Regulated vs unregulated ISO27001 certifications and certificates

Introduction

You may be aware that there are two main types of ISO27001 certifications and certificates: regulated ones and unregulated ones. At the risk of stating the obvious:

1) You should have a regulated one

2) Any certificate you receive (e.g. from a supplier) should be for a regulated ISO27001 certification

And I know that lots of you are now thinking, “I don’t need to read any more because I am sure we have a regulated certification”. But don’t be so sure. In the last 10 years I have worked with several organisations that already had an ISO27001 certificate and were unaware that their certifications were unregulated. Their certificates looked OK, but on investigation they did not quite pass the test of being properly regulated.

To be fair, “regulated” and “unregulated” are perhaps not quite the right terms in this context, but I do think they give a reasonable representation of what is going on.

Read on….

Some background.

An ISO27001 certificate is issued by a “certification body (CB)”.

A certification body is accredited (i.e. allowed/approved) to issue such certificates by an “accreditation body (AB)”.

The International Accreditation Forum (IAF) is a worldwide association of accreditation bodies.

What do I mean by regulated and unregulated?

Regulated means that:

- the certificate is issued by a certification body, and

- that certification body is accredited by an accreditation body, and

- that accreditation body is a member of the IAF, and

- that accreditation of the certification body by the accreditation body specifically includes ISO17021 and ISO27001:2022, and

- that accreditation also covers the country that the certificate is issued in, and

- that all the above are true as of today, i.e. the certifications, accreditations and the accreditation body’s membership of the IAF have not expired or been withdrawn, etc.

If the certification/certificate does not meet the above it is unregulated.

In some countries (e.g. the UK) the government will state what it regards as the “official” accreditation bodies. In the UK this is UKAS but you should not need to check this as long as the accreditation body is a member of the IAF.

Typically the certificate has the logos of the certification body, the accreditation body and the IAF. However, the presence of the logos does not prove that the certification/certificate is regulated.

There is nothing illegal about an end user organisation, a certification body or an accreditation body being “unregulated”. However, regulated end user organisations, certification bodies and accreditation bodies are subject to a number of rules and some level of oversight and checks that help to ensure some level of quality and consistency. As an example, some of these rules (in ISO17021 and ISO27006) cover things like how long certification audits should take.

There is no doubt that an unregulated certificate is very much cheaper and very much easier to get. Surprise surprise. An appropriate search will find organisations that will send you one for almost no money at all – the so called “certificate mills”. This is very common in some countries - especially for ISO9001.

I have set up an unregulated accreditation body and a certification body and can issue ISO27001 certificates. I do so for free. It is not illegal to do so as long as I don’t use any logos of “proper” accreditation bodies or the IAF. By the way, I have never issued any certificates.

For this reason many organisations who get sent an ISO27001 certificate by a supplier during a tender process will not accept an unregulated certificate. This can easily mean the difference between making a sale or not.

It is also worth noting that some certification bodies and accreditation bodies have been known to blatantly lie on their web sites about their status.

Any certification body that offers to help you implement the ISMS as well as issue the certificate is not regulated (or is breaking the rules!) because regulated certification bodies are not allowed to do “consultancy” as well as issue certificates.

I have come across a number of scenarios over the last 15 years, including:

- The certification body is reasonably large and well known but is not regulated. You would be surprised.

- The certification body is regulated and accredited to do ISO9001 but not ISO27001. Their website says things like “Accredited by UKAS”, which is true but only for ISO9001. More common than it should be.

- A convincing-looking certification body regulated by an accreditation body that is not a member of the IAF, and whose address is the same as the accreditation body’s.

- An organisation had unknowingly held an unregulated ISO27001 certification for several years when one of their large clients came back to them and said “If you do not get a regulated certificate we will stop doing business with you”.

- Certification bodies that are not regulated but whose web site makes a very convincing case that “they are OK” and references such things as ISO17021 to help give them credibility.

On a number of occasions I have been called in to help organisations move from an unregulated certificate to a regulated one and in all cases their ISMS fell very far short of the requirements of ISO27001. It was a lot of work to fix them and in almost all cases the work was close to doing an ISO27001 implementation from scratch. This gives you some indication about the typical quality of ISMSs associated with unregulated certificates.

How can you check if your certification/certificate is regulated?

It is possible to check that a certification/certificate is regulated by going through the steps below.

1) The certificate will state the name of the certification body. Contact the certification body and ask them to confirm that the ISO27001 certificate is valid. The certificate may be false(!) or have been withdrawn before the expiry date. Some certification bodies have web sites where you can do this check. If not then you should email them and ask. It is in the rules for how certification bodies must operate (ISO17021) that they must provide a mechanism for people to check that a certificate is valid. If you do not get a response then the certification is unregulated.

2) Look on the certificate to find out who has accredited the certification body. As an example, in the UK this is most likely to be UKAS. Look on the web site of the accreditation body and check that the certification body is accredited to issue ISO27001 certificates in your country. You may need to click through to get the actual accreditation certificate (sometimes a PDF) for the certification body, which needs to specifically name ISO17021 and ISO27001:2022. If it only mentions ISO9001 it is unregulated.

3) You should check on the International Accreditation Forum (IAF) web site that the accreditation body is a member of the IAF. This is the current list: https://iaf.nu/en/accreditation-bodies/ . If it isn’t a member then the certification/certificate is unregulated.

If the certificate passes the above tests then it can be viewed as a regulated certificate, although there are a number of other checks, not about being regulated, that you should undertake to really check whether a certificate sent to you is meaningful. See this article: https://www.dhirubhai.net/pulse/does-iso27001-certificate-mean-anything-chris-hall/

Summary

Do not have an unregulated certificate, and if an organisation sends you a certificate you should check carefully that it is a properly issued “regulated” certificate. If not, you should ignore it.

#iso27001 #chrishalliso27001

Nirvaya L

Marketing Executive at SecureSlate

2 months

Such an important distinction—regulated certifications make all the difference when it comes to credibility. For teams navigating ISO27001 or SOC 2 compliance, tools like SecureSlate have been incredibly helpful for managing requirements and ensuring everything’s in order. Have you seen cases where unregulated certifications caused issues down the line?

Nerijus Zagorskis

Founder of UAB Sertifikacija

2 months

Just be fair to yourselves. It doesn’t matter in real life. Show me the numbers: how many clients didn’t receive certification by an accredited company? It should be way harder, but the client pays the money and always receives the certificate. So it depends on the client only!

Eduard Subac

Head Of Accreditation Department at Lithuanian National Accreditation Bureau

2 months

https://www.iafcertsearch.org/ , here is information about certified clients of all IAF member accredited certification bodies.

Raghavendra Gururaj

Consultant & Trainer - Information Security, Data Protection & Privacy

3 months

Thanks for sharing, it is very essential for the practitioners to know about this.

Arif Hameed

Chief Information Security Officer | CISSP, CISA, CRISC

3 months

Thanks for sharing. I was not aware that there are certification bodies that may be accredited in another ISO certification like 9001 but are not accredited for ISO27001 and still perform ISO27001 audits. This is a deceptive practice.
