What Will Happen to My ISO Certificate During a Global Pandemic?

David Forman, Managing Principal, Coalfire ISO, Inc.

As the coronavirus outbreak continues and safety concerns relating to travel and large group meetings increase globally, Coalfire ISO (“CFISO”) has been monitoring the effects of this crisis on both its customers and its employees. As a certification body, CFISO maintains accreditation with both the ANSI National Accreditation Board (ANAB) and the United Kingdom Accreditation Service (UKAS). Both governing bodies have been proactive in their responses to this developing worldwide event and have issued guidance to certification bodies referenced below.

As a response to these notices, CFISO will be taking the following steps in accordance with IAF ID 3 effective immediately for all certified or applicant organizations with planned audits to be executed through December 31, 2020.

  • At the discretion of either/both the appointed Lead Auditor or the organization under review by CFISO, the option to revise the walkthrough activities from an onsite assessment to a remote audit via the use of web-conferencing (incl. video, phone, screensharing) technologies is now permissible.
  • For surveillance audits, certificate continuance deadlines will be extended to the end of the 2020 calendar year should both normal audit procedures and remote auditing options be rejected as communicated by the certified organization. If a continuance decision is still not awarded by CFISO as of December 31, 2020, suspension procedures in accordance with the binding certificate agreement between the certified organization and CFISO will be enforced.
  • For recertification audits and when both normal or remote auditing procedures are not possible, certificates will be granted a one-time extension for a period of six months in accordance with ANAB Heads Up 448 when a legally-enforceable contract between CFISO and the certified organization is in place.
  • For any audit program where onsite time is unable to be met in accordance with accreditation standards, such as ISO/IEC 27006 and IAF MD 5, during this period, CFISO may revise its multi-year audit program during subsequent reviews to account for additional onsite auditor time and physical site sampling requirements per IAF MD 1.

To participate in these revised audit procedures, we ask the certified or applicant organization to contact the appointed Lead Auditor for your engagement and provide written confirmation of the request for a remote audit via the use of technologies described above while citing justifications directly related to the coronavirus outbreak.

Please be aware that we have also extended these same allowances to our CFISO staff understanding that the coronavirus and its effects could have similar consequences for our employees. While an applicant or certified organization may choose to proceed with onsite audit activities, the audit team at the discretion of the appointed Lead Auditor will still retain the option to modify the audit plan and execute these activities remotely.

At the core of this bulletin, we want to communicate a message of safety and solidarity recognizing that there are still large amounts of information that is unknown pertaining to the extent of this global event. Our wish for all of our customers and staff is to alleviate concerns relating to certificate programs during this difficult time and to continue to anticipate the needs of our interested parties as we learn more.

If there are any questions with regards to the content of this communication, please contact your appointed Lead Auditor or myself at David.Forman@coalfire.com.

David Forman


David Forman — Managing Principal, Coalfire ISO, Inc.

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS