How can you validate a vendor that claims to have ISO 27001 certification?

People often ask us how they can validate a vendor's ISO 27001 certification, so here's our advice.

Unfortunately, there is no central register of all ISO 27001 certificates, so confirming the validity of a vendor’s certificate takes a little legwork. Here’s what you need to do:

  1. Request a copy of the vendor’s certificate, including any annexes that are issued with it. (The annexes may include further detail on the scope, locations that are covered, and other useful information.)
  2. Identify the name of the certification body or registrar that issued the certificate and the national accreditation body that accredited the certification body. This is likely to be in the form of a logo for ANAB, IAS, ANSI, and so on.
  3. Check that the accreditation body subscribes to the International Accreditation Forum (IAF).
  4. Contact the certification body to ask them to confirm the validity of the certificate. Some certification bodies do this through their website, but others check that their client is happy to share this information with you first.

If all this works out and you are satisfied that the certificate was issued under the accredited certification scheme, the last things to check are:

  • The scope of certification. Make sure that it covers all the supplier’s business processes and locations that you are entrusting with your information. Many organizations restrict the scope in order to save on the cost of implementation or the certification audit. This can compromise the extent of assurance that the certificate provides.
  • The date of issue and the date of expiry. This gives you an idea of the maturity of the ISMS. It’s worth periodically confirming that the certificate is still valid, because it can be withdrawn if the ISMS is not maintained appropriately.
  • The reference to the Statement of Applicability (SoA). There should be a reference to the specific version of the SoA that your supplier was audited against, and you can request a copy. Some organizations exclude controls that you might expect to be in place, and you won't be aware of this without reviewing the SoA. If they've excluded controls, you'll need to find out which compensating controls are in place to provide equivalent assurance and a residual risk that satisfies your needs. The certification body should confirm the scope, dates, and SoA version in the information you request.

Implementing an ISMS (information security management system) that conforms to the requirements of the international standard ISO 27001 requires careful planning and a thorough understanding of the criteria that auditors use when awarding certificates.

Learn how to implement an ISO 27001-accredited ISMS from the global experts

The IT Governance ISO27001 Certified ISMS Lead Implementer Online course equips you with the skills to implement an ISMS following the nine-step implementation approach developed by IT Governance. Our interactive, real-time courses allow delegates to study from any location and at convenient times, giving you access to the best ISO 27001 training course and trainers in the world.

Alternatively, attend the classroom course in Washington DC this October and learn from acknowledged security expert Alan Calder live and in person at the Certified InfoSec Conference.

Date: October 12–13 classroom session

Time: 9:00 am–5:00 pm

Venue: Hilton Hotel Rockville, Washington, DC. Register for the five-day conference pass to gain access to the training.