GUARDIAN SECUREAPP™ · CERTIFICATION CYCLE
Surveillance & Recertification — Maintaining Your Certification Through the Cycle
A Guardian SecureApp™ certificate is valid for a 3-year cycle — but the procurement-grade assurance signal it carries is maintained through ongoing surveillance, structured change notification, and disciplined cycle-end recertification. This page describes how the cycle actually works: what surveillance audits cover (lighter than the initial engagement; substantive enough to detect drift), when you must notify Guardian of product changes, the grounds and procedures for suspension or withdrawal where they arise, and what to expect at recertification when the cycle ends. Surveillance cadence and depth scale by Level — annual at Levels 1 and 2, semi-annual at Level 3 — reflecting the higher assurance signal Level 3 carries to the market.
The 3-Year Certification Cycle
How the Cycle Works End to End
A Guardian SecureApp™ certificate is granted for a 3-year cycle. The cycle starts on the certificate’s issue date (Year 0) and runs to its expiry date (Year 3). Through these three years, the certificate’s procurement-grade assurance signal is maintained by three intersecting mechanisms: scheduled surveillance audits at Level-appropriate cadence, the certified client’s obligations to notify Guardian of significant product changes, and Guardian’s ability to suspend or withdraw certification where the certified state is no longer demonstrably maintained. At cycle end, recertification — a fresh full evaluation — renews the certificate (or, where the criteria are no longer met, terminates it).
This 3-year cycle is the unit of certification. Mature certified clients treat the cycle as one continuous relationship rather than as discrete events: the initial engagement establishes the certificate; surveillance maintains it; change notification keeps Guardian aware of material developments; recertification renews it. Procurement teams reading the certificate know that what they are seeing is not just a point-in-time test from years ago — it is a continuously maintained signal, with the next confirming event always within months. This continuity is precisely what distinguishes accredited certification from a one-off security assessment.
The cycle structure is required by ISO/IEC 17065:2012, principally Clauses 7.9 (Surveillance), 7.10 (Changes affecting certification), and 7.11 (Termination, reduction, suspension or withdrawal of certification). These clauses define the procedural backbone within which Guardian operates the cycle; the operational specifics — cadence, scope, fees — are defined in our scheme document GSA-PR-01 and in the Certification Agreement signed at the start of each cycle. The remainder of this page describes the operational specifics.
Surveillance: What It Is and What It Is Not
The Lighter Audit That Maintains the Signal
Surveillance is the term ISO/IEC 17065 uses for the periodic audits Guardian conducts during the certification cycle to confirm that the certified state continues to be maintained. It is one of the most consequential differences between accredited certification and one-off assessment — and it is also one of the most commonly misunderstood. The most useful framing is what surveillance is, and what it is not.
What Surveillance Is
Surveillance is a structured audit conducted at Level-appropriate cadence (Section 3.3 below) that examines whether the certified product continues to meet the criteria against which it was originally certified. It includes documentation review, targeted technical re-verification of the most consequential controls, review of any material changes notified during the period, review of any incidents or near-misses, and verification that the certification mark is being used correctly. Surveillance produces a Surveillance Report that informs Guardian’s decision to maintain, suspend, or in serious cases withdraw the certificate.
Surveillance is conducted by Guardian’s evaluation team — typically including evaluators familiar with the product from the initial engagement, where capacity allows. Continuity of evaluator familiarity makes surveillance more efficient (less ramp-up time) and more substantive (the evaluators recognise drift more readily). Where the original team cannot be reused (personnel changes, capacity), new evaluators are briefed using the prior engagement’s Evaluation Report and any subsequent surveillance reports.
What Surveillance Is Not
Surveillance is not a full re-evaluation. It does not redo the depth of the initial Stage 4 technical evaluation; it does not re-test every ASVS requirement or every API Top 10 category from scratch. The substantive depth of testing is concentrated on the highest-risk controls and on areas where change has been notified or detected. This is by design — a full re-evaluation every six or twelve months would be disproportionate to the risk-based assurance the certificate represents and would be operationally unsustainable for both Guardian and certified clients.
