Certification Procedures

1. Audit Process

1. Pre-certification Activities: Involves the application process where Zertia collects necessary information from the applicant, including the scope of certification, organizational details, outsourced processes, and any consultancy provided.
2. Application Review: Zertia reviews the application to ensure all required information is complete and prepares for the audit program.
3. Audit Planning: This includes determining audit objectives, scope, criteria, selecting the audit team, and creating an audit plan.
4. Initial Certification Audit: Zertia’s experienced audit team conducts a stage 1 audit to review the client’s management system documentation, site conditions, and preparedness for stage 2. The audit client will receive an audit report with any findings that need to be addressed during subsequent stages. During stage 2, the audit team will assess conformity of the management system with applicable requirements, including evaluation of the management system’s implementation and effectiveness.
   Any nonconformities must be addressed through corrective action before a certificate can be issued.
5. Surveillance and Recertification: The certification is valid for three years, with surveillance audits occurring every six to twelve months to monitor compliance and address nonconformities. Recertification will take place three months before the certificate’s expiration, initiating a new certification cycle.

2. Processes for Granting, Refusing, Maintaining, Renewing, Suspending, Restoring or Withdrawing Certification or Expanding or Reducing the Scope of Certification

Granting Certification

To be recommended for certification, all nonconformities must be addressed through appropriate corrective action within the allotted time frame. For major nonconformities Zertia will verify that corrective actions have been implemented. If implementation of corrections and corrective actions for major nonconformities cannot be verified within 6 months after the last day of stage 2, another stage 2 audit must take place prior to recommending certification.

For minor nonconformities Zertia reviews if a corrective action plan has been established. Effectiveness of corrective actions will be verified during subsequent audits.

A certificate is issued after a complete review of the audit file to ensure that there is sufficient evidence to support a certification decision. Client must be in good financial standing with Zertia before a certificate can be issued.

Certification can be refused if there is insufficient evidence of the management system meeting the audit criteria, if the client is not in good financial standing with Zertia, or if any contractual arrangements are not honored.

Maintaining Certification

The certification is valid for three years, with surveillance audits occurring every six to twelve months to monitor compliance and address nonconformities. Recertification will take place three months before the certificate’s expiration, initiating a new certification cycle.

Suspending Certification

Reason	Action
Not effectively addressing a major nonconformity	Immediate suspension after the term for addressing the major nonconformity at its second occurrence has ended.
A complete system break-down	Discuss with client the option for voluntary suspension. Immediate suspension after detection.
Not responding with corrective actions within the allotted timeframe	For a major NC: Immediate suspension. For a minor NC: Certification Manager and Lead Auditor review; warning letter with possible extension.
Violations of the rules for the use of Zertia’s or the accreditation body’s marks and logos	Certification Coordinator sends letter requesting immediate correction within a reasonable timeframe.
Not responding to complaints or not addressing valid complaints	Immediate suspension after the term for addressing complaints has passed.
Not responding to communication regarding audit scheduling	Certification suspended at the next anniversary of certification decision.
Not cooperating in the scheduling or planning of audits	Certification suspended at the next anniversary of certification decision.
The client requests suspension	As agreed between Zertia and the client.
Non-payment within established payment terms	Warning letter sent. Extension may be granted by the Certification Manager.

Re-instating Certification

Certification will be re-instated after the issue that triggered the suspension has been resolved. The rest of the audit program including the dates recertification is due will not change.

Certification can be restored within 6 months after expiration date provided that outstanding recertification activities are completed. If that does not occur, certification may be withdrawn, and a full initial certification audit may be necessary.

Withdrawing Certification

Certification will be withdrawn if the client fails to address the established actions within the allotted timeframe. Suspension must not exceed six months. After six months of suspension the certification is withdrawn.

Certification Manager decides on withdrawal and notifies client. Withdrawn certifications may not be re-instated. If the client wishes to continue they will have to re-apply and a new audit program will be established.

Reducing the Scope of Certification

If certain parts of the management system persistently or seriously fail to meet the certification requirements the scope may be reduced to exclude those parts. A new certificate must be issued with the new scope, and clients must return or provide a written declaration that the original certificate has been destroyed.

Expanding Scope of Certification

Client may require a scope extension to include other products, services, processes or sites. Scope extensions are usually dealt with during annual surveillance or recertification audits, unless the client requires an immediate extension.

3. Types of Management System Certifications

• ISO/IEC 42001:2023 — Information technology – Artificial intelligence – Management System
• ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection – Information security management systems – Requirements
• ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection – Privacy information management systems – Requirements and guidance

4. Processes for Handling Requests for Information, Complaints and Appeals

The following information may be provided upon request via support@zertia.ai:

• Geographical areas in which Zertia operates.
• Status of a given certification.
• The name, related normative document, scope and geographical location for a specific certified client.

Complaints

Complaints may be received from clients or other interested parties and typically relate to the conduct of Zertia personnel or subcontractors, or the way certain activities are performed.

Complaints can be submitted by: email to support@zertia.ai, or verbally by telephone to a Zertia associate.

All complaints will be investigated and appropriate action taken. Complainant will receive a resolution or progress report within one month, and every month thereafter until the complaint is resolved.

Appeals

A certification client may not agree with a certification decision or a decision to suspend, withdraw or reduce the scope of certification. Zertia is responsible for all decisions at all levels of the appeals-handling process. All personnel engaged in the appeals-handling process are different from those who carried out the audits.

Appeals must be submitted in writing by email to support@zertia.ai and include:

• Audit client, audit scope, audit date(s), audit reference number
• Point of contact name, email and phone number
• Reason and justification for the appeal
• Any supporting information

Appellant will receive a progress report one month after the appeal is received, and every month thereafter until resolution. All resolutions are final.