Integrated Management System Policy, Declaration of impartiality

Effective from 10 September 2025

CCLab Ltd. and its Testing Laboratories operating as independent organisational units, "CCLab – The Agile Cybersecurity Laboratory" (hereinafter referred to as the Laboratory or Laboratories), strive to be reliable partners to their business partners and to ensure the long-term satisfaction of their customers (clients). 

CCLab Ltd. and its testing laboratories are committed to complying with the professional and ethical standards set out in the EUCC (European Common Criteria) cybersecurity certification system. To this end, we apply ethical and security principles in accordance with the CODE OF ETHICS – QIMA 2025 document and the provisions of the IBSZ00_Information Security Policy.

The primary task of the Laboratories is to provide our customers (clients) with test (evaluation) results based on objective evaluation methods. The Laboratories perform the activities specified in the accreditation document and provide professional assistance services related to testing (evaluation) outside the scope of accreditation. CCLab Ltd. and the Laboratories perform all their tasks in accordance with the requirements of independence and impartiality, which are separated at a personal level during projects. 

The scope of the Laboratory's professional support activities is strictly limited. Given that the Laboratories are required to perform conformity assessments in an impartial and independent manner, the scope of the consultancy may only extend to the preparation of documents necessary for conformity assessment, as specified by the relevant standard and in accordance with the prescribed terminology requirements (e.g. developer documents). Based on the above, no employee of the Laboratory may participate or have previously participated in the design, manufacture, commissioning, maintenance or distribution of a product that has been assessed or tested by the Laboratory in the course of providing professional support activities. The "consultancy" activity referred to in the relevant regulations and marketing materials can therefore only be interpreted as described above.

Consequently, and in view of the fact that all data must be provided by the customer during professional support activities, self-review as a potential threat to impartiality is excluded.

The service level of CCLab Kft. and the Laboratory complies at all times with the applicable regulations and the requirements of the Supervisory Authorities and Customers (Clients).

During our operations, we set quality and information security objectives at regular intervals, the implementation of which we continuously monitor. 

Our integrated management system (quality and information security) objectives:

  • our services meet the needs agreed in advance with our customers (clients),
  • our services are provided at the time agreed with the Customer (Client) and at an economically optimal cost,
  • the business information of our Customers (Clients) and the information provided to us is secure, 
  • continuous efforts to identify and mitigate circumstances related to climate change,
  • continuous compliance with the regulations applicable to us, successful acquisition and maintenance of accreditation by an external accreditation body,
  • striving to achieve an average customer satisfaction rating of at least 4.5 on a scale of 5 in our future projects,
  • performing work impartially, independently and neutrally, free from external influence (commercial, financial or other pressure), on a strictly professional basis in the interests of our customers (clients),
  • ensuring that the professional knowledge of our colleagues working in the Laboratory is up to date and of a high standard,
  • effective cooperation with supervisory bodies and certification authorities, in particular, but not exclusively, for the purpose of ensuring the proper implementation of the requirements of the given testing (evaluation) scheme/system and the verification/accreditation of such implementation.

In order to achieve the above integrated management system objectives, we have established the following work ethics requirements:

