Impartiality Statement — Guardian’s Procedural Integrity Framework

This Statement documents Guardian Assessment Pvt. Ltd.’s impartiality framework — the operational implementation of ISO/IEC 17065:2012 Clause 4.2 (Management of Impartiality), against which we are accredited by UAF (accreditation 52605385601, valid until 05 May 2030). The framework comprises structural separations, fee disciplines, consultancy boundaries, cooling-off periods, threat identification procedures, and stakeholder oversight that together constitute the procedural integrity protecting every certification decision Guardian takes. This Statement is publicly available per ISO/IEC 17065 Clause 4.6 (Publicly Available Information) and is reviewed by UAF during annual surveillance audits.

ISO/IEC 17065 Accredited
UAF Accreditation No. 52605385601
Valid until 05 May 2030

Guardian’s Commitment to Impartiality

Guardian Assessment Pvt. Ltd. operates as an ISO/IEC 17065-accredited product certification body. Impartiality is foundational to the validity of every certificate we issue. This Statement documents the structural, procedural, and operational measures by which Guardian identifies threats to impartiality, manages those threats, and maintains the procedural integrity that distinguishes accredited certification from any commercial relationship where the assessor’s revenue or interests depend on producing the outcome the buyer wanted.

The commitments documented in this Statement are not aspirational — they are operational requirements under our UAF accreditation, audited annually by UAF assessors during surveillance, and embedded in our scheme document GSA-PR-01, our internal procedures, and the Certification Agreements signed with every certified client. The Impartiality Programme is reviewed at least annually by Guardian’s Impartiality Committee and updated where threat-environment changes warrant revision. Material changes to this Statement are communicated to UAF and to certified clients in accordance with Cl. 8 (Management System Requirements).

Scope of This Statement

This Impartiality Statement applies to all activities Guardian conducts as a certification body — initial certification engagements, surveillance audits, change-driven re-evaluations, recertification engagements, and decisions on suspension, withdrawal or reinstatement. It applies across all Modules of the Guardian SecureApp™ scheme (Module A, Module B, Module C) and across all Levels (Level 1 Basic, Level 2 Advanced, Level 3 High-Risk / Critical).

The Statement also extends to Guardian’s standalone VAPT service in two specific respects: (1) the consultancy and remediation-guidance boundary applies equally — Guardian VAPT does not advise on remediation; (2) the 12-month cooling-off rule between Guardian VAPT and subsequent Guardian certification of the same product is the operational implementation of impartiality risk management for that boundary case. Section 3.7 below covers the cooling-off rule in detail.

Underlying Standard

This Statement implements ISO/IEC 17065:2012 Clause 4.2 (Management of Impartiality), which requires the certification body to identify, evaluate and manage threats to impartiality on an ongoing basis. Related clauses operationalised through this framework include: Clause 5 (Structural Requirements — independence and stakeholder oversight); Clause 7.6 (Certification Decision — decision-maker independence); and Clause 7.13 (Complaints and Appeals — recourse mechanisms). Readers researching the underlying standard can refer to /standards/iso-17065 for the ISO/IEC 17065 explainer.

Evaluation Team / Reviewer / Decision Authority

The most consequential structural impartiality safeguard in any 17065-accredited certification scheme is the three-way procedural separation: the people who evaluate the product, the person who reviews that evaluation, and the person who decides certification are three distinct roles. The same individual cannot perform all three on the same engagement. This separation is required by ISO/IEC 17065 — particularly Clauses 7.4 (Evaluation), 7.5 (Review), and 7.6 (Certification Decision) — and operationalised in Guardian’s procedures.

Role Definitions and Independence

Role: Evaluation Team
Function: Conducts the technical evaluation across Stage 3 (Documentation Review) and Stage 4 (Technical Evaluation). Composed of evaluators with the required Module + Level competencies. Issues findings and produces the Evaluation Report.
Independence Requirement: Cannot also be the Reviewer or Decision Authority for the same engagement. Cannot have provided consultancy on the certified product. Cannot have personnel, financial, or ownership relationships with the applicant.

