UKAS rejects ISO certification concerns
UK’s certification body says refreshed guidance is in place to cover the possibility of lapsed ISO certifications
The UK’s National Accreditation Service (UKAS) has responded to concerns that thousands of ISO data protection and compliance certifications are about to lapse because of delays and backlogs in the recertification process due to the Covid-19 coronavirus pandemic, saying that while it is true certifications may expire, provisions have been put in place to ensure continuity.
As previously reported, InfoSaaS, a supplier of security, data protection and business compliance services, had said that as the six-month “anniversary” of the UK’s lockdown approaches, thousands of businesses were at risk of having their certifications lapse because UKAS only provided for a six-month delay.
But UKAS said this was not accurate because, back in April, it had published a new policy on accreditation and conformity assessment during the pandemic, Technical Policy Statement (TPS) 73, which reflects the International Accreditation Forum (IAF) advice on certification. This has superseded the provisions of the guidance highlighted by InfoSaaS, TPS 62, which UKAS published four years ago.
It is correct that before the pandemic, under TPS 62, recertification audit visits – which must happen every three years – could be delayed by up to six months due to extraordinary events or circumstances.
However, clause 4.6 of the refreshed guidance states: “Given the unprecedented nature of the coronavirus outbreak, and the uncertainty over the potential impact this will have on the imposed time restrictions relating to travel and social contact, it is anticipated that six months may not provide sufficient opportunities for certification bodies to conclude recertification audits.
“As a consequence, UKAS policy for this outbreak is that the decision on recertification must be made within three months of the lifting of restrictions (eg, travel) that were preventing the on-site audit taking place. However, if this timeframe exceeds 12 months, then the certificate should be withdrawn, and a new initial audit will be required.”
InfoSaaS co-founder Peter Rossi told Computer Weekly that while TPS 73 introduced some leeway, he remained concerned that the clock was still ticking on audit extensions, given that the maximum extension is 12 months.
“We may, as far as anyone knows, still be in the early stage of the pandemic,” he said. “Spanish flu caused disruption for over two years – business operations that are still disrupted now could yet worsen. As a result, even with the provisions of TPS 73, certifications could eventually begin to lapse.”
Rossi said he believed it was important that the potential for disruption was discussed and understood well in advance. “I would like to make it absolutely clear that we point no finger of blame at anyone for the situation, certainly not UKAS, and we welcome their clarity,” he added.
The full TPS 73 guidance on recertification can be downloaded here.