If you are looking for a certification body to assess your organisation for ISO 27001 compliance, common sense says you should first check that the body itself has the credentials to deliver a credible assessment. Unfortunately, many organisations do not take sufficient care when selecting a certification partner. Many assume, mistakenly, that an organisation calling itself a certification body must somehow be qualified to use that title. Sadly, this is not always true.
The finance sector has the FCA and travel companies have ABTA, but there is no equivalent regulatory body for ISO 27001 certification bodies. Because of this, there is no protection for those who select the wrong partner, so it is vitally important to choose the right one before signing up. To this end, we would always recommend engaging a UKAS accredited certification body.
What is UKAS?
UKAS stands for United Kingdom Accreditation Service. UKAS is appointed by the government as the UK's sole National Accreditation Body (NAB). Its role is to ensure that certification bodies meet the ISO/IEC 17021 standard for bodies providing audit and certification of management systems. Achieving UKAS accreditation involves a rigorous review of the certification body's management system, policies and procedures. Certification bodies must also pass a test of competence through witnessed assessments, in which UKAS observes their auditors at work to confirm that they perform to the expected level. This process is repeated annually to ensure that standards are maintained. It is lengthy and expensive for the certification body, but it provides assurance that organisations seeking certification to ISO 27001 are being assessed correctly.
Not All ISO 27001 Certification Bodies Are Created Equal
When it comes to ISO 27001, the UK is the second largest adopter of the standard, driven largely by pressure from heavily regulated sectors on their supply chains. Unfortunately, some organisations have sought to profit from the UK's growing appetite for ISO 27001 by issuing certificates when they have little or no reasonable qualification to do so.
Companies holding non-UKAS certificates can end up frustrated when the certificate is rejected by the very customers and partners they wanted to impress. It can have the complete opposite of the desired effect and actually damage the credibility of the organisation presenting it.
There are some clues to look out for when selecting an ISO 27001 certification body. A body that both consults on building your information security management system and then audits it clearly undermines its own impartiality, and combining the two roles is forbidden for a certification body that wants to hold UKAS accreditation. A simple check is to confirm that the body appears in the public directory of accredited organisations on the UKAS website, and that any certificate it issues carries the UKAS accreditation symbol alongside the body's own mark; a certificate bearing only the certification body's logo is not an accredited certificate.
You may be under pressure from tender requirements to become ISO 27001 certified as quickly as possible, but be wary of those seeking to take advantage of a hurried decision with unexpectedly low pricing and certification promised within a few days. A genuine assessment requires time to review the management system and to audit its operation, and a promise of a certificate in days is a sign that little or no assessment will take place.
Opting for UKAS accredited certification means that your ISO certificate will be recognised internationally, because UKAS participates in the mutual recognition arrangements between national accreditation bodies. It ensures credibility in competitive situations and gives you ongoing access to experienced, qualified assessors who will help you maintain a compliant, efficient information security management system.