Surveillance is also not a recertification. Recertification (Section 3.7 below) is the cycle-end fresh evaluation that produces the next 3-year certificate. Surveillance maintains the current certificate; recertification renews it for the next cycle. The two activities are different in scope, depth, fees and outcome — Surveillance produces a maintenance decision; recertification produces a new certificate.
Finally, surveillance is not optional. It is a Certification Agreement obligation; missed or refused surveillance is grounds for suspension or withdrawal of certification. Surveillance scheduling is communicated by Guardian with appropriate lead time; certified clients are expected to make engineering and security personnel available as required. Where genuine scheduling conflicts arise (major release windows, regulatory audits, etc.), Guardian and the certified client can agree a rescheduled window — but surveillance cannot simply be skipped.
Why surveillance matters to procurement: Procurement teams reading a certificate are not just verifying that an evaluation happened at issue. They are verifying that the certificate has not gone stale — that the assurance signal is current. Surveillance is what makes ‘current’ meaningful. A certificate with a recent surveillance pass carries more procurement weight than a certificate whose last touchpoint was the original engagement two-and-a-half years ago. The continuous maintenance is the value, not the issuance.
Surveillance Cadence and Scope by Level
How Often, How Deep, by Level
Surveillance cadence and scope scale by Level — reflecting the higher assurance signal Level 3 carries and the correspondingly more substantive ongoing work required to maintain it. The table below summarises cadence and indicative scope per Level. Detailed scoping of each surveillance audit is communicated to the certified client at scheduling time, typically 4–6 weeks before audit commencement.
| Level | Cadence | Indicative Duration | Indicative Scope |
|---|---|---|---|
| Level 1 (Basic) | Annual (one audit per year) | 3–5 business days per audit | Documentation refresh review · Targeted re-verification of high-risk controls (authentication, session management, access control basics) · Review of any change notifications · Mark usage check |
| Level 2 (Advanced) | Annual (one audit per year) | 5–8 business days per audit | Documentation review with deeper architecture confirmation · Multi-role authenticated re-verification of key flows · Review of change notifications and impact assessment · API gateway / configuration drift check · Sample-based re-test of select ASVS V2 / V4 / V8 / V9 controls · Mark usage check |
| Level 3 (High-Risk / Critical) | Semi-annual (two audits per year) | 8–12 business days per audit | Comprehensive documentation refresh · Multi-role + chained-attack re-verification · Threat-model review for new threats and adversaries · Mandatory review of all major releases since last surveillance · Adversarial control re-test on highest-priority controls · Incident review (any breaches or near-misses) · API inventory drift check · Mark usage check |
These are typical scopes; specific surveillance scoping is risk-driven. Where a certified client’s engagement profile suggests heightened concern in a specific area — a recent breach, a major architecture change, an incident in a peer product — surveillance scope can be intensified for that audit. Where the engagement profile is stable and prior surveillance has been clean, scope can be calibrated accordingly. The principle is that surveillance is proportionate to maintained-state confidence: stable products produce smaller surveillance footprints; volatile or higher-risk profiles produce larger ones.
Stage 1 / Stage 2 Within Surveillance
Within each surveillance audit, the same Stage 1 / Stage 2 industry terminology used in the initial engagement applies in lighter form. Stage 1 of surveillance is documentation refresh review — confirming the architecture, data flow, threat model and authentication / authorisation design have not drifted from what was certified. Stage 2 of surveillance is the targeted technical re-verification — the specific tests selected for this surveillance scope. Where Stage 1 of surveillance reveals no material drift, Stage 2 typically focuses on the highest-risk controls; where Stage 1 reveals significant drift, Stage 2 widens correspondingly. The two-stage structure keeps surveillance proportionate.
