Complaints and Appeals Policy
Scope
Complaints from any customer related to any product or service provided by GRC International PLC group of companies falls within the remit of this procedure. This procedure also addresses complaints from data subject(s) related to the processing of their personal data and appeals from data subjects on how complaints have been handled.
Due to the time differences between the geographical locations of the business, a short period of time may pass before the complaint can be allocated to and managed by the appropriate person, who may be based in a different time zone to the recipient of the complaint. Complaints may also not enter the business at the most logical point, so this also needs to be considered when logging a complaint.
Responsibilities
Any member of staff from within GRCI or a subsidiary of GRCI receiving a complaint from any customer is responsible for reporting the complaint. The recipient of the complaint and the complaint owner can be the same person.
Recipients are responsible for ensuring that the complaint is logged and allocated to a complaint owner. Should there be uncertainty over who the complaint owner should be, then the recipient should refer to their line manager for clarification. Subsequently complaint owners are responsible for ensuring the complaint is satisfactorily resolved.
The Process & Accreditations team is responsible for overseeing the complaints process and ensuring that it is effective and being implemented.
The Chief Executive Officer is responsible for ensuring that employees have the necessary resources and training to deal with complaints effectively.
Definitions
BS 8543:2015 (complaint handling in organisations) refers to a complaint as being "any expression of dissatisfaction made to an organisation, related to its products, services, practices, staff or the handling of a complaint where a response or a resolution is explicitly or implicitly expected."
In cases of uncertainty, the communication should be treated as a complaint and this procedure followed.
A complaint may also be a repetition or an addition to a previous issue or known problem that has an identified root cause, so a review of previously resolved cases in the continual improvement logging system for a potential resolution should be carried out, particularly in more complex cases.
The complaint-handling process has two levels of categorisation: level one (basic) and level two (complex). The definitions of each resolution category are:
Basic - if, upon analysis, a complaint can be resolved within 24 hours (or immediately), owing either to experience of previous issues of a similar nature or to data within the knowledge base, it is classified as a level one category complaint and labelled "basic".
Complex - if, upon analysis, a complaint requires longer to resolve than the level one (basic) status allows, it is categorised as a level two category complaint and labelled "complex". Complex issues differ from basic issues in that they may typically require input from multiple areas within the business, potentially including globally based resources, with the time differences that involves. It is therefore envisaged that up to 48 hours may be required to resolve them.
Process
On receipt of negative communication, the recipient is not to acknowledge or accept responsibility from the outset, but is to empathise with the complainant's position until such time as an in-depth assessment can be made as to whether it warrants progressing as a nonconformity, incident and/or information security incident, etc. Relevant information is collated, and the alleged situation/experience is investigated appropriately (sensitively, with an awareness of privacy issues, personal performance matters, etc.).
When a complaint is received into the business, the recipient records the complaint details and the nature of the complaint in the Continual Improvement (CI) log.
The recipient allocates the complaint to the appropriate complaint owner via the CI log and sends an email notification to the owner. If uncertain as to who the owner should be, the recipient may take advice from within the business and/or from their line manager, or refer to complaints of a similar nature by viewing closed complaints within the CI log.
The complaint owner receives the email notification that a complaint has been allocated to them to action. The complaint is analysed for appropriate category selection by the complaint owner.
There are two levels of categorisation for complaints, level 1 – a basic issue or level 2 – a complex issue (see above for category definitions).
The complaint owner acknowledges receipt of the complaint by email to the complainant, confirming that the issue is now being investigated and that a response will be communicated in due course, within 24 or 48 hours depending on the classification. When sending the acknowledgement, the complaint owner may use the acknowledgement template QA-TPT-013.
The complaint owner carries out a thorough investigation into the complaint to obtain a satisfactory resolution.
The complaint owner will update the complainant if it becomes clear that the resolution requires further investigation, a recategorisation or more time in order to resolve.
Once resolution is achieved, the complainant is updated and asked whether the resolution is satisfactory so that the complaint can be closed.
If the complainant is satisfied with the resolution, the complaint can be closed, the CI log updated and the log entry closed. Should the complainant not be satisfied with the resolution, the complaint owner may consider taking further action based on the complainant's reason for dissatisfaction. If the owner considers that further action is not feasible or logical to the business, and that all reasonable efforts have been made with the resolution being offered, the resolution should be deemed satisfactory and no further investigation is necessary. The owner should make a note in the CI log of the complainant's response to the resolution for future reporting analysis.
Complaint Closed.
Post Reviews
The complaint log is reviewed on a fortnightly basis by the Process & Accreditation team to ensure compliance with this procedure is maintained.
Output data from the complaints log is analysed and reviewed on a regular basis by various review audiences, for example as input into the KPI report for the operational performance meeting(s).
Related information
Where a third party with whom the business has a professional relationship has its own complaints procedure, the relevant part of the business shall, where applicable, comply with their procedure whilst ensuring, wherever possible, that there is no deviation from following this procedure.
This complaint handling procedure shall be followed in circumstances where a candidate wishes to appeal an examination result. In these cases, we are reliant on the appeals processes operated by the respective examination bodies. Where required to defer to the appeals process of third parties this shall be explained to the candidate. Resolution time scales, in these specific cases, will depend on the responses received from the third party and as such may differ from the norm.