How can you validate a vendor that claims to have ISO 27001?

On our ISO 27001 Certified Lead Implementer Masterclass, we are often asked how to validate an ISO 27001 vendor, so we decided to share our guidance in this blog post:

How to validate an ISO 27001 vendor

Unfortunately, there is no central register of all ISO 27001 certificates.

This means that confirming the validity of a certificate requires a little legwork, but the good news is that it is possible to determine with 100% certainty whether the claim of certification is valid and whether the certificate was issued by an accredited certification body.

1. Request a copy of the vendor’s certificate, including any annexes that are issued with it (the annexes may include further detail on the scope, locations that are covered, etc.).

2. Identify the name of the certification body that issued the certificate and the national accreditation body that accredited the certification body – this is likely to be in the form of a logo such as ANAB, UKAS, INAB, and so on.

3. Check that the accreditation body subscribes to the IAF (www.iaf.nu).

4. Contact the certification body and ask them to confirm the validity of the certificate. Some certification bodies do this through their website, whereas others first check that their client is happy to share this information with you.

5. Finally, if all of this works out and you are assured the certificate was issued under the accredited certification scheme, the last things to check are the same as discussed in the ISO27001 Lead Implementer Masterclass:

  • The scope of certification – Check that it covers all of the supplier’s business processes and locations that you are entrusting with your information. Many organisations restrict the scope in order to save on the cost of implementation or even the certification audit. As a result, this can compromise the extent of assurance that the certificate provides.
  • The date of issue and the date of expiry of the certificate – This gives you an idea of how mature the ISMS should be. It is worth periodically confirming that the certificate is still valid because it can be withdrawn if the ISMS is not maintained appropriately.
  • The reference to the Statement of Applicability (SoA) – There should be a reference to the specific version of the SoA that your supplier was audited against, and you can request a copy. Some organisations exclude controls that you might expect to be in place and you will not be aware of this without reviewing the SoA. Of course, if they have excluded controls, then that is the start of another line of questioning: probing to find out which compensatory controls are in place to provide the same assurance and a residual risk that hopefully satisfies your needs. The certification body should confirm the scope, dates and version of the SoA in the information you request.

For more information on advanced ISO 27001 training, book a place on the next ISO27001 Lead Implementer Masterclass:

For more information on accredited certification bodies, visit www.itgovernance.co.uk/accredited-certification.

This post was first published February 2013 and has now been updated to reflect recent changes.