Surveillance Anniversary
The first surveillance audit is typically scheduled to coincide with the first anniversary of certificate issue (or six months after issue at Level 3). Subsequent audits track on the same anniversary — the first scheduled surveillance becomes the cadence anchor. Where the certified client has multiple Guardian SecureApp™ certificates with different issue dates, surveillance audits may be combined into a single visit by mutual agreement, reducing logistics overhead while maintaining the per-certificate audit discipline.
Change Notification Obligations
When You Must Tell Guardian About Product Changes
During the certification cycle, the certified product is not frozen — engineering teams continue to ship, infrastructure evolves, integrations are added or retired. ISO/IEC 17065 Clause 7.10 requires the certification body to be notified of changes affecting the certification, and the Certification Agreement defines what that means in operational practice. The detailed obligations vary by Level.
Level 1 (Basic) — Notification-Only
At Level 1, change notification is notification-only. The certified client must inform Guardian of significant product changes (described below) within 30 calendar days of the change reaching production. Guardian’s Decision Authority assesses the notification but typically does not conduct change-driven re-evaluation outside the annual surveillance cycle — the change is recorded, factored into the next annual surveillance scope, and addressed there. Exceptions occur where the notified change is severe enough that the Decision Authority concludes routine surveillance is insufficient — these exceptions are rare at Level 1.
Level 2 (Advanced) — Notification with Decision Authority Assessment
At Level 2, change notification triggers Decision Authority assessment. The certified client must inform Guardian of significant changes within 14 calendar days of the change reaching production (or, for changes the certified client knows are coming, in advance with appropriate lead time). The Decision Authority assesses each notified change and decides whether routine surveillance suffices, whether targeted re-evaluation is warranted (a small focused engagement on the changed area), or whether the change is large enough that a full re-evaluation is required. The targeted re-evaluation path is the typical outcome at Level 2 — most changes can be assessed in a focused 1–3 week effort.
Level 3 (High-Risk / Critical) — Mandatory Re-Evaluation on Major Releases
At Level 3, the bar is higher. The certified client must inform Guardian of significant changes within 7 calendar days; for major releases (changes affecting authentication, authorisation, encryption, data handling boundaries, or material new functionality affecting the certified scope), mandatory re-evaluation is the default. Mandatory re-evaluation is not optional — it is required for the certificate to continue reflecting the new state. Where the certified client and Guardian disagree on whether a change qualifies as a major release, the matter is escalated to the Decision Authority for determination. Mandatory re-evaluation runs as a focused engagement, typically 2–6 weeks depending on scope.
What Counts as a ‘Significant Change’
Across all Levels, the following change types are considered significant and require notification:
- Material changes to authentication or authorisation mechanisms (new identity provider, new role model, new permission framework, MFA additions or removals)
- Material changes to data handling — new categories of personal or sensitive data processed, new geographic regions of data residency, new third parties with data access
- Material architectural changes — new microservices added to certified scope, services removed, fundamental shifts in deployment topology (cloud provider migrations, on-prem to cloud transitions, multi-region expansions)
- New integrations with external services or partner APIs that affect the certified surface, particularly where the new integration introduces new trust boundaries
- Security incidents — confirmed breaches, near-miss incidents that revealed exploitable vulnerabilities, regulatory inquiries, or notifications received from peers about systemic vulnerabilities affecting similar architectures
- Material legal or contractual changes — change of corporate ownership, scope of regulated activities, termination of insurance carrying material implications
- New regulations or standards adopted into the certified scope — particularly where the regulation imposes specific technical requirements
Below the ‘significant’ threshold, routine engineering changes — bug fixes, small feature additions that do not affect security boundaries, dependency updates with no security consequence — do not require notification. The line is judgment-based and is discussed at scoping at the start of each cycle. When in doubt, certified clients are encouraged to err toward notification rather than silence — Guardian’s assessment of a notified change as not warranting action carries no penalty, while a missed notification of a genuinely significant change can be grounds for suspension.
