That question really caught my eye because I have wondered exactly that. So thanks to IT Governance USA Blog for a very helpful post answering that question. Many organizations, especially large ones, require their contractors, suppliers, clients – or just about anyone that may handle their sensitive information – to hold an ISO 27001 certification.
ISO 27001 is the internationally recognized standard that sets forth the requirements for an ISMS (information security management system). Effective information security risk management is a cornerstone of an ISO 27001-conformant ISMS.
Certification involves an independent audit from an accredited certification body. There are numerous benefits for organizations wishing to opt for certification. The most important benefit is that it offers potential and existing clients the assurance that the organization is following information security best practices.
If you are tasked with vetting potential vendors to validate their certification, you can simply ask the vendor for a copy of their certificate – any organization with accredited certification should oblige. It is, however, essential to check that the certificate has been issued by an accredited certification body.
How do you do that?
Certification bodies must themselves go through a strict accreditation process to ensure they meet the necessary requirements and are qualified to carry out audits in line with the standard. To verify that a certification body is accredited, check that it is a member of the national accreditation body; in the USA that is ANAB (ANSI-ASQ National Accreditation Board). Every country has its own accreditation body, selected and appointed by the IAF (International Accreditation Forum).
Some certification bodies offer unaccredited certification, which may not become apparent until you check whether they are a member of ANAB. Such certification bodies do not need to conform to the strict measures put in place by the national accreditation body, and the quality of their audits and certification process is often questionable. Telltale signs of unaccredited certification are a certificate whose duration exceeds the mandatory three years, or a certificate issued to more than one address.
Is there a list of ISO 27001 certified companies? A good question without a good answer.
Although it may seem obvious that there should be a central list of all certified organizations, it's not as simple as you might think. Bearing in mind the estimated number of certified organizations is more than 33,000, the vast number of certification bodies, and the fact that certification lasts for 3 years, maintaining a list would be difficult.
It's important to check the certificate's expiration date and scope, both of which you should find on the certificate itself, to ensure it meets all your needs. Vendors may not implement an ISMS across all business processes, departments, or locations, and anything outside the certified scope is a gap in the assurance the certificate provides.
This post certainly helped answer a lot of my questions – clients are always asking us to verify certifications – easy in some cases and harder than threading the eye of a needle in others.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology