
INFORMATION SECURITY ASSURANCE

PRODUCT TECHNICAL NOTIFICATION – BUSINESS CONTINUITY

PTN-BC 2022-02

ACTION REQUIRED FOLLOWING UKAS ASSESSMENT

Audience: All ISO 22301 auditors, sales and operations staff involved in ISO 22301 audits.

It was identified during the last UKAS BCMS audit that clarification was required regarding contract and
contracting arrangements with certification clients - reference to the UKAS accredited entity and
adherence to SGS terms and conditions (specifically in respect of mandatory criteria such as access to
site for accreditation witnessing).

The current accreditation requirements are as follows:

EA-2/13:2019, section 5.1.2 states that:


“Individual locations of the CAB may offer conformity assessment activities to the local market only on
behalf of the accredited CAB. The certificates and reports issued under the accreditation awarded by
the FAB shall contain the name and address of the accredited legal entity without reference to the
name or the logo of any local CAB. The quotations, contracts, certificates and reports issued shall
not create any confusion as to the legal entity of the CAB which holds the accreditation.”

The following wording is mandatory in all proposals:


“By signing this document, we apply for assessment by SGS <<affiliate designation>> on behalf of
SGS United Kingdom the Accredited Legal Entity for UKAS Accredited Certification.”

ISO/IEC 17021-1, clause 5.1.2 requires:

“5.1.2 Certification agreement


The certification body shall have a legally enforceable agreement with each client for the provision
of certification activities in accordance with the relevant requirements of this part of ISO/IEC 17021.
In addition, where there are multiple offices of a certification body or multiple sites of a client, the
certification body shall ensure there is a legally enforceable agreement between the certification body
granting certification and the client that covers all the sites within the scope of the certification.”

Procedure GSP.01 Pre-Certification Activities defines clearly the processes in place to comply
with these requirements and includes reference to the documents that shall be provided as part
of the proposal (either as documentation within the proposal pack or by link to the relevant sgs.com
links) and uploaded into CertIQ for each contract - SGS Code of Practice, Conditions for
Certification Services and Rules Governing the use of SGS Certification Mark.

Internal distribution only Page 1 of 1


Actions Required from all auditors and staff involved in ISO 22301 audits
1. Revisit procedure GSP.01 Pre-certification Audits and ensure that proposals, contracts and
other contractual documents are uploaded into CertIQ for each certification client/certificate,
including contract reviews.

2. Review Best Practice Webinars 5 and 6 (November 2021 and February 2022), available in
Knowledge Document Management System (sharepoint.com), with a focus on the sections
related to contractual requirements with clients.

3. Acknowledge receipt of this PTN - communicated in the GLOBAL.KN.InfoSec.Technical
ISO 22301 channel in Teams - and the review of the above-mentioned GSP and Best Practice
Webinars material.

Issued: Paula Costa – Global Technical Manager - Information Security Assurance

Date: 19/08/2022

