Confidentiality

Any client information acquired or created by MQAS during information gathering, audit, the certification process or otherwise shall be kept confidential and shall not be divulged to any third party. To this effect:

  • Personnel, including any committee members, contractors, personnel of external bodies or individuals acting on MQAS's behalf, shall keep confidential all information obtained or created during the performance of the certification body’s activities, except as required by law. This shall be applicable to all MQAS personnel and to any outside organization that MQAS may employ for a particular piece of work.
  • All personnel of MQAS shall execute a Non-Disclosure Agreement with MQAS.
  • Any outside organization working on behalf of MQAS shall execute an NDA with MQAS covering confidentiality for MQAS and for the client for which the outside organization has been engaged.
  • MQAS or the outside organization working on behalf of MQAS shall abide by the security requirements of the clients.
  • MQAS shall ensure the safe handling and storage of confidential information.
  • MQAS shall not disclose any information about a client or individual to a third party without obtaining prior written permission. In case the information is legally required by a third party, the client or individual shall, unless regulated by law, be notified in advance.
  • Information received from other sources (Regulator, complaints) about the client shall also be treated as confidential and shall be dealt with as per policy.
  • In case any hard copies of client records are collected for the purpose of audit, they will be kept under lock and key. They will be returned at the earliest when there is no further need.
  • In case soft copies of client records are collected, they will be stored on PCs that are secured by user ID and password. They will be removed at the earliest when there is no further need.
  • Access to organizational records:
    • Before the certification audit, MQAS shall ask the client to report if any ISMS-related information (such as ISMS records or information about the design and effectiveness of controls) cannot be made available for review by the audit team because it contains confidential or sensitive information. MQAS shall determine whether the ISMS can be adequately audited in the absence of such information. If MQAS concludes that it is not possible to adequately audit the ISMS without reviewing the identified confidential or sensitive information, it shall advise the client that the certification audit cannot take place until appropriate access arrangements are granted.