Assurance

ISO/IEC 27001 Certification - Confidentiality

AARC-360 shall be responsible for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.

AARC-360 shall inform the Client, in advance, of the information it intends to place in the public domain. All other information, except for information that is made publicly accessible by the Client, shall be considered confidential.

Except as required by ISO/IEC 17021, information about the Client or individual shall not be disclosed to a third party without the written consent of the Client or individual concerned.

When AARC-360 is required by law or authorized by contractual arrangements (such as with the accreditation body) to release confidential information, the Client or individual concerned shall, unless prohibited by law, be notified of the information provided.

Information about the Client from sources other than the Client (e.g. complainant, regulators) shall be treated as confidential, consistent with AARC-360’s policy.

Personnel, including any committee members, contractors, personnel of external bodies or individuals acting on AARC-360’s behalf, shall keep confidential all information obtained or created during the performance of AARC-360’s activities, except as required by law.

AARC-360 has processes and, where applicable, equipment and facilities that ensure the secure handling of confidential information.

AARC-360 shall provide information and update the Client on the following: