Integrated Management System Policy, Declaration of Impartiality

Effective from 24 September 2024

CCLab Ltd. and its Testing Laboratory "CCLab - The Agile Cybersecurity Laboratory" (hereinafter referred to as the "Laboratory" or "Laboratories"), operating as a separate organisational unit, strives to achieve the long-term satisfaction of its customers (Customers) as a reliable partner.

We provide a high level of quality service to help our customers (Clients) succeed in their business and protect the information they give us through our information security activities.

The primary task of the Laboratory is to provide our Customers (Clients) with test (assessment) results based on objective assessment methods. The Laboratory's accreditation area is a testing laboratory for the testing (evaluation) of software products. In addition to the accreditation field, the Laboratory's activities also include consultancy related to testing (evaluation), which is separated at the personnel level in our projects, while respecting the requirements of independence and impartiality.

As a consequence, the scope of the Lab's consultancy activities is strictly limited. Given that the Laboratories are required to carry out conformity assessments in an impartial and independent manner, the scope of the consultancy includes only the support provided in the preparation of the documents (so-called Developer Documents) required for the conformity assessment, as defined by the relevant standard. Thus, in the context of what is termed "consulting" in the field of cybersecurity, no employee of the Laboratory shall have been or be involved in the design, manufacture, installation, maintenance or marketing of a product under assessment by the Laboratory. The "consultancy" activity referred to in the CCLab and in the Laboratory's regulations and marketing material is therefore used only in the sense of preparing the documentation to be submitted by the client for the test (assessment), such as how to complete the complex and data-intensive application documents (e.g. Common Criteria ST, Common Criteria ALC, ADV, AGD documentation, Implementation eXtra Information for Testing - IXIT and Implementation Conformance Statement - ICS, etc.).

Consequently, and given the fact that all data must be provided by the client in the course of the advisory activity, self-review as a possible threat to impartiality is excluded.

The service level of CCLab Ltd. and the Laboratory shall at all times comply with the applicable regulations, the requirements of the certifiers and the Customers (Clients).

In the course of our work, we regularly set quality and information security objectives, the achievement of which we continuously monitor.

Integrated management system (quality and information security) objectives:

  • our services should cover the needs agreed in advance with our Customers (Clients),
  • our services are completed within the time agreed with the Customer (Client) and at the most economically efficient cost,
  • to keep the business information of our Customers (Clients) and the information they provide to us secure,
  • a continuous effort to identify and mitigate climate change-related conditions,
  • ongoing compliance with the standards that apply to us, successfully obtaining and maintaining accreditation from an external accreditation body,
  • continue to strive to achieve an average customer satisfaction rating of at least 4.5 on a scale of 5 in future projects,
  • to work impartially, independently and neutrally, free from outside influence (commercial, financial or other pressures), and on a strictly professional basis in the interests of our Clients,
  • the professional knowledge of colleagues in the laboratory is up-to-date and of high quality,
  • effective cooperation with supervisory bodies, Certification Authorities, in particular, but not exclusively, for the purpose of proper implementation of the requirements of the relevant testing (assessment) scheme/system and verification/accreditation of its implementation.

To achieve the above integrated management system objectives:

  • continuous self-monitoring through internal audits, data analysis, corrective action and management reviews,
  • in the light of the non-compliances detected, we will designate the relevant departments with the appropriate powers to introduce corrective measures and improve our procedures,
  • we pay particular attention to the supporting systems and documentation that accompany our workflows,
  • the management is committed to the application of leading professional practices and to the quality of the tests (assessments) carried out for the Customer (Client), the accuracy and reliability of the test (assessment) results,
  • the management ensures that the Laboratory's staff are familiar with the principles and procedures of the integrated management system, the quality documentation and that they apply the quality policy and procedures in their work,
  • ensure that the staff of the Laboratory receive regular professional training,
  • in terms of security, we are constantly working to prevent unauthorised intrusion, hacking, unauthorised access to our systems, intentional or accidental mistakes, damage,
  • we develop plans and procedures to deal with any incidents that may occur, taking into account the specificities of the systems to be protected, bearing in mind business continuity requirements,
  • we ensure the physical protection of our infrastructure and assets with modern technical equipment and trained professionals,
  • we operate a system based on a complex risk assessment, the primary aim of which is to identify and assess potential sources of danger and threats. In the event of an imminent risk, we take immediate action to minimise or eliminate these risks,
  • we take measures to prevent hazards and real incidents from occurring,
  • we use advanced IT solutions to enhance security, with the help of our security experts,
  • we make it a priority to understand, comply with and enforce applicable laws, regulations and data protection laws,
  • we train and encourage our staff to ensure that they are always up to standard and meet the safety requirements of our partners and their own company,
  • we expect our suppliers and subcontractors to comply with our security policies, maintain objectivity, impartiality, loyalty to our company and work in a secure environment, both physically and IT-wise,
  • we are constantly looking for ways to introduce more efficient and reliable procedures and tools,
  • regular inspections and the continuous presence of the Laboratory Manager ensure that our security policy objectives are achieved and that the relevant instructions and procedures are fully complied with by all concerned,
  • management is committed to continuously improving the collaboration infrastructure and to providing state-of-the-art tools (which facilitate the effective work of the staff involved in the study (evaluation)),
  • the management ensures that an organisational structure and organisational processes are in place where personal roles, authorities and responsibilities are well defined,
  • the management ensures that the integrated management system is maintained in good working order even when changes to the integrated management system are planned and implemented,
  • management reminds colleagues of the importance of meeting customer, legal and other regulatory requirements,
  • management ensures that investigations and service provision are conducted impartially, independently and neutrally, without external influence, and does not allow commercial, financial or other pressures to compromise impartiality.

CCLab Ltd. Management is committed to enforcing the CIA principles (Confidentiality, Integrity, Availability) as follows:

  • employees in any CCLab department shall keep confidential information obtained during the conformity assessment procedures. CCLab Ltd. shall inform all persons entering into a legal relationship with it of the scope of the data to be treated as confidential, the rules of confidentiality and the consequences of any breach of confidentiality.
  • management shall ensure that information and data obtained by employees during conformity assessment procedures are protected against damage, destruction, deletion, alteration and unauthorised access and shall provide the necessary conditions for this by establishing an appropriate IT infrastructure.
  • CCLab Ltd. will not disclose any information, data or documents to any third party without a lawful court order or official request relating to CCLab Ltd., its employees and/or customers. Client proprietary data, information and documents may only be disclosed with the written permission of the client and within the scope and in the manner specified in the permission.
  • all employees are required to keep confidential information and business secrets that come to their knowledge in connection with their employment, both during and after their employment. They must also ensure that confidential information is not disclosed or made available to third parties.

The CEO of CCLab Ltd. declares that he is committed to ensuring that the operations of CCLab - The Agile Cybersecurity Laboratory comply with ISO 9001, ISO/IEC 17025, ISO/IEC TS 23532-1, ISO/IEC 19896-1, ISO/IEC 19896-3 and ISO/IEC 27001. He is also committed to adhering to and enforcing the requirements of these standards and to continuously improving the effectiveness of the integrated management system.

Budapest, 24 September 2024.

Ferenc Tamás Molnár

CEO