How to choose an ISO27001 certification body/registrar

There are lots of factors that you might take into account when choosing a certification body (CB)/registrar. This article lists some of the ones you may want to consider.

Some terminology. It is the “Certification Body” that comes and audits you (and “certifies” you), and “certification bodies” are in turn regulated by an “accreditation body”. The logo of the accreditation body will appear on the ISO27001 certificate alongside that of the CB, but you will not have any contact with the accreditation body.

Also, for background, certification consists of 3 main stages/audits. The Stage 1 audit and the Stage 2 audit are the initial audits that decide whether you should get the certificate. These are followed by a number of shorter surveillance audits over the next 3 years to check that you should keep the certificate.

Here goes.

- Find an accreditation body that is “proper” and appropriate for you. Go to the International Accreditation Forum (IAF) web site to get a list of them. The IAF is a body that (sort of) oversees the accreditation bodies. This is the list of accreditation bodies that are members of IAF: IAF member bodies. There are not very many of these and each is based in a particular country. Some countries have more than one. In the UK there is just one - UKAS. You can choose one “local” to you, although some accreditation bodies will cover CBs worldwide. To check that your chosen accreditation body accredits CBs that might do ISO27001, click on the link on the IAF web site and make sure that it lists ISO17021 in its list of “main scopes”. Most people don’t do this check, but if you want to be especially cautious, or you are not sure if your CB is “OK”, then it might be worthwhile doing this.

- The IAF web site also gives you the link to the accreditation body’s web site. Click on it and look on the accreditation body’s web site for the list of CBs that are accredited to undertake ISO27001 certifications. Note that some CBs are, for example, accredited to issue ISO9001 certificates but not ISO27001 certificates. As an example, this is the list of CBs accredited by UKAS (in the UK): UKAS ISO27001 certification bodies. You also need to check that the CB is accredited to do ISO27001 audits in your country, as some are only accredited for some countries. There are a number of what can best be described as “dodgy” CBs. Avoid! This step is strongly recommended unless you are using a big name CB and are very confident that they are properly accredited to do ISO27001 certifications.

- Is the CB a “big name”? This should not really make much difference to the quality of the audit (although it does!) but it might be important to you, for example if you are an international organisation or you want to avoid the situation where someone you show the certificate to says “I have never heard of that certification body and I therefore don’t accept your certificate”. It is very rare for an organisation to challenge a certificate in this way, but some very large organisations and public bodies might do this.

- You should consider the reputation of the CB. This is harder to assess – especially as even some of the big name CBs can and do have certification auditors of varying quality and consistency. Not all CBs are equal – even those that are properly accredited.

- Sector and sector expertise. In practice this is much less important than it might seem, but some (not many) CBs do specialise in specific sectors. It is probably best to check that your chosen CB does not specialise in a sector that is different from yours.

- Do all your competitors use the same CB? A search of the internet might help you find this out. This should not really matter, but it might to you and your clients.

- Skills and experience of the auditors. This varies considerably and is almost impossible to assess before the audit. Note that some CBs have auditors who are not full-time ISO27001 auditors but are also ISO27001 consultants/experts. Many ISO27001 certification auditors have little if any practical experience of information security. Many are also retrained ISO9001 auditors. It is debatable how important this is, but if your focus is on wanting your auditors to strongly challenge you about what you have done, then this could be important to you.

- How often do they do the surveillance audits? When you sign up to be certified this is over a 3 year cycle with surveillance audits at intervals during this period. The rules are that after the initial certification, surveillance audits must be conducted at least once a calendar year, but some CBs will want to audit more frequently – perhaps every 6 months.

- Price. It is inevitable that price is a factor, but look out for any hidden service/annual costs. Ask for the total cost for the 3 years. If expenses are excluded from the cost then you need to fully understand the implications of this - especially if the auditors will need to travel half way round the world. You could ask for a price that includes all expenses, or put a cap on the expenses of (say) 5% of the fee. You should also keep an eye on what notice period you must give if you want to change the date of an audit. Some will charge you if you do not give more than (say) 6 weeks’ notice. Others will allow changes at very short notice without any additional charges.

- Are they available to do the audit when you want it? Some CBs need a lot of notice to do an audit.

- Do they mandate what gap they need between the Stage 1 and Stage 2? People usually leave a month or so, but, although it is not advisable, you could have a gap of just a few days if you want to.

- How flexible are they about the timescales? See the notes on pricing.

- How soon after the audit will you get the report and certification decision? Some CBs are very quick (a few days) and others very slow (up to a month). If this is important to you then get this timescale into the contract.

- How long are they going to take doing the actual audits? The rules for this should mean that most CBs take about the same amount of on-site auditing time, but you will see variations. When you get a quote, make sure you can see how much time is actually spent auditing on site, as sometimes the fees just show the total number of days including all the auditor preparation and reporting time.

- Language. It might be important that the auditor speaks one or more particular languages.

- Security clearance. Will the auditor need security clearance of some kind and at some level?

- Location of your buildings. It makes sense, if you can, for your auditor to be reasonably local to your offices, although if you have a contract that includes all the expenses this may not be too much of a factor. Some CBs are “global” and have offices in many countries. Some CBs are “global” but only have offices and staff in a few countries and then expect their auditors to travel. Some CBs really only operate in one country. This shouldn’t really make much difference, but it can in practice.

- Which version of ISO27001 will they use? This is a rhetorical question but not a silly one. If you ask them they will tell you that it is the latest version, but a number of CBs effectively have their own virtual version of ISO27001 that they audit you against, although of course they would not admit to this. They issue rules to their auditors saying “if the client does X raise a non-conformity” or “if the client does not do X raise a non-conformity”, even if X is not a requirement of ISO27001! It is shocking that they do this, but some do. As well as being true for some CBs, this is also true for some individual auditors. You can’t normally find out about this when choosing a CB, but if you can you should ask around to get other people’s experience.

- Approach to using several auditors for the same audit. If you have several locations across a country or across the world, you need to consider your attitude to having several different auditors visiting these locations. This can be quite annoying, as each new auditor needs to understand your organisation from scratch. Not only that, but each of these auditors may well end up asking the same questions that you have already answered when the main audit at the head office location was undertaken. This can be very, very irritating. But at the same time you do not necessarily want to have to pay for auditors to fly around the world to do the audits. If you think it is important to get continuity of auditors for different days/locations, then ask the CB for their approach to this.

- Approach to remote auditing. The pandemic has changed the thinking about this, as of course most audits have been conducted remotely. There are some pros and cons to auditors coming on site, and if this is important to you then ask the CB about this. In “normal” times the official rules are that the Stage 2 must be conducted on site, but there is a bit more flexibility about Stage 1 audits and surveillance audits.

As I said, you are unlikely to want to consider all the above factors but hopefully this gives you some ideas.

Chris

www.btrp.co.uk