When seeking to achieve certification to ISO 27001, organizations should avoid non-accredited certification bodies.
Why? Non-accredited certification bodies typically offer a service that includes both consultancy and certification.
No formally accredited ISO 27001 certification body will offer this type of service, as the international ISO framework recognizes the obvious conflict of interest when a single organization assesses its own work while also offering advice/consultancy.
Non-accredited certification bodies – and those that claim to be accredited without the recognized scheme – may not be subject to regular performance, quality, and competence monitoring by a national accreditation body, such as ANSI-ASQ National Accreditation Board (ANAB).
Additionally, non-accredited certification bodies (and those that claim to be accredited without the recognized scheme) usually do not operate in line with the international standards that set out requirements for certification bodies (e.g., ISO/IEC 17021).
For peace of mind, organizations should look to ANAB. ANAB assesses and accredits certification bodies that audit and certify organizations conforming to management system standards across many industries – from information security and telecommunications to aerospace and food safety.
List of ISO 27001 accredited certification bodies (updated for 2022)
These are all ANAB-accredited certification bodies for ISO 27001:
- ABS Quality Evaluations
- BARR Certifications
- BSI Global
- Cadence Assurance
- ControlCase Assessments
- Consilium Labs
- Frank, Rimerman Information Security
- Marcum LLP
- Orion Registrar
- PRI Registrar
- Schellman Compliance
- SRI Quality System Registrar
- TÜV Rheinland
As this list is subject to change, we recommend that you use ANAB’s directory to confirm that a certification body has a valid ANAB accreditation certificate.
How to choose a certification body
Your main concern when choosing a certification body will probably be the fee, but there are a few other things you should consider as well.
For a start, you should make sure that the certification body is accredited and has a good reputation within your industry.
Remember, some certification bodies specialise within certain sectors. That means the auditor might have plenty of experience in, say, the retail industry, but aren’t aware of the specifics of your business.
As a result, you’ll end up losing time explaining the ins and outs of your organisation – an issue you won’t face if you select an auditor who is well-versed in your industry’s practices.
That’s not to say that the most expensive option is always the best, or that the least expensive version is the worst. It’s about finding someone with the knowledge and experience that’s right for your organization.
Need help achieving ISO 27001 certification?
Our ISO 27001 implementation checklist will provide you with a step-by-step process to best implement and achieve ISO 27001 certification.
IT Governance USA can also help with a variety of our tools and services.
- ISO 27001 Cybersecurity Toolkit: Have all the documentation templates in hand to streamline the implementation project
- ISO 27001 Gap Analysis: Obtain a specialist, in person review of your current information security posture against the requirements of ISO/IEC 27001:2013
- Certified ISO 27001 ISMS Lead Implementer Training Course: Find out how to scope the ISMS effectively by attending the definitive ISO 27001 Lead Implementer course
- ISO 27001 bespoke consultancy: Achieve certification as quickly and cost-effectively as possible with our made-to-measure service