Surveillance Findings and Outcomes
What Comes Out of Each Surveillance Audit
Each surveillance audit produces a Surveillance Report and one of three maintenance decisions from the Decision Authority. The mechanics parallel the initial engagement — same severity classification, same independent decision-making — but at lighter scope. Below is what surveillance produces and what each outcome means in operational terms.
The Surveillance Report
Each surveillance audit produces a confidential Surveillance Report delivered to the certified client. The report covers: the scope of this surveillance audit, the activities conducted (documentation review, technical re-verification, change-notification review, etc.), findings identified during the audit (with severity classification — Critical / High / Medium / Low / Informational, the same scheme used in the initial engagement), the closure status of any findings carried over from prior surveillance, and the Decision Authority’s maintenance decision on the certificate.
Findings handling during surveillance follows the same discipline as the initial engagement: progressive disclosure to the certified client during the audit, severity classification, one round of re-verification for corrective actions included in surveillance fees (additional rounds billed separately), Risk Treatment Plans for genuinely exceptional cases. Critical and High findings during surveillance must be addressed for the certificate to be maintained without conditions; Medium findings can in some cases be carried into the next surveillance window with documented mitigation; Low and Informational findings are recorded but typically do not affect the maintenance decision.
Three Maintenance Outcomes
| Outcome | Meaning | What Happens Next |
|---|---|---|
| Maintain | Surveillance audit completes successfully. No Critical or High findings remain open at audit close, or any open findings are covered by accepted Risk Treatment Plans. Certificate continues unchanged. | Public Directory listing updated to reflect successful surveillance. Next surveillance scheduled. Certificate continues to its existing validity. |
| Conditional Maintain | Surveillance reveals findings that must be addressed before unconditional maintenance. The certificate continues but is conditional on closure within a specified window — typically 30–90 days depending on severity. | Decision Authority issues conditional maintenance letter naming items to be addressed and timeline. On addressing, certificate becomes unconditional. On failure to address, suspension follows. |
| Suspend | Surveillance reveals issues serious enough that the certificate cannot be maintained in its current form. Suspension is a formal interruption — the certificate is not valid for the suspension period. | Public Directory listing updated to reflect suspension. Mark Usage License is suspended; the certified client cannot continue to display the certification mark. Section 3.6 below describes the path to reinstatement or escalation to withdrawal. |
In practice, Maintain is by far the most common outcome. Certified clients who comply with change notification obligations and who continue to operate good security practice typically pass surveillance audits unconditionally. Conditional Maintain is the second most common, typically used for medium-severity findings that the certified client is already addressing or for documentation gaps that need closing. Suspend is rare and almost always traces back to either serious unaddressed findings or material undisclosed changes — both of which the certified client could have averted with timely notification.
Suspension, Withdrawal, and Reinstatement
When the Cycle Goes Off-Track
Suspension and withdrawal are the most consequential actions Guardian takes during a certification cycle. They are mandated by ISO/IEC 17065 Clause 7.11 to be available, documented, and applied where grounds exist — the certification system would not have integrity without them. They are also relatively rare in practice; most certified clients who comply with their Certification Agreement obligations move through their cycle without ever encountering them. The grounds, procedures and reinstatement paths are described below.