Role: Reviewer
Function: Verifies that the evaluation has been conducted correctly, completely and consistently with the documented methodology (the Review activity per Cl. 7.5). Does not redo the evaluation; verifies its procedural integrity.
Independence Requirement: Cannot also be the Evaluation Team or Decision Authority for the same engagement. The Reviewer is appointed for procedural-integrity verification, not technical re-execution.

Role: Certification Decision Authority
Function: Takes the final certification decision (Grant, Defer, or Refuse) per Cl. 7.6. Reviews the Evaluation Report, the reviewer’s confirmation, and the closure status of all findings before reaching a decision.
Independence Requirement: Cannot also be the Evaluation Team or Reviewer for the same engagement. Has no contact with the applicant during the engagement. Has no commercial-relationship visibility and does not see fee status during decision review.

These role separations are not procedurally informal — they are documented, logged, and audited. UAF’s witness audits during accreditation surveillance verify that the separations are observed in practice on real engagements, not just in documented procedure. Where staffing constraints could otherwise compromise the separation, Guardian engages contracted independent evaluators or contracted Decision Authority personnel who satisfy the same independence requirements as employed staff. Contractor engagements are also subject to impartiality declarations and review by the Impartiality Committee.

Why This Separation Matters

In a private security assessment relationship, the same engineers who test a product typically also write the report and reach conclusions about it. There is no procedural separation between testing, verifying the testing, and deciding on its meaning. This produces decisions that are technically informed but procedurally informal — and procedurally informal decisions cannot carry the procurement-grade attestation weight that accredited certification carries.

Guardian’s three-way separation produces decisions that are both technically informed and procedurally formal. The Evaluation Team brings technical depth; the Reviewer brings methodology-integrity verification; the Decision Authority brings independent judgment that integrates evaluation evidence with contextual factors. The sum is a decision-making structure that procurement teams, regulators, and external auditors can rely on — not because Guardian asserts integrity, but because the structure produces it.

Stakeholder Oversight of the Impartiality Programme

Beyond the three-way procedural separation that operates on every individual engagement, Guardian maintains an Impartiality Committee that provides organisational-level oversight of the Impartiality Programme. The Committee’s role, composition, and operating discipline are described below. Together with the engagement-level separations, the Committee constitutes the structural oversight required under ISO/IEC 17065 Clause 5 (Structural Requirements).

Composition

The Impartiality Committee comprises three roles with stakeholder representation:

  • An independent chair — drawn from outside Guardian’s operational management. The independent chair brings external perspective and the structural authority to challenge management decisions where impartiality concerns warrant. The chair is appointed for renewable defined terms with appointment criteria documented in Guardian’s governance procedures.
  • A technical evaluator representative — a senior member of Guardian’s evaluation function who brings frontline visibility into how impartiality matters arise during real engagements. The evaluator representative ensures that operational realities encountered by evaluators are reflected in Committee deliberations rather than abstracted away.
  • An operational management representative — a member of Guardian’s leadership accountable for the operational implementation of Committee decisions. The management representative ensures that Committee decisions are translated into procedural reality and that operational constraints are factored into Committee deliberations.

Names of Committee members are not published as a matter of practice (consistent with how most certification bodies treat Impartiality Committee membership), but membership is recorded in Guardian’s internal governance records and reviewed by UAF during accreditation surveillance. Stakeholders who require Committee membership disclosure for legitimate due-diligence purposes — regulators, large enterprise procurement reviewers, accreditation peer reviews — may request it through the Complaints and Appeals procedure or directly through Guardian’s leadership.

Mandate

The Impartiality Committee’s mandate covers:

  • Annual review of the Impartiality Programme (this Statement and supporting procedures)
  • Review and approval of the Impartiality Risk Register, including identified threats and management actions
  • Review of impartiality declarations submitted by applicants and evaluators where the declarations raise concerns warranting Committee assessment
  • Review of significant impartiality matters identified during engagements, surveillance audits, complaints investigations, or external feedback
  • Authority to require amendment of procedures, suspension of engagements, or escalation to Guardian’s leadership where impartiality threats warrant action
  • Recommendation to Guardian’s leadership on annual revisions to this Statement and to the supporting procedures

Operating Discipline

The Committee meets at least annually for the Programme review, and meets ad hoc when significant impartiality matters require attention between scheduled meetings. Meeting outcomes are recorded in formal minutes; decisions are documented with rationale; dissent is recorded where it occurs. Committee records form part of the evidence UAF reviews during accreditation surveillance and during reaccreditation assessment at cycle end. The Committee’s authority is real — its decisions bind operational practice — and its independence from day-to-day operational management is maintained through the independent-chair structure and through documented escalation paths to Guardian’s board-level oversight.

