REMOTE instead of ON-SITE: Possibilities of auditing in times of Corona
The Corona virus also poses new challenges for the TIC sector (Testing, Inspection & Certification). This applies in particular to existing certificates that may soon expire and should be maintained if an on-site audit is not feasible due to the current situation.
The remote audit: Auditing by video conference
One solution that makes it possible to carry out audits without the physical presence of the auditor is remote auditing. This is an audit method which is carried out interactively by means of a video conference. In this form, aspects are then queried and documents are examined which would also be part of an on-site audit.
We will continue to reliably be there for you
In view of the current situation, we offer audits via video conference in many cases. Below you will find services that are currently offered remotely or in modified form. If your test or certification is not listed there, please contact us. We will certainly find the best possible approach for your company.
„The auditing of our SCADA solution PROZA NET and communication gateway PROZA LKKU according to IEC 62443 2-4 was carried out by TÜViT in large parts as a remote audit. It worked smoothly and even accelerated the process.“ |
Stjepan Sučić, Business Director at KONČAR-KET |
We offer the following services, among others, remotely or in partially modified form:
ISO 27001:
GAP analyses and internal audits can generally be carried out remotely and thus continue to be offered without restrictions.
IT Grundschutz:
GAP analyses and internal audits can generally be carried out remotely. This currently also applies to IT Baseline Protection audits for certification by the BSI. If you have any further questions, our BSI-approved audit team leaders will be happy to help you.
alarm receiving centers (TSA | EN 50518)
Following the procedures of the German Accreditation Body (DAkkS), we have introduced a procedure that allows you to extend your existing certificate by 6 months. The basis for this is a two-stage process:
Stage 1:
a) Your documents will be reviewed as usual and changes to your data center operations will be evaluated.
b) A checklist is worked through with you via a WEB conference (remote audit). You may have to provide us with current pictures/recordings with your mobile phone.
c) The results of the document examination and the checklist are evaluated by the certification body and if the decision is positive, your certificate will automatically be extended by 6 months. This interim certificate is made available to you electronically.
Stage 2:
a) The on-site audit shall be completed and the audit report drawn up no later than 6 months later.
b) The audit report is the basis for the reissue of the certificate. This certificate is then provided in paper form and is valid for another 18 months (for TSI) or 6 months (for TSA).
The interim solution of the 2-stage procedure is carried out at no additional cost for you.
Document reviews are possible without restriction and can be carried out as planned. Furthermore, the following applies to:
Initial certifications:
a) Stage 2 audits can be conducted remotely as a web conference. Pandemic-related considerations must also be taken into account in particular.
b) All items that cannot be checked remotely or not to the satisfaction of the auditor must be made up for in a later on-site audit.
c) As soon as the overall situation allows it again, we plan the pending on-site audit in the order in which the web conferences were conducted.
d) A certification (Certificate & CAR) can only take place after the on-site audit.
Re-certifications:
a) Stage 2 audits can be conducted remotely as a web conference. Pandemic-related considerations must also be taken into account in particular. In addition, the provider must confirm to us that he has not made any changes of an infrastructural nature since the last inspection.
b) All items that cannot be checked remotely or not to the satisfaction of the auditor must be made up for in a later on-site audit.
c) Provided that a predominant part of the requirements was testable and did not reveal any critical non-conformances and the additionally mentioned conditions are fulfilled, the validity of the previous certificate and conformity assessment report may be extended by up to 6 months due to the current exceptional situation as an exception.
d) As soon as the overall situation allows it again, we plan the pending on-site audit in the order in which the web conferences were conducted.
e) The new certificate/CAR can only be issued after the on-site audit. The validity is based on the validity of the original certificate, not on the exceptionally extended validity.
Surveillance audits:
a) Stage 2 audits can be conducted remotely as a web conference. Pandemic-related considerations must also be taken into account in particular. In addition, the provider must confirm to us that he has not made any changes of an infrastructural nature since the last inspection.
b) Provided that a predominant part of the requirements was testable and did not result in critical non-conformances and the additionally mentioned conditions are fulfilled, we evaluate the monitoring as positive and carry out the certification. In this case a visit on site can be waived.
Change audits / amendments:
a) If the change can be sufficiently checked and evaluated remotely through a web conference, certification with regard to the change / supplement is also possible.
b) As soon as the overall situation allows it again, we plan the pending on-site audit in the order in which the web conferences were conducted.
During the web conference (Stage 2) for initial certification, re-certification or monitoring, the following additional questions related to the pandemic need to be clarified:
- Is there an impact assessment with regard to the pandemic?
- What measures has the TSP taken to maintain operations?
- What restrictions are there? Are some services not available?
- Have there been any customer complaints about the services?
- Can the TSP now and in the future confirm the fulfillment of all requirements from ETSI / eIDAS?
- When can an on-site audit take place from the point of view of the TSP?
Many of our cyber-security services, such as attacks on web applications, are usually already offered and carried out remotely. Consequently, there are no restrictions for customers.
If you are unsure whether the penetration test you require can be carried out at the moment, please feel free to contact us. We will then work out an individual solution with you and will certainly find the best possible approach for your company.
In the area of Common Criteria, we work with you to develop flexible and individual solutions. Please contact us. We will certainly find the best possible approach for your company.
An important prerequisite for the remote audit is the right hardware and software. What you need is a laptop or tablet with a stable Internet connection, a webcam, a headset and a conference tool, such as Skype for Business or Webex.