Perils of ISO 27001 Certification
By Stuart Barker.
ISO 27001 is a comprehensive information security management standard for businesses of all sizes. To learn more about ISO 27001 [ISO/IEC 27001:2005], explore ISO 27001 an Overview. Here we explore the perils of ISO 27001 certification and the worrying fact that the certificate you have, or are about to get, may not be worth the paper it is printed on.
When is an ISO 27001 Certification Not an ISO 27001 Certification?
Implementing ISO 27001 can lead to certification in ISO 27001. The benefit of an ISO 27001 certification is that an independent party verifies and attests to your compliance with the standard. This level of assurance is what customers, from public bodies to commercial businesses, often ask for.
To be able to issue a certificate, a business should itself be accredited by an accreditation organisation. Herein lies the problem: there are not many of them. The process to become accredited is rigorous, the investment is significant, and accredited certification bodies are specialist, experienced businesses.
Not all ISO 27001 Certifications are Equal
So if you hold a certificate issued by an organisation that is not accredited to issue certificates and certify you, then from an audit perspective you are not certified. It's as simple as that.
To check whether the business that provided your certification is an accredited certification body, consult the register here: UKAS Certification
If they are not, check the terms of your engagement: it is very likely there is a clause in your terms of business or contract stating that you are not officially certified. Worrying, isn't it? You may as well have downloaded a Word template and printed your own certificate.
Mark Your Own Homework
Agenci is not an accredited certification body and we do not issue certification. There is a very good reason for that: we deliver and implement ISO 27001, and there is a rule in audit, as in life, that you don't mark your own homework. We do work with a number of accredited certification bodies such as the BSI Group, who also publish and sell the standard.
The questions they don’t want you to ask
Before you embark upon any programme of certification with a company that offers you a quick, cheap solution to ISO 27001 certification, including the issuing of the certificate itself, here are some questions you should ask them:
1. Are they a certification body accredited by UKAS or a similar accreditation organisation?
2. Do they provide you with solutions, documentation or implementation that they then certify themselves?
For additional peace of mind you might want to do a bit of due diligence on them. Try this free tool: Due Dil. You will be surprised what you can learn.
ISO 27001 Certification Conclusion
For ISO 27001 certification, use a UKAS accredited certification body. Anything else is just a waste of your time and money.