Threats Guardian Identifies and Manages

ISO/IEC 17065 Clause 4.2 requires the certification body to identify threats to impartiality on an ongoing basis. Guardian maintains a documented Impartiality Risk Register that catalogues threat categories, evaluates their likelihood and impact, documents the management actions in place, and records residual risk after management. The Register is reviewed annually by the Impartiality Committee. The principal threat categories Guardian identifies are described below.

Threat Category: Financial Threat
What This Threat Is: The risk that fee structures, pricing pressure, or commercial-relationship economics could influence certification decisions in favour of the applicant.
Guardian’s Management: Fees are structured as work-based payments, payable regardless of outcome (Cl. 4.2). The Decision Authority does not see fee status during decision review. Standardised pricing eliminates negotiated pricing as a vector. See Section 3.5.

Threat Category: Personnel Threat
What This Threat Is: The risk that personnel relationships (including prior employment, family relationships, or friendships) between Guardian staff and applicant personnel could compromise objectivity.
Guardian’s Management: Mandatory impartiality declarations from all evaluators, reviewers, and Decision Authority personnel for every engagement. Disclosed relationships trigger Committee assessment; precluding relationships result in personnel reassignment.

Threat Category: Ownership Threat
What This Threat Is: The risk that ownership relationships (including investments, shareholdings, or parent-subsidiary structures) between Guardian or its personnel and applicants could compromise independence.
Guardian’s Management: Mandatory ownership disclosures from Guardian’s leadership and from personnel involved in certification decisions. Material ownership relationships preclude engagement; minor relationships are documented and reviewed by the Committee.

Threat Category: Prior-Engagement Threat
What This Threat Is: The risk that prior consultancy, advisory, or VAPT engagements between Guardian and the applicant on the same product could compromise certification impartiality.
Guardian’s Management: Guardian does not provide consultancy on certified products (the Cl. 4.2 boundary). A 12-month cooling-off period applies between Guardian VAPT and certification of the same product. See Section 3.7.

Threat Category: Competitive Threat
What This Threat Is: The risk that Guardian could be drawn into competitive dynamics between certified clients and their competitors through requests for differential treatment, intelligence-gathering, or scope manipulation.
Guardian’s Management: Standardised scoping criteria, standardised pricing, and standardised evaluation methodology. The Confidentiality Policy at /confidentiality precludes intelligence-sharing across applicants. Competing clients receive symmetric treatment.

Threat Category: Marketing / Promotional Threat
What This Threat Is: The risk that marketing arrangements, sponsorships, references, or testimonials could create commercial dependencies between Guardian and applicants.
Guardian’s Management: Guardian does not solicit or accept sponsorship from applicants or certified clients. Reference and testimonial use requires explicit case-by-case approval and is not negotiated as part of certification engagements.

Threat Category: Self-Review Threat
What This Threat Is: The risk that the same individuals who designed elements of the certification scheme also evaluate against those elements, reducing the external perspective that fresh evaluation provides.
Guardian’s Management: Development of scheme document GSA-PR-01 is separated from operational evaluation. Scheme review is conducted by a panel that includes external technical reviewers. Operational evaluators do not also own scheme development.

Threat Category: Familiarity Threat
What This Threat Is: The risk that long-term certification relationships through multiple cycles with the same client could erode the freshness of evaluation perspective.
Guardian’s Management: Evaluator rotation across engagements where capacity allows. Mandatory introduction of fresh evaluators on a defined cadence at recertification. Decision Authority continuity is managed separately to balance familiarity benefits with familiarity risks.

These eight threat categories are not exhaustive — the Impartiality Risk Register also tracks emerging threat categories (regulatory changes, technology-environment shifts, market-structure changes) where they create new impartiality concerns. Annual Register review by the Impartiality Committee ensures that the Register evolves with the operational environment. Stakeholders aware of impartiality threats not addressed in this Statement are encouraged to raise them through the Complaints and Appeals procedure (Section 3.9 below).

