Organisations can gain certification for any number of frameworks and standards. Indeed, we regularly recommend certifying when implementing the likes of ISO 27001 and ISO 22301. But you’ll also hear us talk about ‘accredited certification’ – so what’s the difference?
What is certification?
Certification is the procedure by which a third party gives written assurance that a product, process, system or person has met specified requirements.
What is accredited certification?
Accredited certification is a written assurance provided by a third party that has been formally recognised by an accreditation body.
To gain accredited certification, organisations must make sure the certification body they are using has been accredited by the UK’s designated accreditation body, UKAS (United Kingdom Accreditation Service).
UKAS’s website provides a list of accredited certification bodies.
What’s the difference?
It’s easy to think of accredited certification as simply a better choice than non-accredited certification, but it’s really the only choice.
If a certification body isn’t accredited, there’s no way of knowing whether it’s applying the relevant framework or standard appropriately. There’s no one checking that its assessment practices are sound, so it could theoretically be handing out certifications to anyone who applies. As a result, certifications awarded by non-accredited bodies hold little weight.
By contrast, accredited certification proves that a well-respected organisation has verified that the person or organisation has met the relevant requirements. If a regulator, client or prospective employer requests that you are certified, they are almost always referring to accredited certification.
How hard is it to certify?
Gaining accredited certification shouldn’t be difficult if you’ve followed the requirements of the standard or framework you’re implementing.
All you need to do is select a certification body, which will send an auditor to review your documentation and business processes to confirm that you have the appropriate measures in place and that your organisation is following them.
If the auditor is satisfied, they will award your organisation a certificate. You can then proudly use it to demonstrate to stakeholders and potential clients that you are following information security best practices.
The time it takes an auditor to assess an organisation will depend on its size and type and the scope of the audit, but it usually takes days rather than weeks.
Get ready for certification
IT Governance is the ideal source for the help you need to gain any number of accredited certifications. We are independent of vendors and certification bodies, and are widely recognised among UKAS-accredited certification bodies as a leading consultancy provider. We’re listed on the:
- BSI Management Systems UK Associate Consultant Programme
- Bureau Veritas Certification approved list for the implementation and management of ISO 27001 and ISO 20000
- ISOQAR consultant database
- LRQA (Lloyd’s Register Quality Assurance) Consultant Network
- NQA consultant database
- DNV Consultant Gateway