There are a number of steps that need to take place before an organization can embark on their ISO 27001 certification journey. Perhaps the most important is to determine which certification body to work with.
A certification body (CB) is an organization that provides certifications around a chosen standard. They can either be an Accredited CB or an Unaccredited CB. Although there are admittedly minor differences between the two, the outcome of your ISO/IEC 27001:2013 certification, and how you are able to leverage it, could vary drastically.
In this blog, we’ll explore the different certification bodies, and explain why choosing the right one matters.
ISO/IEC 27001:2013 (ISO 27001) is a cybersecurity framework established by the International Organization for Standardization (ISO), focused on building an information security management system (ISMS) within your organization. An ISMS helps organizations manage the security of all data, ranging from financial information to intellectual property (IP) or other confidential information.
ISO 27001, specifically, is a risk-driven standard that centers on data confidentiality, integrity and availability. Because it’s built around the process of monitoring and improving information security, its intent is to help organizations improve their approach to data security in a more holistic manner.
This is of particular importance for organizations looking to more efficiently reduce risk, optimize operations, and build a culture of information security. In fact, the standard also helps in implementing controls specific to an organization’s unique risks and assets, rather than applying general guidance in a one-size-fits-all approach.
As mentioned above, there are Accredited CBs and Unaccredited CBs that organizations can choose to work with in order to obtain their ISO 27001 certification.
An Accredited CB must complete an extremely rigorous evaluation process through an accreditation body to ensure the certification audit it conducts is performed in accordance with the audit requirements. The evaluation process reviews the competence of the audit team, the audit methodology used by the certification body, and the quality control procedures in place to ensure both the audit and report are properly completed.
It’s worth noting that organizations that use an Accredited CB for certification will receive their ISO 27001 certificates with the accreditation body and IAF seal included. This illustrates that the certification body holds an accreditation certificate and is accepted worldwide.
Unlike an Accredited CB, an Unaccredited CB is not audited to confirm its compliance with IAF certification audit requirements.
In some cases, it will be critically important for organizations to determine their clients’ expectations. If an organization is pursuing an ISO 27001 certification to meet a client need, it should also confirm whether the client requires an accredited certificate or will accept a certificate from an Unaccredited CB.
The ISO 27001 certification process is a detailed and intensive assessment that requires organizations to illustrate conformance to the standard across seven mandatory clauses and 114 Annex A controls. No organization wants to needlessly go through the process twice by working with an Unaccredited CB when a certificate from an Accredited CB is required.
Certification bodies are accredited to ISO/IEC 17021:2015 and ISO/IEC 27006:2015 in order to issue ISO/IEC 27001:2013 certificates. Many national accreditation bodies provide accreditation to CBs for ISO 27001. Here is a deeper look at a few of the major players: ANAB, RvA, and UKAS.
The ANSI National Accreditation Board (ANAB) is the largest accreditation body in North America, providing services to more than 75 countries. ANAB’s mission is to be a “leader in guiding the international development of accreditation processes that build confidence and value for stakeholders worldwide.” ANAB aims to do this by “providing high quality and reliable accreditation services with the most professional value-added services for customers and end users.”
Obtaining an ANAB accreditation for CBs has a number of benefits, including assurance of competence and reliability, and increased confidence from suppliers, partners and vendors. These result from the regular, impartial, and independent audits conducted by an internationally respected body.
The Dutch Accreditation Council (RvA) is the accreditation body in the Netherlands (worth noting, each member state in the European Union has its own accreditation body). The RvA’s primary focus is to ensure justified trust in the quality of products and services. It does so by “accrediting and renewing the accreditations of conformity-assessment bodies.”
The benefits of an RvA accreditation for CBs include greater trust and increased opportunities for international trade since the accreditation mark is recognized and accepted worldwide.
The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the UK. Its mission is to instill trust and confidence in the products and services widely used each day.
The benefit for CBs obtaining UKAS accreditation is that UKAS demonstrates the competence, impartiality and performance capability of the evaluators. Basically, UKAS describes itself as “checking the checkers,” which in turn allows certified organizations to establish a stronger sense of trust around data security with their customers.
Although there are many accreditation bodies located throughout the world, there is little difference among the primary three. This is because all accreditation bodies follow similar processes to accredit CBs based on alignment with the checks and balances established by organizations like the IAF.
The International Accreditation Forum (IAF) serves as the regulator for national accreditation bodies, including ANAB, RvA, and UKAS. Its primary function is to “develop a single worldwide program of conformity assessment which reduces risk for businesses and their customers by assuring them that accredited certificates and validation and verification statements may be relied upon.”
Basically, the IAF oversees the activities of the accreditation bodies to ensure they maintain the required standards when providing accreditation to CBs.
Most accreditation bodies are represented within the IAF and are committed to upholding the trust and validity of accreditation bodies in their efforts to provide accreditation to CBs.
Certification bodies undergo a stringent process of annual office and witness audits. Many accreditation bodies will offer numerous training sessions for both individuals and organizations to not only stay educated on evolving standards, but to also maintain accreditations.
The ANAB, for example, offers a variety of training sessions focused on expanding knowledge of certain standards and mandatory documents.
With an ISO 27001 certification, your organization can gain significant benefits, including building a culture of information security and diligence, and meeting additional security compliance requirements. And when you leverage an accredited certification body to help you achieve your ISO 27001 certification, your certification creates a stronger sense of trust and acceptance with customers worldwide.
Zeroday is an ANAB-accredited ISO/IEC 27001:2013 certification body that helps organizations meet their ISO certification needs.