Grounds for Suspension
Suspension is a formal interruption of certificate validity. Grounds include:
- Failed surveillance — Critical or High findings that cannot be closed within agreed windows, or accumulated findings that collectively indicate the certified state is no longer maintained
- Material undisclosed change — discovery during surveillance or otherwise that significant product changes occurred without notification per Section 3.4 obligations
- Mark misuse — display of the certification mark in misleading contexts, on uncertified products, or with claims of broader scope than the certificate covers, where corrective action requested by Guardian is not taken
- Fee non-payment — non-payment of surveillance or other agreed fees beyond contractually-defined cure periods
- Refused or repeatedly missed surveillance — the certified client’s failure to make personnel available or to grant access required for surveillance, beyond reasonable scheduling accommodation
- Findings from complaints or appeals — where investigation of a complaint or appeal yields evidence that suspension is warranted
- Substantial breach incident — confirmed serious security breach affecting the certified product, where Guardian’s review concludes that continued certification without remediation is inconsistent with the certified state
Procedure for Suspension
Guardian’s procedure follows ISO/IEC 17065 requirements. Where grounds for suspension are identified, the certified client is notified in writing with the specific grounds and an opportunity to respond before suspension takes effect. The response window is typically 14 calendar days at Level 1 and 2; for Level 3 and for serious-grounds cases, urgent procedures may apply with shorter windows. Where the certified client’s response addresses the grounds satisfactorily, suspension does not proceed. Where it does not, the Decision Authority confirms the suspension, and the Public Directory listing is updated within one business day. The Mark Usage License is suspended in parallel — the certified client must cease displaying the certification mark on the product while suspension is active.
Reinstatement After Suspension
Suspension is — in most cases — recoverable. The certified client addresses the grounds (closes findings, notifies and remediates undisclosed changes, corrects mark misuse, pays outstanding fees, etc.) and submits a reinstatement request to Guardian. Guardian conducts a reinstatement review — typically a focused activity confirming that grounds have been addressed — and the Decision Authority decides whether to lift suspension. On reinstatement, the certificate continues to its original expiry; suspension does not extend cycle length. The Public Directory listing is updated to reflect reinstatement; the Mark Usage License is reactivated. Suspended certificates that are not reinstated within a reasonable period (typically 90–180 days, defined in the Certification Agreement) escalate to withdrawal.
Withdrawal
Withdrawal is the formal termination of certification. It is the more serious step beyond suspension and is reached either through escalation from prolonged unresolved suspension or directly where grounds are sufficiently severe (for example, fundamental and unaddressable failures of the certified state, or evidence of intentional misrepresentation in the original engagement). Withdrawal is permanent for the current cycle — the certificate is terminated; the certified client cannot continue to display the mark; the Public Directory listing is updated to reflect withdrawal. Reapplication for a future certificate is not precluded but is treated as a fresh application, including a new initial engagement.
Voluntary Withdrawal
Certified clients may also voluntarily withdraw their certification — for example, where the certified product is being retired from market, where the certified client is restructuring and the product no longer fits the certified scope, or where commercial drivers have changed. Voluntary withdrawal is a contractual right under the Certification Agreement; it requires written notice to Guardian, settlement of any fees for work performed up to the withdrawal date, and surrender of the certificate. The Public Directory listing is updated to reflect voluntary withdrawal — distinct from suspension or involuntary withdrawal in its labelling, recognising the different procedural origin.
Recertification at Cycle End
Renewing Certification for the Next Cycle
The 3-year cycle ends with recertification — a fresh full evaluation that, where successful, produces the next 3-year certificate. Recertification is not a renewal in the casual sense; it is a re-evaluation engagement. The five-stage structure described on /process/stages applies — Application, Application Review, Stage 1 Documentation Review, Stage 2 Technical Evaluation, and Decision — with the same independent Decision Authority, the same severity classification, the same certificate issuance mechanics. The differences are practical rather than procedural.
Timing
Recertification is best initiated 4–6 months before certificate expiry. This window allows for the engagement to complete (4–18 weeks depending on Level) with adequate buffer for findings remediation. Certified clients who initiate recertification too late risk certificate lapse — the certificate expires at its scheduled date regardless of recertification engagement progress. Lapsed certificates are removed from the Public Directory; reinstatement requires either rapid completion of the in-progress engagement (where possible) or reapplication. Mature certified clients calendar recertification initiation 6 months before expiry to absorb engineering capacity variability.
