How can you validate a vendor that claims to have ISO 27001 certification?

People often ask us how they can validate an ISO 27001 vendor, so here’s our advice.

Unfortunately, there is no central register of all ISO 27001 certificates, so confirming the validity of a vendor’s certificate takes a little legwork. Here’s what you need to do:

  1. Request a copy of the vendor’s certificate, including any annexes that are issued with it. (The annexes may include further detail on the scope, locations that are covered and other useful information.)
  2. Identify the name of the certification body or registrar that issued the certificate and the national accreditation body that accredited the certification body.
  3. Check that the accreditation body subscribes to the International Accreditation Forum (IAF).
  4. Contact the certification body to ask them to confirm the validity of the certificate. Some certification bodies do this through their website, but others check that their client is happy to share this information with you first.

If all this works out and you are satisfied that the certificate was issued under the accredited certification scheme, the last things to check are:

  • The scope of certification. Make sure that it covers the supplier’s business processes and locations that you are entrusting with your information. Many organisations restrict the scope in order to save on the cost of implementation or the certification audit. This can compromise the extent of assurance that the certificate provides.
  • The date of issue and the date of expiry. This gives you an idea of the maturity of the ISMS. It’s worth periodically confirming that the certificate is still valid, because it can be withdrawn if the ISMS is not maintained appropriately.
  • The reference to the Statement of Applicability (SoA). There should be a reference to the specific version of the SoA that your supplier was audited against, and you can request a copy. Some organisations exclude controls that you might expect to be in place, and you won’t be aware of this without reviewing the SoA. If they’ve excluded controls, you’ll need to find out which compensatory controls are in place to provide the same assurance, and whether the residual risk satisfies your needs. The certification body should confirm the scope, dates and versions of the SoA in the information you request.
