Which certifications or audits do you need?
Benefits of certification by an accredited certification body
Why should you have us certify or audit you?
Every organisation has its own culture. In line with our credo "closer to you", we take this into account and communicate openly, directly and as equals – always with the focus on YOUR organisation.
Appropriateness is a cornerstone of any audit. We engage individually with you and your specific requirements and factor this into each audit. Only in this way can sustainable results be achieved.
Quality begins with the very first contact. That is why both the quality of the audit and the quality of the processes around it are of the utmost importance to us, for efficient and reliable collaboration.
We say what we do, and we do what we say.
It's that simple.
Submit an enquiry and complete the basic data sheet as the basis for preparing the quotation. Optionally, arrange a short introductory meeting via video call at short notice.
After the order is placed: coordination of the next steps including scheduling, optional introductory meeting with the auditor(s).
Remotely or on site, our auditors carry out the audit in accordance with the requirements and as equals with you.
Handover of the audit documents, e.g. audit report, evidence documents for the BSI and, where applicable, the certificate / declaration of conformity.
What our clients say
FAQ – Your key questions answered
What certification and audit services have in common is that they are both examinations of management systems. For this reason, the terms "audit" and "certification" are often used synonymously. However, certifications and audits differ in fundamental respects that are not always easy to tell apart and that can also make a qualitative difference. To do justice to this, we have decided to distinguish between certification and auditing in our service portfolio.
Certification services may only be performed by a body accredited by an accreditation body such as the German Accreditation Body (Deutsche Akkreditierungsstelle GmbH, DAkkS). As a body accredited by DAkkS, we may only examine and certify in those areas for which we hold accreditation. These include, for example, ISO/IEC 27001, DIN EN ISO 9001 and the IT Security Catalogue pursuant to Section 11 (1a) EnWG. These restrictions ensure that certifications are carried out with the highest level of expertise and in accordance with a uniform, international procedure. With certifications you receive a certificate from us and, if desired, a seal confirming successful certification.
Audits are services that do not necessarily require DAkkS accreditation to perform and sign off. These include, for example, audits pursuant to Section 39 BSIG (new version), ISO 27001 based on IT-Grundschutz, or SMGWA to BSI TR-03109-6. Audits pursuant to Section 39 BSIG (new version) may only be carried out by selected parties, including auditors (Wirtschaftsprüfer) or bodies accredited by DAkkS, such as RSM Certification GmbH. Audits for ISO 27001 based on IT-Grundschutz and SMGWA audits to BSI TR-03109-6 require appropriately qualified auditors. RSM Certification GmbH employs auditors who have the suitable competencies and recognition by the BSI.
In addition, there are standards such as ISO/IEC 27017 or ISO/IEC 27018 against which certification is not possible, as they are only valid in conjunction with an existing certificate. We can therefore only carry out conformity assessments here.
We operate internationally. As a conformity assessment body accredited by DAkkS, our certificates are recognised worldwide, since accreditation is also based on uniform international requirements.
As a body accredited by DAkkS, we are not permitted to act in an advisory capacity, as this would compromise our impartiality and independence.
Auditing integrated management systems is one of our core competencies. We are accredited by DAkkS for ISO/IEC 17021. The ISO/IEC 17021 family of standards includes a wide range of management standards for which a certification audit can be carried out. These include, among others: Information Security Management System (ISO/IEC 27001), Quality Management System (ISO 9001), Environmental Management System (ISO 14001) and Energy Management System (ISO 50001). The key feature and advantage of these standards is their uniform structure, which makes it easier to audit several standards at the same time. The document IAF MD 11 ("Mandatory Document for the Application of ISO/IEC 17021-1 for Audits of Integrated Management Systems") must be taken into account accordingly when calculating the audit scope and conducting the audit. Beyond this, audits of the IT Security Catalogue pursuant to Section 11 (1a) EnWG, ISO/IEC 27001 and BSI TR-03109-6 can also be combined.
In exceptional cases, unforeseen events may make adjustments necessary. Our credo here is: if you bring the flexibility to counteract this, then we will do our part. In principle, no more than six months may elapse between a Stage 1 and Stage 2 audit in an initial certification. We therefore always try to discuss the optimal time interval between the Stage 1 and Stage 2 audit with our clients in advance. If material weaknesses are identified during a Stage 2 audit or a recertification, such that a certificate cannot be issued, the auditors involved will discuss this directly with you. This also includes a schedule setting out by when the weaknesses must be remedied in order to complete the audit. Here, too, a maximum period of six months applies in order to stay within the permissible timeframe of the procedure.
We carry out certificate transfers. According to IAF MD 2:2023, a certificate transfer is: "[…] the recognition of an existing and valid management system certification, granted by one accredited certification body, by another accredited certification body for the purpose of issuing its own certification." IAF MD 2 sets out the minimum requirements to be met in the course of such a transfer. We adhere strictly to these requirements in order to ensure a seamless transfer of your certificate.
A conformity assessment without certification is possible, but whether such an approach makes sense can only be assessed on a case-by-case basis. Alternatively, a competently conducted internal audit of the conformity of your ISMS may be a more sensible route. We would be happy to help you find the right path – simply get in touch with us.
A matrix certification is also referred to as a "multi-site certification" and can be applied to organisations that operate a central management system across several sites, controlled from their head office, and wish to have it certified. The requirements for such audits are explained in detail, in particular in the document IAF MD 1. This is the binding IAF document for the auditing and certification of management systems in organisations with multiple sites. See also our blog post on IAF MD 1. RSM Certification GmbH does carry out matrix certifications.