Why Fees Cannot Influence Decisions

ISO/IEC 17065 Clause 4.2 explicitly addresses fee handling — fee structures must not influence certification decisions. This is one of the most consequential structural impartiality safeguards in accredited certification, distinguishing it fundamentally from any commercial assessment relationship where the assessor’s revenue depends on producing the outcome the buyer wanted. Guardian’s operational implementation of fee impartiality has four components.

Fee-for-Work, Not Fee-for-Outcome

All fees are payable for work performed, regardless of outcome. Engagement fees are payable for the evaluation work conducted, whether the certification decision is Grant, Defer, or Refuse. Surveillance fees are payable for the surveillance audit work, whether the maintenance decision is Maintain, Conditional Maintain, or Suspend. There is no refund mechanism for unfavourable outcomes; there is no premium for favourable outcomes. Fees compensate Guardian’s evaluator capacity and procedural infrastructure; outcomes are determined separately by evaluation evidence.

Decision Authority Insulation

The Certification Decision Authority does not see fee status during decision review. The Decision Authority’s decision packet — the Evaluation Report, the reviewer’s confirmation, the closure status of all findings — does not include commercial-relationship information. The Authority decides on evaluation evidence; the commercial relationship is operationally insulated from the decision. This insulation is procedurally documented and audited by UAF during witness audits.

Standardised Pricing

Pricing is standardised across applicants for equivalent scope at equivalent Level. Guardian does not offer discretionary discounting beyond operational efficiency adjustments — combined surveillance bundling, multi-product coordinated scoping, recertification operational-familiarity discounts. The reasoning is impartiality-driven: discretionary commercial discounting could create pressure on certification decisions inconsistent with Cl. 4.2. Pricing transparency and consistency are themselves impartiality safeguards. The full fee structure is at /process/fees.

Late Payment Handling

Late payment beyond the cure periods defined in the Certification Agreement may be grounds for suspension per ISO/IEC 17065 Cl. 7.11 procedures. Critically, late payment does not affect the certification decision in any direction — the Decision Authority cannot grant a certificate to motivate fee payment, and cannot withhold a certificate to pressure fee payment. Guardian’s recourse for non-payment is the formal suspension and withdrawal procedure, not fee-driven decision pressure. The procedure is documented, applied consistently, and audited.

The boundary in concrete terms: An applicant who pays promptly and remediates findings well will move through their cycle smoothly because the engagement is well-managed — not because Guardian gives them favourable treatment. An applicant who disputes fees while the engagement is active does not have their certification decision affected by the dispute — the decision is made on evaluation evidence by an independent Decision Authority procedurally insulated from the commercial relationship. This is engineered structural integrity, not aspiration.

Why Guardian Does Not Advise on Fixing Findings

ISO/IEC 17065 Clause 4.2 prohibits a certification body from providing consultancy that creates an impartiality threat — particularly consultancy on the same products the body certifies. Guardian’s operational implementation of this boundary is straightforward: Guardian does not advise on remediation. Findings are issued; the certified client remediates; Guardian re-verifies. The boundary applies equally during initial certification engagements, during surveillance audits, during change-driven re-evaluations, and during the standalone Guardian VAPT service.

What This Boundary Means in Practice

During Stage 4 Technical Evaluation of a certification engagement, Guardian’s evaluators identify and document findings — issue description, evidence, severity, standards mapping. They do not provide guidance on how to fix the findings. They do not recommend specific corrective actions. They do not produce remediation plans. They do not review applicant-proposed remediation approaches before remediation is implemented. Where applicants ask ‘how should we fix this?’, the evaluator’s response is to confirm receipt of the question and confirm that Guardian does not provide remediation guidance — and to suggest that applicants engage independent security consultants or rely on internal engineering capability.

This boundary applies equally to VAPT engagements. Guardian VAPT is technical findings reporting; we do not provide remediation guidance as part of VAPT just as we do not provide it as part of certification. The discipline is consistent across services; that consistency is itself an impartiality safeguard, ensuring that no class of Guardian engagement could be structured to provide consultancy benefits that subsequent engagements could not be impartial about.

