How to check if a company is ISO 27001 certified

With cyber-attacks on the rise, it’s natural that we are all becoming more clued up on cybersecurity. It seems there is no rhyme or reason to these cyber-attacks, with all industries and organizations of any size and type being affected.

Many organizations require their contractors, suppliers and clients to be ISO 27001 certified in order to avoid data breaches and the fines that come with them.

ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). Effective information security risk management is a cornerstone of an ISO 27001-conformant ISMS.

Compliance with the Standard does not require organizations to independently certify their ISMS. Certification involves an independent audit from an accredited certification body. There are numerous benefits for organizations wishing to opt for certification.

The most important benefit is that it offers potential and existing clients the assurance that the organization is following information security best practice. This assurance gives clients peace of mind that security risks are being treated effectively.

Download ‘Cybersecurity and ISO 27001 – Reducing your cyber risk’ to learn how smart organizations are protecting their reputations and their critical information assets while winning new business with ISO 27001 certification.

How do you know whether the certificate or the certification body is legitimate?

The best way to validate a potential vendor’s certification is to ask for a copy of their certificate. Any organization with accredited certification should be happy to provide one. It is, however, essential to check that the certificate has been issued by an accredited certification body.

How do you assess whether the certification body is accredited?

Accredited bodies must also go through their own strict accreditation process to ensure they meet necessary requirements and are qualified to carry out audits in line with the Standard.

To verify whether a certification body is accredited, check whether it is a member of ANAB (ANSI-ASQ National Accreditation Board).

Every country has its own accreditation body, selected and appointed by the IAF (International Accreditation Forum). In the USA, it is ANAB.

Some certification bodies offer unaccredited certification, which may not become apparent until you check whether they are a member of ANAB.

These certification bodies do not need to conform with the strict measures put in place by the national accreditation body.

Often the quality of the audits and certification process is questionable. Telltale signs of unaccredited certification are a certificate whose duration exceeds the mandatory three years, or a certificate issued to more than one address.

Is there a list of ISO 27001 certified companies?

Although it may seem obvious to have a central list of all certified organizations, it’s not as simple as you might think.

With over 33,000 certified organizations and a 3-year certification period, maintaining a central list of certified organizations would be challenging.

Some certification bodies do have their own database where you can verify a certificate, but such confirmation may not be enough on its own. A certificate may only be valid for your specific needs if awarded by an accredited issuing body.

It’s important to check the certificate’s expiry date and scope to ensure it meets all your needs, which you should find on the certificate itself.

Vendors may not implement an ISMS across all business processes, departments, or locations, which could leave gaps in coverage and therefore unmanaged risks.
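The checks described above (accredited issuing body, expiry date, the three-year certificate duration, a single certified address, and a scope that covers what you actually need from the vendor) collected into one triage routine. This is an added Python example, not code from the original page; the accredited-body names, the certificates and the required scope terms are constructed placeholders, and the `ACCREDITED_BODIES` set stands in for looking the issuer up in ANAB's own listing, which is the authoritative check.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List

# Constructed placeholder directory. In practice, confirm the issuer against the
# national accreditation body's published listing (ANAB in the USA) rather than a local set.
ACCREDITED_BODIES = {
    "Example Certification Body A",
    "Example Certification Body B",
}


@dataclass
class Certificate:
    """Fields a reviewer would read off the vendor's certificate copy."""
    holder: str
    issuing_body: str
    issued: date
    expires: date
    addresses: List[str]
    scope: str


def _plus_three_years(d: date) -> date:
    """Latest permitted expiry for a certificate issued on date d (three-year cycle)."""
    try:
        return d.replace(year=d.year + 3)
    except ValueError:  # issued on 29 February; fall back to 28 February
        return d.replace(year=d.year + 3, day=28)


def check_certificate(cert: Certificate, required_scope_terms: List[str], today: date) -> List[str]:
    """Return a list of 'CODE: detail' findings; an empty list means no red flags were found."""
    findings: List[str] = []

    # 1. The issuing body must hold accreditation; unaccredited certification is the main risk.
    if cert.issuing_body not in ACCREDITED_BODIES:
        findings.append(f"ISSUER: '{cert.issuing_body}' is not in the accredited-body directory")

    # 2. The certificate must still be in date.
    if cert.expires < today:
        findings.append(f"EXPIRED: certificate expired on {cert.expires.isoformat()}")

    # 3. A validity period longer than three years is a telltale sign of unaccredited certification.
    if cert.expires > _plus_three_years(cert.issued):
        findings.append(
            f"DURATION: validity {cert.issued.isoformat()} to {cert.expires.isoformat()} exceeds three years"
        )

    # 4. A certificate issued to more than one address is another sign flagged above.
    distinct_addresses = {a.strip().lower() for a in cert.addresses}
    if len(distinct_addresses) > 1:
        findings.append(f"ADDRESSES: certificate lists {len(distinct_addresses)} addresses")

    # 5. The scope must cover the processes, departments or locations you depend on.
    scope_text = cert.scope.lower()
    missing = [term for term in required_scope_terms if term.lower() not in scope_text]
    if missing:
        findings.append(f"SCOPE: scope does not mention {', '.join(missing)}")

    return findings


def finding_codes(findings: List[str]) -> List[str]:
    """Extract just the CODE part of each finding, useful for summaries and tests."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed sample certificates (placeholder holders, bodies and addresses).
CLEAN_CERT = Certificate(
    holder="Acme Widgets Ltd",
    issuing_body="Example Certification Body A",
    issued=date(2023, 5, 1),
    expires=date(2026, 4, 30),
    addresses=["1 Main Street, Springfield"],
    scope="Development and hosting of the Acme SaaS platform",
)

SUSPECT_CERT = Certificate(
    holder="Placeholder Vendor Inc",
    issuing_body="Unlisted Certifiers LLC",
    issued=date(2020, 1, 1),
    expires=date(2025, 12, 31),
    addresses=["10 First Avenue, Metropolis", "22 Second Road, Gotham"],
    scope="Head office operations",
)


if __name__ == "__main__":
    review_date = date(2026, 1, 15)
    for cert in (CLEAN_CERT, SUSPECT_CERT):
        result = check_certificate(cert, ["hosting"], review_date)
        print(cert.holder, "->", result or "no red flags")
```

Each finding maps to one of the checks on this page, so a reviewer can hand the vendor a specific question ("your certificate appears to run for more than three years; which accreditation does the issuer hold?") rather than a vague request. The scope check is a plain substring match on what the reviewer requires; read the scope statement yourself as well, since wording varies between certificates.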

For more information on ISO 27001 certification, speak to our experts.