How can you validate a vendor that claims to have ISO 27001?

Attendees on the IT Governance ISO 27001 Certified Lead Implementer Masterclass frequently ask about ISO 27001 certificate validation. On our training courses, one of the valuable features is that we are there to answer related questions delegates may have during and after the course. I hope that the guidance below will prove useful to other ISO 27001 Lead Implementers and those looking to determine the weight to put on certificates of conformance provided by potential and existing suppliers.

Question: I want to validate the ISO 27001 certification for one of the vendors we are looking at. Could you tell me if there is a specific place I can search?

Unfortunately, there is no central register of all ISO 27001 certificates.

This means that confirming the validity of a certificate requires a little leg work, but the good news is that it is 100% certain to determine whether the claim of certification is valid and whether the certificate is issued from an accredited certification body.

1. Request a copy of the vendor’s certificate, including any annexes that are issued with it (the annexes may include further detail on the scope, locations that are covered, etc.).

2. Identify the name of the certification body that issued the certificate and the national accreditation body that accredited the certification body – this is likely to be in the form of a logo such as ANAB, UKAS, INAB, and so on.

3. Check that the accreditation body subscribes to the IAF (www.iaf.nu).  Technically, the ISMS scheme is not covered by the IAF yet, but that’s only a matter of time.

4. Contact the certification body to ask them to confirm the validity of the certificate. Some certification bodies do this through their website, whereas others check that their client is happy to share this information with you first.

5. Finally, if all of this works out and you are assured the certificate was issued under the accredited certification scheme, the last things to check are the same as discussed in the ISO27001 Lead Implementer Masterclass:

  • The scope of certification – Check that it covers all of the supplier’s business processes and locations that you are entrusting with your information. Many organisations restrict the scope in order to save on the cost of implementation or even the certification audit. As a result, this can compromise the extent of assurance that the certificate provides.
  • The date of issue and the date of expiry of the certificate – This gives you an idea of how mature the ISMS should be.  It is worth periodically confirming that the certificate is still valid because it can be withdrawn if the ISMS is not maintained appropriately.
  • The reference to the Statement of Applicability (SoA) – There should be a reference to the specific version of the SoA that your supplier was audited against, and you can request a copy. Some organisations exclude controls that you might expect to be in place and you will not be aware of this without reviewing the SoA. Of course, if they have excluded controls, then that is the start of another line of questioning: probing to find out which compensatory controls are in place to provide the same assurance and a residual risk that hopefully satisfies your needs. The certification body should confirm the scope, dates and version of the SoA in the information you request.

For more information on advanced ISO 27001 training, book a place on the next ISO27001 Lead Implementer Masterclass:

For more information on accredited certification bodies, visit www.itgovernance.co.uk/accredited-certification.aspx.

This post was first published February 2013 and has now been updated to reflect recent changes.

Share now…

Share on Twitter Share on Facebook Share on LinkedIn