Why This Matters Structurally

If Guardian advised on remediation, every subsequent re-verification, surveillance audit, or recertification would be evaluating the applicant’s implementation of Guardian’s own advice. Even where the advice was independent and the implementation was applicant-driven, the structural relationship — provider advised, provider evaluates — would create an impartiality threat that procedural separation alone could not fully resolve. The boundary prevents the threat from arising rather than relying on procedural compensations.

The boundary also clarifies role boundaries with independent security consultants. Guardian is the certification body; security consultants are advisors. Where applicants need both certification (Guardian) and remediation guidance (consultants), they engage both — and the consultants who advise on remediation cannot also be the body that certifies. Many large certification engagements involve a consultant providing pre-engagement security review and remediation guidance, alongside a certification body conducting the formal evaluation. The two functions are complementary; they are appropriately separated.

Where the Boundary Does Not Apply

Procedural questions during engagements — clarification of finding scope, request for additional reproduction evidence, clarification of standards-mapping rationale, clarification of severity classification — are not consultancy and are not bounded. Guardian’s evaluators answer procedural questions to the extent needed for the applicant to understand the finding. The boundary is between explaining what the finding is (within scope) and advising how to fix it (outside scope). The line is judgment-based but consistently applied; evaluators are trained on the distinction.

Between Guardian VAPT and Subsequent Certification

Guardian Assessment Pvt. Ltd. cannot accept an application for Guardian SecureApp™ certification of a product within 12 months of completing a VAPT engagement on the same product. The 12 months is calculated from the date of the Technical Findings Report (or the final re-verification confirmation, whichever is later) to the date of the certification application. This rule is the operational implementation of impartiality risk management for the prior-engagement threat category (Section 3.4 above) when the prior engagement is Guardian’s own VAPT service.

Why the Cooling-Off Period Exists

Even where Guardian VAPT is conducted with rigorous separation — no remediation guidance, no advisory beyond findings reporting (Section 3.6 above) — the structural relationship between provider and product creates an impartiality concern that procedural separation alone cannot fully resolve. The 12-month cooling-off allows the relationship between Guardian and the product to reset before certification can proceed without compromising the certification’s procurement-grade integrity.

The rule is not based on a specific threat that surfaces in any particular Guardian VAPT engagement; it is a structural safeguard applied uniformly to all VAPT engagements. Uniform application is itself an impartiality discipline — case-by-case judgments about whether a specific VAPT-then-certification sequence creates impartiality threat would themselves create impartiality concerns (the judgment becoming the vector for influence). The uniform 12-month rule eliminates that judgment-based vector entirely.

What the Rule Covers and What It Does Not

The 12-month rule applies to:

  • Guardian VAPT engagement on Product X, followed by Guardian SecureApp™ certification application for Product X — the canonical case the rule governs.
  • Guardian VAPT engagement on Product X (where Product X is part of a broader platform), followed by Guardian SecureApp™ certification application for the broader platform that includes Product X — the rule applies to the certification scope that overlaps the VAPT scope.

The rule does not apply to:

  • Guardian VAPT on Product X followed by Guardian SecureApp™ certification of a separate Product Y — different products are independent engagements.
  • Guardian SecureApp™ certification preceding subsequent Guardian VAPT — the impartiality concern flows in one direction (VAPT first, certification second). Existing certified clients should not engage Guardian VAPT during their certification cycle, but this is an operational and Mark Usage matter rather than the cooling-off rule’s domain. Where existing certified clients want supplementary technical testing, this is discussed with the Decision Authority for guidance.
  • VAPT engagements with non-Guardian providers followed by Guardian certification — the rule applies only to Guardian’s own prior VAPT engagements. Where applicants want pre-certification VAPT followed by Guardian certification within a tight timeline, engaging non-Guardian VAPT providers is the appropriate path.

After the Cooling-Off Period

Once the 12-month cooling-off period expires, the applicant is free to apply for Guardian SecureApp™ certification of the same product. The prior VAPT engagement is not held against the application — application review proceeds normally per Cl. 7.3. The certification engagement, if approved, runs through the standard five-stage structure described on /process/stages. The full operational detail of the cooling-off period — including alternative paths within the period, planning implications, and FAQs — is documented at /services/vapt Section 3.6. This Statement reinforces the rule as the principal disclosure of how Guardian manages the prior-engagement impartiality threat.

