The formal certification programme includes:
- a two-stage initial review
- surveillance reviews in the first and second years, and
- a recertification review in the third year prior to expiration of certification.
The determination of the certification programme and any subsequent adjustments will consider:
- the size of the client organisation
- the scope (target of evaluation)
- products and processes
- demonstrated level of effectiveness, and
- the results of any previous audits.
The certification programme will be based on the documented objective, scope and criteria.
The objective is to:
- evaluate compliance with POPIA and its regulations
- evaluate compliance with contractual requirements, and/or
- identify areas for potential improvement.
DOCUMENTATION OF PROCESSING ACTIVITIES WITHIN SCOPE
The scope of certification (the “Target of Evaluation”, ToE) is a set of “processing activities”. It is up to the organisation that requires the certification to decide which processing activities are in scope. The first step towards the certification of processing activities will be preparing the documentation of the processing operations. (It is a requirement of the Protection of Personal Information Act that all processing operations are documented.)
TARGET OF EVALUATION
| Level | Example 1 | Example 2 |
|---|---|---|
| Level 1: The organisation | Financial institution | Financial institution |
| Level 2: Functional/organisational unit | Compliance | HR Department |
| Level 3: Business process / functional application | AML / KYC (World check) | Recruitment (SAP-HR) |
| Level 4: IT infrastructure components | SAAS Unix servers – Oracle DB | Windows server farm |