1. To ensure that all internal and external personnel are fully informed of, and acknowledge, that "maintaining impartiality" is the organization's paramount operating principle, all engaged personnel and suppliers shall sign a declaration confirming that they have been so informed and have read this document.
2. The organization's certification fees are maintained as documented information. Any attempt to use certification fees, or similar leverage, to compromise the impartiality of the organization's certification activities shall not be accepted.
3. The organization's certification decisions are made solely on the basis of objective evidence of conformity or nonconformity obtained through audit activities and shall not be influenced by any other interests or external parties.
4. The organization has established documented certification and audit procedures to prevent the risk of related malpractice.
5. The organization has established CB-2-00041-Process of Risk Assessment and Internal Control, which incorporates threats to impartiality into the risk assessment process. The following sources of threat are treated as key reference indicators: self-interest, self-review, familiarity (or trust), and intimidation. Threats to impartiality may also arise from ownership, governance, management, personnel, shared resources, finances, contracts, training, marketing, and the payment of sales commissions or other incentives for introducing new clients.
6. To provide confidence in the integrity and reliability of certification, the organization makes the documents CB-3-21101-Management System Certification Service and CB-3-21103-Certification Service Master List available to the public; these describe the certification and audit service process. In addition, appropriate and timely information on the certification status of clients is published on the organization's website for public enquiry.
7. To gain or maintain confidence in certification, the organization also publishes specific, non-confidential audit conclusions on its website.
8. The organization's certification and audit activities shall be conducted impartially. Under no circumstances shall commercial, financial, or other pressures be permitted to compromise this impartiality. Relevant interested parties and risks affecting impartiality shall be assessed in the annual risk assessment and internal audit activities. To this end, the organization has established a Management System Steering Committee, representing the different interested parties, to assist in identifying such risks.
9. If a client receiving certification services from the organization becomes aware of any conflict of interest involving an auditor (for example, the auditor has provided consulting or internal audit services to the client within the past two years), the client shall promptly inform the organization, and the auditor concerned shall be recused from the certification audit activities. If the organization receives a report (such as a complaint or appeal), or independently discovers, that a client has failed to disclose a conflict of interest as required, the organization shall conduct an appropriate investigation.
10. No department or member of staff of the organization shall, during their tenure, provide management system internal audit or consulting services to any of the organization's certification clients. If any auditor has previously provided management system consulting services to a client, that auditor shall be excluded from all related audit activities for that client for a minimum of two years. The organization has established CB-4-20309-Code of Ethics Agreement, which all personnel (including auditors and external auditors) are required to sign. In addition, every auditor assigned to a certification case shall sign a declaration confirming that no conflict of interest exists with the certification client and that they have not, within the past two years, been employed by the applicant organization or provided it with consulting or guidance services. If any member of the organization is found to have an undisclosed conflict of interest, disciplinary measures shall be applied and the individual shall bear any resulting losses.
11. The organization shall not outsource any audit to a management system consulting organization. The organization shall not certify the quality management system of another certification body.
12. The organization's marketing activities and quotations shall not be linked to the activities of any management system consulting organization. If any management consulting organization states or implies that certification by the organization would be simpler, easier, faster, or less costly, the organization shall take immediate action to correct the inappropriate link or statement. The organization shall likewise not claim or imply that certification would be simpler, easier, faster, or less costly if a particular consulting organization is used.
13. The organization shall take active measures to address any threat to its impartiality arising from internal or external persons, bodies, or organizations, and shall never permit commercial, financial, or other pressures to compromise impartiality.
14. The organization has established documented risk assessment and internal audit procedures under which follow-up corrective actions for high-risk items, or for deficiencies identified during internal audits, are tracked, and senior management representatives are invited to management review meetings to confirm the assessment of the identified risks and the results of the subsequent actions. These procedures ensure that every department, and all internal and external personnel, can identify, record, and disclose any known situation that may give rise to a conflict of interest, so that the resulting threats to impartiality are identified and the likelihood of such conflicts is eliminated or minimized.
15. Conflict of interest (ISO/IEC 27006-1:2024, 5.2.1)
The organization may perform the following activities without these being considered consultancy or a potential conflict of interest:
a) Training – arranging and participating as lecturers in training courses, provided that, where such courses relate to information security management, management systems, or auditing, the organization confines itself to the provision of publicly available generic information and advice; i.e. it shall not give client-specific advice that would contravene b) below;
b) Interpretation of standards – making available or publishing, upon request, information describing the certification body's interpretation of the requirements of the certification audit standards;
c) Pre-audit activities – activities prior to audit aimed solely at determining readiness for a certification audit; such activities shall not result in recommendations or advice that would contravene this clause, and the organization shall confirm that they do not conflict with these requirements and are not used to justify a reduction in the eventual certification audit duration;
d) Second- and third-party audits – performing second- or third-party audits against standards or regulations outside the scope of accreditation;
e) Adding value – adding value during certification audits and surveillance visits, for example by identifying opportunities for improvement as they become evident, without providing specific solutions.
16. The organization shall not provide internal information security reviews of a client's ISMS that is subject to certification. Furthermore, the organization shall be independent of any body (including any individual) that provides internal ISMS audits to the client.
AiTC (愛台灣驗證股份有限公司), CEO: Gabriel Ger (葛皇濱)
Published online: 2025.09.18 / Document revised: 2025.09.18 / Document version: 1.2