How the Programme Is Maintained and Verified

This Statement is not a static document — it is the public face of an operational Programme that is monitored, maintained, and externally verified on an ongoing basis. The monitoring and verification activities described below produce the ongoing assurance that the Programme is operationally real, not just procedurally documented.

Internal Monitoring

Guardian’s internal monitoring activities include: per-engagement impartiality declaration review (every evaluator, reviewer, and Decision Authority personnel submits a declaration before engaging on each certification engagement); ongoing impartiality awareness training for all certification personnel; quarterly review by the Impartiality Committee of any impartiality matters that surfaced during the period; annual full review of the Impartiality Risk Register by the Committee; and continuous logging of impartiality-relevant decisions and actions for traceability.

UAF Surveillance Audits

UAF — Guardian’s accreditation body — audits the Impartiality Programme during annual accreditation surveillance. Surveillance audits cover documentation review (this Statement, supporting procedures, the Impartiality Risk Register, declaration records, Committee minutes), interviews with certification personnel, and witness audits where UAF assessors observe Guardian conducting actual certification work. Witness audits verify that the impartiality safeguards described in this Statement are observed in practice on real engagements — the strongest form of external verification accreditation can provide.

Reaccreditation Assessment

At the end of each accreditation cycle (Guardian’s current cycle runs to 05 May 2030), reaccreditation includes comprehensive reassessment of the Impartiality Programme as part of the broader 17065 reassessment. Continued accreditation depends on continued demonstrated compliance with Cl. 4.2 and the related impartiality requirements.

External Feedback Channels

In addition to UAF’s surveillance, Guardian receives external feedback on the Impartiality Programme through the Complaints and Appeals procedure (Section 3.9 below) and through the public-disclosure-driven scrutiny that comes from publishing this Statement. Complaints relating to impartiality are taken seriously and trigger Committee investigation. Where investigation reveals weaknesses in the Programme, this Statement and the supporting procedures are updated and the changes communicated.

Public Updates

Material changes to this Statement are dated and versioned. The Document Header at the top of this page records the current version and issuance date. Prior versions are archived and available on request. Stakeholders who have referenced this Statement in their procurement processes or audit programmes can verify the current version and confirm any material changes since their last reference.

Recourse for Stakeholders

Stakeholders who become aware of impartiality concerns relating to Guardian’s certification activities — actual or apparent — are encouraged to raise them. Recourse is structured, accessible, and not subject to retaliation. The available paths are described below.

Through the Complaints and Appeals Procedure

Guardian operates a documented Complaints and Appeals procedure under ISO/IEC 17065 Clause 7.13, accessible at /complaints-appeals. Impartiality concerns are an explicit category of complaint that the procedure handles, with investigation conducted by personnel independent of the matter complained about and with structured escalation to the Impartiality Committee where investigation reveals concerns warranting Committee attention. The procedure is available to:

  • Applicants and certified clients raising concerns about engagements that affect them
  • Third parties — competitors of certified clients, end-users of certified products, peer certification bodies, accreditation bodies, regulators — raising concerns about Guardian’s certification activities
  • Members of the public raising concerns about specific Guardian decisions or about the Programme generally

There is no fee for raising a complaint. Complaints can be raised pseudonymously where the complainant prefers, with appropriate procedural adjustments to verify substance without identifying the complainant.

Through Direct Contact with the Impartiality Committee Chair

For impartiality concerns that the complainant believes warrant direct attention from the Impartiality Committee — bypassing operational management — the complainant may request that their complaint be routed directly to the independent chair of the Impartiality Committee. This route is appropriate where the concern relates to operational management itself, where the standard Complaints procedure would create a conflict of interest, or where the concern’s sensitivity warrants direct senior attention. Requests for direct chair routing are submitted through /complaints-appeals with appropriate flagging.

Through UAF

Guardian is accredited by UAF, and UAF maintains its own complaints and feedback procedures relating to accredited certification bodies. Stakeholders who wish to raise impartiality concerns directly with UAF — for example, where the concern is that Guardian’s internal complaints handling itself is inadequate — may contact UAF at uafaccreditation.org. UAF is a member of the IAF, and IAF maintains additional escalation paths for accreditation-body-level concerns. Information on raising concerns through UAF and IAF is at our /accreditation page.

Non-Retaliation Commitment

Guardian commits to non-retaliation against complainants. Raising an impartiality concern — through any of the channels above — does not affect any current or future certification engagement, surveillance audit, or commercial relationship between Guardian and the complainant. Non-retaliation is a documented procedural commitment and is verified during UAF surveillance through review of complaints handling records.

Closing commitment: Impartiality is not a feature Guardian markets — it is the foundational integrity of every certificate we issue. The procedures and commitments described in this Statement exist because accredited certification has no value without them. Stakeholders are entitled to verify that the Statement is operationally real; we welcome that verification through any of the recourse channels described above. The procedural integrity Guardian provides is what distinguishes accredited certification from any commercial assessment, and protecting that integrity is what we are accredited to do.

Common Questions, Answered

Clause 4.2 is the impartiality requirement of ISO/IEC 17065:2012, the international standard for product certification bodies. It requires Guardian to identify, evaluate and manage threats to impartiality on an ongoing basis. The clause matters because impartiality is the foundational integrity of accredited certification — what distinguishes a Guardian SecureApp™ certificate from any commercial assessment relationship where the assessor’s revenue or interests could depend on producing the outcome the buyer wanted. This Statement is Guardian’s documented operational implementation of Cl. 4.2.

An independent Certification Decision Authority — distinct from the Evaluation Team that performed the testing and from the Reviewer who verified the methodology. This three-way procedural separation is required by ISO/IEC 17065 Clauses 7.4, 7.5 and 7.6. The Decision Authority reviews the Evaluation Report and the reviewer’s confirmation, and reaches one of three outcomes: Grant, Defer, or Refuse. The Decision Authority does not see fee status during decision review and has no contact with the applicant during the engagement.

No. Per ISO/IEC 17065 Cl. 4.2, fees do not influence certification decisions in any direction. Fees are payable for work performed regardless of outcome — Grant, Defer, or Refuse. The Decision Authority does not see fee status during decision review. Pricing is standardised across applicants for equivalent scope. Late payment is handled through formal suspension procedures, not through decision pressure. The structural insulation of fee handling from decision-making is one of the most consequential features of accredited certification.

Guardian cannot accept an application for Guardian SecureApp™ certification of a product within 12 months of completing a VAPT engagement on the same product. The 12-month period runs from the Technical Findings Report date (or the final re-verification date, whichever is later) to the certification application date. The rule manages the prior-engagement impartiality threat — even where Guardian VAPT is conducted with rigorous separation, the structural relationship between provider and product creates a concern that the cooling-off period allows to reset. The full operational detail is at /services/vapt Section 3.6.

No. Guardian issues findings; the certified client remediates; Guardian re-verifies. Guardian does not advise on how to fix specific findings — that would compromise impartiality (Cl. 4.2). The boundary applies equally during initial certification, surveillance audits, change-driven re-evaluations, recertification, and the standalone Guardian VAPT service. Applicants who need remediation guidance should engage independent security consultants or rely on their own internal engineering capability.

The Impartiality Committee is the organisational-level oversight body that governs Guardian’s Impartiality Programme. It comprises three roles: an independent chair (drawn from outside Guardian’s operational management), a technical evaluator representative (frontline visibility), and an operational management representative (implementation accountability). The Committee meets at least annually for Programme review and ad hoc when significant impartiality matters require attention. Its mandate covers Programme review, Risk Register oversight, impartiality declaration review where escalated, and authority to require procedural amendments.

No. Guardian does not provide consultancy on certified products — this is a direct prohibition under ISO/IEC 17065 Cl. 4.2 (separation of consultancy from certification). The boundary protects the integrity of certification: if Guardian advised on a product’s design or remediation and then certified that product, the structural relationship would create an impartiality threat that procedural separation could not fully resolve. Where you need consultancy, engage independent security consultants; where you need certification, engage Guardian (or another 17065-accredited certification body).

