Does an ISO27001 certificate mean anything?

A supplier has sent you an ISO27001 certificate. Great, but does it really mean very much to you?

I am sure it means something, but there are several checks you could undertake to determine whether an ISO27001 certificate has any meaning and relevance to you. How many of these you undertake will depend on many factors, including your assessment of the importance of the supplier.

You are very unlikely to do all of them, but some possible checks and activities are:

1) Do you have the whole certificate? Some run to several pages. Make sure you have all of it. It should list all the locations in the scope.

2) Check the date on it. Has it expired?

3) Check the certificate and scope statement carefully. Does it cover the locations, business processes, organisation name, systems, etc. that are relevant to you? Does it cover the same legal entity that is delivering services to you? Do not assume that because an organisation has ISO27001 it covers the service it is giving to you. If in doubt, ask for clarification.

4) As well as the scope statement on the certificate, some organisations also have a more detailed scope document, which they may not be prepared to send you. But there is no harm in asking for it if you think the scope statement is not clear enough for you.

5) The certificate will state the name of the Certification Body (CB), i.e. the organisation that audited the supplier and issued the certificate. Contact the CB and ask them to confirm that the ISO27001 certificate is valid: the certificate may be false(!) or may have been withdrawn before its expiry date. Some CBs have web sites where you can do this check; if not, email them and ask. The rules governing how CBs must operate require them to provide a mechanism for people to check that a certificate is valid.

6) Look on the certificate to find out who has accredited the CB. This is the organisation (the accreditation body) that has “accredited” the CB to issue certificates; in the UK, for example, this is most likely to be UKAS. Look on the web site of the accreditation body and check that the CB is accredited to issue ISO27001 certificates in your country. Note that some CBs are accredited to issue, for example, ISO9001 certificates but not ISO27001 certificates, and some CBs can only certify organisations in certain countries. As an example, this is the list of CBs accredited by UKAS (in the UK): UKAS ISO27001 certification bodies. If the CB is not accredited to issue ISO27001 certificates in your country then you are strongly recommended to ignore the ISO27001 certificate. There are a number of what can best be described as “dodgy” CBs. Is the certificate issued by one of them?

7) When you have the name of the accreditation body, check on the International Accreditation Forum (IAF) web site that the accreditation body is a member of the IAF. The IAF is a body that (sort of) oversees the accreditation bodies. This is the list of accreditation bodies that are members of the IAF: IAF member bodies. If the accreditation body that accredited the CB is not in that list then you are strongly recommended to ignore the ISO27001 certificate. There are a number of what can best be described as “dodgy” accreditation bodies that will accredit almost any certification body.

8) You should consider the reputation of the CB. This is harder to assess, especially as even some of the “big” name CBs can and do have certification auditors of varying quality and consistency. Note also that some CBs specialise in certain sectors, and this may be important to you for some reason. Not all CBs are equal, even those that are properly accredited.

9) Contact your supplier and ask them for a copy of the Statement of Applicability (SOA) with the same version number as the one on the certificate. This lists all the controls that the organisation has defined as being necessary to manage its information risks. The SOA will also contain a statement about whether each control is applicable to them and whether it has been implemented or not. Look carefully at the SOA and satisfy yourself that the controls are reasonable and valid from your perspective. Are there any that are not implemented, or marked as not applicable, that are important to you? Some organisations will be reluctant to send you their SOA, but press them, as it is specifically named on the certificate. If they are not willing to send it to you, they may be able to show it to you on a screen so you can at least see its contents. Do not assume that because an organisation has ISO27001 it has implemented controls that are relevant to you.

10) You may have some specific controls that are of importance to you and that you want to focus on, whether or not they are listed in the SOA. As an example, the supplier's security vetting of its own staff may be very important to you, and if so you may want to ask your supplier about this specifically. Do not assume that because an organisation has ISO27001 it is operating all the controls that are important to you fully, effectively and properly.

11) You could also ask to see a copy of the risk assessment that was used to produce the SOA. Does the organisation have what you would view as a reasonable set of risks and attributes of those risks, for example the assessments of likelihood and impact? However, most companies would quite reasonably view this as very sensitive information and so are very unlikely to let you see it.

12) You can also ask for a copy of the last two certification audit reports issued by the certification body (CB). These are potentially very useful to you, as they will show which controls the certification auditor tested at their last visit and when that was. They will also show which locations they visited. The certification audit report will also list any weaknesses or problems that the certification auditor found. ISO27001 certification can be obtained and kept while the ISMS and associated controls are operating with weaknesses and faults, as long as, of course, these are not major weaknesses or faults. It might be useful for you to know what these faults are! Most companies are, perhaps understandably, going to be very reluctant to send you these.

13) Certification auditors do not test all the controls listed in the SOA at each visit, and the initial certification audit may only test perhaps a third or so of the controls listed in the SOA. You should not rely on the ISO27001 certification to give you absolute assurance that all the controls have been independently tested by the certification auditor.

14) You might want to consider when the organisation was initially certified: was it recently? If the organisation was recently certified, this may mean that the management of information risks is currently fairly high in management's thinking; on the other hand, it may mean that the management of information risks is not yet fully mature or embedded. It may also mean that not all the controls will have been tested by the certification auditor. If the organisation has been certified for several years, then this could be seen as a good sign, and most if not all the controls will have been tested at some point. But it may also mean that the management of information risks is no longer so high in management's thinking.

In summary, how much weight you give to an ISO27001 certificate from a supplier is for you to decide, but don't forget the importance of other typical supplier controls, for example monitoring the performance of your supplier from an information security perspective.

Chris

www.btrp.co.uk

Neha Gupta

Co-Founder, OCden | IIT Delhi | Ex-Morgan Stanley, Ex-Myntra

9 months

Very informative and helpful article, Chris! Didn't know so many possibilities and checks existed... Thanks!

Reply
Chris Hicks

Information Security, Data Protection & Enterprise Risk at Principality | CISM CRISC

2 years
Reply
Erik Frambach

Information Security Officer at Rail & OV

4 years

This should be standard practice. Expect some resistance, though, and if you can't get the info you need, find another supplier. Note that if you do get the info, and it ticks all the boxes, you're still not safe. That's life ;-)

Reply
Daniel P.

Director Switch2IT? | CEO at Serino? UK

4 years

Around 120gsm, then place the certificate to one side.

Reply
Eric Rey

Responsable sécurité informatique chez Liebherr Machines Bulle

4 years

So true. Scope, Risk Assessment and SOA are important to understand the real value of an ISMS.

Reply
