ISO 27001: Is your certification legitimate?

If you’re among the many organisations that have certified to ISO 27001, you will have gone through the assessment process and received a certificate demonstrating that your information security management system (ISMS) meets the Standard’s requirements.

Certification enables organisations to assure customers and clients that their ISMS has been independently assessed against the Standard. Unfortunately, there are instances where a certificate isn’t all that it seems to be. For the document to be considered legitimate, it needs to be awarded by a certification body that is itself accredited to perform ISO 27001 audits; a certificate issued by an unaccredited body, or self-declared by the organisation, carries no such assurance.

Checking the legitimacy of a certificate

There are a handful of steps you can go through to check whether your organisation, or an organisation you work with, is legitimately certified to ISO 27001:

  1. Locate the certificate. There is no central register for ISO 27001 certificates, but all the information you need (organisation name, certificate number, scope, issue and expiry dates, certification body and accreditation mark) will be on the document itself. Third parties can request a copy of the organisation’s certificate.
  2. Identify the name of the certification body or registrar that issued the certificate and the national accreditation body that recognised the certification body. This will probably be in the form of a logo for ANAB, UKAS, INAB, etc.
  3. Check that the accreditation body is a member of the IAF (International Accreditation Forum) and a signatory to its Multilateral Recognition Arrangement (MLA) for management system certification.
  4. Contact the certification body to ask them to confirm the validity of the certificate, quoting the certificate number. Some certification bodies do this through an online directory on their website, but others require more details before proceeding.

If everything is in order, you can be confident that the certificate is legitimate: it was issued by an accredited body and is recognised by that body as valid.

But is it still accurate?

A certificate awarded by an accredited body only proves that the organisation’s ISMS conformed to ISO 27001 at the time of the audit, and only within the scope stated on the certificate. Things can change quickly, so it’s worth checking the scope of the certification. You should make sure it covers all of the relevant business processes, systems and locations, in particular the service or site you actually rely on. Many organisations restrict the scope (for example, to a single office, data centre or business unit) to save on the cost of implementation or the certification audit. This can compromise the extent of assurance that the certificate provides.

You should also look for the date of issue and expiry. Certificates always come with an expiry date (usually no longer than three years after they were issued), and accredited certification bodies carry out surveillance audits during that period. If the document is out of date, the organisation has either fallen out of compliance or failed to seek reassessment. A certificate can also be suspended or withdrawn before its expiry date, which is another reason to confirm its current status with the certification body rather than relying on the dates alone.

You might need to conduct an audit

If you’re concerned that your organisation has fallen out of compliance with ISO 27001, you will need to conduct an internal audit or gap analysis. This will involve thoroughly checking your organisation’s policies, processes and controls, and comparing them to the Standard’s requirements.

The audit and gap analysis process can be very complicated, particularly as your organisation’s compliance posture might not have been reviewed since you first certified to the Standard. Those who don’t know where to begin might consider getting advice from one of our ISO 27001 consultants.

Drawing on our unique blend of practical information security know-how and proven management system consultancy expertise, we can help you with whatever issues you face. This includes helping you with your gap analysis and internal audit. We also offer DIY consultancy, in which we provide you with core implementation tools, books, risk assessment software, training courses and 40 hours of structured consultancy.

Speak to an expert >>