If you plan to implement an information security management system (ISMS) and certify to ISO 27001, you will need to identify a certification body to carry out your Stage 1 and Stage 2 audits, certification audits and annual surveillance audits.
It is also worth noting that the ISO 27001 standard was recently updated to ISO 27001:2022. With this came a raft of changes to the ISO 27001 control set. A transition period of around three years is expected to allow the changes to be implemented, but certification bodies will also need some time to interpret and adopt the new standard and the changes the new control set brings. This means that certification bodies are not likely to be offering assessments against the updated standard for a period of 3-6 months from the date it was published. Nevertheless, it’s helpful to understand the changes before engaging a third-party ISO certification body.
What is a certification body?
In the world of ISO, certification is the process of verifying that an organisation meets the requirements of the relevant ISO standard. You may plan to carry out internal ISO 27001 audits in-house or by engaging an external ISO 27001 consultant, but following that, you then need a certification body to assess and issue the certificate.
There are many certification bodies to choose from, of different sizes, experiences and specialisations. So how should you choose the certification body that is the right fit for your organisation?
UKAS vs Non-UKAS accredited certification bodies
Technically speaking, anyone can issue you with a certificate of compliance, but only some organisations are officially accredited (i.e., licensed) to do so.
The United Kingdom Accreditation Service (UKAS) is the only government-appointed accreditation body in the UK. While it is the International Organization for Standardization, aka ISO, that sets the requirements of a standard, it is UKAS that oversees them in the UK at the top level. Certification bodies visit organisations to validate that they are correctly applying a standard; UKAS, in turn, reviews certification bodies to ensure that they and their assessors are performing at the expected level.
This ensures consistency amongst UKAS-accredited certification bodies, as they should all be working to the same standard.
A non-UKAS-accredited certification body can still issue an ISO certificate, but it may hold less value in the eyes of prospective clients and suppliers, on the basis that it may not follow the consistent approach to certification promoted by UKAS and is not recognised by the UK Government. Alcumus ISOQAR recently published a blog, Buyer beware: Why it has to be UKAS, which will help in understanding the importance of choosing a UKAS-accredited certification body.
Cost: Certification bodies have their own market focus and pricing strategies, so costs can vary considerably between them. You may want to check whether costs for travel, accommodation and admin fees are included. While cost is clearly an important factor, it should not be the sole basis of your decision.
Specialisation: It is important to find a certification body that is suited to your organisation’s industry, size and maturity. The specialisation of a certification body and its auditors should also be considered, especially in more niche industries. A certification body that specialises in manufacturing companies may not be the best fit for a FinTech organisation and vice versa.
Location: It may seem obvious, but the location of the certification body is also important. If you have offices abroad that are within the scope of your Information Security Management System (ISMS), a certification body that only has UK-based auditors may not be the best choice. Be sure to check that a certification body can support all your in-scope locations before making a decision.
Integration: If you have any plans to certify to multiple standards, for example, ISO 27001 and ISO 9001, you may want to consider implementing an Integrated Management System, thus exploiting the synergies that exist between both standards. In doing this, you can ask your certification body to perform an integrated audit, instead of appointing separate certification bodies for each standard, or going through multiple audits. Doing so saves time and money and is generally easier to manage. If this is relevant to you, it’s important to check that the certification bodies you approach offer this as a service.
Requesting quotes from certification bodies
It is recommended to obtain quotes for certification from more than one certification body before making your choice. Many will provide questionnaires for you to populate to help them tailor a quotation; in general, you will need to provide the following information as a minimum:
- Name / address / website / Companies House registration
- Primary activity
- Number of staff and their functions
- Number of locations in scope and their headcount
- Dependencies on cloud-based services and outsourced development
- Specific legislative or regulatory requirements
- Type of information in scope
- Target certification scope statement
- Special arrangements needed to allow the assessor to conduct the audit, for example security clearances
- Target date for certification
Hints and Tips
The process of approaching certification bodies and making the right choice for your organisation can be daunting. Ultimately, it should be treated as a commercial relationship, whereby you will enter into a contractual agreement with the certification body. Here are some tips to help you navigate to the right decision.
Do your research
Seek recommendations, look for reviews, visit certification bodies’ websites and their FAQs, check their client base and, where possible, obtain feedback or references from these clients.
Most certification bodies will welcome the opportunity to discuss your requirements and to convince you why you should choose them over their competitors. Treat this as a chance to find out not just about their services, but also their auditors and their experience, their maturity and their focus as an organisation.
Define your criteria
It is important to understand the benefits your organisation wants to achieve by certifying to a standard. Use this to create a set of criteria to shortlist your selected certification bodies. For example, if you manufacture products in several different countries, your criteria could be a certification body that actively supports your required locations, and either specialises in or has experience with your industry or sector.
It is recommended to begin the process of choosing a certification body early in your implementation – you do not have to wait until your implementation is complete! Not only will this allow you to schedule your Stage 1 and Stage 2 assessments far in advance to ensure the availability of auditors, but having a target end date will also give you the opportunity to better structure your implementation and help you validate the scope and boundaries of your ISMS with the certification body.
Need help choosing an ISO certification body?
Evalian can support you through all stages of an ISO implementation and more specifically ISO 27001, ISO 9001, ISO 22301 or indeed any combination of these three standards. We will also assist you in finding the certification body that is right for you. We take the heavy lifting off your shoulders by collating and providing the necessary information, requesting and obtaining quotations and facilitating meetings to ensure the suggested certification bodies meet your requirements.
Please note: Evalian is not affiliated with, and has no commercial relationship with, any certification body, and does not receive compensation from any of the certification bodies we obtain quotes from. This ensures our objectivity and impartiality – our focus is on finding the right certification body for you.
If you’re still not sure whether ISO 27001 is right for you, we also discuss the business benefits of ISO 27001 certification. Got questions? We are happy to advise you and provide a no-obligation quote. You can also download our free Guide to ISO 27001, written by our lead ISO 27001 auditors.