Scheme Updates Adopted at Recertification
Recertification engagements use the version of GSA-PR-01 and the OWASP standards current at recertification. Where Guardian has adopted new OWASP versions during the certified client’s previous cycle (a new ASVS version, a new OWASP API Top 10 edition, a new general OWASP Top 10), the recertification engagement applies the new versions. Where Guardian has updated GSA-PR-01 itself, the new procedure applies. This is what keeps cycles current with the standards landscape — recertification is the formal moment when scheme drift is addressed.
Operational Familiarity Discount
Where the recertification engagement is for the same product certified in the prior cycle (no major scope changes, same Module + Level configuration), Guardian’s evaluation team retains operational familiarity with the product. This makes recertification more efficient than initial certification — Stage 1 Documentation Review is typically faster (the team already knows the architecture); Stage 2 Technical Evaluation can concentrate on changes since the last full evaluation rather than testing from scratch. This operational familiarity is reflected in pricing — recertification fees are typically 60–80% of the initial certification fees for equivalent scope. Where the product has materially changed (new modules added, Level upgraded, major architectural transition), recertification is priced closer to initial-engagement levels.
What If Recertification Is Not Pursued
Recertification is not mandatory — certified clients may choose not to recertify, in which case the certificate simply expires at its scheduled date. The Public Directory listing transitions from active to expired status. The certified client cannot continue to display the certification mark on the product after expiry. Reapplication at a future date is supported and would be treated as a fresh application. Some clients deliberately recertify late — accepting a brief expiry-and-reissuance gap — for commercial reasons; others recertify on schedule to avoid any procurement-visible status interruption.
Indicative Pricing for Surveillance and Recertification
What the Cycle Costs Beyond Initial Certification
Surveillance and recertification fees are defined in the Certification Agreement at the start of each cycle. They are scoped to the Level and Module(s) certified, and they are payable for the work performed regardless of the maintenance decision (per ISO/IEC 17065 Clause 4.2 — fees do not influence the certification decision). Indicative ranges are below; exact fees are quoted at scoping and confirmed in the Certification Agreement.
| Activity | Indicative Annual Fee Range | Notes |
|---|---|---|
| Level 1 Surveillance | USD 600 onwards (annual) | One audit per year. Indicative for small organisations with single-environment, single-stack scope. Combined-cycle bundling available where multiple Level 1 certificates are held. |
| Level 2 Surveillance | USD 1,200 onwards (annual) | One audit per year, deeper scope than Level 1. |
| Level 3 Surveillance | USD 1,800 onwards (per audit; semi-annual) | Two audits per year. Aggregate annual surveillance investment substantially higher than Levels 1 and 2. |
| Targeted Re-Evaluation (Level 2) | USD 800 onwards (per re-evaluation) | Where the Decision Authority assesses that notified changes warrant focused re-evaluation rather than assessment at the next surveillance. |
| Mandatory Re-Evaluation (Level 3) | Quoted per release | Scope and fee depend on the release’s effect on the certified state. |
| Recertification (Equivalent Scope) | 60–80% of initial certification fees | Operational familiarity discount applies where the same product is recertified at the same Module + Level. Materially-changed scope priced closer to initial. |
These figures are indicative for small organisations on standard scope. Larger or more complex products carry higher fees; combined-module engagements run higher than single-Module. Detailed fee structure is at /process/fees.
Locked disclosure: Fees do not influence certification decisions, surveillance maintenance decisions, or recertification decisions (ISO/IEC 17065 Clause 4.2 — impartiality requirement). Surveillance and recertification fees are payable for work performed regardless of outcome.
Common Questions About the Cycle
Operational Questions Certified Clients Ask Most
Below are short, in-body answers to the questions certified clients ask most often during the cycle. The full FAQ block (Section 4 below) covers a wider set in greater depth.
‘When does my first surveillance audit happen?’
At Level 1 and Level 2, on or near the first anniversary of certificate issue. At Level 3, semi-annually starting roughly six months after issue. Specific scheduling is communicated 4–6 weeks in advance, allowing time for the certified client to prepare documentation refresh and identify the engineering personnel who will participate.
‘What documentation do I need for surveillance?’
