Schedule 2 - Certification Services

Revisions:
Date:	Author:	Description:
Oct 25, 2023	@Craig Wooldridge	First Version Published
Download PDF Here

Certification Services Requirements

The CB shall meet these requirements and such other Scheme requirements as IASME, or shall specify from time to time

Organisation
CR1.4	The Certifying Body shall ensure that all its Assessors have attended training that has been approved
CR1.5	The Certifying Body shall document and operate a quality assurance process, in accordance with the principles and guidance of ISO9001.

Certification Services
CR2.1	The Certifying Body shall work with IASME to have a consistent impartial process for awarding certificates to Organisations (including guidance for pass/fail guidelines) whose assessment or test has been successful against the Scheme Technical Standard.
CR2.2	The Certifying Body shall adhere to the Certification Process when carrying out certification, in accordance with the Scheme Documentation as stipulated by IASME.
CR2.3	The Certifying Body shall administer a consistent impartial process for providing appropriate feedback to an Organisation where assessment or testing has not been successful.
CR2.4	The Certifying Body shall work with IASME to develop a consistent process for recording and storing the results of its assessments and tests against the Scheme Technical Standard.
CR2.5	The Certifying Body shall have and document a complaints and appeals process for Organisations, including an escalation process allowing Organisations to raise complaints or appeals to IASME.
CR2.6	The Certifying Body shall work with IASME to design and develop a process for the consistent, impartial assessment of applicants to be a Scheme Assessor against the agreed Assessor Criteria, the process shall include providing guidance on pass or fail criteria.
CR2.7	The Certifying Body shall ensure that Assessors who are assessing information systems have an appropriate level of Maritime Cyber Security and Operational Technology competence as stipulated by IASME.
CR2.8	The Certifying Body shall ensure that the administration of Certification Services are delivered digitally.
CR2.9	The Certifying Body shall provide Organisations with standardised terms and conditions for the provision of Certification Services ensuring that the language is tailored appropriately to audience segments.
CR2.10	The Certifying Body shall work with IASME to design for Organisations a standardised, personalised report, considering audience segmentation, advising (should they fail) on how they can address any outstanding issues to improve their security ("Feedback Report").
CR2.11	The Certifying Body shall provide each Organisation which fails a certification with a Feedback Report.
CR2.12	The Certifying Body shall request that Organisations complete a standardised customer satisfaction survey after it has undergone assessment and/or certification.
CR2.13	The Certifying Body shall implement and maintain a process for identifying and addressing any conflicts of interest, however arising, in relation to the provision of Scheme Services.
CR2.14	The Certifying Body and their Assessors shall adhere to the principles and guidance of ISO/IEC 27002:2013 when carrying out Certification Services.
CR2.15	The Certifying Body should perform a spot check on an Organisation's usage of the relevant Certification Mark, immediately after the Organisation's renewal of certification date, should an Organisation choose to not renew.

Branding
CR3.1	The Certifying Body shall supervise the use of the Scheme Certification Marks by Organisations in accordance with the relevant Certification Mark Regulations.

Marketing and Communications
CR5.1	The Certifying Body shall ensure that the language and content of its website are aligned and consistent with the Scheme Website (including not making any misleading statements or misrepresentations of its role in and/or of the operation of the Scheme),
CR5.2	The Certifying Body shall take account of audience segmentation in developing marketing and promotional activities and events, including location and timing.
CR5.3	The Certifying Body shall present marketing and promotional material in diverse formats with language and level pitched appropriately for the relevant audience and aligned with HMG's audience messaging strategy.

Audit
CR6.2	The Certifying Body shall allow IASME to perform ad-hoc audits to assess whether the Certifying Body is meeting the requirements as set out in the Supplier Agreement.

1 Service Standards: The Scheme Supplier shall perform its obligations, at all times:

1.1 in compliance with the Security Policy;

1.2 in accordance with the Quality Plans;

1.3 in accordance with the Scheme Documentation;

1.4 subject to Clause 1.3 (Order of precedence) in accordance with the Proposal;

1.5 by adequate numbers of appropriately experienced, knowledgeable, qualified, professional and trained personnel, by reference to their role and level of responsibility;

1.6 with all due care, skill and diligence;

1.7 in a good, safe and professional manner;

1.8 in a manner not likely to be injurious to health or to cause damage to property or the environment;

1.9 in compliance with all applicable Laws, guidance and consents, and so as not to prejudice renewal of any consents,

1.10 where, in relation to a matter, there is no express obligation or standard imposed on IASME under this Agreement, and insofar as to do so does not conflict with any express provision of this Agreement, in accordance with Good Industry Practice;

(together, the "Service Standards").

2 Scheme improvements: The CB shall have an ongoing obligation throughout the Term:

2.1 to identify new or potential improvements to the Scheme, the Certification Services and the Scheme Services;

2.2 to notify those improvements to IASME; and

3 Changes to the Scheme: Notwithstanding Clause 7.3 (Scheme improvements), IASME shall have sole and absolute discretion to make changes to the Scheme.