The US suffers more cyber security incidents than any other country, so it’s no surprise that customers, partners, authorities and other stakeholders all want assurances that organisations are taking reasonable steps to prevent data breaches.
With that in mind, demand for ISO 27001 certification is increasing.
What is ISO 27001?
ISO 27001 is the internationally recognised standard that stipulates the requirements for an ISMS (information security management system).
A significant benefit of ISO 27001, compared to alternative standards such as the NIST Cybersecurity Framework, is that organisations can achieve independent, accredited certification to it.
While organisations implementing an ISMS don’t have to achieve ISO 27001 certification, doing so has numerous benefits. Most notably, it offers potential and existing clients assurance that you’re following information security best practice.
How do you know whether the certificate or the certification body is legitimate?
The best way to validate a potential vendor’s certification is to ask for a copy of their certificate. Any organisation with accredited certification should be happy to provide it.
However, do check that the certificate has been issued by an accredited certification body.
How do you assess whether the certification body is accredited?
Certification bodies must also go through their own strict accreditation process to ensure they meet requirements and are qualified to carry out audits in line with ISO 27001.
To verify that a US certification body is accredited, check whether it is listed on an accreditation body’s website.
The US has three accreditation bodies for ISO 27001:
- ANAB (ANSI-ASQ National Accreditation Board)
- IAS (International Accreditation Service)
- UAF (United Accreditation Foundation)
For ISO 27001, ANAB is the biggest accreditation body.
Here’s a list of ISO 27001 certification bodies it has accredited.
What’s the problem with unaccredited certification bodies?
An unaccredited certification body may not have complied with the strict measures put in place by a national accreditation body.
As such, the quality of the audits and certification process is questionable. Telltale signs of unaccredited certification include:
- The duration of the certificate exceeds the mandatory three years
- The certificate is issued to more than one address
Using an unaccredited certification body might seem like a good way to save money, but it is a false economy.
Without the independent, trustworthy verification of an accredited certification body, stakeholders have no way of knowing whether the organization implemented ISO 27001 correctly. It simply doesn’t offer satisfactory evidence.
Stakeholders wouldn’t be unjustified in assuming that, if the organization took a shortcut in certification, it may also have taken shortcuts with the ISMS itself.
At best, this leads to increased scrutiny that an accredited certificate would’ve prevented. At worst, it leads to lost business that an accredited certificate could’ve secured.
Need more help with your ISO 27001 project?
Get help from the pioneers that led the world’s first ISO 27001 certification project.
We offer a range of solutions to help you prepare for certification, including gap analyses, internal audits, and even a FastTrack service for small organizations. This gets you to certification readiness in just three months.
The post How to Check if a US Company is ISO 27001 Certified appeared first on IT Governance Blog.