How can you validate an ISO 27001 vendor?

I recently received an interesting question regarding ISO 27001 certificate validation from an attendee on the IT Governance ISO 27001 Certified Lead Implementer Masterclass. On our training courses, one of the value added features is that we are there to answer related questions delegates may have during and after the course.  I hope that the guidance below will prove useful to other ISO 27001 Lead Implementers and those looking to determine the weight to put on certificates of conformance.

Question: I want to validate the ISO 27001 certification for one of the vendors we are looking at. Could you tell me if there is a specific place I can search?

The www.iso27001certificates.com website is useful for confirming details of ISO 27001 accredited certificates, but it is not 100% accurate.

The other means of checking the validity of a certificate takes slightly longer, but is 100% certain to determine whether the claim of certification is valid and whether the certificate is issued from an accredited certification body.

Please follow the steps below:

  1. Request a copy of the vendor’s certificate, including any Annexes that are issued with it (the Annexes may include further detail on the scope, locations that are covered, etc.)
  2. Identify the name of the Certification Body that issued the certificate and the national Accreditation Body that accredited the Certification Body.
  3. Check that the Accreditation Body subscribes to the IAF: www.iaf.nu.  Technically, the ISMS scheme is not covered by the IAF yet, but it is only a matter of time until it is. For most organisations, this still indicates a suitable degree of assurance.
  4. Contact the Certification Body, asking that they confirm the validity of the certificate. Some certification bodies do this through their website, whereas others have a policy of checking that their client is happy to share this content with you first.
  5. Finally, if all of this works out and you are assured the certificate is issued under the accredited certification scheme, the last things to check are the same as discussed on the ISO27001 Lead Implementer Masterclass:
  • The scope of certification – Check it covers all of the supplier’s business processes and locations that you are entrusting with your information. Many organisations restrict the scope in order to save on the cost of implementation or even the certification audit. As a result, this can compromise the extent of assurance that the certificate provides;
  • The date of issue and the date of expiry of the certificate – This gives you an idea of how mature the ISMS should be and the latest date they hold certification for. It may be worth checking in the meantime, as certification can be withdrawn from organisations at any time if they fail to maintain their ISMS in accordance with the Standard;
  • The reference to the Statement of Applicability (SoA) – There should be a reference to the specific version of the SoA that your supplier was audited against, which you can request a copy of. Some organisations exclude controls that you might expect to be in place and without reviewing the SoA, you will not be aware of this. Of course, if they have excluded controls then that is the start of another line of questioning, probing which compensatory controls they have in place to provide the same assurance and a residual risk that hopefully satisfies your needs. The certification body should confirm the scope, dates and version of SoA in the information you request.

For more information on advanced ISO27001 training, book onto the next ISO27001 Lead Implementer Masterclass available as:

For more information on Accredited Certification Bodies visit www.itgovernance.co.uk/accredited-certification.aspx.

Share the joy
  •  
  •  
  •  
  •  
  •  
  •  

Share your thoughts