How ISO27001 certification bodies do consultancy and give advice
[Updated 24th May 2023 to add more about the objective of this]
ISO27001 certification bodies should not be doing anything that has the potential to compromise the objectivity and impartiality of the certification audit. I am using the term consultancy in this article to represent an activity that could potentially compromise this.
We need to split the certification bodies into two types:
- “Properly accredited”. By this we mean a certification body accredited to do ISO27001 certifications in your location by an accreditation body that is affiliated to the IAF.
- “The others”.
If your certification body is one of “The others” then they can do what they like and the rest of this article does not apply. I.e. they can freely undertake consultancy/give advice and most of them do. But they are not “proper” certification bodies and are best avoided for lots of reasons.
For a “Properly accredited” certification body the rules in ISO17021 and ISO27006 are (sort of) clear enough about this. Certification bodies and certification auditors are not supposed to do consultancy or give advice. This is for the obvious reason that it could easily give rise to a conflict of interest, either real or perceived. In practice a certification auditor is much less likely to raise a non-conformity if they know that the organisation being audited has simply done what someone else from the certification body suggested they should do.
There are a few ways that “certification bodies” bend/break/ignore this rule:
1) The certification body splits their company into two legal entities, e.g. “BTRP Consulting” and “BTRP Certification”. This is often a bit suspect because they often have the same directors and staff. One day a member of staff may be working for “BTRP Consulting” and the next day for “BTRP Certification”. They would not send the same member of staff to do both the consultancy and then the certification audit for the same client, but the people sent might have the same boss and sit next to each other in the same office. ISO17021 has lots to say about this and how organisations can or cannot do this. Mostly they can’t … but they do anyway. Very suspect.
2) Typically some time before they do the certification audit the certification body may do a gap analysis or “readiness assessment” of the ISO27001 implementation. Whilst they are sometimes very careful with the wording of the associated report they are in effect giving advice to the company about what they need to do to conform to the requirements of ISO27001. This is a popular one. Sounds like consultancy to me.
3) It is reasonable for an organisation to want to talk to their certification body/auditor before their certification audit. This often involves questions such as “We have done X – will that be OK?”. The certification bodies/auditors are not supposed to reply to these kinds of queries but sometimes do. Sometimes they will only do this verbally so there is no record of them giving advice.
4) During the audit the certification auditor gives “off the record”/ad hoc advice about how to do something. This is very common, and most auditors want to be helpful, show off their knowledge and “add value”. They are not supposed to do this and will sometimes try to phrase it as “I have seen other organisations do X” so it does not look quite so consultancy-like. But it is still consultancy.
5) The auditor raises an “Opportunity for improvement”. This is allowed by ISO17021 and ISO27006 although the auditor is not supposed to recommend specific solutions. The idea is that the auditor has seen something that meets the requirements of ISO27001 but they think could be improved. Again, they will sometimes try to be careful with the wording but this still sounds like consultancy and advice to me.
Most certification bodies will not send/give actual documents/templates to the organisation but will do as much as they can without doing this.
As I have said, ISO27001 certification bodies should not be doing anything that has the potential to compromise the objectivity and impartiality of the certification audit. But some of them do.
Chris
An index of all my articles is here: https://btrp.co.uk/Articles2
Managing Director at Irish Quality Centre (1 year ago)
Thanks for sharing
Managing Director and Senior Management Systems Auditor at TREETOPS (RATHBONE) LTD (1 year ago)
I don’t often agree with some of the sentiments expressed by Mr Hall, but in this I think he is spot on. As a 27001 lead auditor for a CB for the last 16 years I now refuse to do Gap Analysis audits and have stopped giving opportunities for improvement in regular audits. As Chris says, you can play around with the wording but it is still advice (i.e. consultancy).
Lead Auditor Information Security, Privacy & Quality - ISO27001 NEN7510 ISO27701 BC5701 ISO9001 (1 year ago)
There are indeed certification bodies that engage in consultancy, which should not be. In the Netherlands we then say "Wij van Wc-eend adviseren: Wc-eend" ("We at Wc-eend recommend: Wc-eend"). However, it is a pity that in the article the term consultancy is drawn wider than is defined in ISO 17021. Fortunately, this definition allows an auditor to provide added value to a certification audit without management system consultancy.
My favorite with ISO 27k auditing: fully certified, but logging is not done. It was out-scoped or treated as a third-party delivery item.
Information Security and Quality Management (1 year ago)
For people in the UK, the following link is the list of certification bodies (properly) accredited by UKAS to certify to ISO/IEC 27001:
https://www.ukas.com/find-an-organisation/browse-by-category/?cat=2572
At the top of the list there is the following link to the list of certification bodies also accredited by UKAS to certify to ISO/IEC 27701:
https://www.ukas.com/find-an-organisation/browse-by-category/?cat=3744