FAQ Certification
Frequently asked questions about our certification.
Service description for product providers: Content, offer and procedure
The testing of medical devices used is not part of our process, as their approval is regulated on a country-specific basis and has different life cycles than the process in which they are used. If necessary, we check whether the necessary test certificates are available for the products used. In doing so, we comply with the requirements of Swissmedic.
Yes – deliberately. Our catalog integrates requirements from:
- ISO/IEC 27701 → Data protection measures
- ISO 27001 → Security measures
- EU AI Act → High-risk categorization and transparency obligations
- CH-GeBüV → Retention obligations
- Data protection law (DSG/DSGVO)
Certified systems can draw added value from this for other audits and verifications.
ISO/IEC 23894 is a guideline for organization-wide risk management. It offers good principles, but is not testable or certifiable. It also lacks an operational reference to specific applications.
CertifAI® operationalizes risk management:
We check whether risks such as bias, explainability gaps, data leaks or manipulation have been identified, addressed and technically secured in a specific system. Our testing methods include stress tests, technical evaluations, transparency checks and documented intervention mechanisms.
ISO 38507:
This standard is aimed at boards of directors and top management. It defines responsibilities, but does not contain any specific audit criteria. It is useful for governance, but not sufficient for system evaluation.
CertifAI® implements governance:
Our catalog includes governance controls such as responsibility, auditing, logging and traceability – concrete, verifiable and related to a specific system. CertifAI® checks special requirements for high-risk systems (EU AI Act Annex III) directly – incl. special logging, registration, annotator oversight.
The technical risk reference in CertifAI® is very specific with checkpoints such as “Bias Detection”, “Stress Testing”, “Adversarial Attacks” and “Data Classification”.
ISO/IEC 42001 is a management system standard that evaluates processes and structures at an organizational level – comparable to ISO 27001. It does not test specific AI systems, but rather the ability of an organization to manage AI safely.
CertifAI® goes beyond this: We certify specific AI applications from the perspective of the data subject (e.g. users of an app) and check whether and how a specific solution implements data protection, fairness, security and traceability in concrete terms.
We also integrate requirements from the AI Act and Swiss data protection law, including DPIA, data classification and human-centered control, as well as the requirements for legally compliant data storage (according to the Ordinance on Business Records, GeBüV). Further test contents include explainability, incident response and logging mechanisms.
Yes, we know the big challenges with deletions even in regulated industries, e.g. banks.
NO, because the regularity requirements demand correct data. Non-deletable archives always contain erroneous data that should be deleted. However, the topic only became really explosive with the GDPR, because the ability to delete is a key competence in data protection.
Data protection compliance is a broad field. We specialize in the “difficult” issues surrounding data protection. These typically include the issue of integrity protection and application erasability, as well as privacy by design and privacy by default capabilities. These issues will be addressed during the pre-clearance process. The customer decides whether a data protection audit should take place.
With the GeBüV (Business Records Ordinance) certification, you receive a certificate that the examined digitization solution complies with the applicable legal standards.
The neutral certificate conveys confidence and provides assurance that the solution complies with the legal requirements. It increases the probative value of electronic evidence, as the procedures are sufficiently documented and meet the regularity requirements. It reduces the effort required in the event of an audit by the auditors. It can be really expensive if you want to deduct electronic invoices from input tax and have not secured them with evidence.
In addition to the GeBüV, other relevant sources are included as well as the KRM’s wealth of experience. These fundamentals are recorded in the KRM BOK (Body of Knowledge) and serve as a reference for testing and certification.
No, we agree with the customer which system or process should be investigated and tested. The certificate mentions the scope of the investigation and the basis of the assessment.
Switzerland has no official certification in this area. This is due to the fact that in a legal case the judge acts according to the principles of free evaluation of evidence. However, a party’s credibility and diligence increase substantially when an independent review by a neutral reviewer is provided. The KRM has the most experience in assessing digitization solutions due to its experience and involvement in legislation.
KRM’s experts have been dealing with the topics of electronic data storage, retention, information security, data protection and contract law for more than 25 years. KRM experts were involved in drafting the GeBüV as industry experts and have been writing expert opinions on the GeBüV and related procedures for years.
The KRM has no ties to providers or to parties that would affect our neutrality. The KRM offers only product-neutral consultations and KRM experts are also used as neutral evaluators.
Yes, of course we test the systems presented to us to the best of our knowledge and belief. If a system falls below the minimum due diligence level, we refuse to issue a certificate.
We offer a retest, which should normally be done within 2 years of the initial test. As a rule, certificates are valid for two years, although of course this always depends on whether the tested system has been significantly modified.
During initial certification, all necessary parameters are recorded and documented. We keep the reviewed system in a database together with the used BOK (Body of Knowledge). This allows us to efficiently re-certify and also provide information on what has been audited at any time.
The price depends on three main factors:
1. the complexity of the system under study,
2. the number of external partners (systems/contracts),
3. the laws and standards to be examined (e.g. only national, international, industry standards).
In addition, the special risk situation must be taken into account. This is usually expressed in the laws and standards to be followed, but can also be deliberately adjusted upwards once (increase of care). We will be happy to provide an individual quote for the preparation.
No, of course we use in our BOK (Body of Knowledge) all relevant legal texts and other specifications that are relevant. In the context of digitization, these are primarily data protection regulations, commercial law requirements, and special legal requirements (e.g., tax law) or special legal storage regulations (e.g., plant engineering, pharmaceuticals, financial industry).
No, because this term does not exist in Switzerland! No consultant, no auditor and no certification body can make such a statement or give such an assurance (e.g. via contractual penalty). No manufacturer would sign such a guarantee. In Switzerland, the standard is the so-called “regularity”, i.e. the care required for the specific matter to be audited and the associated procedures and techniques. This regularity evolves over time and comprises, in addition to the mandatory legal provisions, established practice and the level of requirements. A bank must meet much higher requirements than a small craft business, so the same standard is not applied in the review. We know the requirements and will inform you if the level of care you choose does not meet the industry standard. In such cases, we do not issue a certificate.
You will receive a certificate in which the scope of the test and the test result are recorded. In addition, you will be issued a personalized certificate, which you can attach to products or documents, websites, etc. This certification is based on a comprehensive report documenting the results of the investigation. It also records whether, for example, certain parts of the process could not be certified (gap analysis). These could then be made up at a later date (→ re-certification).
Of course, we also audit third parties that provide services (e.g. cloud providers, data centers, external service providers), provided we have access to their services and are thus able to conduct an objective audit.
The normal period of validity is two years. Depending on the scope and complexity of the test or change intervals, the validity may also be reduced. For systems or products, the certifications apply to the respective tested system status (release).
Electronic invoices are accepted by the authorities only if their evidential value is correct, i.e. the invoice recipient must prove that the invoice meets the VAT requirements. This can be ensured with various processes. As the invoice recipient, you can demonstrate that you meet these requirements with verification.
CONTACT NOW
Call: +41 44 888 10 11
or by mail to digitalkonform@krm.swiss