MTCS Certification

A readiness assessment is a pre-certification review designed to evaluate how prepared an organization is to undergo the formal audit.  Readiness reviews help identify gaps between what is currently designed and/or implemented and the requirements of the standard, so that they can be addressed prior to the beginning of the official certification process. Although not required for certification, a readiness assessment can be a valuable step in any compliance initiative—helping you identify and address areas of concern ahead of an audit, quickly demonstrate your commitment to high security standards, and proactively reassure customers as you work toward full certification.

This first stage is largely an evaluation of your designed MTCS against the requirements of the SS 584 standard.  This stage is more high-level than the next since your auditor won’t dive into the effectiveness of all controls in practice (yet). The goal of the Stage 1 audit is to ensure you are ready to undergo the Stage 2 review. Your auditor will be looking for what is referred to as “areas of concern” i.e., lack of objective evidence to meet the SS 584 standard. If these areas of concern go unaddressed, they can or will likely materialize into formal nonconformities during the Stage 2.

In this stage, your auditor will also be looking for opportunities for improvement to help identify areas that can be enhanced. After you complete the Stage 1 process, you should address any areas of concern that your auditor notes in order to prepare for Stage 2. How this affects your overall timeline will be up to you, but you should expect to spend some time in between the initial certification stages to address areas of concern and demonstrate the effectiveness of the MTCS. 

If your MTCS appears well-designed and accounts for all necessary requirements, then it’s time to watch it in action. During this phase, the auditor will evaluate your MTCS to determine if its active practices, activities, and controls are functioning effectively. Your MTCS will be assessed against the full requirements of the SS 584 standard.

Similar to the Stage 1, the auditor will be looking for nonconformities and opportunities for improvement based upon the SS 584 standard and your own defined requirements:

• Major nonconformities require an acceptable corrective action plan, evidence of correction, and evidence of remediation prior to certificate issuance.
• Minor nonconformities only require those first two to issue the certificate—no remediation evidence necessary. 
  Prior to receiving your MTCS certification, corrective action plans and evidence of correction and remediation must be provided for each nonconformity based upon their classification. The time it takes to correct and remediate these nonconformities should be considered when determining the amount of time it will take to obtain your MTCS certification.

Note: Despite it not being necessary for the issuing of your certificate, your auditor will take the time to evaluate evidence of remediation for any noted minor nonconformities during the subsequent surveillance review (detailed below) to formally close them out.

Upon successful completion of the certification process (Stage 1 and Stage 2), an MTCS certificate of conformity is issued. The certificate is valid for a three-year period, with annual surveillance audits conducted to ensure continued compliance with the standard and the effectiveness of the MTCS. Surveillance audits require 1/3 of the time of the initial certification review. Surveillance audits can last anywhere between 2-5+ days (dependent on the number of personnel in-scope) and consist of documentation review and meetings with control owners, and other relevant personnel. Often, a sampling approach is taken during surveillance audits, as opposed to the initial certification audit which includes a full assessment of the MTCS controls.