Updated versions of the original certification documentation — the architecture diagram, the data flow diagram (Levels 2 and 3), the threat model (Levels 2 and 3), the authentication / authorisation summary. Where these have not changed since the prior submission, that is itself a useful confirmation. Where they have changed, the updated versions become the surveillance baseline.
‘Can my certification scope change during the cycle?’
Yes. Scope expansion (adding modules, adding products, upgrading Level) requires a new engagement — typically scoped as an engagement for the new scope rather than a modification to the existing one. Scope reduction (retiring modules, removing certified features) is handled through a Scope Reduction notification per the Certification Agreement; the Public Scope Statement is updated and the Public Directory reflects the change. Both directions of scope change are formal procedures, not informal adjustments.
‘What happens to my mark during suspension?’
The Mark Usage License is suspended in parallel with certificate suspension — you must cease displaying the Guardian SecureApp™ mark on the product while suspended. This is not a discretionary delay; mark display during suspension is mark misuse and can compound to grounds for withdrawal. On reinstatement, the Mark Usage License is reactivated and display can resume.
‘How do I prepare my team for surveillance?’
Identify the engineering and security personnel who will be points of contact for the audit (typically the same personnel who participated in the initial engagement, where staffing has continued). Schedule them to be available during the surveillance window. Have updated documentation ready. Review any change notifications submitted during the period to ensure the surveillance team has full context. Substantively, surveillance is not an event certified clients should fear — it is a structured maintenance activity where prepared certified clients move through efficiently.
Frequently Asked Questions
Common Surveillance & Recertification Questions, Answered
Three years. The certificate is valid for a 3-year cycle from issue date. During the cycle, surveillance audits maintain the certificate (annual at Levels 1 and 2; semi-annual at Level 3); recertification at cycle end renews it (or, where the criteria are no longer met, terminates it). The 3-year cycle is the unit of certification — initial engagement, surveillance, change notification, and recertification together produce the continuous procurement-grade assurance signal.
‘What is a surveillance audit?’
Surveillance is the structured periodic audit Guardian conducts during the cycle to confirm that the certified product continues to meet certification criteria. It is lighter than the initial technical evaluation (it does not redo every test from scratch) but substantive enough to detect drift, regression, or material change. It includes documentation review, targeted technical re-verification, change notification review, and a mark usage check. Surveillance is required by ISO/IEC 17065 Clause 7.9.
‘How often are surveillance audits conducted?’
Annual at Level 1 and Level 2 (one audit per year). Semi-annual at Level 3 (two audits per year). The cadence reflects the higher assurance signal Level 3 carries. The first surveillance audit is typically scheduled to coincide with the first anniversary of certificate issue; subsequent audits track on the same anniversary.
‘What must I do when my product changes significantly?’
You must notify Guardian. The notification window is 30 days at Level 1, 14 days at Level 2, and 7 days at Level 3. Significant changes (those affecting authentication, authorisation, data handling, architecture, or material new functionality) trigger Decision Authority assessment. At Level 1, the change is typically addressed at the next surveillance audit. At Level 2, targeted re-evaluation is common. At Level 3, mandatory re-evaluation on major releases is the default.
‘Is recertification a lighter process than initial certification?’
No. Recertification requires a fresh engagement: Application, Application Review, Stage 1 Documentation Review, Stage 2 Technical Evaluation, and Decision. It follows the same five-stage structure as initial certification, with the same independent Decision Authority, the same severity classification, and the same certificate issuance mechanics. Recertification is best initiated 4–6 months before certificate expiry so the engagement can complete with adequate buffer.
‘Is recertification cheaper than initial certification?’
Yes, typically 60–80% of initial certification fees for equivalent scope, reflecting Guardian’s operational familiarity with the product. Where the product has materially changed (new modules added, Level upgraded, major architectural transitions), recertification is priced closer to initial-engagement levels. Specific recertification fees are quoted in the Recertification Quote provided ahead of the engagement.
