Certification Schemes Assessment Methodology (CSAM)
The Certification Schemes Assessment Methodology (CSAM) is an efficient methodology for assessing and comparing the quality and reliability of diverse certification schemes on the basis of factual criteria. It is focused on certification schemes related to data protection and data regulatory compliance, but it can be adapted and extended to other categories of certification schemes. It takes into consideration the different dimensions listed below.
Requirements for a Reliable Certification Scheme
For a certification scheme to be trustworthy and reliable, it must satisfy several key requirements:
- Legal validity: is it formally recognized by law? There is a fundamental difference between: (1) home-made criteria, (2) criteria developed by a standardization body, and (3) criteria that have been formally and officially recognized as legally valid by law or by the competent data protection authority.
- Comprehensiveness: does it cover all obligations, or does it have blind spots? It may be tempting for a certification scheme to focus only on part of the regulatory obligations. That can make the certification lighter to implement, but it constitutes a major weakness that exposes companies to legal, financial and reputational risks. A good indication is the number of controls: the more comprehensive the scheme, the more effectively it reduces your risks.
- Applicability scope: is it applicable to all data processing, or only to specific data processing? A certification scheme may be recognized only for specific roles (e.g. only for data processors) and/or for specific data processing activities. The more restricted the scheme is, the less you can use it as a common reference for all your data processing, and the more costly it will be to handle heterogeneous requirements.
- Geographic scope: how widely is the scheme recognized? A certification scheme may be recognized: (1) only in a single country, (2) in a single continent, or (3) across several continents. The larger the geographic scope, the better, as it extends the recognition of your certification to a larger number of authorities.
- Compliance monitoring: does it require someone to be in charge of compliance? A certification attests that a given target of evaluation was compliant with the criteria of the scheme at the time of the audit. Ensuring continuous compliance requires at least one person to be in charge of it. A reliable scheme shall require the applicant's organisation to have such a person in charge.
- No customer lock-in: does it allow you to choose among diverse service providers? A certification scheme may be developed by a single company that sells services based on its own scheme. It may be delivered by a few service providers or by a large ecosystem of service providers. A monopolistic position of the certification body constitutes a risk for the applicant in terms of quality of service, costs, and dependency.
- Documentation access: how accessible is the documentation? Preparing for certification requires access to training, documentation and support. A lack of support or documentation may hinder the ability to adequately prepare for a certification and will increase the risk of diverging interpretations between the auditors and their clients.
- Implementation support: how much support can you get? Preparing for certification may require external support. A lack of external support may hinder the ability to adequately prepare for a certification.
The formal specification of the CSAM methodology is available on the Europrivacy community website: https://community.europrivacy.com.