Security Policy
RG, maintains a unified security and records management policy to ensure that all certification data is handled in accordance with ISO/IEC 17024:2012. The purpose of this policy is to guarantee that information related to applications, examinations, certification decisions, surveillance, and recertification is properly documented, protected, and available when required. By applying strict controls, the certification body safeguards confidentiality, integrity, and availability of records while ensuring transparency and traceability in every decision.
This policy applies to all personnel, contractors, and committee members engaged in certification activities. Records include candidate applications, eligibility assessments, exam papers and results, certification approvals, complaints and appeals, and personnel competence files. All records, whether physical or electronic, are stored securely and access is restricted to authorized staff.
Information security measures combine electronic, physical, and procedural safeguards. Electronic records are protected through encryption, multi-factor authentication, and secure backups. Physical records are kept in locked storage with controlled access, while cybersecurity measures such as penetration testing and system updates are applied to prevent breaches. Availability is ensured through regular backups and, where legally permissible, a public registry of certified individuals to verify certification status. Retention periods are defined—candidate records are kept for ten years, examination records for five—and disposal is carried out securely by shredding or digital deletion, with a disposal log maintained for transparency.
RG reviews this policy annually or whenever regulatory changes occur. Staff are trained regularly to ensure compliance, and all amendments are documented. The organization is committed to verifying certification status upon request, publishing scheme information openly, and ensuring that all communications and promotional materials are accurate and not misleading. In this way, the policy provides a clear, concise framework for managing records and protecting data, fulfilling both accreditation requirements and the trust placed in the certification body.