This document specifies activities in relation to this conformity assessment scheme to enable consistent management and expected outcomes. This document should be read in conjunction with the linked references contained within each section. If there are conflicting instructions, please notify the scheme owner or raise an issue on this repo.
The purpose of this conformity assessment scheme is to demonstrate that specified requirements relating to a product, process, system, person or body are fulfilled. A detailed overview of conformity assessment may be found in this document.
Assessment of scheme against IAF MD25 Requirements
Formal engagements with a client must have a legally enforceable agreement. Please contact the accredited conformity assessment body for a copy of the agreement. Please note that confidentiality rules may apply as per the Confidentiality Policy.
This scheme is dependent on the legal and regulatory requirements specific to the jurisdiction and context.
This is a global scheme intended to apply within different jurisdictions and contexts.
The scheme description and purpose are found in the README.
The following standards are used to set out the requirements used in the scheme.
- CAN/CIOSC 103-1 Digital Trust and Identity Part 1: Fundamentals
- CAN/CIOSC 103-2 Digital Trust and Identity Part 2: Healthcare
An organization can review the applicability of requirements due to the size or complexity of the organization, the management model it adopts, the range of the organization's activities and the nature of the risks and opportunities it encounters.
An organization may assess the requirements in conjunction with a selected trust framework. The trust framework may affect how the requirements are interpreted and the effort to assess the requirements.
An organization may exclude specific requirements that are deemed not applicable or out of scope of the organization's mandate.
Exclusions should be confirmed before preparing the quotation and verified at the initial assessment.
All exclusions must be reflected in the assessment and the resulting certification.
The lead auditor should:
- communicate the relevant parts of the assessment engagement, including the risks and opportunities
- define objectives, scope and criteria for each assessment
- agree on audit methods
Objects of conformity are used to select and specify the requirements to be assessed.
In determining the audit time (duration and/or effort), among other things, the following aspects are considered before proceeding:
- the requirements of the relevant management system standard;
- complexity of the client and its management system;
- technological and regulatory context;
- any outsourcing of any activities included in the scope of the management system;
- the results of any prior audits;
- size and number of sites, their geographical locations and multi-site considerations;
- the risks associated with the products, processes or activities of the organization;
- whether audits are combined, joint or integrated.
The assessment duration estimate is based on an agreed timeline with the client. Duration estimates should consider factors such as:
- Client schedule availability and constraints
- Resource availability and constraints
- Risks
- ...
The assessment effort estimate is based on full-time equivalents (FTEs). Assessment effort should consider factors such as:
- Scope of assessment
- Degree of assessment
- Risks
Factors which may increase assessment duration and effort
- Logistics that may involve more than one geographical location where efforts are carried out
- Multiple languages requiring interpreters or preventing individual auditors from working independently
- Outsourced functions or processes
- Highly complex processes or high number of unique activities
Factors which may reduce assessment duration and effort
- Maturity of management system
- Prior knowledge of management system (e.g. already certified to another standard)
- Client preparedness
- Level of automation
Details on Staged Audits
Details on Audit Methods
Details on Audit and Certification Roles
Details on Evidence and Evaluation
Potential risks and/or assurance level requirements may impact the duration and effort of the assessment.
The scope of the CIOSC accreditation is granted by different accreditation bodies listed at the following link:
Function | Requirements |
---|---|
Lead Assessor | Prior public sector engagements |
Function | Requirements |
---|---|
Lead Assessor | Related sector engagements |
Certificate Prefix | Description |
---|---|
PS-CC-LEV | Public Sector Services, ISO Country Code, Level of Government |
RS-CC-SEC | Regulated Programs, ISO Country Code, Sector |
The certification process is as defined by the accredited conformity assessment body. Details are in the Certificate Policy.
The expected outcome is public confidence that the organization conforms to the applicable requirements of the standards and is delivering a program and/or service having integrity. In particular, that the organization:
- has established a program and management system that is suitable and appropriate for its certification scope
- instills confidence in its stakeholders and clients
- demonstrates alignment with the relevant statutory and regulatory requirements
- ensures that the management system meets program objectives
- is managing, supporting and monitoring processes to achieve the expected outcomes
- aims to prevent nonconformities and has processes in place to improve.
Please see References