There are many organisations and consultants offering ISO 27001 certification in the UK – so how does an organisation choose the best certifying body? Make sure it’s an officially accredited body.
Ensure they are certified by UKAS
In 2009, the Department of Business, Innovation and Skills (BIS) (now known as the Department for Business, Energy & Industrial Strategy) appointed UKAS (United Kingdom Accreditation Service) as its national accreditation body. A national accreditation body is required under EU Regulation (EC) 765/2008, which provides a legal framework for accreditation services to be carried out against recognised ‘harmonised standards’ across Europe.

This appointment empowered UKAS to undertake the accreditation of certification bodies in the UK, according to ISO/IEC 17021 compliance, for the certification of management system standards. UKAS is also a member of the IAF – membership ensures an accrediting body is legitimate.
How to ensure your ISO 27001 certification body is accredited by an approved accreditor
Some certification providers claim to be accredited by an accreditation body not recognised by the IAF – it’s important to check that they are accredited by UKAS in the UK or a similar IAF member. Typically, non-accredited companies offer both ISO 27001 consultancy and certification – this is a warning sign, since no formally accredited certification body would offer this combination of services. The international ISO framework recognises the obvious conflict of interest when a single body assesses its own work while also offering guidance or consultancy. The two services should be separate and independent – a consultant, and an accredited certification body.

In many cases, being offered a non-accredited ISO certificate by a potential supplier should raise more alarm bells than no certificate at all.

There are other risks associated with non-accredited certification bodies, resulting from the fact that they are not subject to regular performance and quality monitoring by a national accreditation body such as UKAS, and they usually do not operate in line with the international standards that set out requirements for certification bodies. This often results, for example, in certificates being valid for more than 3 years (not the usual approach), certificates being issued per address, and in some cases the process only being documented via printed material rather than digital processes.

All accrediting bodies should comply with ISO 17021, which is the international standard that sets out the obligations for bodies providing audit and certification of management systems. The ISO says, “Certification of management systems is a third-party conformity assessment activity. Bodies performing this activity are therefore third-party conformity assessment bodies.” This highlights clearly that certification bodies should never be providing a certification service in conjunction with their own consultancy work since this would be a conflict of interests.
How to check if your certifying body is accredited
The organisation should be able to produce a current copy of its certificate of conformance with ISO/IEC 17021-1:2015, issued by a national accreditation body such as UKAS in the UK, for the relevant scheme.

Non-accredited bodies not only damage the reputation of certification schemes but also put the information security standards of organisations at risk. Many fall into the trap of using cheaper providers for ISO 27001 without conducting due diligence on the provider. Mistakes can be avoided by a simple check to ensure the certifying body has the proper accreditations by a recognised accreditation body like UKAS.
How can we help?

If you need help with ISO 27001 certification, book a consultation with us today.