Before choosing an ISO certification body for your ISO 27001 certification you need to understand the reasons for obtaining the certificate. Many organisations want the ISO certificate to demonstrate to clients and partners that they take information security seriously. Others have requirements for certification to allow them to bid for certain contracts. There are a few rare clients who want the ISO certification as part of the process of organising and managing information security. It does have the added benefit of allowing senior management to understand what is going on with regard to information security.
UKAS Accredited Auditors
Once the reasons why certification is required are clear, there are quite a few things that may influence your selection of an ISO 27001 Certification Body for your ISO 27001 audit, but the one main concern that always seems to be topmost remains “is the audit company UKAS Accredited?” If you are new to ISO certification then this might not mean very much, so let me explain.
All companies who issue ISO certificates (let’s call them ‘Auditors’) should be accredited by their national or regional accreditation service. The role of the accreditation service is to ensure that Auditors who issue ISO 27001 certificates meet the relevant internationally specified standards in how they operate and how they assess their clients.
Not all Auditors are the same
The basic premise is that, with internationally specified standards, all Auditors who issue ISO 27001 certificates will be operating to the known standard and are therefore equally trustworthy. Unfortunately, in practice, the quality of Auditors issuing ISO 27001 certificates varies. This affects the level of trust people place in the certificates they issue.
One of the quirks of the current system is that an Auditor can work here in the UK but be accredited by another national accreditation body. Everything might be 100% correct at the home office but that national accreditation body might not have any visibility of what the Auditors are doing outside of their jurisdiction.
The majority of Auditors (wherever they have been accredited) will provide a good, consistent service with comparable results to other Auditors. However, there are a few audit companies I have come across whose virtue is, shall we say, negotiable. Most of these select few companies were not accredited in the UK. They nearly always undercut their competitors on price too.
If you only require an ISO certificate to put up on your website and be safe in the knowledge that it will not be scrutinised, then one of these low-cost Auditors may be of interest. While you might make a small saving in the external audit it could cost you quite a bit more in the long run. The reason for this will be explained later.
UKAS – ISO certificates only accepted
Some Government departments and military-aligned organisations will only accept ISO certificates from UKAS accredited audit companies. I think this may be as a result of variable quality in the approaches of ISO auditors who have been accredited in other jurisdictions. Perhaps I’m being overly polite here, but there seems to be more inherent trust in an ISO certificate issued by a UKAS Accredited Audit Company.
It just occurred to me that I have not said who UKAS are. In their own words “UKAS is the UK’s National Accreditation Body, responsible for determining, in the public interest, the technical competence and integrity of organisations such as those offering testing, calibration and certification services.” It’s not often you hear integrity being mentioned but there it is. Perhaps that is why there is more trust in an ISO certificate issued by a UKAS accredited company.
You’ll benefit from a UKAS accredited auditor
One of the things you must demonstrate with a proper ISO 27001 Certification is that the Information Security Management System (ISMS) is working as it should and has become ingrained in the normal operational processes of the company. This is important because, when an information security incident occurs (and it will), the company will be able to react and control the response to the incident. This will help to minimise the incident’s impact and ultimately its cost to the organisation.
Where a company has opted for a cheap and cheerful ISO 27001 Audit with a guaranteed certificate, they may have made a saving on the external audit cost. However, they could pay dearly for it when the inevitable security incident occurs. If a company is only paying lip-service to the ISO 27001 requirements, it will be very badly prepared to deal with a significant security incident. This may escalate the impact of the incident and the associated costs.
Show that you’re taking information security seriously
There is another element to this of course, and that is GDPR. Information security suddenly takes centre stage when personally identifiable information is involved, as potential fines on the company have a way of gaining management’s attention. An ISMS that is externally audited by a UKAS Accredited Auditor is documentary evidence that the company is taking information security seriously. This might be important if the ICO pays a visit after a data breach.
My advice to any client is to go for a UKAS Accredited Audit company. If you have multiple ISO certifications (for example ISO 9001, 14001, 27001, etc.), try to find a company that can cover all or most of them. There may be cost savings in doing so, without impacting on the quality and integrity of the service you receive.
People will want to trust the ISO certificate you proudly display on your website and office wall. If you choose the ISO certification body correctly, they will.
Risk Crew ISO Consultancy Service
We provide ISO 27001 consultancy services and are happy to provide you with recommended Auditors. If you have any questions on the certification or the audit process, please contact us; we love chatting on the subject.