
Frequently Asked Questions

About Orion

Orion was incorporated in 2007 as a private company.

The two founding partners were involved in the auditing industry for over twenty years prior to starting Orion.  Given poor service standards in the industry and numerous clients requesting an alternative, more customer-friendly experience, the partners decided to form Orion as a private, client-focused business.

The majority of Orion’s clients are based in North America; however, we do service clients and have auditors available globally. Depending on the standard, Orion can offer remote audits, resulting in no travel-related expenditures.

To maintain our impartiality in our audit activities, Orion Assessment Services does not provide consulting services.  

There are some audit firms that offer consulting services but, in our opinion, you should avoid them because customers may question the credibility of your certification and whether or not your audit was conducted at “arm’s length”.

Orion Assessment Services is bound by our various corporate policies.  These policies govern our commitment to ensuring your information is safe and secure.

The starting point for determining fees is typically the number of staff under the scope of certification.  Each standard has an audit time lookup table based on the employee count. From here, various factors are reviewed to determine whether adjusting the audit time down or up can be justified. The audit days are then multiplied by the day rate to give the audit fees.

When reviewing fees, you need to review the overall “all in cost”.  Many of Orion’s competitors show a low day rate but add other items such as project management fees, certificate fees, administration fees, annual fees, etc.

If travel expenses are applicable, unlike our competitors, we do not mark up travel related expenses.

If you have an issue, you may submit a Dispute Resolution Request.

Orion takes appeals, disputes and complaints very seriously.
All issues must be submitted through Orion’s Dispute Resolution Request form.  All issues will be reviewed by the President, or designee, and Management Team for processing and resolution.  If the issue is time sensitive, Orion will make every effort to expedite the request.

NCR Appeal

If an appeal relates to an NCR, the President, or designee, and Certifier will review the evidence presented by the client.  Additional input may be requested from the Auditor, as needed.

Agree with Appeal?

If the Certifier, the President, or designee, and the client agree that the NCR is not correct, the appeal can be addressed by expediting the appeal process to withdraw the NCR and close the appeal.  The client will be notified in writing of the decision.  

Do not Agree with Appeal?

The client will be notified of the decision and the reason for the decision.  If the client does not agree with the decision, they may request that the issue be sent to an Appeals Committee for further review.  The Appeals Committee will inform the client in writing of the decision.  If the client still does not agree with the decision, they may take it to the appropriate accreditation body.

Complaint

The President shall determine whether the complaint relates to certification activities for which Orion is responsible and, if so, whether the complaint is valid.  If the President determines that the complaint is not valid, the President will contact the party that identified the possible complaint and inform them that the complaint has been rejected and the reason.

If the complaint is valid, Orion will investigate the complaint, determine the root cause and take the actions necessary to address the issue.  Orion will make every effort to notify the person that filed the complaint of the outcome.  In some cases, this may not be possible due to confidentiality requirements.

Full details for handling complaints are defined in Orion’s AP 01 Administrate Management procedure.

Certification

The best way to prepare for an audit is to ensure you have conducted your internal audit.  Refer to Orion’s guidance on preparing for an audit.

The Orion team is committed to helping you with your certification needs.  In some cases, Orion may be forced to suspend or withdraw your certification status.  This would typically be due to a failure to comply with the conditions specified in the Certification Application.  Examples may include:

  • Failure to allow Orion to conduct an audit.
  • Not resolving Non-conformances within the given timeframe.
  • Failure to meet any financial obligations.
  • Providing false or misleading information regarding your certification that may damage the reputation of Orion.
 
In any case, if this situation arises, Orion will communicate the issues and work with you to resolve them, if possible.  Upon satisfactory resolution for suspended certificates, your certification status may be restored.

Your certification is typically defined by a legal entity, address, and scope statement.  Should you wish to change your scope, you will need to contact the Orion team, complete the Certificate Change Request form and email it to info@orioncan.com.  The Orion team will review the request, determine whether the change can be achieved and inform you of the process.  Depending on the nature of the change, the Orion team may request additional information and may possibly need to conduct a special audit.

 

Typically the biggest factor in determining how long it takes to get certified is how well the client is prepared.   It’s always best to do a very thorough internal audit to identify and resolve as many issues as you can prior to your external audit.  If issues are identified during your audit, it tends to slow down the certification process because the issues need to be addressed, reviewed and accepted by your auditor.

In terms of scheduling your audit, Orion recommends that you book your audit at least two months in advance.  This gives you time to prepare.

After your audit, if you do not have any issues or once the issues are closed, Orion can issue a certificate typically within 5 days of receiving the final report from the auditor. 

All certificates to ISO 27001:2013 must expire no later than October 31, 2025.  After April 30, 2024, all audits must be done to the 2022 version of the standard.

The standard has not been fully revised.  Key changes include:

  • The number of controls decreases from 114 controls in 14 clauses to 93 controls in 4 clauses.  11 new controls have been added, 24 controls are merged and 58 have been updated.
  • “Attribute” and “purpose” have now been added to the control structure in place of “objective”.

 

For the purpose of upgrading, clients will need to remap their Statement of Applicability and demonstrate that the new and changed control requirements have been identified and implemented.

Yes, provided you meet the eligibility criteria. 

Eligibility typically begins when you have a head office plus 3 or more sites.  The eligibility criteria are defined in IAF MD 1 (refer to the mandatory documents).

Key points to note are:

  1. You must have a single management system.
  2. A defined central function has to define, establish and control the management system.
  3. A central management review must occur.
  4. All sites must undergo an internal audit.
  5. The central function must collect and analyze data related to system changes, management review, complaints, corrective actions, internal audits, statutory and regulatory requirements.
 
There are some other considerations defined in IAF MD 1 that your Sales team will review.