‘What happens if I miss a scheduled surveillance audit?’
Missing a scheduled surveillance audit is a Certification Agreement breach. Guardian will reschedule once where reasonable scheduling conflicts arise; repeated or refused surveillance is grounds for suspension and ultimately withdrawal. If a genuine conflict prevents a scheduled audit, contact Guardian early to agree a rescheduled window. Surveillance cannot simply be skipped or quietly postponed.
‘What are the grounds for suspension?’
Grounds for suspension include: failed surveillance with unaddressed Critical or High findings; material undisclosed product changes; mark misuse with unaddressed corrective action; fee non-payment beyond cure periods; refused or repeatedly missed surveillance; serious complaints findings; and substantial breach incidents. Suspension follows ISO/IEC 17065 Clause 7.11 procedures, including written notification, an opportunity to respond, and Decision Authority confirmation.
‘Can a suspended certificate be reinstated?’
In most cases, yes. Address the grounds (close findings, notify and remediate undisclosed changes, correct mark misuse, settle fees), submit a reinstatement request, and Guardian conducts a focused reinstatement review. On confirmation, the suspension is lifted and the certificate continues to its original expiry. Suspended certificates not reinstated within 90–180 days (per the Certification Agreement) escalate to withdrawal.
‘What is the difference between suspension and withdrawal?’
Suspension is a recoverable interruption: the certificate is not valid for the suspension period, but the certified client can address the grounds and seek reinstatement. Withdrawal is permanent termination of the current cycle’s certification: the certificate is terminated, and any reapplication is treated as a fresh application. Withdrawal is reached through escalation from prolonged unresolved suspension, or directly where the grounds are sufficiently severe.
‘What is voluntary withdrawal?’
Voluntary withdrawal is where a certified client chooses to terminate certification, for example because the certified product is being retired, the scope no longer fits, or commercial drivers have changed. It requires written notice, settlement of any fees for work performed, and surrender of the certificate. The Public Directory listing is updated to reflect voluntary withdrawal, which is labelled distinctly from involuntary withdrawal.
‘Which version of the standards applies at recertification?’
Recertification engagements use the version of GSA-PR-01 and the OWASP standards current at recertification, not the versions used at initial certification. Where Guardian has adopted new OWASP versions during your previous cycle (a new ASVS version, a new OWASP API Top 10 edition), recertification applies the new versions. This is what keeps cycles current with the standards landscape.
‘Can I change Level at recertification?’
Yes. Recertification is an opportunity to upgrade Level (e.g., from Level 2 to Level 3 if regulatory drivers have intensified) or to downgrade Level (where Level 3 was over-specified initially and Level 2 is genuinely proportionate). Level change at recertification is agreed in the recertification scoping conversation. Pricing and engagement scope reflect the new Level.
‘What happens if my company changes ownership or its contractual arrangements change?’
Both are significant events requiring notification. Material legal or contractual changes (change of corporate ownership, change in the scope of regulated activities, and the like) are explicitly covered by the change notification obligations (Section 3.4). Guardian’s Decision Authority assesses the impact on certification: in some cases the certificate transfers without disruption (where the certified product continues unchanged under new ownership); in others a fresh engagement is appropriate (where the ownership change implies material structural change).
‘Where can my certificate’s current status be verified?’
In Guardian’s Public Directory at /directory. The directory is updated in real time per ISO/IEC 17065 Clause 7.8 to reflect all status changes: successful surveillance, conditional maintenance, suspension, withdrawal, and expiry. The directory is the single authoritative public record of Guardian SecureApp™ certifications. Your customers, regulators and auditors can verify your certificate’s current status directly through the directory.
Ready to Get Started?
Apply for Certification
Submit a formal application. Initial response within 5 working days.
Apply Now
Request a Quote
Tell us about your product. Indicative quote within 3 to 5 working days.
Get a Quote
Talk to Our Team
Specific question or regulatory driver to discuss?
Contact Us