All Guardian evaluators submit mandatory impartiality declarations before being assigned to each certification engagement, disclosing any personnel relationships — prior employment, family relationships, friendships — with applicant personnel. Disclosed relationships trigger Impartiality Committee assessment. Material relationships preclude the evaluator from working on that specific engagement; minor relationships are documented and reviewed. The same discipline applies to Reviewers and Decision Authority personnel. The objective is to ensure that personnel relationships do not become vectors for impartiality compromise.

Raise it through the Complaints and Appeals procedure at /complaints-appeals. Impartiality concerns are an explicit category that the procedure handles, with investigation conducted by personnel independent of the matter complained about and structured escalation to the Impartiality Committee where investigation reveals concerns warranting Committee attention. There is no fee for raising a complaint. Complaints can be raised pseudonymously where preferred. Guardian commits to non-retaliation against complainants — a documented commitment verified during UAF surveillance.

No. Guardian does not solicit or accept sponsorship from applicants or certified clients. The marketing/promotional impartiality threat (Section 3.4) is managed by precluding the commercial dependencies that sponsorship arrangements create. Reference and testimonial use requires explicit case-by-case approval through documented procedures and is not negotiated as part of certification engagements. The discipline ensures that no marketing or commercial arrangement could create pressure on certification decisions.

Through annual surveillance audits that include documentation review (this Statement, supporting procedures, the Impartiality Risk Register, declaration records, Impartiality Committee minutes), interviews with certification personnel, and witness audits where UAF assessors observe Guardian conducting actual certification work. Witness audits verify that the impartiality safeguards described here are observed in practice on real engagements — the strongest form of external verification accreditation can provide. Reaccreditation at cycle end (next due 05 May 2030) includes comprehensive reassessment.

A documented internal register that catalogues threat categories Guardian identifies, evaluates their likelihood and impact, documents the management actions in place, and records residual risk after management. The Register is maintained by Guardian’s leadership and reviewed annually by the Impartiality Committee. Section 3.4 of this Statement summarises the principal threat categories captured in the Register. The Register itself is internal documentation reviewed by UAF during accreditation surveillance, not published publicly — but the threat categories addressed in the Register are summarised in this public Statement.

The Impartiality Committee’s authority is real — its decisions bind operational practice. Guardian’s leadership cannot informally override Committee decisions on impartiality matters. Where leadership disagrees with a Committee decision, the disagreement is escalated through documented governance channels with appropriate transparency. The Committee’s independence is maintained through the independent-chair structure and through the procedural authority documented in Guardian’s governance records. UAF surveillance reviews these governance records as part of accreditation oversight.

Both, in two specific respects. First, the consultancy and remediation-guidance boundary (Section 3.6) applies equally to VAPT — Guardian VAPT does not advise on remediation. Second, the 12-month cooling-off rule (Section 3.7) is the operational implementation of impartiality risk management for the VAPT-then-certification boundary case. The three-way procedural separation, the Impartiality Committee, and most other elements of this Statement are specific to certification engagements (because VAPT does not produce a certification decision). The Statement names the specific applicability boundaries explicitly.

Reviewed at least annually by the Impartiality Committee; updated when material changes to the Programme warrant. Material changes are versioned, dated, communicated to UAF, and communicated to certified clients in accordance with Cl. 8 (Management System Requirements). The Document Header at the top of the page records the current version and issuance date. Prior versions are archived and available on request — stakeholders who have referenced this Statement in procurement or audit processes can verify version-currency before re-referencing.

At UAF’s own directory at uafaccreditation.org. Guardian’s accreditation number is 52605385601, valid from 06 May 2026 to 05 May 2030. UAF’s directory is the authoritative public record of Guardian’s accreditation; verifying through UAF directly is independent of any document Guardian produces. Our /accreditation page provides additional context on the accreditation framework, including UAF’s IAF MLA scope and how the layered accreditation system produces internationally recognised certification.

Ready to Get Started?

Apply for Certification

Submit a formal application. Initial response within 5 working days.


Request a Quote

Tell us about your product. Indicative quote within 3 to 5 working days.


Talk to Our Team

Specific question or regulatory driver to discuss?