  • all employees must place particular emphasis on complying with and monitoring cyber security requirements and avoiding omissions, in accordance with the provisions of their employment contract and the Information Security Policy, failure to comply with which will result in sanctions;
  • in accordance with the QIMA Group Code of Ethics document and awareness training, as well as the provisions of the Information Security Policy, we encourage the reporting of personal security incidents and their use in cybersecurity awareness programmes;
  • We strictly prohibit any form of fraud, so employees are required to report any activity or suspicion that is deceptive, seeks to gain unauthorised profit, or compromises the integrity of the certification process.
  • We conduct ongoing self-assessment through internal audits, data analysis, corrective action, and management reviews.
  • When non-conformities are identified, we designate the appropriate departments to implement corrective measures and improve our procedures.
  • We pay particular attention to the systems and documentation that support our work processes.
  • management is committed to applying leading professional practices and to the quality of tests (evaluations) performed for the Customer (Client) and the accuracy and reliability of test (evaluation) results,
  • the management ensures that CCLab Kft. employees are familiar with the principles and procedures of the integrated management system and the quality-related documentation, and that they apply the quality policy and related procedures in their work,
  • we ensure that employees receive regular professional training,
  • in terms of information security protection, we work continuously to prevent and avert security incidents (external and internal) that could lead to information leaks through espionage or deliberate disclosure, and to prevent deliberate or accidental errors and damage, 
  • We develop plans and procedures for handling any incidents that may occur, taking into account the specific characteristics of the systems to be protected and keeping in mind the requirements of business continuity.
  • we ensure the physical and logical protection of our infrastructure and equipment with state-of-the-art technical tools and trained professionals,
  • We operate a system based on complex risk assessment, the primary purpose of which is to identify and assess potential sources of danger and threats. In the event of risks arising, we take immediate action to minimise or eliminate these risks.
  • we take measures to prevent the occurrence of risk factors and incidents,
  • we use state-of-the-art IT solutions to enhance security, 
  • we consider it a priority to be familiar with and comply with the relevant laws, regulations and data protection laws, and to ensure compliance with them,
  • we expect our suppliers and subcontractors to comply with our security guidelines, maintain their objectivity and impartiality, and work in a secure environment, both physically and in terms of IT,
  • We are constantly seeking opportunities to introduce more efficient and reliable procedures and tools.
  • We conduct regular audits to ensure that our information security objectives are met and that the relevant instructions and procedures are fully complied with by all parties concerned.
  • management is committed to continuously developing the collaboration infrastructure and providing modern work tools (which facilitate the efficient work of employees),
  • management ensures that an organisational structure and organisational processes are in place where personal tasks, powers and responsibilities are well defined,
  • management ensures that the integrated management system continues to function properly even when changes to the integrated management system are planned and implemented,
  • management draws the attention of colleagues to the importance of complying with customer, legal and other regulatory requirements, 
  • management ensures that investigations and services are conducted impartially, independently and neutrally, without external influence, and does not allow commercial, financial or other pressures to compromise impartiality.

The management of CCLab Kft. is committed to ensuring compliance with CIA (confidentiality, integrity, availability) as follows:

  • Employees working in any organisational unit of CCLab Kft. are required to treat information obtained during compliance assessment procedures as confidential. All parties in a legal relationship with CCLab Kft. must be informed of the scope of data to be treated as confidential, as well as the rules of confidentiality and the consequences of violating them.
  • The management shall ensure that employees protect the information and data obtained during compliance assessment procedures against damage, destruction, deletion, alteration and unauthorised access, and shall provide the necessary conditions for this by establishing the appropriate IT infrastructure.
  • CCLab Ltd. may not disclose any information, data or documents to third parties without a lawful court order or official request concerning CCLab Ltd., its employees and/or customers. Data, information and documents belonging to the customer may only be disclosed with the customer's written consent and within the scope and in the manner specified in the consent.
  • All employees are obliged to keep confidential any confidential information and business secrets that come to their knowledge in connection with their employment, both during and after the termination of their employment. Furthermore, they are obliged to ensure that confidential information is not disclosed or made available to third parties.

The CEO of CCLab Ltd. declares that he is committed to ensuring that the operations of CCLab – The Agile Cybersecurity Laboratory comply with ISO 9001, ISO/IEC 17025, ISO/IEC TS 23532-1, ISO/IEC 19896-1, ISO/IEC 19896-3 and ISO/IEC 27001 standards, as well as EUCC and related State-of-the-Art documents. It is also committed to complying with and enforcing the requirements of the standards and to continuously improving the effectiveness of the integrated management system.

Budapest, 10 September 2025.

Ferenc Tamás Molnár

Chief Executive Officer