With cyber attacks on the rise, it’s natural that we are all becoming more clued up on cybersecurity. It seems there is no rhyme or reason to these cyber attacks, with all industries and organizations of any size and type being affected.
Data breaches – and the subsequent fines – are so widely publicized, it’s little wonder that many organizations require their contractors, suppliers, clients – or just about anyone that may handle their sensitive information – to hold ISO 27001 certification.
ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). Effective information security risk management is a cornerstone of an ISO 27001-conformant ISMS.
Compliance with the Standard does not require organizations to independently certify their ISMS. Certification involves an independent audit from an accredited certification body. There are numerous benefits for organizations wishing to opt for certification. The most important benefit is that it offers potential and existing clients the assurance that the organization is following information security best practice. This assurance gives clients peace of mind that security risks are being treated effectively.
How do you know whether the certificate or the certification body is legitimate?
If you are tasked with vetting potential vendors to validate their certification, perhaps the best option is to simply ask the vendor for a copy of their certificate – any organization with accredited certification should oblige. It is, however, essential to check that the certificate has been issued by an accredited certification body.
How do you assess whether the certification body is accredited?
Accredited bodies must also go through their own strict accreditation process to ensure they meet necessary requirements and are qualified to carry out audits in line with the Standard.
If you wish to verify if a certification body is accredited, you can do so by checking that it is a member of the national standards body ANAB (ANSI-ASQ National Accreditation Board). Every country has its own accreditation body, selected and appointed by the IAF (International Accreditation Forum). In the USA, it is ANAB.
Some certification bodies offer unaccredited certification, which may not become apparent until you confirm that they are a member of ANAB. These certification bodies do not need to conform with the strict measures put in place by the national accreditation body. Often the quality of the audits and certification process is questionable. Telltale signs of unaccredited certification is if the duration of the certificate exceeds the mandatory three years, or if the certificate is issued to more than one address.
Is there a list of ISO 27001 certified companies?
Although it may seem obvious to have a central list of all certified organizations, it’s not as simple as you might think. Bearing in mind the estimation of certified organizations is more than 33,000, the vast number of certification bodies, and the fact that certification lasts for 3 years, maintaining a list could prove challenging.
Some certification bodies do have their own database where you can verify a certificate, but such confirmation may not be enough on its own. A certificate may only be valid for your specific needs if awarded by an accredited issuing body.
It’s important to check the certificate’s expiry date and scope to ensure it meets all your needs, which you should find on the certificate itself. Vendors may not implement an ISMS across all business processes, departments, or locations, which could expose gaps for risks.