 certificate (3-year cycle) with your certified scope and sites.

5) Surveillance Audits (Years 1 & 2)

Frequency: At least once per calendar year.

Focus areas

  • Closure/effectiveness of previous NCs.
  • Key ISMS processes: risk management, incident handling, change management, access control, supplier management, internal audit & management review.
  • Complaints, improvement activities, and any organizational/technology changes.
  • Correct use of certification marks and public claims.

What to expect

  • We start planning approximately 1 month in advance.
  • After the audit, you’ll receive a surveillance report. Any NCs require corrective actions within agreed timelines.

6) Recertification Audit (Year 3)

When: Planned to complete before certificate expiry.

Scope: A comprehensive review of long-term effectiveness and continual improvement over the cycle, including evolving risks and changes.

Outcomes

  • Successful recertification renews the 3-year cycle.
  • If not completed before expiry, the certificate lapses. Depending on elapsed time and risk, restoration within 6 months may be possible or a full Stage 1+2 may be required.

7) Special Audits (as needed)

Triggered by:

  • Serious complaints, security incidents, or market concerns.
  • Significant organizational changes (new sites, restructuring, outsourcing/insourcing, major tech/platform change).
  • Scope expansion requests.
  • Follow-up during suspension to verify corrective actions.

These may be short-notice and targeted to the issue; they confirm ongoing conformity and appropriate scoping.


8) Multi-Site Certifications

  • We apply sampling per IAF guidance (e.g., IAF MD 1) and verify central control and site implementation.
  • NCs at sampled sites may be raised against the entire multi-site scope if systemic.

9) Transfers from Another Certification Body

  • We verify the current certificate’s validity, any outstanding NCs, complaint history, and the previous cycle status.
  • Based on the review, we either continue the existing cycle or define additional audit activities before transfer completion.

Certification Status Rules (Grant, Refuse, Maintain, Suspend, Restore, Withdraw, Change Scope)

Grant / Maintain / Renew

We grant/maintain/renew certification when:

  • Major NCs are closed; minor NCs have approved plans.
  • Audit objectives are met and the ISMS is effective for the certified scope.
  • Ongoing obligations (surveillance access, fees, impartiality safeguards) are met.

Refusal of Certification

We may refuse certification if:

  • Major NCs remain unresolved.
  • Application information is false/misleading.
  • There are unacceptable impartiality/conflict-of-interest risks.

Suspension of Certification

We may suspend certification when:

  • Major NCs are not closed by agreed dates.
  • Surveillance audits are missed or access is denied.
  • Certification mark/logo is misused or public claims are misleading.
  • Fees are unpaid or contract terms are breached.

Effect of suspension: You must cease all certification claims and logo usage until restored. Suspension is time-limited; failure to resolve leads to withdrawal.

Restoring Certification

Possible when:

  • Corrective actions are implemented and verified (often via special audit).
  • All contractual and financial obligations are met.

Withdrawal of Certification

Applied when:

  • Suspension conditions aren’t resolved within the allowed timeframe.
  • The client requests withdrawal or ceases certified operations.
  • Major integrity breaches occur.

Scope Expansion / Reduction

  • Expansion: Requires evaluation of the new activities/sites (often via special or next scheduled audit), competence review, and audit-time adjustment.
  • Reduction: Applied when parts of the scope are no longer implemented or repeatedly nonconforming; reductions are reflected on the certificate and public listings.

What We Expect From Certified Clients

  • Maintain conformity with the standard and notify us promptly of significant changes (scope, sites, structure, technology, outsourcing).
  • Provide access to sites, records, and personnel for audits (including remote/hybrid where agreed).
  • Use the GCAI Certification Mark correctly (see “Certificate & Logo Usage Policy”).
  • Address nonconformities within agreed timelines.

Governance, Impartiality & Records

  • Decision makers are independent of audit teams (per ISO/IEC 17021-1).
  • Impartiality risks are monitored by our Impartiality Committee; conflicts are identified and controlled.
  • Certification records (audits, decisions, NC closures, complaints) are confidentially retained for at least two certification cycles and may be reviewed by the accreditation body.

Appeals & Complaints

If you disagree with a decision or wish to raise a concern:

  • Appeals (clients): Submit in writing within 30 days of the decision. We acknowledge within 5 working days, and an independent Appeals Committee issues a binding decision within 30 working days (or within a justified extension).
  • Complaints (any stakeholder): Acknowledged within 3 working days; investigated by independent personnel; formal response typically within 30 working days.
  • See full Appeals & Complaints Process (link) for steps, timelines, and escalation to the Impartiality Committee.